diff --git a/.creusot-config.sample/Config.toml b/.creusot-config.sample/Config.toml
new file mode 100644
index 0000000000..5fdb1a34ac
--- /dev/null
+++ b/.creusot-config.sample/Config.toml
@@ -0,0 +1,6 @@
+version = 1
+
+[tools]
+mode = "external"
+why3_path = "why3"
+altergo_path = "alt-ergo"
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 14b4aac0be..160fb88621 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -44,6 +44,8 @@ jobs:
 key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} - name: Build run: cargo build + - name: dummy creusot setup + run: cp -r .creusot-config.sample .creusot-config - name: Run tests run: cargo test why3: 
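Review bot: The sample config ships without any explanation of its keys; `why3_path = "why3"` and `altergo_path = "alt-ergo"` are bare command names, so presumably they are resolved through PATH at run time rather than being fixed locations, and what `mode = "external"` selects is not stated anywhere in the file. I'd add a comment above `[tools]`, `# mode = "external": use the why3/alt-ergo binaries named below; bare names are looked up on PATH — confirm against creusot-setup`, so a developer copying this to `.creusot-config` knows what they are opting into.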
@@ -55,47 +57,34 @@ jobs: - name: Fetch target branch if: github.base_ref run: git fetch --no-tags --prune --depth=1 origin +refs/heads/${{github.base_ref}}:refs/remotes/origin/${{github.base_ref}} - - name: Install CVC4 - run: sudo apt-get install -y cvc4=1.8-2 - - name: Install CVC5 - run: | - wget https://github.com/cvc5/cvc5/releases/download/cvc5-1.0.5/cvc5-Linux - sudo cp cvc5-Linux /usr/local/bin/cvc5 - sudo chmod +x /usr/local/bin/cvc5 - - name: Install Z3 - run: | - wget https://github.com/Z3Prover/z3/releases/download/z3-4.12.4/z3-4.12.4-x64-glibc-2.35.zip - unzip z3-4.12.4-x64-glibc-2.35.zip - sudo cp -rn z3-4.12.4-x64-glibc-2.35/bin /usr/local - sudo cp -rn z3-4.12.4-x64-glibc-2.35/include /usr/local - sudo chmod +x /usr/local/bin/z3 - uses: actions/cache@v2 with: path: | ~/.cargo/registry ~/.cargo/git + ~/.cache/creusot target - key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} + key: ${{ runner.os }}-cargo-creusot-${{ hashFiles('**/Cargo.lock', 'creusot-setup/src/tools_versions_urls.rs') }} - uses: dawidd6/action-download-artifact@v2 with: workflow: why3.yml name: why3 path: /home/runner/work/creusot/why3 - - run: | + - name: setup paths for why3 and alt-ergo + run: | chmod -R +x ~/work/creusot/why3/bin chmod -R +x ~/work/creusot/why3/lib/why3/why3server + echo ~/work/creusot/why3/bin >> $GITHUB_PATH mv ~/work/creusot/why3/alt-ergo /usr/local/bin/alt-ergo chmod +x /usr/local/bin/alt-ergo echo $(/usr/local/bin/alt-ergo --version) - - ~/work/creusot/why3/bin/why3 config detect - cat ~/.why3.conf + - name: run cargo creusot setup install + run: | + cargo run --bin cargo-creusot creusot setup install + echo -e "\n>> ~/.config/creusot/Config.toml:\n" + cat ~/.config/creusot/Config.toml + echo -e "\n>> ~/.config/creusot/why3.conf:\n" + cat ~/.config/creusot/why3.conf - run: cargo test --test why3 "" -- --replay=none --diff-from=origin/master - env: - WHY3_CONFIG: ${{ github.workspace }}/ci/why.conf - WHY3_PATH: ${{ github.workspace 
}}/../why3/bin/why3 - run: cargo test --test why3 "" -- --skip-unstable - env: - WHY3_CONFIG: ${{ github.workspace }}/ci/why.conf - WHY3_PATH: ${{ github.workspace }}/../why3/bin/why3 diff --git a/.gitignore b/.gitignore index e952f9d1bc..2796032c7b 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,9 @@ nll-facts/ mir_dump/ +# Creusot local config for development +/.creusot-config + # Creusot files *.creusot *.cmeta diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md index eafaf886d0..b23aa48468 100644 --- a/ARCHITECTURE.md +++ b/ARCHITECTURE.md @@ -151,7 +151,7 @@ Instead, we replace the `discriminant` / `switchInt` pair with a match directly ## Logical functions -Logical functions are created by `#[ghost]`, `#[logic]`, or `#[predicate]`. +Logical functions are created by `#[logic]` or `#[predicate]`. ## Specifications diff --git a/Cargo.lock b/Cargo.lock index 6c8149ff36..e5a97f4374 100644 --- a/Cargo.lock +++ b/Cargo.lock 
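Review bot: The new `cargo run --bin cargo-creusot creusot setup install` step replaces explicit, unverified `wget` downloads of cvc5 and z3 with a tool that fetches the solver builds itself, but nothing in the hunk shows whether what it downloads is integrity-checked; the Cargo.lock in this commit adds `sha2` and `hex` to `creusot-setup`, which suggests digest pinning, but the workflow should say so. The cache step now also persists `~/.cache/creusot`, keyed only on `Cargo.lock` and `creusot-setup/src/tools_versions_urls.rs`, so on later runs a restored cache is reused as trusted executables; confirm that `setup install` re-validates cached downloads rather than trusting them by path. The added `echo ~/work/creusot/why3/bin >> $GITHUB_PATH` prepends an artifact directory that was just blanket-`chmod -R +x`'d to PATH for every subsequent step, so the `why3.yml` artifact pulled via `dawidd6/action-download-artifact@v2` (a floating major tag) becomes the trust root for the provers exercised by `cargo test --test why3`. I'd add a comment on the install step, `# Downloads pinned solver builds; versions/URLs live in creusot-setup/src/tools_versions_urls.rs — confirm digests are verified before use`, and consider pinning the download action to a commit SHA; the enclosing `why3` job header sits before this hunk.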
@@ -17,63 +17,81 @@ version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" +[[package]] +name = "aes" +version = "0.8.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b169f7a6d4742236a0a00c541b845991d0ac43e546831af1249753ab4c3aa3a0" +dependencies = [ + "cfg-if", + "cipher", + "cpufeatures", +] + [[package]] name = "aho-corasick" -version = "1.1.2" +version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b2969dcb958b36655471fc61f7e416fa76033bdd4bfed0678d8fee1e2d07a1f0" +checksum = "67fc08ce920c31afb70f013dcce1bfc3a3195de6a228474e45e1f145b36f8d04" dependencies = [ "memchr", ] [[package]] name = "anstream" -version = "0.6.11" +version = "0.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6e2e1ebcb11de5c03c67de28a7df593d32191b44939c482e97702baaaa6ab6a5" +checksum = "0ca84f3628370c59db74ee214b3263d58f9aadd9b4fe7e711fd87dc452b7f163" dependencies = [ "anstyle", "anstyle-parse", "anstyle-query", "anstyle-wincon", "colorchoice", + "is-terminal", "utf8parse", ] [[package]] name = "anstyle" -version = "1.0.4" +version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7079075b41f533b8c61d2a4d073c4676e1f8b249ff94a393b0595db304e0dd87" +checksum = "41ed9a86bf92ae6580e0a31281f65a1b1d867c0cc68d5346e2ae128dddfa6a7d" [[package]] name = "anstyle-parse" -version = "0.2.3" +version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c75ac65da39e5fe5ab759307499ddad880d724eed2f6ce5b5e8a26f4f387928c" +checksum = "e765fd216e48e067936442276d1d57399e37bce53c264d6fefbe298080cb57ee" dependencies = [ "utf8parse", ] [[package]] name = "anstyle-query" -version = "1.0.2" +version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = 
"e28923312444cdd728e4738b3f9c9cac739500909bb3d3c94b43551b16517648" +checksum = "5ca11d4be1bab0c8bc8734a9aa7bf4ee8316d462a08c6ac5052f888fef5b494b" dependencies = [ - "windows-sys", + "windows-sys 0.48.0", ] [[package]] name = "anstyle-wincon" -version = "3.0.2" +version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1cd54b81ec8d6180e24654d0b371ad22fc3dd083b6ff8ba325b72e00c87660a7" +checksum = "180abfa45703aebe0093f79badacc01b8fd4ea2e35118747e5811127f926e188" dependencies = [ "anstyle", - "windows-sys", + "windows-sys 0.48.0", ] +[[package]] +name = "anyhow" +version = "1.0.80" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5ad32ce52e4161730f7098c077cd2ed6229b5804ccf99e5366be1ab72a98b4e1" + [[package]] name = "arraydeque" version = "0.4.5" 
@@ -121,12 +139,54 @@ dependencies = [ "rustc-demangle", ] +[[package]] +name = "base64" +version = "0.21.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567" + +[[package]] +name = "base64ct" +version = "1.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8c3c1a368f70d6cf7302d78f8f7093da241fb8e8807c05cc9e51a125895a6d5b" + +[[package]] +name = "bit-set" +version = "0.5.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0700ddab506f33b20a03b13996eccd309a48e5ff77d0d95926aa0210fb4e95f1" +dependencies = [ + "bit-vec", +] + +[[package]] +name = "bit-vec" +version = "0.6.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb" + [[package]] name = "bitflags" version = "1.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" +[[package]] +name = "bitflags" +version = "2.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" + +[[package]] +name = "block-buffer" +version = "0.10.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71" +dependencies = [ + "generic-array", +] + [[package]] name = "bstr" version = "0.2.17" 
@@ -135,14 +195,55 @@ checksum = "ba3569f383e8f1598449f1a423e72e99569137b47740b1da11ef19af3d5c3223" dependencies = [ "lazy_static", "memchr", - "regex-automata 0.1.10", + "regex-automata", +] + +[[package]] +name = "bumpalo" +version = "3.15.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7ff69b9dd49fd426c69a0db9fc04dd934cdb6645ff000864d98f7e2af8830eaa" + +[[package]] +name = "byteorder" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b" + +[[package]] +name = "bytes" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a2bd12c1caf447e69cd4528f47f94d203fd2582878ecb9e9465484c4148a8223" + +[[package]] +name = "bzip2" +version = "0.4.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bdb116a6ef3f6c3698828873ad02c3014b3c85cadb88496095628e3ef1e347f8" +dependencies = [ + "bzip2-sys", + "libc", +] + +[[package]] +name = "bzip2-sys" +version = "0.1.11+1.0.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "736a955f3fa7875102d57c82b8cac37ec45224a07fd32d58f9f7a186b6cd4cdc" +dependencies = [ + "cc", + "libc", + "pkg-config", ] [[package]] name = "cargo-creusot" version = "0.1.0" dependencies = [ + "anyhow", "creusot-args", + "creusot-setup", "env_logger", "serde", "serde_json", @@ -151,12 +252,11 @@ dependencies = [ [[package]] name = "cc" -version = "1.0.83" +version = "1.0.79" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1174fb0b6ec23863f8b971027804a42614e347eafb0a95bf0b12cdae21fc4d0" +checksum = "50d30906286121d95be3d479533b458f87493b30a4b5f79a607db8f5d11aa91f" dependencies = [ "jobserver", - "libc", ] [[package]] 
@@ -165,33 +265,45 @@ version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" +[[package]] +name = "cipher" +version = "0.4.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad" +dependencies = [ + "crypto-common", + "inout", +] + [[package]] name = "clap" -version = "4.4.18" +version = "4.2.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e578d6ec4194633722ccf9544794b71b1385c3c027efe0c55db226fc880865c" +checksum = "8a1f23fa97e1d1641371b51f35535cb26959b8e27ab50d167a8b996b5bada819" dependencies = [ "clap_builder", "clap_derive", + "once_cell", ] [[package]] name = "clap_builder" -version = "4.4.18" +version = "4.2.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4df4df40ec50c46000231c914968278b1eb05098cf8f1b3a518a95030e71d1c7" +checksum = "0fdc5d93c358224b4d6867ef1356d740de2303e9892edc06c5340daeccd96bab" dependencies = [ "anstream", "anstyle", + "bitflags 1.3.2", "clap_lex", "strsim", ] [[package]] name = "clap_derive" -version = "4.4.7" +version = "4.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cf9804afaaf59a91e75b022a30fb7229a7901f60c755489cc61c9b423b836442" +checksum = "3f9644cd56d6b87dbe899ef8b053e331c0637664e9e21a33dfcdc36093f5c5c4" dependencies = [ "heck", "proc-macro2", @@ -201,9 +313,9 @@ dependencies = [ [[package]] name = "clap_lex" -version = "0.6.0" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "702fc72eb24e5a1e48ce58027a675bc24edd52096d5397d4aea7c6dd9eca0bd1" +checksum = "8a2dd5a6fe8c6e3502f568a6353e5273bbb15193ad9a89e457b9970798efbea1" [[package]] name = "colorchoice" 
@@ -213,14 +325,54 @@ checksum = "acbf1af155f9b9ef647e42cdc158db4b64a1b61f743629225fde6f3e0be2a7c7" [[package]] name = "console" -version = "0.15.8" +version = "0.15.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0e1f83fc076bd6dd27517eacdf25fef6c4dfe5f1d7448bafaaf3a26f13b5e4eb" +checksum = "c3d79fbe8970a77e3e34151cc13d3b3e248aa0faaecb9f6091fa07ebefe5ad60" dependencies = [ "encode_unicode", "lazy_static", "libc", - "windows-sys", + "windows-sys 0.42.0", +] + +[[package]] +name = "constant_time_eq" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "245097e9a4535ee1e3e3931fcfcd55a796a44c643e8596ff6566d68f09b87bbc" + +[[package]] +name = "core-foundation" +version = "0.9.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f" +dependencies = [ + "core-foundation-sys", + "libc", +] + +[[package]] +name = "core-foundation-sys" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "06ea2b9bc92be3c2baa9334a323ebca2d6f074ff852cd1d7b11064035cd3868f" + +[[package]] +name = "cpufeatures" +version = "0.2.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "53fe5e26ff1b7aef8bca9c6080520cfb8d9333c7568e1829cef191a9723e5504" +dependencies = [ + "libc", +] + +[[package]] +name = "crc32fast" +version = "1.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b3855a8a784b474f333699ef2bbca9db2c4a1f6d9088a90a2d25b1eb53111eaa" +dependencies = [ + "cfg-if", ] [[package]] 
@@ -229,24 +381,22 @@ version = "0.2.0" dependencies = [ "arraydeque", "assert_cmd", - "backtrace", "clap", "creusot-contracts", + "creusot-dev-config", "creusot-metadata", "escargot", "glob", "heck", "include_dir", "indexmap 1.9.3", - "internal-iterator", - "itertools 0.12.0", + "itertools", "lazy_static", "log", "petgraph", "serde", "serde_json", "similar", - "smallvec", "tempdir", "termcolor", "toml", @@ -288,6 +438,14 @@ dependencies = [ "uuid", ] +[[package]] +name = "creusot-dev-config" +version = "0.1.0" +dependencies = [ + "anyhow", + "creusot-setup", +] + [[package]] name = "creusot-metadata" version = "0.2.0" 
@@ -307,12 +465,85 @@ dependencies = [ "toml", ] +[[package]] +name = "creusot-setup" +version = "0.1.0" +dependencies = [ + "anyhow", + "creusot-args", + "directories", + "hex", + "reqwest", + "serde", + "sha2", + "toml", + "which", + "zip", +] + +[[package]] +name = "crossbeam-utils" +version = "0.8.19" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "248e3bacc7dc6baa3b21e405ee045c3047101a49145e7e9eca583ab4c2ca5345" + +[[package]] +name = "crypto-common" +version = "0.1.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3" +dependencies = [ + "generic-array", + "typenum", +] + +[[package]] +name = "deranged" +version = "0.3.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b42b6fa04a440b495c8b04d0e71b707c585f83cb9cb28cf8cd0d976c315e31b4" +dependencies = [ + "powerfmt", +] + [[package]] name = "difflib" version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6184e33543162437515c2e2b48714794e37845ec9851711914eec9d308f6ebe8" +[[package]] +name = "digest" +version = "0.10.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292" +dependencies = [ + "block-buffer", + "crypto-common", + "subtle", +] + +[[package]] +name = "directories" +version = "5.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9a49173b84e034382284f27f1af4dcbbd231ffa358c0fe316541a7337f376a35" +dependencies = [ + "dirs-sys", +] + +[[package]] +name = "dirs-sys" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "520f05a5cbd335fae5a99ff7a6ab8627577660ee5cfd6a94a6a929b52ff0321c" +dependencies = [ + "libc", + "option-ext", + "redox_users", + "windows-sys 0.48.0", +] + [[package]] name = "doc-comment" version = "0.3.3" 
@@ -321,9 +552,9 @@ checksum = "fea41bba32d969b513997752735605054bc0dfa92b4c56bf1189f2e174be7a10" [[package]] name = "either" -version = "1.9.0" +version = "1.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a26ae43d7bcc3b814de94796a5e736d4029efb0ee900c12e2d54c993ad1a1e07" +checksum = "11157ac094ffbdde99aa67b23417ebdd801842852b500e395a45a9c0aac03e4a" [[package]] name = "encode_unicode" @@ -332,26 +563,25 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a357d28ed41a50f9c765dbfe56cbc04a64e53e5fc58ba79fbc34c10ef3df831f" [[package]] -name = "env_filter" -version = "0.1.0" +name = "encoding_rs" +version = "0.8.33" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a009aa4810eb158359dda09d0c87378e4bbb89b5a801f016885a4707ba24f7ea" +checksum = "7268b386296a025e474d5140678f75d6de9493ae55a5d709eeb9dd08149945e1" dependencies = [ - "log", - "regex", + "cfg-if", ] [[package]] name = "env_logger" -version = "0.11.0" +version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9eeb342678d785662fd2514be38c459bb925f02b68dd2a3e0f21d7ef82d979dd" +checksum = "85cdab6a89accf66733ad5a1693a4dcced6aeff64602b634530dd73c1f3ee9f0" dependencies = [ - "anstream", - "anstyle", - "env_filter", "humantime", + "is-terminal", "log", + "regex", + "termcolor", ] [[package]] 
@@ -360,11 +590,21 @@ version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" +[[package]] +name = "errno" +version = "0.3.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a258e46cdc063eb8519c00b9fc845fc47bcfca4130e2f08e88665ceda8474245" +dependencies = [ + "libc", + "windows-sys 0.52.0", +] + [[package]] name = "escargot" -version = "0.5.8" +version = "0.5.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "768064bd3a0e2bedcba91dc87ace90beea91acc41b6a01a3ca8e9aa8827461bf" +checksum = "f5584ba17d7ab26a8a7284f13e5bd196294dd2f2d79773cff29b9e9edef601a6" dependencies = [ "log", "once_cell", 
@@ -372,17 +612,54 @@ dependencies = [ "serde_json", ] +[[package]] +name = "fastrand" +version = "2.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "25cbce373ec4653f1a01a31e8a5e5ec0c622dc27ff9c4e6606eefef5cbbed4a5" + [[package]] name = "fixedbitset" version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80" +[[package]] +name = "flate2" +version = "1.0.28" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "46303f565772937ffe1d394a4fac6f411c6013172fadde9dcdb1e147a086940e" +dependencies = [ + "crc32fast", + "miniz_oxide", +] + +[[package]] +name = "fnv" +version = "1.0.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" + +[[package]] +name = "foreign-types" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" +dependencies = [ + "foreign-types-shared", +] + +[[package]] +name = "foreign-types-shared" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" + [[package]] name = "form_urlencoded" -version = "1.2.1" +version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e13624c2627564efccf4934284bdd98cbaa14e79b0b5a141218e507b3a823456" +checksum = "a9c384f161156f5260c24a097c56119f9be8c798586aecc13afbcbe7b7e26bf8" dependencies = [ "percent-encoding", ] 
@@ -393,11 +670,69 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a06f77d526c1a601b7c4cdd98f54b5eaabffc14d5f2f0296febdc7f357c6d3ba" +[[package]] +name = "futures-channel" +version = "0.3.30" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "eac8f7d7865dcb88bd4373ab671c8cf4508703796caa2b1985a9ca867b3fcb78" +dependencies = [ + "futures-core", +] + +[[package]] +name = "futures-core" +version = "0.3.30" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dfc6580bb841c5a68e9ef15c77ccc837b40a7504914d52e47b8b0e9bbda25a1d" + +[[package]] +name = "futures-io" +version = "0.3.30" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a44623e20b9681a318efdd71c299b6b222ed6f231972bfe2f224ebad6311f0c1" + +[[package]] +name = "futures-sink" +version = "0.3.30" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9fb8e00e87438d937621c1c6269e53f536c14d3fbd6a042bb24879e57d474fb5" + +[[package]] +name = "futures-task" +version = "0.3.30" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "38d84fa142264698cdce1a9f9172cf383a0c82de1bddcf3092901442c4097004" + +[[package]] +name = "futures-util" +version = "0.3.30" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3d6401deb83407ab3da39eba7e33987a73c3df0c82b4bb5813ee871c19c41d48" +dependencies = [ + "futures-core", + "futures-io", + "futures-task", + "memchr", + "pin-project-lite", + "pin-utils", + "slab", +] + +[[package]] +name = "generic-array" +version = "0.14.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a" +dependencies = [ + "typenum", + "version_check", +] + [[package]] name = "getrandom" -version = "0.2.12" +version = "0.2.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = 
"190092ea657667030ac6a35e305e62fc4dd69fd98ac98631e5d3a2b1575a12b5" +checksum = "c85e1d9ab2eadba7e5040d4e09cbd6d072b76a557ad64e797c2cb9d4da21d7e4" dependencies = [ "cfg-if", "libc", @@ -416,7 +751,7 @@ version = "0.14.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d0155506aab710a86160ddb504a480d2964d7ab5b9e62419be69e0032bc5931c" dependencies = [ - "bitflags", + "bitflags 1.3.2", "libc", "libgit2-sys", "log", @@ -431,6 +766,25 @@ version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b" +[[package]] +name = "h2" +version = "0.3.24" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bb2c4422095b67ee78da96fbb51a4cc413b3b25883c7717ff7ca1ab31022c9c9" +dependencies = [ + "bytes", + "fnv", + "futures-core", + "futures-sink", + "futures-util", + "http", + "indexmap 2.2.5", + "slab", + "tokio", + "tokio-util", + "tracing", +] + [[package]] name = "hashbrown" version = "0.12.3" 
@@ -450,113 +804,246 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8" [[package]] -name = "humantime" -version = "2.1.0" +name = "hermit-abi" +version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4" +checksum = "fed44880c466736ef9a5c5b5facefb5ed0785676d0c02d612db14e54f0d84286" [[package]] -name = "idna" -version = "0.5.0" +name = "hex" +version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "634d9b1461af396cad843f47fdba5597a4f9e6ddd4bfb6ff5d85028c25cb12f6" -dependencies = [ - "unicode-bidi", - "unicode-normalization", -] +checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" [[package]] -name = "include_dir" -version = "0.7.3" +name = "hmac" +version = "0.12.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "18762faeff7122e89e0857b02f7ce6fcc0d101d5e9ad2ad7846cc01d61b7f19e" +checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e" dependencies = [ - "include_dir_macros", + "digest", ] [[package]] -name = "include_dir_macros" -version = "0.7.3" +name = "home" +version = "0.5.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b139284b5cf57ecfa712bcc66950bb635b31aff41c188e8a4cfc758eca374a3f" +checksum = "e3d1354bf6b7235cb4a0576c2619fd4ed18183f689b12b006a0ee7329eeff9a5" dependencies = [ - "proc-macro2", - "quote", + "windows-sys 0.52.0", ] [[package]] -name = "indexmap" -version = "1.9.3" +name = "http" +version = "0.2.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bd070e393353796e801d209ad339e89596eb4c8d430d18ede6a1cced8fafbd99" +checksum = "601cbb57e577e2f5ef5be8e7b83f0f63994f25aa94d673e54a92d5c516d101f1" dependencies = [ - "autocfg", - "hashbrown 0.12.3", - "serde", + "bytes", + "fnv", + 
"itoa", ] [[package]] -name = "indexmap" -version = "2.1.0" +name = "http-body" +version = "0.4.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d530e1a18b1cb4c484e6e34556a0d948706958449fca0cab753d649f2bce3d1f" +checksum = "7ceab25649e9960c0311ea418d17bee82c0dcec1bd053b5f9a66e265a693bed2" dependencies = [ - "equivalent", - "hashbrown 0.14.3", + "bytes", + "http", + "pin-project-lite", ] [[package]] -name = "insta" -version = "1.34.0" +name = "httparse" +version = "1.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5d64600be34b2fcfc267740a243fa7744441bb4947a619ac4e5bb6507f35fbfc" -dependencies = [ - "console", - "lazy_static", +checksum = "d897f394bad6a705d5f4104762e116a75639e470d80901eed05a860a95cb1904" + +[[package]] +name = "httpdate" +version = "1.0.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9" + +[[package]] +name = "humantime" +version = "2.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4" + +[[package]] +name = "hyper" +version = "0.14.28" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bf96e135eb83a2a8ddf766e426a841d8ddd7449d5f00d34ea02b41d2f19eef80" +dependencies = [ + "bytes", + "futures-channel", + "futures-core", + "futures-util", + "h2", + "http", + "http-body", + "httparse", + "httpdate", + "itoa", + "pin-project-lite", + "socket2", + "tokio", + "tower-service", + "tracing", + "want", +] + +[[package]] +name = "hyper-tls" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d6183ddfa99b85da61a140bea0efc93fdf56ceaa041b37d553518030827f9905" +dependencies = [ + "bytes", + "hyper", + "native-tls", + "tokio", + "tokio-native-tls", +] + +[[package]] +name = "idna" +version = "0.3.0" +source = 
"registry+https://github.com/rust-lang/crates.io-index" +checksum = "e14ddfc70884202db2244c223200c204c2bda1bc6e0998d11b5e024d657209e6" +dependencies = [ + "unicode-bidi", + "unicode-normalization", +] + +[[package]] +name = "include_dir" +version = "0.7.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "18762faeff7122e89e0857b02f7ce6fcc0d101d5e9ad2ad7846cc01d61b7f19e" +dependencies = [ + "include_dir_macros", +] + +[[package]] +name = "include_dir_macros" +version = "0.7.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b139284b5cf57ecfa712bcc66950bb635b31aff41c188e8a4cfc758eca374a3f" +dependencies = [ + "proc-macro2", + "quote", +] + +[[package]] +name = "indexmap" +version = "1.9.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bd070e393353796e801d209ad339e89596eb4c8d430d18ede6a1cced8fafbd99" +dependencies = [ + "autocfg", + "hashbrown 0.12.3", + "serde", +] + +[[package]] +name = "indexmap" +version = "2.2.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7b0b929d511467233429c45a44ac1dcaa21ba0f5ba11e4879e6ed28ddb4f9df4" +dependencies = [ + "equivalent", + "hashbrown 0.14.3", +] + +[[package]] +name = "inout" +version = "0.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a0c10553d664a4d0bcff9f4215d0aac67a639cc68ef660840afe309b807bc9f5" +dependencies = [ + "generic-array", +] + +[[package]] +name = "insta" +version = "1.29.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9a28d25139df397cbca21408bb742cf6837e04cdbebf1b07b760caf971d6a972" +dependencies = [ + "console", + "lazy_static", "linked-hash-map", "similar", "yaml-rust", ] [[package]] -name = "internal-iterator" -version = "0.2.3" +name = "io-lifetimes" +version = "1.0.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9c66c74d2ae7e79a5a8f7ac924adbe38ee42a859c6539ad869eb51f0b52dc220" 
+dependencies = [ + "hermit-abi", + "libc", + "windows-sys 0.48.0", +] + +[[package]] +name = "ipnet" +version = "2.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "969ee3fc68ec2e88eb21434ce4d9b7e1600d1ce92ff974560a6c4a304f5124b9" +checksum = "8f518f335dce6725a761382244631d86cf0ccb2863413590b31338feb467f9c3" [[package]] -name = "itertools" -version = "0.10.5" +name = "is-terminal" +version = "0.4.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473" +checksum = "adcf93614601c8129ddf72e2d5633df827ba6551541c6d8c59520a371475be1f" dependencies = [ - "either", + "hermit-abi", + "io-lifetimes", + "rustix 0.37.18", + "windows-sys 0.48.0", ] [[package]] name = "itertools" -version = "0.12.0" +version = "0.10.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "25db6b064527c5d482d0423354fcd07a89a2dfe07b67892e62411946db7f07b0" +checksum = "b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473" dependencies = [ "either", ] [[package]] name = "itoa" -version = "1.0.10" +version = "1.0.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b1a46d1a171d865aa5f83f92695765caa047a9b4cbae2cbf37dbd613a793fd4c" +checksum = "453ad9f582a441959e5f0d088b02ce04cfe8d51a8eaf077f12ac6d3e94164ca6" [[package]] name = "jobserver" -version = "0.1.27" +version = "0.1.26" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8c37f63953c4c63420ed5fd3d6d398c719489b9f872b9fa683262f8edd363c7d" +checksum = "936cfd212a0155903bcbc060e316fb6cc7cbf2e1907329391ebadc1fe0ce77c2" dependencies = [ "libc", ] +[[package]] +name = "js-sys" +version = "0.3.69" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "29c15563dc2726973df627357ce0c9ddddbea194836909d655df6a75d2cf296d" +dependencies = [ + "wasm-bindgen", +] + [[package]] name = "lazy_static" version = "1.4.0" 
@@ -565,9 +1052,9 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" [[package]] name = "libc" -version = "0.2.152" +version = "0.2.153" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13e3bf6590cbc649f4d1a3eefc9d5d6eb746f5200ffb04e5e142700b8faa56e7" +checksum = "9c198f91728a82281a64e1f4f9eeb25d82cb32a5de251c6bd1b5154d63a8e7bd" [[package]] name = "libgit2-sys" @@ -583,6 +1070,23 @@ dependencies = [ "pkg-config", ] +[[package]] +name = "libm" +version = "0.2.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4ec2a862134d2a7d32d7983ddcdd1c4923530833c9f2ea1a44fc5fa473989058" + +[[package]] +name = "libredox" +version = "0.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "85c833ca1e66078851dba29046874e38f08b2c883700aa29a03ddd3b23814ee8" +dependencies = [ + "bitflags 2.4.2", + "libc", + "redox_syscall", +] + [[package]] name = "libssh2-sys" version = "0.2.23" @@ -599,9 +1103,9 @@ dependencies = [ [[package]] name = "libz-sys" -version = "1.1.14" +version = "1.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "295c17e837573c8c821dbaeb3cceb3d745ad082f7572191409e69cbc1b3fd050" +checksum = "56ee889ecc9568871456d42f603d6a0ce59ff328d291063a45cbdf0036baf6db" dependencies = [ "cc", "libc", 
@@ -615,34 +1119,84 @@ version = "0.5.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0717cef1bc8b636c6e1c1bbdefc09e6322da8a9321966e8928ef80d20f7f770f" +[[package]] +name = "linux-raw-sys" +version = "0.3.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b64f40e5e03e0d54f03845c8197d0291253cdbedfb1cb46b13c2c117554a9f4c" + +[[package]] +name = "linux-raw-sys" +version = "0.4.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "01cda141df6706de531b6c46c3a33ecca755538219bd484262fa09410c13539c" + [[package]] name = "log" -version = "0.4.20" +version = "0.4.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b5e6163cb8c49088c2c36f57875e58ccd8c87c7427f7fbd50ea6710b2f3f2e8f" +checksum = "abb12e687cfb44aa40f41fc3978ef76448f9b6038cad6aef4259d3c095a2382e" +dependencies = [ + "cfg-if", +] [[package]] name = "memchr" -version = "2.7.1" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "523dc4f511e55ab87b694dc30d0f820d60906ef06413f93d4d7a1385599cc149" +checksum = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d" + +[[package]] +name = "mime" +version = "0.3.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a" [[package]] name = "miniz_oxide" -version = "0.7.1" +version = "0.7.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e7810e0be55b428ada41041c41f32c9f1a42817901b4ccf45fa3d4b6561e74c7" +checksum = "9d811f3e15f28568be3407c8e7fdb6514c1cda3cb30683f15b6a1a1dc4ea14a7" dependencies = [ "adler", ] +[[package]] +name = "mio" +version = "0.8.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a4a650543ca06a924e8b371db273b2756685faae30f8487da1b56505a8f78b0c" +dependencies = [ + "libc", + "wasi", + "windows-sys 0.48.0", +] + +[[package]] +name = 
"native-tls" +version = "0.2.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "07226173c32f2926027b63cce4bcd8076c3552846cbe7925f3aaffeac0a3b92e" +dependencies = [ + "lazy_static", + "libc", + "log", + "openssl", + "openssl-probe", + "openssl-sys", + "schannel", + "security-framework", + "security-framework-sys", + "tempfile", +] + [[package]] name = "num" -version = "0.4.1" +version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b05180d69e3da0e530ba2a1dae5110317e49e3b7f3d41be227dc5f92e49ee7af" +checksum = "43db66d1170d347f9a065114077f7dccb00c1b9478c89384490a3425279a4606" dependencies = [ - "num-bigint 0.4.4", + "num-bigint 0.4.3", "num-complex", "num-integer", "num-iter", @@ -663,9 +1217,9 @@ dependencies = [ [[package]] name = "num-bigint" -version = "0.4.4" +version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "608e7659b5c3d7cba262d894801b9ec9d00de989e8a82bd4bef91d08da45cdc0" +checksum = "f93ab6289c7b344a8a9f60f88d80aa20032336fe78da341afc91c8a2341fc75f" dependencies = [ "autocfg", "num-integer", @@ -674,13 +1228,19 @@ dependencies = [ [[package]] name = "num-complex" -version = "0.4.4" +version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1ba157ca0885411de85d6ca030ba7e2a83a28636056c7c699b07c8b6f7383214" +checksum = "02e0d21255c828d6f128a1e41534206671e8c3ea0c62f32291e808dc82cff17d" dependencies = [ "num-traits", ] +[[package]] +name = "num-conv" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9" + [[package]] name = "num-integer" version = "0.1.45" 
@@ -721,18 +1281,29 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0638a1c9d0a3c0914158145bc76cff373a75a627e6ecbfb71cbe6f453a5a19b0" dependencies = [ "autocfg", - "num-bigint 0.4.4", + "num-bigint 0.4.3", "num-integer", "num-traits", ] [[package]] name = "num-traits" -version = "0.2.17" +version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "39e3200413f237f41ab11ad6d161bc7239c84dcb631773ccd7de3dfe4b5c267c" +checksum = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd" dependencies = [ "autocfg", + "libm", +] + +[[package]] +name = "num_cpus" +version = "1.16.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4161fcb6d602d4d2081af7c3a45852d875a03dd337a6bfdd6e06407b61342a43" +dependencies = [ + "hermit-abi", + "libc", ] [[package]] @@ -746,9 +1317,35 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.19.0" +version = "1.17.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b7e5500299e16ebb147ae15a00a942af264cf3688f47923b8fc2cd5858f23ad3" + +[[package]] +name = "openssl" +version = "0.10.64" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" +checksum = "95a0481286a310808298130d22dd1fef0fa571e05a8f44ec801801e84b216b1f" +dependencies = [ + "bitflags 2.4.2", + "cfg-if", + "foreign-types", + "libc", + "once_cell", + "openssl-macros", + "openssl-sys", +] + +[[package]] +name = "openssl-macros" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] [[package]] name = "openssl-probe" 
@@ -758,9 +1355,9 @@ checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" [[package]] name = "openssl-sys" -version = "0.9.99" +version = "0.9.101" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22e1bf214306098e4832460f797824c05d25aacdf896f64a985fb0fd992454ae" +checksum = "dda2b0f344e78efc2facf7d195d098df0dd72151b26ab98da807afc26c198dff" dependencies = [ "cc", "libc", @@ -768,6 +1365,35 @@ dependencies = [ "vcpkg", ] +[[package]] +name = "option-ext" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d" + +[[package]] +name = "password-hash" +version = "0.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7676374caaee8a325c9e7a2ae557f216c5563a171d6997b0ef8a65af35147700" +dependencies = [ + "base64ct", + "rand_core 0.6.4", + "subtle", +] + +[[package]] +name = "pbkdf2" +version = "0.11.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "83a0692ec44e4cf1ef28ca317f14f8f07da2d95ec3fa01f86e4467b725e60917" +dependencies = [ + "digest", + "hmac", + "password-hash", + "sha2", +] + [[package]] name = "pearlite-syn" version = "0.2.0" 
@@ -781,25 +1407,49 @@ dependencies = [ [[package]] name = "percent-encoding" -version = "2.3.1" +version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e" +checksum = "478c572c3d73181ff3c2539045f6eb99e5491218eae919370993b890cdbdd98e" [[package]] name = "petgraph" -version = "0.6.4" +version = "0.6.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e1d3afd2628e69da2be385eb6f2fd57c8ac7977ceeff6dc166ff1657b0e386a9" +checksum = "4dd7d28ee937e54fe3080c91faa1c3a46c06de6252988a7f4592ba2310ef22a4" dependencies = [ "fixedbitset", - "indexmap 2.1.0", + "indexmap 1.9.3", ] +[[package]] +name = "pin-project-lite" +version = "0.2.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8afb450f006bf6385ca15ef45d71d2288452bc3683ce2e2cacc0d18e4be60b58" + +[[package]] +name = "pin-utils" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" + [[package]] name = "pkg-config" -version = "0.3.29" +version = "0.3.26" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6ac9a59f73473f1b8d852421e59e64809f025994837ef743615c6d0c5b305160" + +[[package]] +name = "powerfmt" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391" + +[[package]] +name = "ppv-lite86" +version = "0.2.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2900ede94e305130c13ddd391e0ab7cbaeb783945ae07a279c268cb05109c6cb" +checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de" [[package]] name = "predicates" 
@@ -808,7 +1458,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "59230a63c37f3e18569bdb90e4a89cbf5bf8b06fea0b84e65ea10cc4df47addd" dependencies = [ "difflib", - "itertools 0.10.5", + "itertools", "predicates-core", ] @@ -842,13 +1492,39 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.78" +version = "1.0.76" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e2422ad645d89c99f8f3e6b88a9fdeca7fabeac836b1002371c4367c8f984aae" +checksum = "95fc56cda0b5c3325f5fbbd7ff9fda9e02bb00bb3dac51252d2f1bfa1cb8cc8c" dependencies = [ "unicode-ident", ] +[[package]] +name = "proptest" +version = "1.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "31b476131c3c86cb68032fdc5cb6d5a1045e3e42d96b69fa599fd77701e1f5bf" +dependencies = [ + "bit-set", + "bit-vec", + "bitflags 2.4.2", + "lazy_static", + "num-traits", + "rand 0.8.5", + "rand_chacha", + "rand_xorshift", + "regex-syntax 0.8.2", + "rusty-fork", + "tempfile", + "unarray", +] + +[[package]] +name = "quick-error" +version = "1.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a1d01941d82fa2ab50be1e79e6714289dd7cde78eba4c074bc5a4374f650dfe0" + [[package]] name = "quote" version = "1.0.35" @@ -871,6 +1547,27 @@ dependencies = [ "winapi", ] +[[package]] +name = "rand" +version = "0.8.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" +dependencies = [ + "libc", + "rand_chacha", + "rand_core 0.6.4", +] + +[[package]] +name = "rand_chacha" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88" +dependencies = [ + "ppv-lite86", + "rand_core 0.6.4", +] + [[package]] name = "rand_core" version = "0.3.1" 
@@ -887,63 +1584,95 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9c33a3c44ca05fa6f1807d8e6743f3824e8509beca625669633be0acbdf509dc" [[package]] -name = "rdrand" -version = "0.4.0" +name = "rand_core" +version = "0.6.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "678054eb77286b51581ba43620cc911abf02758c91f93f479767aed0f90458b2" +checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c" dependencies = [ - "rand_core 0.3.1", + "getrandom", ] [[package]] -name = "ref-cast" -version = "1.0.22" +name = "rand_xorshift" +version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c4846d4c50d1721b1a3bef8af76924eef20d5e723647333798c1b519b3a9473f" +checksum = "d25bf25ec5ae4a3f1b92f929810509a2f53d7dca2f50b794ff57e3face536c8f" dependencies = [ - "ref-cast-impl", + "rand_core 0.6.4", ] [[package]] -name = "ref-cast-impl" -version = "1.0.22" +name = "rdrand" +version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5fddb4f8d99b0a2ebafc65a87a69a7b9875e4b1ae1f00db265d300ef7f28bccc" +checksum = "678054eb77286b51581ba43620cc911abf02758c91f93f479767aed0f90458b2" dependencies = [ - "proc-macro2", - "quote", - "syn", + "rand_core 0.3.1", ] [[package]] -name = "regex" -version = "1.10.3" +name = "redox_syscall" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b62dbe01f0b06f9d8dc7d49e05a0785f153b00b2c227856282f671e0318c9b15" +checksum = "4722d768eff46b75989dd134e5c353f0d6296e5aaa3132e776cbdb56be7731aa" dependencies = [ - "aho-corasick", - "memchr", - "regex-automata 0.4.5", - "regex-syntax", + "bitflags 1.3.2", ] [[package]] -name = "regex-automata" -version = "0.1.10" +name = "redox_users" +version = "0.4.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132" +checksum = 
"a18479200779601e498ada4e8c1e1f50e3ee19deb0259c25825a98b5603b2cb4" +dependencies = [ + "getrandom", + "libredox", + "thiserror", +] [[package]] -name = "regex-automata" -version = "0.4.5" +name = "ref-cast" +version = "1.0.16" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f43faa91b1c8b36841ee70e97188a869d37ae21759da6846d4be66de5bf7b12c" +dependencies = [ + "ref-cast-impl", +] + +[[package]] +name = "ref-cast-impl" +version = "1.0.16" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8d2275aab483050ab2a7364c1a46604865ee7d6906684e08db0f090acf74f9e7" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "regex" +version = "1.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5bb987efffd3c6d0d8f5f89510bb458559eab11e4f869acb20bf845e016259cd" +checksum = "af83e617f331cc6ae2da5443c602dfa5af81e517212d9d611a5b3ba1777b5370" dependencies = [ "aho-corasick", "memchr", - "regex-syntax", + "regex-syntax 0.7.1", ] +[[package]] +name = "regex-automata" +version = "0.1.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132" + +[[package]] +name = "regex-syntax" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a5996294f19bd3aae0453a862ad728f60e6600695733dd5df01da90c54363a3c" + [[package]] name = "regex-syntax" version = "0.8.2" 
@@ -959,11 +1688,51 @@ dependencies = [ "winapi", ] +[[package]] +name = "reqwest" +version = "0.11.24" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c6920094eb85afde5e4a138be3f2de8bbdf28000f0029e72c45025a56b042251" +dependencies = [ + "base64", + "bytes", + "encoding_rs", + "futures-core", + "futures-util", + "h2", + "http", + "http-body", + "hyper", + "hyper-tls", + "ipnet", + "js-sys", + "log", + "mime", + "native-tls", + "once_cell", + "percent-encoding", + "pin-project-lite", + "rustls-pemfile", + "serde", + "serde_json", + "serde_urlencoded", + "sync_wrapper", + "system-configuration", + "tokio", + "tokio-native-tls", + "tower-service", + "url", + "wasm-bindgen", + "wasm-bindgen-futures", + "web-sys", + "winreg", +] + [[package]] name = "roxmltree" -version = "0.18.1" +version = "0.18.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "862340e351ce1b271a378ec53f304a5558f7db87f3769dc655a8f6ecbb68b302" +checksum = "d8f595a457b6b8c6cda66a48503e92ee8d19342f905948f29c383200ec9eb1d8" dependencies = [ "xmlparser", ] 
@@ -974,11 +1743,91 @@ version = "0.1.23" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d626bb9dae77e28219937af045c257c28bfd3f69333c512553507f5f9798cb76" +[[package]] +name = "rustix" +version = "0.37.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8bbfc1d1c7c40c01715f47d71444744a81669ca84e8b63e25a55e169b1f86433" +dependencies = [ + "bitflags 1.3.2", + "errno", + "io-lifetimes", + "libc", + "linux-raw-sys 0.3.6", + "windows-sys 0.48.0", +] + +[[package]] +name = "rustix" +version = "0.38.31" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6ea3e1a662af26cd7a3ba09c0297a31af215563ecf42817c98df621387f4e949" +dependencies = [ + "bitflags 2.4.2", + "errno", + "libc", + "linux-raw-sys 0.4.13", + "windows-sys 0.52.0", +] + +[[package]] +name = "rustls-pemfile" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c" +dependencies = [ + "base64", +] + +[[package]] +name = "rusty-fork" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cb3dcc6e454c328bb824492db107ab7c0ae8fcffe4ad210136ef014458c1bc4f" +dependencies = [ + "fnv", + "quick-error", + "tempfile", + "wait-timeout", +] + [[package]] name = "ryu" -version = "1.0.16" +version = "1.0.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f91339c0467de62360649f8d3e185ca8de4224ff281f66000de5eb2a77a79041" + +[[package]] +name = "schannel" +version = "0.1.23" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fbc91545643bcf3a0bbb6569265615222618bdf33ce4ffbbd13c4bbd4c093534" +dependencies = [ + "windows-sys 0.52.0", +] + +[[package]] +name = "security-framework" +version = "2.9.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "05b64fb303737d99b81884b2c63433e9ae28abebe5eb5045dcdd175dc2ecf4de" 
+dependencies = [ + "bitflags 1.3.2", + "core-foundation", + "core-foundation-sys", + "libc", + "security-framework-sys", +] + +[[package]] +name = "security-framework-sys" +version = "2.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f98d2aa92eebf49b69786be48e4477826b256916e84a57ff2a4f21923b48eb4c" +checksum = "e932934257d3b408ed8f30db49d85ea163bfe74961f017f405b025af298f0c7a" +dependencies = [ + "core-foundation-sys", + "libc", +] [[package]] name = "serde" 
@@ -1011,17 +1860,64 @@ dependencies = [ "serde", ] +[[package]] +name = "serde_urlencoded" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d3491c14715ca2294c4d6a88f15e84739788c1d030eed8c110436aafdaa2f3fd" +dependencies = [ + "form_urlencoded", + "itoa", + "ryu", + "serde", +] + +[[package]] +name = "sha1" +version = "0.10.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba" +dependencies = [ + "cfg-if", + "cpufeatures", + "digest", +] + +[[package]] +name = "sha2" +version = "0.10.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8" +dependencies = [ + "cfg-if", + "cpufeatures", + "digest", +] + [[package]] name = "similar" -version = "2.4.0" +version = "2.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "420acb44afdae038210c99e69aae24109f32f15500aa708e81d46c9f29d55fcf" + +[[package]] +name = "slab" +version = "0.4.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "32fea41aca09ee824cc9724996433064c89f7777e60762749a4170a14abbfa21" +checksum = "8f92a496fb766b417c996b9c5e57daf2f7ad3b0bebe1ccfca4856390e3d3bb67" +dependencies = [ + "autocfg", +] [[package]] -name = "smallvec" -version = "1.13.1" +name = "socket2" +version = "0.5.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" +checksum = "05ffd9c0a93b7543e062e759284fcf5f5e3b098501104bfbdde4d404db792871" +dependencies = [ + "libc", + "windows-sys 0.52.0", +] [[package]] name = "strsim" 
@@ -1029,6 +1925,12 @@ version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623" +[[package]] +name = "subtle" +version = "2.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc" + [[package]] name = "syn" version = "2.0.48" 
@@ -1040,21 +1942,60 @@ dependencies = [ "unicode-ident", ] +[[package]] +name = "sync_wrapper" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2047c6ded9c721764247e62cd3b03c09ffc529b2ba5b10ec482ae507a4a70160" + +[[package]] +name = "system-configuration" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ba3a3adc5c275d719af8cb4272ea1c4a6d668a777f37e115f6d11ddbc1c8e0e7" +dependencies = [ + "bitflags 1.3.2", + "core-foundation", + "system-configuration-sys", +] + +[[package]] +name = "system-configuration-sys" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a75fb188eb626b924683e3b95e3a48e63551fcfb51949de2f06a9d91dbee93c9" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "tempdir" version = "0.3.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "15f2b5fb00ccdf689e0149d1b1b3c03fead81c2b37735d812fa8bddbbf41b6d8" dependencies = [ - "rand", + "rand 0.4.6", "remove_dir_all", ] +[[package]] +name = "tempfile" +version = "3.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a365e8cd18e44762ef95d87f284f4b5cd04107fec2ff3052bd6a3e6069669e67" +dependencies = [ + "cfg-if", + "fastrand", + "rustix 0.38.31", + "windows-sys 0.52.0", +] + [[package]] name = "termcolor" -version = "1.4.1" +version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "06794f8f6c5c898b3275aebefa6b8a1cb24cd2c6c79397ab15774837a0bc5755" +checksum = "be55cf8942feac5c765c2c993422806843c9a9a45d4d5c407ad6dd2ea95eb9b6" dependencies = [ "winapi-util", ] 
@@ -1065,6 +2006,45 @@ version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3369f5ac52d5eb6ab48c6b4ffdc8efbcad6b89c765749064ba298f2c68a16a76" +[[package]] +name = "thiserror" +version = "1.0.57" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1e45bcbe8ed29775f228095caf2cd67af7a4ccf756ebff23a306bf3e8b47b24b" +dependencies = [ + "thiserror-impl", +] + +[[package]] +name = "thiserror-impl" +version = "1.0.57" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a953cb265bef375dae3de6663da4d3804eee9682ea80d8e2542529b73c531c81" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "time" +version = "0.3.34" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c8248b6521bb14bc45b4067159b9b6ad792e2d6d754d6c41fb50e29fefe38749" +dependencies = [ + "deranged", + "num-conv", + "powerfmt", + "serde", + "time-core", +] + +[[package]] +name = "time-core" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3" + [[package]] name = "tinyvec" version = "1.6.0" 
@@ -1080,32 +2060,116 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" +[[package]] +name = "tokio" +version = "1.36.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "61285f6515fa018fb2d1e46eb21223fff441ee8db5d0f1435e8ab4f5cdb80931" +dependencies = [ + "backtrace", + "bytes", + "libc", + "mio", + "num_cpus", + "pin-project-lite", + "socket2", + "windows-sys 0.48.0", +] + +[[package]] +name = "tokio-native-tls" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2" +dependencies = [ + "native-tls", + "tokio", +] + +[[package]] +name = "tokio-util" +version = "0.7.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5419f34732d9eb6ee4c3578b7989078579b7f039cbbb9ca2c4da015749371e15" +dependencies = [ + "bytes", + "futures-core", + "futures-sink", + "pin-project-lite", + "tokio", + "tracing", +] + [[package]] name = "toml" version = "0.5.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f4f7f0dd8d50a853a531c426359045b1998f04219d88799810762cd4ad314234" dependencies = [ + "indexmap 1.9.3", "serde", ] +[[package]] +name = "tower-service" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6bc1c9ce2b5135ac7f93c72918fc37feb872bdc6a5533a8b85eb4b86bfdae52" + +[[package]] +name = "tracing" +version = "0.1.40" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c3523ab5a71916ccf420eebdf5521fcef02141234bbc0b8a49f2fdc4544364ef" +dependencies = [ + "pin-project-lite", + "tracing-core", +] + +[[package]] +name = "tracing-core" +version = "0.1.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c06d3da6113f116aaee68e4d601191614c9053067f9ab7f6edbcb161237daa54" 
+dependencies = [ + "once_cell", +] + +[[package]] +name = "try-lock" +version = "0.2.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b" + [[package]] name = "typed-arena" version = "2.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6af6ae20167a9ece4bcb41af5b80f8a1f1df981f6391189ce00fd257af04126a" +[[package]] +name = "typenum" +version = "1.17.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825" + +[[package]] +name = "unarray" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "eaea85b334db583fe3274d12b4cd1880032beab409c0d774be044d4480ab9a94" + [[package]] name = "unicode-bidi" -version = "0.3.15" +version = "0.3.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "08f95100a766bf4f8f28f90d77e0a5461bbdb219042e7679bebe79004fed8d75" +checksum = "92888ba5573ff080736b3648696b70cafad7d250551175acbaa4e0385b3e1460" [[package]] name = "unicode-ident" -version = "1.0.12" +version = "1.0.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" +checksum = "e5464a87b239f13a63a501f2701565754bae92d243d4bb7eb12f6d57d2269bf4" [[package]] name = "unicode-normalization" @@ -1124,9 +2188,9 @@ checksum = "1dd624098567895118886609431a7c3b8f516e41d30e0643f03d94592a147e36" [[package]] name = "url" -version = "2.5.0" +version = "2.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "31e6302e3bb753d46e83516cae55ae196fc0c309407cf11ab35cc51a4c2a4633" +checksum = "0d68c799ae75762b8c3fe375feb6600ef5602c883c5d21eb51c09f22b83c4643" dependencies = [ "form_urlencoded", "idna", 
@@ -1141,9 +2205,9 @@ checksum = "711b9620af191e0cdc7468a8d14e709c3dcdb115b36f838e601583af800a370a" [[package]] name = "uuid" -version = "1.7.0" +version = "1.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f00cc9702ca12d3c81455259621e676d0f7251cec66a21e98fe2e9a37db93b2a" +checksum = "4dad5567ad0cf5b760e5665964bec1b47dfd077ba8a2544b513f3556d3d239a2" dependencies = [ "getrandom", ] @@ -1154,6 +2218,12 @@ version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" +[[package]] +name = "version_check" +version = "0.9.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f" + [[package]] name = "wait-timeout" version = "0.2.0" 
@@ -1163,22 +2233,122 @@ dependencies = [ "libc", ] +[[package]] +name = "want" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bfa7760aed19e106de2c7c0b581b509f2f25d3dacaf737cb82ac61bc6d760b0e" +dependencies = [ + "try-lock", +] + [[package]] name = "wasi" version = "0.11.0+wasi-snapshot-preview1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" +[[package]] +name = "wasm-bindgen" +version = "0.2.92" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4be2531df63900aeb2bca0daaaddec08491ee64ceecbee5076636a3b026795a8" +dependencies = [ + "cfg-if", + "wasm-bindgen-macro", +] + +[[package]] +name = "wasm-bindgen-backend" +version = "0.2.92" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "614d787b966d3989fa7bb98a654e369c762374fd3213d212cfc0251257e747da" +dependencies = [ + "bumpalo", + "log", + "once_cell", + "proc-macro2", + "quote", + "syn", + "wasm-bindgen-shared", +] + +[[package]] +name = "wasm-bindgen-futures" +version = "0.4.42" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "76bc14366121efc8dbb487ab05bcc9d346b3b5ec0eaa76e46594cabbe51762c0" +dependencies = [ + "cfg-if", + "js-sys", + "wasm-bindgen", + "web-sys", +] + +[[package]] +name = "wasm-bindgen-macro" +version = "0.2.92" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a1f8823de937b71b9460c0c34e25f3da88250760bec0ebac694b49997550d726" +dependencies = [ + "quote", + "wasm-bindgen-macro-support", +] + +[[package]] +name = "wasm-bindgen-macro-support" +version = "0.2.92" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e94f17b526d0a461a191c78ea52bbce64071ed5c04c9ffe424dcb38f74171bb7" +dependencies = [ + "proc-macro2", + "quote", + "syn", + "wasm-bindgen-backend", + "wasm-bindgen-shared", +] + +[[package]] +name = 
"wasm-bindgen-shared" +version = "0.2.92" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "af190c94f2773fdb3729c55b007a722abb5384da03bc0986df4c289bf5567e96" + +[[package]] +name = "web-sys" +version = "0.3.69" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "77afa9a11836342370f4817622a2f0f418b134426d91a82dfb48f532d2ec13ef" +dependencies = [ + "js-sys", + "wasm-bindgen", +] + +[[package]] +name = "which" +version = "6.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7fa5e0c10bf77f44aac573e498d1a82d5fbd5e91f6fc0a99e7be4b38e85e101c" +dependencies = [ + "either", + "home", + "once_cell", + "rustix 0.38.31", + "windows-sys 0.52.0", +] + [[package]] name = "why3" version = "0.2.0" dependencies = [ "indexmap 1.9.3", - "itertools 0.12.0", + "itertools", "num", "pretty", + "proptest", "serde", "serde_json", + "tempfile", ] [[package]] @@ -1187,6 +2357,7 @@ version = "0.1.0" dependencies = [ "assert_cmd", "clap", + "creusot-dev-config", "git2", "glob", "roxmltree", @@ -1211,9 +2382,9 @@ checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" [[package]] name = "winapi-util" -version = "0.1.6" +version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f29e6f9198ba0d26b4c9f07dbe6f9ed633e1f3d5b8b414090084349e46a52596" +checksum = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178" dependencies = [ "winapi", ] 
@@ -1224,13 +2395,52 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" +[[package]] +name = "windows-sys" +version = "0.42.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5a3e1820f08b8513f676f7ab6c1f99ff312fb97b553d30ff4dd86f9f15728aa7" +dependencies = [ + "windows_aarch64_gnullvm 0.42.2", + "windows_aarch64_msvc 0.42.2", + "windows_i686_gnu 0.42.2", + "windows_i686_msvc 0.42.2", + "windows_x86_64_gnu 0.42.2", + "windows_x86_64_gnullvm 0.42.2", + "windows_x86_64_msvc 0.42.2", +] + +[[package]] +name = "windows-sys" +version = "0.48.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9" +dependencies = [ + "windows-targets 0.48.0", +] + [[package]] name = "windows-sys" version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" dependencies = [ - "windows-targets", + "windows-targets 0.52.0", +] + +[[package]] +name = "windows-targets" +version = "0.48.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7b1eb6f0cd7c80c79759c929114ef071b87354ce476d9d94271031c0497adfd5" +dependencies = [ + "windows_aarch64_gnullvm 0.48.0", + "windows_aarch64_msvc 0.48.0", + "windows_i686_gnu 0.48.0", + "windows_i686_msvc 0.48.0", + "windows_x86_64_gnu 0.48.0", + "windows_x86_64_gnullvm 0.48.0", + "windows_x86_64_msvc 0.48.0", ] [[package]] 
@@ -1239,62 +2449,156 @@ version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8a18201040b24831fbb9e4eb208f8892e1f50a37feb53cc7ff887feb8f50e7cd" dependencies = [ - "windows_aarch64_gnullvm", - "windows_aarch64_msvc", - "windows_i686_gnu", - "windows_i686_msvc", - "windows_x86_64_gnu", - "windows_x86_64_gnullvm", - "windows_x86_64_msvc", + "windows_aarch64_gnullvm 0.52.0", + "windows_aarch64_msvc 0.52.0", + "windows_i686_gnu 0.52.0", + "windows_i686_msvc 0.52.0", + "windows_x86_64_gnu 0.52.0", + "windows_x86_64_gnullvm 0.52.0", + "windows_x86_64_msvc 0.52.0", ] +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8" + +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.48.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "91ae572e1b79dba883e0d315474df7305d12f569b400fcf90581b06062f7e1bc" + [[package]] name = "windows_aarch64_gnullvm" version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cb7764e35d4db8a7921e09562a0304bf2f93e0a51bfccee0bd0bb0b666b015ea" +[[package]] +name = "windows_aarch64_msvc" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43" + +[[package]] +name = "windows_aarch64_msvc" +version = "0.48.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b2ef27e0d7bdfcfc7b868b317c1d32c641a6fe4629c171b8928c7b08d98d7cf3" + [[package]] name = "windows_aarch64_msvc" version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bbaa0368d4f1d2aaefc55b6fcfee13f41544ddf36801e793edbbfd7d7df075ef" +[[package]] +name = "windows_i686_gnu" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" 
+checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f" + +[[package]] +name = "windows_i686_gnu" +version = "0.48.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "622a1962a7db830d6fd0a69683c80a18fda201879f0f447f065a3b7467daa241" + [[package]] name = "windows_i686_gnu" version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a28637cb1fa3560a16915793afb20081aba2c92ee8af57b4d5f28e4b3e7df313" +[[package]] +name = "windows_i686_msvc" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060" + +[[package]] +name = "windows_i686_msvc" +version = "0.48.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4542c6e364ce21bf45d69fdd2a8e455fa38d316158cfd43b3ac1c5b1b19f8e00" + [[package]] name = "windows_i686_msvc" version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ffe5e8e31046ce6230cc7215707b816e339ff4d4d67c65dffa206fd0f7aa7b9a" +[[package]] +name = "windows_x86_64_gnu" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36" + +[[package]] +name = "windows_x86_64_gnu" +version = "0.48.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ca2b8a661f7628cbd23440e50b05d705db3686f894fc9580820623656af974b1" + [[package]] name = "windows_x86_64_gnu" version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3d6fa32db2bc4a2f5abeacf2b69f7992cd09dca97498da74a151a3132c26befd" +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3" + +[[package]] +name = "windows_x86_64_gnullvm" +version = 
"0.48.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7896dbc1f41e08872e9d5e8f8baa8fdd2677f29468c4e156210174edc7f7b953" + [[package]] name = "windows_x86_64_gnullvm" version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1a657e1e9d3f514745a572a6846d3c7aa7dbe1658c056ed9c3344c4109a6949e" +[[package]] +name = "windows_x86_64_msvc" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0" + +[[package]] +name = "windows_x86_64_msvc" +version = "0.48.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1a515f5799fe4961cb532f983ce2b23082366b898e52ffbce459c86f67c8378a" + [[package]] name = "windows_x86_64_msvc" version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dff9641d1cd4be8d1a070daf9e3773c5f67e78b4d9d42263020c057706765c04" +[[package]] +name = "winreg" +version = "0.50.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "524e57b2c537c0f9b1e69f1965311ec12182b4122e45035b1508cd24d2adadb1" +dependencies = [ + "cfg-if", + "windows-sys 0.48.0", +] + [[package]] name = "xmlparser" -version = "0.13.6" +version = "0.13.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "66fee0b777b0f5ac1c69bb06d361268faafa61cd4682ae064a171c16c433e9e4" +checksum = "4d25c75bf9ea12c4040a97f829154768bbbce366287e2dc044af160cd79a13fd" [[package]] name = "yaml-rust" 
@@ -1304,3 +2608,52 @@ checksum = "56c1936c4cc7a1c9ab21a1ebb602eb942ba868cbd44a99cb7cdc5892335e1c85" dependencies = [ "linked-hash-map", ] + +[[package]] +name = "zip" +version = "0.6.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "760394e246e4c28189f19d488c058bf16f564016aefac5d32bb1f3b51d5e9261" +dependencies = [ + "aes", + "byteorder", + "bzip2", + "constant_time_eq", + "crc32fast", + "crossbeam-utils", + "flate2", + "hmac", + "pbkdf2", + "sha1", + "time", + "zstd", +] + +[[package]] +name = "zstd" +version = "0.11.2+zstd.1.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "20cc960326ece64f010d2d2107537f26dc589a6573a316bd5b1dba685fa5fde4" +dependencies = [ + "zstd-safe", +] + +[[package]] +name = "zstd-safe" +version = "5.0.2+zstd.1.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1d2a5585e04f9eea4b2a3d1eca508c4dee9592a89ef6f450c11719da0726f4db" +dependencies = [ + "libc", + "zstd-sys", +] + +[[package]] +name = "zstd-sys" +version = "2.0.9+zstd.1.5.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9e16efa8a874a0481a574084d34cc26fdb3b99627480f785888deb6386506656" +dependencies = [ + "cc", + "pkg-config", +] diff --git a/HACKING.md b/HACKING.md new file mode 100644 index 0000000000..31a0eaa18a --- /dev/null +++ b/HACKING.md 
@@ -0,0 +1,73 @@ +# Hacking on Creusot: developer workflow + +This is a work-in-progress document describing the developer workflow for +working on the Creusot codebase. + +## Setup + +On top of the usual Rust/Cargo workflow, the "Creusot developer setup" requires +a working Why3 in order to run the testsuite and update tests proofs. You have +two choices: + +- **By default** the testsuite will use the global Creusot configuration managed + by `cargo creusot setup`. You first need to have successfully run `cargo + creusot setup install` (or `cargo creusot setup install-external`). +- **Alternatively** you can set a custom "developer" Creusot configuration in + `.creusot-config/` at the root of the git repo. Start by running `cp -r + .creusot-config.sample .creusot-config`. This will tell the testsuite to use + whichever `why3` binary is in the PATH, but you can also tweak + `.creusot-config/Config.toml` to point to a specific binary. + +The first option is recommended if you simply want a working setup to run the +testsuite. + +The second option is useful if you need to try custom versions of Why3 or the +solvers. + +Notes: +- to avoid first installing the `cargo-creusot` binary before running `cargo + creusot setup`, one can directly call it from the git repository: `cargo run + --bin cargo-creusot creusot setup` +- the format of the `.creusot-config/` directory is simply the same as + `~/.config/creusot`, which is where `cargo creusot setup` writes its + configuration. + +## Running the testsuite + +- Test the output of creusot (mlcfg files) against reference files: +``` +cargo test --test ui +``` + +Then, to update an out-of-date reference file: +``` +cargo test --test ui -- "optional-string" --bless +``` + +- Replay proofs: +``` +cargo test --test why3 +``` + +Additional useful parameters, to avoid replaying *every* proof in development: +- `--diff-from=GIT_REF` +- `--replay=` + +## Inspecting/fixing the proof of a test + +If the proof of a test is broken (e.g. 
+`creusot/tests/should_succeed/cell/01.rs`), launch the why3 ide with `./ide`: +``` +./ide creusot/tests/should_succeed/cell/01 +``` + +## Calling why3 + +To invoke why3 robustly (manually or in scripts), we provide a wrapper that will +lookup the why3 path and config according to the logic described in **Setup** +above. + +To invoke why3 this way, run: +``` +cargo run --bin dev-why3 -- +``` diff --git a/README.md b/README.md index 91ff22aa29..89aa94c1ca 100644 --- a/README.md +++ b/README.md 
@@ -33,25 +33,43 @@ More examples are found in [creusot/tests/should_succeed](creusot/tests/should_s # Installing Creusot as a user -. Set up **Rust** +1. Set up **Rust** - [Install `rustup`](https://www.rust-lang.org/tools/install), to get the suitable Rust toolchain -1. Set up **Why3** +2. Set up **Why3** and **Alt-Ergo** - [Get `opam`](https://opam.ocaml.org/doc/Install.html), the package manager for OCaml - - Pin `why3` to `master` : + - Create an opam switch with OCaml 4.14.1: ``` - $ opam pin add why3 https://gitlab.inria.fr/why3/why3.git - $ opam pin add why3-ide https://gitlab.inria.fr/why3/why3.git + $ opam switch create creusot ocaml.4.14.1 + $ eval $(opam env --switch=creusot) ``` - - Install `why3` and `why3-ide`: `$ opam install lablgtk3 lablgtk3-sourceview3 ocamlgraph why3 why3-ide` - - Get some SMT solvers: [Z3](https://github.com/Z3Prover/z3) (available by `brew`, `apt`, etc.), [CVC4](https://cvc4.github.io/) (`brew`, `apt`, etc.), [Alt-Ergo](https://alt-ergo.ocamlpro.com/) (`opam`, `apt`, etc.) - - Configure Why3: `$ why3 config detect` - * Troubleshoot: - When your `z3` is a bit too new (e.g., Why3 supports up to ver. 4.8.10 but yours is 4.8.12), Why3 refuses `z3`. - Then you can try hacking Why3 to make it consider your `z3` be of an older version (e.g., 4.8.10), by updating the relevant field of `~/.why3.conf`. -2. Clone the [creusot](https://github.com/xldenis/creusot/) repo at any directory you like -3. Build **Creusot** - - Enter the cloned directory and run `$ cargo install --path cargo-creusot`, and `$ cargo install --path creusot-rustc` this will build the `cargo-creusot` and `creusot-rustc` executables and place them in `~/.cargo/bin`. + - Pin `why3` to `master` and install it: + ``` + $ opam pin -n why3 --dev-repo + $ opam pin -n why3-ide --dev-repo + $ opam install zarith ocamlgraph camlzip why3 why3-ide + ``` + - Pin `alt-ergo` to version 2.4.3 and install it: + ``` + $ opam pin alt-ergo 2.4.3 + ``` +3. 
Clone the [creusot](https://github.com/xldenis/creusot/) repo at any directory you like +4. Build **Creusot** + - Enter the cloned directory and run: + ``` + $ cargo install --path creusot-rustc + $ cargo install --path cargo-creusot + ``` + this will build the `cargo-creusot` and `creusot-rustc` executables and place them in `~/.cargo/bin`. +5. Set up **Creusot** + ``` + $ cargo creusot setup install + ``` + This will download additional solvers (Z3, CVC4, CVC5) and configure Why3 to use them. + +# Hacking on Creusot +See [HACKING.md](HACKING.md) for information on the developer workflow for +hacking on the Creusot codebase. # Verifying with Creusot and Why3 
@@ -152,15 +170,14 @@ Contracts and logic functions are written in Pearlite, a specification language - Logical Expressions: quantifiers (`forall` and `exists`), logical implication `==>`, *logical* equality `a == b`, labels - Rust specific logical expressions: access to the **final** value of a mutable reference `^`, access to the *model* of an object `@` -We also provide three new attributes on Rust functions: `ghost`, `logic` and `predicate`. - -A ghost function is marked with `#[ghost]`. It can be used in ghost code, to assign ghost -variables of the `Ghost` type. +We also provide two new attributes on Rust functions: `logic` and `predicate`. Marked `#[logic]` or `#[predicate]`, a function can be used in specs and other logical conditions (`requires`/`ensures` and `invariant`). They can use ghost functions. The two attributes have the following difference. - A `logic` function can freely have logical, non-executable operations, such as quantifiers, logic equalities, etc. Instead, this function can't be called in normal Rust code (the function body of a `logic` function is replaced with a panic). You can use pearlite syntax for any part in the logic function by marking that part with the `pearlite! { ... }` macro. + + If you need to use the prophecy operator `^` on a mutable reference, you need to mark the function `#[logic(prophetic)]`. - A `predicate` is a logical function which returns a proposition (in practice, returns a boolean value). When you write *recursive* `ghost`, `logic` or `predicate` functions, you have to show that the function terminates. diff --git a/cargo-creusot/Cargo.toml b/cargo-creusot/Cargo.toml index ef6e1a25e4..63ba85f38c 100644 --- a/cargo-creusot/Cargo.toml +++ b/cargo-creusot/Cargo.toml 
@@ -7,7 +7,9 @@ edition = "2021" [dependencies] serde_json = { version = "1.0" } -toml = "0.5.8" +toml = { version = "0.5.8" } env_logger = "*" serde = { version = "1.0", features = ["derive"] } creusot-args = {path = "../creusot-args"} +creusot-setup = {path = "../creusot-setup"} +anyhow = "1.0" diff --git a/cargo-creusot/src/main.rs b/cargo-creusot/src/main.rs index bdfaa07712..d28c94e874 100644 --- a/cargo-creusot/src/main.rs +++ b/cargo-creusot/src/main.rs 
@@ -1,12 +1,50 @@ -use creusot_args::options::Args; +use creusot_args::options::*; +use creusot_setup as setup; use std::{ env, process::{exit, Command}, }; -fn main() { - let args = Args::parse_from(std::env::args().skip(1)); +enum Subcommand { + // subcommand to pass on to creusot-rustc + Creusot(Option), + // subcommand to handle in cargo-creusot + Setup(SetupSubCommand), +} +use Subcommand::*; + +fn main() -> anyhow::Result<()> { + let cargs = CargoCreusotArgs::parse_from(std::env::args().skip(1)); + + let subcommand = match cargs.subcommand { + None => Creusot(None), + Some(CargoCreusotSubCommand::Creusot(cmd)) => Creusot(Some(cmd)), + Some(CargoCreusotSubCommand::Setup { command }) => Setup(command), + }; + + match subcommand { + Creusot(subcmd) => { + let config_args = setup::status_for_creusot(&cargs.config_dir)?; + let creusot_args = CreusotArgs { + options: cargs.options, + why3_path: config_args.why3_path, + why3_config_file: config_args.why3_config, + subcommand: subcmd, + rust_flags: cargs.rust_flags, + }; + Ok(invoke_cargo(&creusot_args)) + } + Setup(SetupSubCommand::Status) => setup::status(&cargs.config_dir), + Setup(SetupSubCommand::Install) => { + setup::install(&cargs.config_dir, setup::InstallMode::Managed) + } + Setup(SetupSubCommand::InstallExternal { no_resolve_paths }) => { + setup::install(&cargs.config_dir, setup::InstallMode::External { no_resolve_paths }) + } + } +} +fn invoke_cargo(args: &CreusotArgs) { let creusot_rustc_path = std::env::current_exe() .expect("current executable path invalid") .with_file_name("creusot-rustc"); 
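Review bot: The cargo path sidesteps the new `anyhow::Result` return: `Ok(invoke_cargo(&creusot_args))` wraps a `()` from a function that, judging by the next hunk (`.expect("could not run cargo")`, `if !exit_status.success() {` with `exit` imported), reports failure by panicking or exiting, so only the `setup` subcommands actually surface errors through `main`'s `Result`. Consider having `invoke_cargo` return `anyhow::Result<()>` (or `std::process::ExitCode`) and propagating it with `?`, so both subcommand families fail the same way. The `Subcommand` enum documents its variants with plain `//` where `///` would make them rustdoc. `invoke_cargo` itself has no doc; suggested: `/// Runs `cargo` with `creusot-rustc` installed as `RUSTC_WRAPPER`, forwarding `args` through the `CREUSOT_ARGS` environment variable.`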
@@ -18,11 +56,11 @@ fn main() { let mut cmd = Command::new(cargo_path); cmd.arg(format!("+{toolchain}")) .arg(&cargo_cmd) - .args(args.rust_flags) + .args(args.rust_flags.clone()) .env("RUSTC_WRAPPER", creusot_rustc_path) .env("CARGO_CREUSOT", "1"); - cmd.env("CREUSOT_ARGS", serde_json::to_string(&args.creusot).unwrap()); + cmd.env("CREUSOT_ARGS", serde_json::to_string(&args).unwrap()); let exit_status = cmd.status().expect("could not run cargo"); if !exit_status.success() { diff --git a/ci/rust-toolchain b/ci/rust-toolchain index a49a9c7e7b..8ec00e1cb2 100644 --- a/ci/rust-toolchain +++ b/ci/rust-toolchain @@ -1,3 +1,3 @@ [toolchain] -channel = "nightly-2023-10-20" +channel = "nightly-2024-01-31" components = [ "rustfmt", "rustc-dev", "llvm-tools" ] diff --git a/creusot-args/src/options.rs b/creusot-args/src/options.rs index 6fbe839da1..00a0d1f5fc 100644 --- a/creusot-args/src/options.rs +++ b/creusot-args/src/options.rs 
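Review bot: `serde_json::to_string(&args).unwrap()` now serializes `CreusotArgs` as a whole, which after the options.rs hunks includes `why3_path: PathBuf` and `why3_config_file: Option<PathBuf>`; serde's `Path` serializer returns an error for a non-UTF-8 path, so a config entry pointing at such a path turns this `unwrap()` into a panic instead of a message. Either state the invariant, `.expect("CREUSOT_ARGS: why3 paths must be valid UTF-8")`, or hand the error back to `main` now that it returns `anyhow::Result`. Separately, `.args(args.rust_flags.clone())` copies every flag for no reason: `Command::args` accepts any iterator of `AsRef<OsStr>`, so `.args(&args.rust_flags)` works on the borrowed vector.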
@@ -1,15 +1,20 @@ use clap::*; use serde::{Deserialize, Serialize}; -use std::{error::Error, ffi::OsString}; +use std::{error::Error, ffi::OsString, path::PathBuf}; #[derive(Parser, Serialize, Deserialize)] -pub struct CreusotArgs { +pub struct CommonOptions { /// Determines how to format the spans in generated code to loading in Why3. /// [Relative] is better if the generated code is meant to be checked into VCS. /// [Absolute] means the files can easily be moved around your system and still work. /// [None] provides the clearest diffs. #[clap(long, value_enum, default_value_t=SpanMode::Relative)] pub span_mode: SpanMode, + #[clap(long, default_value_os_t = get_default_root_path_relative_from_output())] + /// Relative path of the root of the Rust project relative to the output files + /// of Creusot. This is used when producing [Relative] spans, to know the location + /// of Rust files corresponding to the generated Why3 files. + pub root_path_relative_from_output: PathBuf, #[clap(long)] /// Only generate proofs for items matching the provided string. The string is treated /// as a Rust qualified path. 
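Review bot: The new `root_path_relative_from_output` field places its `#[clap(long, default_value_os_t = ...)]` attribute above the `///` doc comment, whereas `span_mode` directly above it (and the other fields in this struct) put the doc first; clap picks the help text up either way, but the reversed order reads as if the attribute belonged to the previous field. Move the attribute line below the three doc lines. The doc could also state the default, e.g. `/// Defaults to `../..`, i.e. the project root as seen from `target/debug/`.`, which is what `get_default_root_path_relative_from_output` returns in a later hunk.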
@@ -29,15 +34,25 @@ pub struct CreusotArgs { /// Specify locations of metadata for external crates. The format is the same as rustc's `--extern` flag. #[clap(long = "creusot-extern", value_parser= parse_key_val::, required=false)] pub extern_paths: Vec<(String, String)>, - /// Check the installed why3 version. - #[clap(long, default_value_t = true, action = clap::ArgAction::Set)] - pub check_why3: bool, /// Use `result` as the trigger of definition and specification axioms of logic/ghost/predicate functions #[clap(long, default_value_t = false, action = clap::ArgAction::Set)] pub simple_triggers: bool, - /// Run why3 +} + +#[derive(Parser, Serialize, Deserialize)] +pub struct CreusotArgs { + #[clap(flatten)] + pub options: CommonOptions, + /// Path to the Why3 binary + #[arg(long, default_value_os_t = PathBuf::from("why3"))] + pub why3_path: PathBuf, + /// Specify an alternative location for Why3's configuration + #[arg(long)] + pub why3_config_file: Option, #[command(subcommand)] pub subcommand: Option, + #[clap(last = true)] + pub rust_flags: Vec, } #[derive(Subcommand, Serialize, Deserialize)] @@ -54,6 +69,32 @@ pub enum CreusotSubCommand { }, } +#[derive(Parser)] +pub struct CargoCreusotArgs { + #[clap(flatten)] + pub options: CommonOptions, + /// Custom path for Creusot's config directory (managed by 'cargo creusot setup') + #[arg(long)] + pub config_dir: Option, + /// Subcommand: why3, setup + #[command(subcommand)] + pub subcommand: Option, + #[clap(last = true)] + pub rust_flags: Vec, +} + +#[derive(Subcommand)] +pub enum CargoCreusotSubCommand { + /// Setup and manage Creusot's installation + #[command(arg_required_else_help(true))] + Setup { + #[command(subcommand)] + command: SetupSubCommand, + }, + #[command(flatten)] + Creusot(CreusotSubCommand), +} + #[derive(ValueEnum, Serialize, Deserialize, Clone)] pub enum Why3SubCommand { Prove, 
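Review bot: `CommonOptions`, `CreusotArgs` and `CargoCreusotArgs` are three public, closely related structs with no type-level doc explaining how they relate, which matters because `CreusotArgs` is what `cargo-creusot` serializes into the `CREUSOT_ARGS` environment variable (see the main.rs hunks). Suggested: `/// Options shared by `cargo creusot` and `creusot-rustc`.` on `CommonOptions`; `/// Full argument set of `creusot-rustc`; built by `cargo-creusot` and passed through the `CREUSOT_ARGS` environment variable.` on `CreusotArgs`; and `/// Command line of `cargo creusot`; the why3 location is taken from the setup config rather than from flags.` on `CargoCreusotArgs`. The `why3_path` help text might also say that the default `why3` is resolved through `PATH` at each invocation, which is the behaviour the `--no-resolve-paths` help in the next hunk describes.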
@@ -61,6 +102,28 @@ pub enum Why3SubCommand { Replay, } +#[derive(Parser, Clone)] +pub enum SetupSubCommand { + /// Show the current status of the Creusot installation + Status, + /// Setup Creusot or update an existing installation + Install, + /// Setup Creusot but use external tools configured manually (not recommended, for experts) + InstallExternal { + /// Do not lookup and resolve paths to the external binaries (they will + /// instead be looked up in PATH at each Creusot invocation) + #[arg(long, default_value_t = false)] + no_resolve_paths: bool, + }, +} + +/// Default relative path of the root project wrt the output. +/// This corresponds to the default scenario where the user invokes "cargo creusot" +/// which writes its output in target/debug/ +fn get_default_root_path_relative_from_output() -> PathBuf { + ["..", ".."].iter().collect() +} + /// Parse a single key-value pair fn parse_key_val(s: &str) -> Result<(T, U), Box> where @@ -73,17 +136,9 @@ where Ok((s[..pos].parse()?, s[pos + 1..].parse()?)) } -#[derive(Parser)] -pub struct Args { - #[clap(flatten)] - pub creusot: CreusotArgs, - #[clap(last = true)] - pub rust_flags: Vec, -} - -impl Args { +impl CreusotArgs { fn move_rust_flags(&mut self) { - let rust_flags = match &mut self.creusot.subcommand { + let rust_flags = match &mut self.subcommand { None => return, Some(CreusotSubCommand::Why3 { rust_flags, .. }) => rust_flags, }; 
@@ -99,6 +154,26 @@ impl Args { } } +impl CargoCreusotArgs { + fn move_rust_flags(&mut self) { + let rust_flags = match &mut self.subcommand { + Some(CargoCreusotSubCommand::Creusot(CreusotSubCommand::Why3 { + rust_flags, .. + })) => rust_flags, + _ => return, + }; + let rust_flags = std::mem::take(rust_flags); + assert!(self.rust_flags.is_empty()); + self.rust_flags = rust_flags + } + + pub fn parse_from + Clone>(it: impl IntoIterator) -> Self { + let mut res: Self = Parser::parse_from(it); + res.move_rust_flags(); + res + } +} + #[derive(clap::ValueEnum, Clone, Deserialize, Serialize)] pub enum SpanMode { Relative, diff --git a/creusot-contracts-dummy/src/lib.rs b/creusot-contracts-dummy/src/lib.rs index b6a88d352b..420da6add2 100644 --- a/creusot-contracts-dummy/src/lib.rs +++ b/creusot-contracts-dummy/src/lib.rs @@ -28,8 +28,9 @@ pub fn proof_assert(_: TS1) -> TS1 { } #[proc_macro] -pub fn gh(_: TS1) -> TS1 { - quote::quote! { creusot_contracts::ghost::Ghost::from_fn(|| std::process::abort()) }.into() +pub fn snapshot(_: TS1) -> TS1 { + quote::quote! { creusot_contracts::snapshot::Snapshot::from_fn(|| std::process::abort()) } + .into() } #[proc_macro_attribute] @@ -42,11 +43,6 @@ pub fn pearlite(_: TS1) -> TS1 { TS1::new() } -#[proc_macro_attribute] -pub fn ghost(_: TS1, _: TS1) -> TS1 { - TS1::new() -} - #[proc_macro_attribute] pub fn predicate(_: TS1, _: TS1) -> TS1 { TS1::new() diff --git a/creusot-contracts-proc/src/derive/deep_model.rs b/creusot-contracts-proc/src/derive/deep_model.rs index 6dd6807924..7171b82fd9 100644 --- a/creusot-contracts-proc/src/derive/deep_model.rs +++ b/creusot-contracts-proc/src/derive/deep_model.rs @@ -47,7 +47,7 @@ pub fn derive_deep_model(input: proc_macro::TokenStream) -> proc_macro::TokenStr impl #impl_generics ::creusot_contracts::DeepModel for #name #ty_generics #where_clause { type DeepModelTy = #deep_model_ty_name #ty_generics; - #[ghost] + #[logic] #open fn deep_model(self) -> Self::DeepModelTy { #eq 
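Review bot: `assert!(self.rust_flags.is_empty())` in `CargoCreusotArgs::move_rust_flags` turns a command line that supplies rust flags both inside the `why3` subcommand and after the top-level `--` into a panic with a backtrace rather than a usage error; both inputs are user-controlled, so report it as an argument conflict, e.g. `if !self.rust_flags.is_empty() { clap::Error::raw(clap::error::ErrorKind::ArgumentConflict, "rust flags given both to the why3 subcommand and after `--`").exit(); }`. The body is also a near copy of `CreusotArgs::move_rust_flags` in the previous hunk, differing only in the subcommand pattern; a small private helper that receives the two `rust_flags` vectors would keep the check in one place. `parse_from` has no doc; suggested: `/// Like `Parser::parse_from`, but moves rust flags given to the `why3` subcommand up to the top level.`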
diff --git a/creusot-contracts-proc/src/derive/resolve.rs b/creusot-contracts-proc/src/derive/resolve.rs index 1b081e2daf..3888b8ebc6 100644 --- a/creusot-contracts-proc/src/derive/resolve.rs +++ b/creusot-contracts-proc/src/derive/resolve.rs @@ -14,7 +14,7 @@ pub fn derive_resolve(input: proc_macro::TokenStream) -> proc_macro::TokenStream let expanded = quote! { #[::creusot_contracts::trusted] impl #impl_generics ::creusot_contracts::Resolve for #name #ty_generics #where_clause { - #[::creusot_contracts::predicate] + #[::creusot_contracts::predicate(prophetic)] #[::creusot_contracts::open] fn resolve(self) -> bool { use ::creusot_contracts::Resolve; diff --git a/creusot-contracts-proc/src/invariant.rs b/creusot-contracts-proc/src/invariant.rs index bce8c2bcb3..dd09700161 100644 --- a/creusot-contracts-proc/src/invariant.rs +++ b/creusot-contracts-proc/src/invariant.rs @@ -144,8 +144,8 @@ fn desugar_for(mut invariants: Vec, f: ExprForLoop) -> TokenStream { quote! { { let mut #it = ::std::iter::IntoIterator::into_iter(#iter); - let #iter_old = gh! { #it }; - let mut #produced = gh! { ::creusot_contracts::logic::Seq::EMPTY }; + let #iter_old = snapshot! { #it }; + let mut #produced = snapshot! { ::creusot_contracts::logic::Seq::EMPTY }; #(#invariants;)* #(#outer)* #lbl @@ -153,7 +153,7 @@ fn desugar_for(mut invariants: Vec, f: ExprForLoop) -> TokenStream { #(#inner)* match ::std::iter::Iterator::next(&mut #it) { Some(#elem) => { - #produced = gh! { #produced.inner().concat(::creusot_contracts::logic::Seq::singleton(#elem)) }; + #produced = snapshot! { #produced.inner().concat(::creusot_contracts::logic::Seq::singleton(#elem)) }; let #pat = #elem; #body }, diff --git a/creusot-contracts-proc/src/lib.rs b/creusot-contracts-proc/src/lib.rs index df45d50c35..42801cdcde 100644 --- a/creusot-contracts-proc/src/lib.rs +++ b/creusot-contracts-proc/src/lib.rs 
@@ -415,17 +415,17 @@ pub fn proof_assert(assertion: TS1) -> TS1 { } #[proc_macro] -pub fn gh(assertion: TS1) -> TS1 { +pub fn snapshot(assertion: TS1) -> TS1 { let assert = parse_macro_input!(assertion as Assertion); let assert_body = pretyping::encode_block(&assert.0).unwrap(); TS1::from(quote! { { - ::creusot_contracts::__stubs::ghost_from_fn( + ::creusot_contracts::__stubs::snapshot_from_fn( #[creusot::no_translate] #[creusot::spec] - #[creusot::spec::ghost] - || { ::creusot_contracts::ghost::Ghost::new (#assert_body) } + #[creusot::spec::snapshot] + || { ::creusot_contracts::snapshot::Snapshot::new (#assert_body) } ) } }) 
@@ -477,59 +477,35 @@ impl Parse for LogicInput { } #[proc_macro_attribute] -pub fn ghost(_: TS1, tokens: TS1) -> TS1 { - let log = parse_macro_input!(tokens as LogicInput); - match log { - LogicInput::Item(log) => ghost_item(log), - LogicInput::Sig(sig) => ghost_sig(sig), - } -} - -fn ghost_sig(sig: TraitItemSignature) -> TS1 { - let span = sig.span(); - TS1::from(quote_spanned! {span=> - #[creusot::decl::ghost] - #sig - }) -} - -fn ghost_item(log: LogicItem) -> TS1 { - let span = log.sig.span(); - - let term = log.body; - let vis = log.vis; - let def = log.defaultness; - let sig = log.sig; - let attrs = log.attrs; - let req_body = pretyping::encode_block(&term.stmts).unwrap(); - - TS1::from(quote_spanned! {span=> - #[creusot::decl::ghost] - #(#attrs)* - #vis #def #sig { - #req_body +pub fn logic(prophetic: TS1, tokens: TS1) -> TS1 { + let prophetic = if prophetic.is_empty() { + None + } else { + let t = parse_macro_input!(prophetic as Ident); + if t.to_string() == "prophetic" { + Some(quote!(#[creusot::decl::logic::prophetic])) + } else { + None } - }) -} - -#[proc_macro_attribute] -pub fn logic(_: TS1, tokens: TS1) -> TS1 { + }; let log = parse_macro_input!(tokens as LogicInput); match log { - LogicInput::Item(log) => logic_item(log), - LogicInput::Sig(sig) => logic_sig(sig), + LogicInput::Item(log) => logic_item(log, prophetic), + LogicInput::Sig(sig) => logic_sig(sig, prophetic), } } -fn logic_sig(sig: TraitItemSignature) -> TS1 { +fn logic_sig(sig: TraitItemSignature, prophetic: Option) -> TS1 { let span = sig.span(); - TS1::from(quote_spanned! {span=> + + TS1::from(quote_spanned! {span => #[creusot::decl::logic] + #prophetic #sig }) } -fn logic_item(log: LogicItem) -> TS1 { +fn logic_item(log: LogicItem, prophetic: Option) -> TS1 { let span = log.sig.span(); let term = log.body; 
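Review bot: In `logic`, an attribute argument that parses as an identifier but is not `prophetic` is silently dropped (`} else { None }`), so a typo such as `#[logic(prophetc)]` expands to a plain `#[creusot::decl::logic]` and the mistake surfaces later, presumably only when `^` is rejected in the resulting non-prophetic function; `predicate` in the next hunk duplicates the same block and the same gap. Reject unknown arguments at the macro: `} else { return syn::Error::new(t.span(), "expected `prophetic`").to_compile_error().into(); }`. Since both attributes need the identical parse, a small private helper returning either the optional marker attribute or the compile error, called from `logic` and `predicate`, would remove the duplication. The new `prophetic` parameter of `logic_sig`/`logic_item` deserves a one-line doc saying it is the marker attribute emitted right after `#[creusot::decl::logic]`.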
@@ -539,8 +515,9 @@ fn logic_item(log: LogicItem) -> TS1 { let attrs = log.attrs; let req_body = pretyping::encode_block(&term.stmts).unwrap(); - TS1::from(quote_spanned! {span=> + TS1::from(quote_spanned! {span => #[creusot::decl::logic] + #prophetic #(#attrs)* #vis #def #sig { #req_body @@ -560,7 +537,18 @@ pub fn law(_: TS1, tokens: TS1) -> TS1 { } #[proc_macro_attribute] -pub fn predicate(_: TS1, tokens: TS1) -> TS1 { +pub fn predicate(prophetic: TS1, tokens: TS1) -> TS1 { + let prophetic = if prophetic.is_empty() { + None + } else { + let t = parse_macro_input!(prophetic as Ident); + if t.to_string() == "prophetic" { + Some(quote!(#[creusot::decl::logic::prophetic])) + } else { + None + } + }; + let pred = parse_macro_input!(tokens as LogicInput); let sig = match &pred { @@ -583,20 +571,21 @@ pub fn predicate(_: TS1, tokens: TS1) -> TS1 { }; match pred { - LogicInput::Item(log) => predicate_item(log), - LogicInput::Sig(sig) => predicate_sig(sig), + LogicInput::Item(log) => predicate_item(log, prophetic), + LogicInput::Sig(sig) => predicate_sig(sig, prophetic), } } -fn predicate_sig(sig: TraitItemSignature) -> TS1 { +fn predicate_sig(sig: TraitItemSignature, prophetic: Option) -> TS1 { let span = sig.span(); TS1::from(quote_spanned! {span=> #[creusot::decl::predicate] + #prophetic #sig }) } -fn predicate_item(log: LogicItem) -> TS1 { +fn predicate_item(log: LogicItem, prophetic: Option) -> TS1 { let span = log.sig.span(); let term = log.body; let vis = log.vis; @@ -608,6 +597,7 @@ fn predicate_item(log: LogicItem) -> TS1 { TS1::from(quote_spanned! {span=> #[creusot::decl::predicate] + #prophetic #(#attrs)* #vis #def #sig { #req_body diff --git a/creusot-contracts/src/ghost.rs b/creusot-contracts/src/ghost.rs deleted file mode 100644 index f6d5fc65d3..0000000000 --- a/creusot-contracts/src/ghost.rs +++ /dev/null 
@@ -1,60 +0,0 @@ -use crate::{std::ops::Deref, *}; - -#[cfg_attr(creusot, creusot::builtins = "prelude.Ghost.ghost_ty")] -pub struct Ghost(std::marker::PhantomData) -where - T: ?Sized; - -impl Deref for Ghost { - type Target = T; - - #[trusted] - #[ghost] - #[open(self)] - #[rustc_diagnostic_item = "ghost_deref"] - #[creusot::builtins = "prelude.Ghost.inner"] - fn deref(&self) -> &Self::Target { - pearlite! { absurd } - } -} - -impl ShallowModel for Ghost { - type ShallowModelTy = T::ShallowModelTy; - - #[ghost] - #[open] - fn shallow_model(self) -> Self::ShallowModelTy { - pearlite! { self.deref().shallow_model() } - } -} - -impl Clone for Ghost { - fn clone(&self) -> Self { - gh! { **self } - } -} - -impl Copy for Ghost {} - -impl Ghost { - #[trusted] - #[ghost] - #[open(self)] - #[creusot::builtins = "prelude.Ghost.new"] - pub fn new(_: T) -> Ghost { - pearlite! { absurd } - } - - #[trusted] - #[ghost] - #[open(self)] - #[rustc_diagnostic_item = "ghost_inner"] - #[creusot::builtins = "prelude.Ghost.inner"] - #[creusot::prusti::home_sig = "('x) -> 'x"] - pub fn inner(self) -> T - where - T: Sized, // TODO: don't require T: Sized here. Problem: return type is T. - { - pearlite! { absurd } - } -} diff --git a/creusot-contracts/src/ghost_ptr.rs b/creusot-contracts/src/ghost_ptr.rs index 281546b934..64041cec16 100644 --- a/creusot-contracts/src/ghost_ptr.rs +++ b/creusot-contracts/src/ghost_ptr.rs 
@@ -1,12 +1,26 @@ // Inspired by https://plv.mpi-sws.org/rustbelt/ghostcell/ https://rust-unofficial.github.io/too-many-lists/fifth.html -use crate::{logic::FMap, *}; -use ::std::marker::PhantomData; +use crate::{logic::FMap, Clone, *}; +use ::std::{ + marker::PhantomData, + ops::{Deref, DerefMut}, +}; /// Models a fragment of the heap that maps the [`GhostPtr`]s it has permission to their value. /// At most one [`GhostToken`] has permission to each [`GhostPtr`] /// No [`GhostToken`] has permission to a dangling [`GhostPtr`] #[trusted] -pub struct GhostPtrToken(Ghost, T>>, PhantomData); +pub struct GhostPtrToken(PhantomData); + +/// ZST equivalent of [`&'a GhostPtrToken`](GhostPtrToken) +/// Can be created using [`GhostPtrToken::borrow`] +#[trusted] +#[derive(Copy, Clone)] +pub struct GhostPtrTokenRef<'a, T: ?Sized>(PhantomData<&'a T>); + +/// ZST equivalent of [`&'a mut GhostPtrToken`](GhostPtrToken) +/// Can be created using [`GhostPtrToken::borrow_mut`] +#[trusted] +pub struct GhostPtrTokenMut<'a, T: ?Sized>(PhantomData<&'a mut T>); /// Thin wrapper over a raw pointer managed by a [`GhostPtr`] pub type GhostPtr = *const T; @@ -15,7 +29,7 @@ impl ShallowModel for GhostPtrToken { type ShallowModelTy = FMap, T>; #[trusted] - #[ghost] + #[logic] #[open(self)] fn shallow_model(self) -> Self::ShallowModelTy { absurd @@ -26,7 +40,7 @@ impl GhostPtrToken { /// Creates a new [`GhostPtr`] that has no permission #[ensures(result@ == FMap::empty())] pub fn new() -> Self { - GhostPtrToken(gh!(FMap::empty()), PhantomData) + GhostPtrToken(PhantomData) } #[trusted] 
@@ -68,36 +82,12 @@ impl GhostPtrToken { unsafe { &*ptr } } - /// Shrinks the view of the `self` so that it's model is now new-model - #[trusted] - #[requires(new_model.subset(self@))] - #[ensures(result@ == *new_model)] - #[allow(unused_variables)] - pub fn shrink_token_ref(&self, new_model: Ghost>) -> &GhostPtrToken { - self - } - - /// Mutably borrows `ptr` and shrinks `t` so that it can no longer be used to access `ptr` - // Safety no other token has permission to `self` - // `t` can no longer be used to access `ptr` - #[trusted] - #[requires((**self)@.contains(ptr))] - #[ensures(*result == *(**self)@.lookup_unsized(ptr))] - #[ensures((*^self)@ == (**self)@.remove(ptr))] - #[ensures((^*self)@ == (^^self)@.insert(ptr, ^result))] - #[ensures(!(^^self)@.contains(ptr))] - // ^~ It shouldn't have been possible to add pointer to `t` while we were holding a mutable reference to the pointer - pub fn take_mut<'o, 'i>(self: &'o mut &'i mut GhostPtrToken, ptr: *const T) -> &'i mut T { - unsafe { &mut *(ptr as *mut _) } - } - /// Mutably borrows `ptr` #[requires(self@.contains(ptr))] #[ensures(*result == *(*self)@.lookup_unsized(ptr))] #[ensures((^self)@ == (*self)@.insert(ptr, ^result))] pub fn ptr_as_mut(&mut self, ptr: *const T) -> &mut T { - let mut t = self; - t.take_mut(ptr) + self.borrow_mut().take_mut(ptr) } /// Transfers ownership of `ptr` back into a `Box` 
@@ -121,31 +111,163 @@ impl GhostPtrToken { /// Leaks memory iff the precondition fails #[requires(self@.is_empty())] pub fn drop(self) {} + + /// Convert a shared reference in an equivalent ZST + #[trusted] + #[ensures(result@ == self@)] + pub fn borrow(&self) -> GhostPtrTokenRef<'_, T> { + GhostPtrTokenRef(PhantomData) + } + + /// Convert a mutable reference in an equivalent ZST + #[trusted] + #[ensures(result.cur() == (*self)@)] + #[ensures(result.fin() == (^self)@)] + pub fn borrow_mut(&mut self) -> GhostPtrTokenMut<'_, T> { + GhostPtrTokenMut(PhantomData) + } } impl GhostPtrExt for GhostPtr { #[trusted] #[open(self)] - #[ghost] + #[logic] #[ensures(forall> !t@.contains(result))] - // #[ensures(result.addr_logic() == 0@)] + #[ensures(result.addr_logic() == 0)] #[ensures(forall> ptr.addr_logic() == result.addr_logic() ==> ptr == result)] fn null_logic() -> Self { absurd } #[trusted] - #[ghost] + #[logic] #[open(self)] fn addr_logic(self) -> Int { absurd } } +impl<'a, T: ?Sized> ShallowModel for GhostPtrTokenRef<'a, T> { + type ShallowModelTy = FMap, T>; + + #[trusted] + #[logic] + #[open(self)] + fn shallow_model(self) -> Self::ShallowModelTy { + absurd + } +} + +impl<'a, T: ?Sized> Deref for GhostPtrTokenRef<'a, T> { + type Target = GhostPtrToken; + + #[trusted] + #[ensures(result@ == self@)] + fn deref(&self) -> &Self::Target { + &GhostPtrToken(PhantomData) + } +} + +impl<'a, T: ?Sized> GhostPtrTokenRef<'a, T> { + /// Shrinks the view of the `self` so that it's model is now new-model + #[trusted] + #[requires(new_model.subset(self@))] + #[ensures(result@ == *new_model)] + #[allow(unused_variables)] + pub fn shrink_token_ref(self, new_model: Snapshot>) -> Self { + self + } +} + +impl<'a, T: ?Sized> GhostPtrTokenMut<'a, T> { + #[trusted] + #[logic] + #[open(self)] + pub fn cur(self) -> FMap, T> { + absurd + } + + #[trusted] + #[logic] + #[open(self)] + pub fn fin(self) -> FMap, T> { + absurd + } + + #[ensures(self.fin() == self.cur())] + #[ensures(result@ == 
self.cur())] + pub fn shr(self) -> GhostPtrTokenRef<'a, T> { + GhostPtrTokenRef(PhantomData) + } + + /// Mutably borrows `ptr` and shrinks `self` so that it can no longer be used to access `ptr` + /// + /// This function can be used to get multiple mutable references to non-aliasing pointers at the same time + /// + /// ``` + /// use creusot_contracts::ghost_ptr::GhostPtrToken; + /// + /// let mut token = GhostPtrToken::new(); + /// let ptr1 = token.ptr_from_box(Box::new(1)); + /// let ptr2 = token.ptr_from_box(Box::new(2)); + /// + /// let mut token_mut = token.borrow_mut(); + /// let m1 = token_mut.take_mut(ptr1); + /// // let m1_alias = token_mut.take_mut(ptr1); // Verification Error + /// let m2 = token_mut.take_mut(ptr2); + /// + /// assert_eq!(*m1, 1); + /// assert_eq!(*m2, 2); + /// + /// core::mem::swap(m1, m2); + /// assert_eq!(*token.ptr_as_ref(ptr1), 2); + /// assert_eq!(*token.ptr_as_ref(ptr2), 1); + /// ``` + // Safety no other token has permission to `self` + // `self` can no longer be used to access `ptr` + #[trusted] + #[requires((*self).cur().contains(ptr))] + #[ensures(*result == *(*self).cur().lookup_unsized(ptr))] + #[ensures((^self).cur() == (*self).cur().remove(ptr))] + #[ensures((*self).fin() == (^self).fin().insert(ptr, ^result))] + #[ensures(!(^self).fin().contains(ptr))] + pub fn take_mut(&mut self, ptr: *const T) -> &'a mut T { + unsafe { &mut *(ptr as *mut _) } + } +} + +impl<'a, T> Deref for GhostPtrTokenMut<'a, T> { + type Target = GhostPtrToken; + + #[trusted] + #[ensures(result@ == self.cur())] + fn deref(&self) -> &Self::Target { + &GhostPtrToken(PhantomData) + } +} + +impl<'a, T> DerefMut for GhostPtrTokenMut<'a, T> { + #[trusted] + #[ensures((*result)@ == (*self).cur())] + #[ensures((^self).cur() == (^result)@)] + fn deref_mut(&mut self) -> &mut Self::Target { + Box::leak(Box::new(GhostPtrToken(PhantomData))) + } +} + +#[trusted] +impl<'a, T> Resolve for GhostPtrTokenMut<'a, T> { + #[predicate] + #[open] + fn resolve(self) -> bool 
{ + self.cur() == self.fin() + } +} + pub trait GhostPtrExt: Sized { - #[ghost] + #[logic] fn null_logic() -> Self; - #[ghost] + #[logic] fn addr_logic(self) -> Int; } diff --git a/creusot-contracts/src/invariant.rs b/creusot-contracts/src/invariant.rs index ff9fdae4c4..51aa0d047a 100644 --- a/creusot-contracts/src/invariant.rs +++ b/creusot-contracts/src/invariant.rs @@ -1,7 +1,7 @@ use crate::*; pub trait Invariant { - #[predicate] + #[predicate(prophetic)] #[open] #[rustc_diagnostic_item = "creusot_invariant_user"] fn invariant(self) -> bool { diff --git a/creusot-contracts/src/lib.rs b/creusot-contracts/src/lib.rs index f44d1c760c..a45053c34f 100644 --- a/creusot-contracts/src/lib.rs +++ b/creusot-contracts/src/lib.rs @@ -25,7 +25,7 @@ mod macros { /// A post-condition of a function or trait item pub use base_macros::ensures; - pub use base_macros::gh; + pub use base_macros::snapshot; /// A loop invariant /// The first argument should be a name for the invariant 
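Review bot: The `Deref`, `DerefMut` and `Resolve` impls for `GhostPtrTokenMut` are written as `impl<'a, T>`, while the struct itself, its inherent impl (`cur`, `fin`, `take_mut`) and the `Deref` impl for `GhostPtrTokenRef` all use `T: ?Sized`; as written, a token over an unsized `T` has `take_mut` but no `Deref`, `DerefMut` or `Resolve`. Changing the three headers to `impl<'a, T: ?Sized> Deref for GhostPtrTokenMut<'a, T>`, `impl<'a, T: ?Sized> DerefMut for GhostPtrTokenMut<'a, T>` and `impl<'a, T: ?Sized> Resolve for GhostPtrTokenMut<'a, T>` restores the symmetry. Separately, `deref_mut` produces its result with `Box::leak(Box::new(GhostPtrToken(PhantomData)))`, which is only leak-free because `GhostPtrToken` is a `PhantomData`-only ZST for which `Box::new` does not allocate; a comment on that line, `// GhostPtrToken is a ZST: Box::new allocates nothing, so Box::leak leaks nothing.`, records the invariant that adding any field to the struct would turn this into a real per-call leak.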
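Review bot: `Invariant::invariant` becomes `#[predicate(prophetic)]` with no comment on why the default changed, and the same switch is applied to `Resolve::resolve` in resolve.rs, `Default::is_default` in std/default.rs, `Iter::completed` in std/deque.rs and `Iterator::produces`/`completed` in std/iter.rs. The `predicate` doc added to lib.rs in this same commit states that a prophetic predicate can no longer be used in `snapshot!` nor called from a non-prophetic `logic`/`predicate` function, so every implementor of these traits inherits that restriction. A one-line comment above the attribute, e.g. `// prophetic: implementations may mention the final value (^) of mutable borrows, as Resolve for &mut T does`, would record the intent at each trait. The body of `invariant` continues outside the hunk.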
@@ -37,20 +37,41 @@ mod macros { pub use base_macros::law; /// Declare a function as being a logical function, this declaration must be pure and - /// total. It cannot be called from Rust programs as it is *ghost*, in exchange it can - /// use logical operations and syntax with the help of the [pearlite] macro. + /// total. It cannot be called from Rust programs, but in exchange it can use logical + /// operations and syntax with the help of the [`pearlite!`] macro. + /// + /// # `prophetic` + /// + /// If you wish to use the `^` operator on mutable borrows to get the final value, you need to + /// specify that the function is _prophetic_, like so: + /// ```ignore + /// #[logic(prophetic)] + /// fn uses_prophecies(x: &mut Int) -> Int { + /// pearlite! { if ^x == 0 { 0 } else { 1 } } + /// } + /// ``` + /// Such a logic function cannot be used in [`snapshot!`] anymore, and cannot be + /// called from a regular [`logic`] or [`predicate`] function. pub use base_macros::logic; - /// Declare a function as being a ghost function, this declaration must be pure and - /// total. It cannot be called from Rust programs as it is *ghost*, in exchange it can - /// use logical operations and syntax with the help of the [pearlite] macro. - /// Unlike functions marked with the `[logic]` attribute, `[ghost]` functions cannot - /// use the final value operator (^), nor call other `[predicate]` or `[logic]` functions. - pub use base_macros::ghost; - /// Declare a function as being a logical function, this declaration must be pure and /// total. It cannot be called from Rust programs as it is *ghost*, in exchange it can - /// use logical operations and syntax with the help of the [pearlite] macro. + /// use logical operations and syntax with the help of the [`pearlite!`] macro. + /// + /// It **must** return a boolean. 
+ /// + /// # `prophetic` + /// + /// If you wish to use the `^` operator on mutable borrows to get the final value, you need to + /// specify that the function is _prophetic_, like so: + /// ```ignore + /// #[predicate(prophetic)] + /// fn uses_prophecies(x: &mut Int) -> bool { + /// pearlite! { ^x == 0 } + /// } + /// ``` + /// Such a predicate function cannot be used in [`snapshot!`] anymore, and cannot be + /// called from a regular [`logic`] or [`predicate`] function. pub use base_macros::predicate; /// Inserts a *logical* assertion into the code. This assertion will not be checked at runtime @@ -88,6 +109,10 @@ mod macros { /// A body can only be visible in contexts where all the symbols used in the body are also visible. /// This means you cannot `#[open]` a body which refers to a `pub(crate)` symbol. pub use base_macros::open; + + pub use base_macros::DeepModel; + + pub use base_macros::Resolve; } #[cfg(creusot)] @@ -103,27 +128,27 @@ pub mod std; pub mod num_rational; #[cfg(creusot)] -pub mod ghost; +pub mod snapshot; #[cfg(not(creusot))] -pub mod ghost { - pub struct Ghost(std::marker::PhantomData) +pub mod snapshot { + pub struct Snapshot(std::marker::PhantomData) where T: ?Sized; - impl Ghost { + impl Snapshot { pub fn from_fn(_: fn() -> T) -> Self { - Ghost(std::marker::PhantomData) + Snapshot(std::marker::PhantomData) } } - impl Clone for Ghost { + impl Clone for Snapshot { fn clone(&self) -> Self { - Ghost(std::marker::PhantomData) + Snapshot(std::marker::PhantomData) } } - impl Copy for Ghost {} + impl Copy for Snapshot {} } pub mod ghost_ptr; @@ -137,10 +162,10 @@ pub mod well_founded; // We add some common things at the root of the creusot-contracts library mod base_prelude { pub use crate::{ - ghost::Ghost, logic::{IndexLogic as _, Int, OrdLogic, Seq}, model::{DeepModel, ShallowModel}, resolve::Resolve, + snapshot::Snapshot, std::{ // Shadow std::prelude by our version. // For Clone and PartialEq, this is important for the derive macro. 
@@ -168,7 +193,7 @@ mod base_prelude { pub mod prusti_macros { pub use base_macros::{ invariant, open, pearlite, proof_assert, prusti_ensures as ensures, - prusti_ensures_expiry as after_expiry, prusti_ghost as ghost, prusti_law as law, + prusti_ensures_expiry as after_expiry, prusti_law as law, prusti_logic as logic, prusti_predicate as predicate, prusti_requires as requires, trusted, variant, }; diff --git a/creusot-contracts/src/logic/fmap.rs b/creusot-contracts/src/logic/fmap.rs index b1ad25fe86..04357dd532 100644 --- a/creusot-contracts/src/logic/fmap.rs +++ b/creusot-contracts/src/logic/fmap.rs @@ -7,7 +7,7 @@ pub struct FMap(PMap); impl FMap { #[trusted] - #[ghost] + #[logic] #[open(self)] #[ensures(result >= 0)] pub fn len(self) -> Int { @@ -15,7 +15,7 @@ impl FMap { } #[trusted] - #[ghost] + #[logic] #[open(self)] pub fn mk(_m: PMap) -> Self { absurd @@ -23,7 +23,7 @@ impl FMap { #[trusted] #[open(self)] - #[ghost] + #[logic] #[ensures(Self::mk(result) == self)] // injectivity pub fn view(self) -> PMap { absurd @@ -31,7 +31,7 @@ impl FMap { #[trusted] #[open(self)] - #[ghost] + #[logic] #[ensures(result.view() == self.view().set(k, Some(v.make_sized())))] #[ensures(self.contains(k) ==> result.len() == self.len())] #[ensures(!self.contains(k) ==> result.len() == self.len() + 1)] @@ -41,27 +41,28 @@ impl FMap { #[trusted] #[open(self)] - #[ghost] + #[logic] #[ensures(result.view() == self.view().set(k, None))] #[ensures(result.len() == if self.contains(k) {self.len() - 1} else {self.len()})] pub fn remove(self, k: K) -> Self { absurd } - #[ghost] + #[logic] #[open] #[why3::attr = "inline:trivial"] pub fn get(self, k: K) -> Option> { self.view().get(k) } - #[ghost] + #[logic] #[open] + #[why3::attr = "inline:trivial"] pub fn lookup_unsized(self, k: K) -> SizedW { unwrap(self.get(k)) } - #[ghost] + #[logic] #[open] #[why3::attr = "inline:trivial"] pub fn lookup(self, k: K) -> V 
@@ -71,14 +72,15 @@ impl FMap { *self.lookup_unsized(k) } - #[ghost] + #[logic] #[open] + #[why3::attr = "inline:trivial"] pub fn contains(self, k: K) -> bool { self.get(k) != None } #[trusted] - #[ghost] + #[logic] #[open(self)] #[ensures(result.len() == 0)] #[ensures(result.view() == Mapping::cst(None))] @@ -86,26 +88,26 @@ impl FMap { absurd } - #[ghost] + #[logic] #[open] pub fn is_empty(self) -> bool { self.ext_eq(FMap::empty()) } - #[ghost] + #[logic] #[open] pub fn disjoint(self, other: Self) -> bool { pearlite! {forall !self.contains(k) || !other.contains(k)} } - #[ghost] + #[logic] #[open] pub fn subset(self, other: Self) -> bool { pearlite! {forall self.contains(k) ==> other.get(k) == self.get(k)} } #[trusted] - #[ghost] + #[logic] #[open(self)] #[requires(self.disjoint(other))] #[ensures(forall result.get(k) == if self.contains(k) { @@ -121,23 +123,24 @@ impl FMap { } #[trusted] - #[ghost] + #[logic] #[open(self)] #[ensures(forall result.get(k) == if other.contains(k) {None} else {self.get(k)})] pub fn subtract_keys(self, other: Self) -> Self { absurd } - #[ghost] + #[logic] #[open] #[requires(other.subset(self))] #[ensures(result.disjoint(other))] #[ensures(other.union(result).ext_eq(self))] + #[ensures(forall result.get(k) == if other.contains(k) {None} else {self.get(k)})] pub fn subtract(self, other: Self) -> Self { self.subtract_keys(other) } - #[ghost] + #[logic] #[open] #[ensures(result ==> self == other)] #[ensures((forall self.get(k) == other.get(k)) ==> result)] diff --git a/creusot-contracts/src/logic/fset.rs b/creusot-contracts/src/logic/fset.rs index c500edcde6..7b3dfb65b4 100644 --- a/creusot-contracts/src/logic/fset.rs +++ b/creusot-contracts/src/logic/fset.rs @@ -17,7 +17,7 @@ impl FSet { } #[doc(hidden)] - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "set.Fset.mem"] pub fn mem(_: T, _: Self) -> bool { 
@@ -25,14 +25,14 @@ impl FSet { } #[open] - #[ghost] + #[logic] #[why3::attr = "inline:trivial"] pub fn insert(self, e: T) -> Self { Self::add(e, self) } #[doc(hidden)] - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "set.Fset.add"] pub fn add(_: T, _: Self) -> Self { @@ -47,21 +47,21 @@ impl FSet { } #[open] - #[ghost] + #[logic] #[why3::attr = "inline:trivial"] pub fn remove(self, a: T) -> Self { Self::rem(a, self) } #[doc(hidden)] - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "set.Fset.remove"] pub fn rem(_: T, _: Self) -> Self { pearlite! { absurd } } - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "set.Fset.union"] pub fn union(self, _: Self) -> Self { @@ -82,14 +82,14 @@ impl FSet { Self::is_subset(other, self) } - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "set.Fset.cardinal"] pub fn len(self) -> Int { pearlite! { absurd } } - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "set.Fset.pick"] pub fn peek(self) -> T diff --git a/creusot-contracts/src/logic/int.rs b/creusot-contracts/src/logic/int.rs index 7fb8a8de44..4f429865ae 100644 --- a/creusot-contracts/src/logic/int.rs +++ b/creusot-contracts/src/logic/int.rs @@ -4,11 +4,12 @@ use crate::{ }; #[cfg_attr(creusot, rustc_diagnostic_item = "creusot_int", creusot::builtins = "prelude.Int.int")] +#[allow(dead_code)] pub struct Int(*mut ()); impl Int { #[trusted] - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "int.Power.power"] pub fn pow(self, _: Int) -> Int { @@ -16,7 +17,7 @@ impl Int { } #[trusted] - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "int.MinMax.max"] pub fn max(self, _: Int) -> Int { @@ -24,7 +25,7 @@ impl Int { } #[trusted] - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "int.MinMax.min"] pub fn min(self, _: Int) -> Int { @@ -32,7 +33,7 @@ impl Int { } #[trusted] - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "int.EuclideanDivision.div"] pub fn div_euclid(self, _: Int) -> Int { 
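Review bot: In logic/int.rs, `#[allow(dead_code)]` is added to `pub struct Int(*mut ())` without a comment saying which warning it silences or why that is acceptable; the field is never read in the visible code, which is presumably the point. Attaching the reason to the attribute, `#[allow(dead_code)] // the field is never read: Int is an opaque logic-level type (builtin prelude.Int.int)`, keeps the allow from being cargo-culted or removed later; adjust the wording if the intent differs. The `pow` body that follows continues outside the hunk.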
@@ -40,14 +41,14 @@ impl Int { } #[trusted] - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "int.EuclideanDivision.mod"] pub fn rem_euclid(self, _: Int) -> Int { absurd } - #[ghost] + #[logic] #[open] pub fn abs_diff(self, other: Int) -> Int { if self < other { diff --git a/creusot-contracts/src/logic/mapping.rs b/creusot-contracts/src/logic/mapping.rs index 7fb7be6089..b53c838370 100644 --- a/creusot-contracts/src/logic/mapping.rs +++ b/creusot-contracts/src/logic/mapping.rs @@ -5,7 +5,7 @@ pub struct Mapping(std::marker::PhantomData<(A, B)>); impl Mapping { #[trusted] - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "map.Map.get"] pub fn get(self, _: A) -> B { @@ -13,7 +13,7 @@ impl Mapping { } #[trusted] - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "map.Map.set"] pub fn set(self, _: A, _: B) -> Self { @@ -21,7 +21,7 @@ impl Mapping { } #[trusted] - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "map.Const.const"] pub fn cst(_: B) -> Self { diff --git a/creusot-contracts/src/logic/ops.rs b/creusot-contracts/src/logic/ops.rs index 9a9b09fefb..3deff865dd 100644 --- a/creusot-contracts/src/logic/ops.rs +++ b/creusot-contracts/src/logic/ops.rs @@ -5,7 +5,7 @@ use crate::*; pub trait IndexLogic { type Item; - #[ghost] + #[logic] #[rustc_diagnostic_item = "index_logic_method"] fn index_logic(self, idx: I) -> Self::Item; } @@ -13,7 +13,7 @@ pub trait IndexLogic { impl IndexLogic for Vec { type Item = T; - #[ghost] + #[logic] #[open] #[why3::attr = "inline:trivial"] fn index_logic(self, ix: Int) -> Self::Item { @@ -24,7 +24,7 @@ impl IndexLogic for Vec { impl IndexLogic for Vec { type Item = T; - #[ghost] + #[logic] #[open] #[why3::attr = "inline:trivial"] fn index_logic(self, ix: usize) -> Self::Item { @@ -35,7 +35,7 @@ impl IndexLogic for Vec { impl IndexLogic for [T] { type Item = T; - #[ghost] + #[logic] #[open] #[why3::attr = "inline:trivial"] #[rustc_diagnostic_item = "slice_index_logic"] 
@@ -47,7 +47,7 @@ impl IndexLogic for [T] { impl IndexLogic for [T] { type Item = T; - #[ghost] + #[logic] #[open] #[why3::attr = "inline:trivial"] fn index_logic(self, ix: usize) -> Self::Item { @@ -58,7 +58,7 @@ impl IndexLogic for [T] { impl IndexLogic for [T; N] { type Item = T; - #[ghost] + #[logic] #[open] #[why3::attr = "inline:trivial"] fn index_logic(self, ix: Int) -> Self::Item { @@ -69,7 +69,7 @@ impl IndexLogic for [T; N] { impl IndexLogic for [T; N] { type Item = T; - #[ghost] + #[logic] #[open] #[why3::attr = "inline:trivial"] fn index_logic(self, ix: usize) -> Self::Item { @@ -77,10 +77,10 @@ impl IndexLogic for [T; N] { } } -impl IndexLogic for Ghost> { +impl IndexLogic for Snapshot> { type Item = T; - #[ghost] + #[logic] #[open] #[why3::attr = "inline:trivial"] fn index_logic(self, ix: Int) -> Self::Item { diff --git a/creusot-contracts/src/logic/ord.rs b/creusot-contracts/src/logic/ord.rs index e5f9177019..76bda7b493 100644 --- a/creusot-contracts/src/logic/ord.rs +++ b/creusot-contracts/src/logic/ord.rs @@ -2,10 +2,10 @@ use crate::{std::cmp::Ordering, *}; #[allow(unused)] pub trait OrdLogic { - #[ghost] + #[logic] fn cmp_log(self, _: Self) -> Ordering; - #[ghost] + #[logic] #[open] fn le_log(self, o: Self) -> bool { pearlite! { self.cmp_log(o) != Ordering::Greater } @@ -15,7 +15,7 @@ pub trait OrdLogic { #[ensures(x.le_log(y) == (x.cmp_log(y) != Ordering::Greater))] fn cmp_le_log(x: Self, y: Self); - #[ghost] + #[logic] #[open] fn lt_log(self, o: Self) -> bool { pearlite! { self.cmp_log(o) == Ordering::Less } @@ -25,7 +25,7 @@ pub trait OrdLogic { #[ensures(x.lt_log(y) == (x.cmp_log(y) == Ordering::Less))] fn cmp_lt_log(x: Self, y: Self); - #[ghost] + #[logic] #[open] fn ge_log(self, o: Self) -> bool { pearlite! { self.cmp_log(o) != Ordering::Less } 
@@ -35,7 +35,7 @@ pub trait OrdLogic { #[ensures(x.ge_log(y) == (x.cmp_log(y) != Ordering::Less))] fn cmp_ge_log(x: Self, y: Self); - #[ghost] + #[logic] #[open] fn gt_log(self, o: Self) -> bool { pearlite! { self.cmp_log(o) == Ordering::Greater } @@ -134,7 +134,7 @@ pub use ord_laws_impl; macro_rules! ord_logic_impl { ($t:ty) => { impl OrdLogic for $t { - #[ghost] + #[logic] #[open] fn cmp_log(self, o: Self) -> Ordering { if self < o { @@ -148,7 +148,7 @@ macro_rules! ord_logic_impl { #[trusted] #[open] - #[ghost] + #[logic] #[creusot::builtins = "int.Int.(<=)"] fn le_log(self, _: Self) -> bool { true @@ -156,7 +156,7 @@ macro_rules! ord_logic_impl { #[trusted] #[open] - #[ghost] + #[logic] #[creusot::builtins = "int.Int.(<)"] fn lt_log(self, _: Self) -> bool { true @@ -164,7 +164,7 @@ macro_rules! ord_logic_impl { #[trusted] #[open] - #[ghost] + #[logic] #[creusot::builtins = "int.Int.(>=)"] fn ge_log(self, _: Self) -> bool { true @@ -172,7 +172,7 @@ macro_rules! ord_logic_impl { #[trusted] #[open] - #[ghost] + #[logic] #[creusot::builtins = "int.Int.(>)"] fn gt_log(self, _: Self) -> bool { true @@ -201,7 +201,7 @@ ord_logic_impl!(isize); impl OrdLogic for bool { #[open] - #[ghost] + #[logic] fn cmp_log(self, o: Self) -> Ordering { match (self, o) { (false, false) => Ordering::Equal, @@ -215,7 +215,7 @@ impl OrdLogic for bool { } impl OrdLogic for (A, B) { - #[ghost] + #[logic] #[open] fn cmp_log(self, o: Self) -> Ordering { pearlite! { { 
@@ -228,25 +228,25 @@ impl OrdLogic for (A, B) { } } } - #[ghost] + #[logic] #[open] fn le_log(self, o: Self) -> bool { pearlite! { (self.0 == o.0 && self.1 <= o.1) || self.0 <= o.0 } } - #[ghost] + #[logic] #[open] fn lt_log(self, o: Self) -> bool { pearlite! { (self.0 == o.0 && self.1 < o.1) || self.0 < o.0 } } - #[ghost] + #[logic] #[open] fn ge_log(self, o: Self) -> bool { pearlite! { (self.0 == o.0 && self.1 >= o.1) || self.0 >= o.0 } } - #[ghost] + #[logic] #[open] fn gt_log(self, o: Self) -> bool { pearlite! { (self.0 == o.0 && self.1 > o.1) || self.0 > o.0 } @@ -256,7 +256,7 @@ impl OrdLogic for (A, B) { } impl OrdLogic for Option { - #[ghost] + #[logic] #[open] fn cmp_log(self, o: Self) -> Ordering { match (self, o) { diff --git a/creusot-contracts/src/logic/seq.rs b/creusot-contracts/src/logic/seq.rs index 31f3860705..cbeba88a70 100644 --- a/creusot-contracts/src/logic/seq.rs +++ b/creusot-contracts/src/logic/seq.rs @@ -13,14 +13,14 @@ impl Seq { pub const EMPTY: Self = { Seq(std::marker::PhantomData) }; #[trusted] - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "seq.Seq.create"] pub fn new(_: Int, _: Mapping) -> Self { absurd } - #[ghost] + #[logic] #[open] pub fn get(self, ix: Int) -> Option { if 0 <= ix && ix < self.len() { @@ -31,7 +31,7 @@ impl Seq { } #[trusted] - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "seq_ext.SeqExt.subsequence"] pub fn subsequence(self, _: Int, _: Int) -> Self { @@ -39,21 +39,21 @@ impl Seq { } #[trusted] - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "seq.Seq.singleton"] pub fn singleton(_: T) -> Self { absurd } - #[ghost] + #[logic] #[open] pub fn tail(self) -> Self { self.subsequence(1, self.len()) } #[trusted] - #[ghost] + #[logic] #[open(self)] #[rustc_diagnostic_item = "seq_len"] #[creusot::builtins = "seq.Seq.length"] @@ -62,7 +62,7 @@ impl Seq { } #[trusted] - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "seq.Seq.set"] pub fn set(self, _: Int, _: T) -> Self { 
@@ -78,7 +78,7 @@ impl Seq { } #[trusted] - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "seq.Seq.snoc"] pub fn push(self, _: T) -> Self { @@ -86,7 +86,7 @@ impl Seq { } #[trusted] - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "seq.Seq.(++)"] pub fn concat(self, _: Self) -> Self { @@ -94,7 +94,7 @@ impl Seq { } #[trusted] - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "seq.Reverse.reverse"] pub fn reverse(self) -> Self { @@ -163,7 +163,7 @@ impl Seq<&T> { impl IndexLogic for Seq { type Item = T; - #[ghost] + #[logic] #[trusted] #[open(self)] #[rustc_diagnostic_item = "seq_index"] diff --git a/creusot-contracts/src/logic/set.rs b/creusot-contracts/src/logic/set.rs index ec36252a28..f4bc35d3ea 100644 --- a/creusot-contracts/src/logic/set.rs +++ b/creusot-contracts/src/logic/set.rs @@ -17,7 +17,7 @@ impl Set { } #[doc(hidden)] - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "set.Set.mem"] pub fn mem(_: T, _: Self) -> bool { @@ -25,14 +25,14 @@ impl Set { } #[open] - #[ghost] + #[logic] #[why3::attr = "inline:trivial"] pub fn insert(self, e: T) -> Self { Self::add(e, self) } #[doc(hidden)] - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "set.Set.add"] pub fn add(_: T, _: Self) -> Self { @@ -47,14 +47,14 @@ impl Set { } #[open] - #[ghost] + #[logic] #[why3::attr = "inline:trivial"] pub fn remove(self, a: T) -> Self { Self::rem(a, self) } #[doc(hidden)] - #[ghost] + #[logic] #[open(self)] #[creusot::builtins = "set.Set.remove"] pub fn rem(_: T, _: Self) -> Self { @@ -62,7 +62,7 @@ impl Set { } #[open(self)] - #[ghost] + #[logic] #[creusot::builtins = "set.Set.union"] pub fn union(self, _: Self) -> Self { pearlite! { absurd} diff --git a/creusot-contracts/src/model.rs b/creusot-contracts/src/model.rs index d4238eaf79..6d7fae038a 100644 --- a/creusot-contracts/src/model.rs +++ b/creusot-contracts/src/model.rs 
@@ -8,7 +8,7 @@ use crate::*; /// Models of inner types are typically not involved. pub trait ShallowModel { type ShallowModelTy; - #[ghost] + #[logic] fn shallow_model(self) -> Self::ShallowModelTy; } @@ -20,13 +20,13 @@ pub use crate::base_macros::DeepModel; /// Typically, such a model recursively calls deep models of inner types. pub trait DeepModel { type DeepModelTy; - #[ghost] + #[logic] fn deep_model(self) -> Self::DeepModelTy; } impl DeepModel for Rc { type DeepModelTy = T::DeepModelTy; - #[ghost] + #[logic] #[open] fn deep_model(self) -> Self::DeepModelTy { pearlite! { self.shallow_model().deep_model() } @@ -35,7 +35,7 @@ impl DeepModel for Rc { impl ShallowModel for Rc { type ShallowModelTy = T; - #[ghost] + #[logic] #[open] #[trusted] fn shallow_model(self) -> Self::ShallowModelTy { @@ -45,7 +45,7 @@ impl ShallowModel for Rc { impl DeepModel for Arc { type DeepModelTy = T::DeepModelTy; - #[ghost] + #[logic] #[open] fn deep_model(self) -> Self::DeepModelTy { pearlite! { self@.deep_model() } @@ -54,7 +54,7 @@ impl DeepModel for Arc { impl ShallowModel for Arc { type ShallowModelTy = T; - #[ghost] + #[logic] #[open] #[trusted] fn shallow_model(self) -> Self::ShallowModelTy { @@ -64,7 +64,7 @@ impl ShallowModel for Arc { impl DeepModel for &T { type DeepModelTy = T::DeepModelTy; - #[ghost] + #[logic] #[open] fn deep_model(self) -> Self::DeepModelTy { (*self).deep_model() @@ -73,7 +73,7 @@ impl DeepModel for &T { impl ShallowModel for &T { type ShallowModelTy = T::ShallowModelTy; - #[ghost] + #[logic] #[open] fn shallow_model(self) -> Self::ShallowModelTy { (*self).shallow_model() @@ -82,7 +82,7 @@ impl ShallowModel for &T { impl DeepModel for &mut T { type DeepModelTy = T::DeepModelTy; - #[ghost] + #[logic] #[open] fn deep_model(self) -> Self::DeepModelTy { (*self).deep_model() 
@@ -91,7 +91,7 @@ impl DeepModel for &mut T { impl ShallowModel for &mut T { type ShallowModelTy = T::ShallowModelTy; - #[ghost] + #[logic] #[open] fn shallow_model(self) -> Self::ShallowModelTy { (*self).shallow_model() @@ -101,7 +101,7 @@ impl ShallowModel for &mut T { impl DeepModel for bool { type DeepModelTy = bool; - #[ghost] + #[logic] #[open] fn deep_model(self) -> Self::DeepModelTy { self diff --git a/creusot-contracts/src/num_rational.rs b/creusot-contracts/src/num_rational.rs index be700d066e..95cf6e595f 100644 --- a/creusot-contracts/src/num_rational.rs +++ b/creusot-contracts/src/num_rational.rs @@ -1,6 +1,6 @@ use std::marker::PhantomData; -use crate::{ghost, open, pearlite, trusted, DeepModel, Int, OrdLogic}; +use crate::{logic, open, pearlite, trusted, DeepModel, Int, OrdLogic}; use num_rational::BigRational; use std::cmp::Ordering; @@ -12,7 +12,7 @@ pub struct Real(PhantomData<*mut ()>); impl DeepModel for BigRational { type DeepModelTy = Real; - #[ghost] + #[logic] #[open(self)] #[trusted] fn deep_model(self) -> Self::DeepModelTy { @@ -21,7 +21,7 @@ impl DeepModel for BigRational { } impl Real { - #[ghost] + #[logic] #[trusted] #[open(self)] pub fn from_int(_: Int) -> Self { @@ -30,7 +30,7 @@ impl Real { } impl OrdLogic for Real { - #[ghost] + #[logic] #[open] fn cmp_log(self, o: Self) -> Ordering { if self < o { @@ -44,7 +44,7 @@ impl OrdLogic for Real { #[trusted] #[open] - #[ghost] + #[logic] #[creusot::builtins = "prelude.Real.(<=)"] fn le_log(self, _: Self) -> bool { true @@ -52,7 +52,7 @@ impl OrdLogic for Real { #[trusted] #[open] - #[ghost] + #[logic] #[creusot::builtins = "prelude.Real.(<)"] fn lt_log(self, _: Self) -> bool { true @@ -60,7 +60,7 @@ impl OrdLogic for Real { #[trusted] #[open] - #[ghost] + #[logic] #[creusot::builtins = "prelude.Real.(>=)"] fn ge_log(self, _: Self) -> bool { true 
@@ -68,7 +68,7 @@ impl OrdLogic for Real { #[trusted] #[open] - #[ghost] + #[logic] #[creusot::builtins = "prelude.Real.(>)"] fn gt_log(self, _: Self) -> bool { true diff --git a/creusot-contracts/src/resolve.rs b/creusot-contracts/src/resolve.rs index 40558e95a5..ea1a3a6606 100644 --- a/creusot-contracts/src/resolve.rs +++ b/creusot-contracts/src/resolve.rs @@ -5,14 +5,14 @@ pub use crate::base_macros::Resolve; #[cfg_attr(creusot, rustc_diagnostic_item = "creusot_resolve")] #[trusted] pub trait Resolve { - #[predicate] + #[predicate(prophetic)] #[rustc_diagnostic_item = "creusot_resolve_method"] fn resolve(self) -> bool; } #[trusted] impl Resolve for (T1, T2) { - #[predicate] + #[predicate(prophetic)] #[open] fn resolve(self) -> bool { Resolve::resolve(self.0) && Resolve::resolve(self.1) @@ -21,7 +21,7 @@ impl Resolve for (T1, T2) { #[trusted] impl Resolve for &mut T { - #[predicate] + #[predicate(prophetic)] #[open] fn resolve(self) -> bool { pearlite! { ^self == *self } @@ -30,7 +30,7 @@ impl Resolve for &mut T { #[trusted] impl Resolve for Box { - #[predicate] + #[predicate(prophetic)] #[open] fn resolve(self) -> bool { Resolve::resolve(*self) diff --git a/creusot-contracts/src/snapshot.rs b/creusot-contracts/src/snapshot.rs new file mode 100644 index 0000000000..4ba6827948 --- /dev/null +++ b/creusot-contracts/src/snapshot.rs 
@@ -0,0 +1,59 @@ +use crate::{std::ops::Deref, *}; + +#[cfg_attr(creusot, creusot::builtins = "prelude.Snapshot.snap_ty")] +pub struct Snapshot(pub(crate) std::marker::PhantomData) +where + T: ?Sized; + +impl Deref for Snapshot { + type Target = T; + + #[trusted] + #[logic] + #[open(self)] + #[rustc_diagnostic_item = "snapshot_deref"] + #[creusot::builtins = "prelude.Snapshot.inner"] + fn deref(&self) -> &Self::Target { + pearlite! { absurd } + } +} + +impl ShallowModel for Snapshot { + type ShallowModelTy = T::ShallowModelTy; + + #[logic] + #[open] + fn shallow_model(self) -> Self::ShallowModelTy { + pearlite! { self.deref().shallow_model() } + } +} + +impl Clone for Snapshot { + fn clone(&self) -> Self { + snapshot! { **self } + } +} + +impl Copy for Snapshot {} + +impl Snapshot { + #[trusted] + #[logic] + #[open(self)] + #[creusot::builtins = "prelude.Snapshot.new"] + pub fn new(_: T) -> Snapshot { + pearlite! { absurd } + } + + #[trusted] + #[logic] + #[open(self)] + #[rustc_diagnostic_item = "snapshot_inner"] + #[creusot::builtins = "prelude.Snapshot.inner"] + pub fn inner(self) -> T + where + T: Sized, // TODO: don't require T: Sized here. Problem: return type is T. + { + pearlite! { absurd } + } +} diff --git a/creusot-contracts/src/std/array.rs b/creusot-contracts/src/std/array.rs index dc2f2d2501..d4badf497c 100644 --- a/creusot-contracts/src/std/array.rs +++ b/creusot-contracts/src/std/array.rs @@ -3,7 +3,7 @@ use crate::*; impl ShallowModel for [T; N] { type ShallowModelTy = Seq; - #[ghost] + #[logic] #[trusted] #[open] #[creusot::builtins = "prelude.Slice.id"] @@ -18,7 +18,7 @@ impl ShallowModel for [T; N] { impl DeepModel for [T; N] { type DeepModelTy = Seq; - #[ghost] + #[logic] #[trusted] #[open(self)] // TODO diff --git a/creusot-contracts/src/std/boxed.rs b/creusot-contracts/src/std/boxed.rs index 2e65842d17..cd686e68f5 100644 --- a/creusot-contracts/src/std/boxed.rs +++ b/creusot-contracts/src/std/boxed.rs 
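Review bot: The `Snapshot` field here is `pub(crate)` while the `#[cfg(not(creusot))]` fallback `Snapshot` added to lib.rs in this commit keeps its `PhantomData` field private, so any in-crate code that constructs `Snapshot(PhantomData)` directly will compile under `cfg(creusot)` only. Either give the lib.rs fallback field the same `pub(crate)` visibility or keep both private and construct through `Snapshot::new`/`from_fn`. `Snapshot::new` and `Snapshot::inner` are also undocumented although they replace the public `Ghost` API; a one-liner on each, such as `/// Logic-level constructor; being a [logic] function it cannot be called from program code.` on `new`, would match the rest of the crate's doc style. The relationship between `inner` and the `Deref` impl (both mapped to `prelude.Snapshot.inner`) deserves a sentence too, since the `T: Sized` TODO on `inner` is the only hint that they differ.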
@@ -4,7 +4,7 @@ pub use ::std::boxed::*; #[cfg(creusot)] impl DeepModel for Box { type DeepModelTy = Box; - #[ghost] + #[logic] #[open] fn deep_model(self) -> Self::DeepModelTy { Box::new((*self).deep_model()) @@ -14,7 +14,7 @@ impl DeepModel for Box { #[cfg(creusot)] impl ShallowModel for Box { type ShallowModelTy = T::ShallowModelTy; - #[ghost] + #[logic] #[open] fn shallow_model(self) -> Self::ShallowModelTy { (*self).shallow_model() diff --git a/creusot-contracts/src/std/cmp.rs b/creusot-contracts/src/std/cmp.rs index ea8c76d6ea..9db3799cce 100644 --- a/creusot-contracts/src/std/cmp.rs +++ b/creusot-contracts/src/std/cmp.rs @@ -64,7 +64,7 @@ extern_spec! { impl DeepModel for Reverse { type DeepModelTy = Reverse; - #[ghost] + #[logic] #[open] fn deep_model(self) -> Self::DeepModelTy { pearlite! { Reverse(self.0.deep_model()) } @@ -72,7 +72,7 @@ impl DeepModel for Reverse { } impl OrdLogic for Reverse { - #[ghost] + #[logic] #[open] fn cmp_log(self, o: Self) -> Ordering { match self.0.cmp_log(o.0) { diff --git a/creusot-contracts/src/std/default.rs b/creusot-contracts/src/std/default.rs index e95565db1e..b1770f27ab 100644 --- a/creusot-contracts/src/std/default.rs +++ b/creusot-contracts/src/std/default.rs @@ -2,7 +2,7 @@ use crate::*; pub use ::std::default::*; pub trait Default: ::std::default::Default { - #[predicate] + #[predicate(prophetic)] fn is_default(self) -> bool; } diff --git a/creusot-contracts/src/std/deque.rs b/creusot-contracts/src/std/deque.rs index 8dace155aa..3d06232b86 100644 --- a/creusot-contracts/src/std/deque.rs +++ b/creusot-contracts/src/std/deque.rs @@ -5,7 +5,7 @@ pub use ::std::collections::VecDeque; impl ShallowModel for VecDeque { type ShallowModelTy = Seq; - #[ghost] + #[logic] #[trusted] #[open(self)] #[ensures(result.len() <= usize::MAX@)] 
@@ -17,7 +17,7 @@ impl ShallowModel for VecDeque { impl DeepModel for VecDeque { type DeepModelTy = Seq; - #[ghost] + #[logic] #[trusted] #[open(self)] #[ensures(self.shallow_model().len() == result.len())] @@ -31,7 +31,7 @@ impl DeepModel for VecDeque { impl IndexLogic for VecDeque { type Item = T; - #[ghost] + #[logic] #[open] #[why3::attr = "inline:trivial"] fn index_logic(self, ix: Int) -> Self::Item { @@ -42,7 +42,7 @@ impl IndexLogic for VecDeque { impl IndexLogic for VecDeque { type Item = T; - #[ghost] + #[logic] #[open] #[why3::attr = "inline:trivial"] fn index_logic(self, ix: usize) -> Self::Item { @@ -115,7 +115,7 @@ impl IntoIterator for &VecDeque { impl<'a, T> ShallowModel for Iter<'a, T> { type ShallowModelTy = &'a [T]; - #[ghost] + #[logic] #[open(self)] #[trusted] fn shallow_model(self) -> Self::ShallowModelTy { @@ -126,7 +126,7 @@ impl<'a, T> ShallowModel for Iter<'a, T> { impl<'a, T> Invariant for Iter<'a, T> {} impl<'a, T> Iterator for Iter<'a, T> { - #[predicate] + #[predicate(prophetic)] #[open] fn completed(&mut self) -> bool { pearlite! { self.resolve() && (*self@)@ == Seq::EMPTY } diff --git a/creusot-contracts/src/std/iter.rs b/creusot-contracts/src/std/iter.rs index 05c9871b5d..e7d6544f14 100644 --- a/creusot-contracts/src/std/iter.rs +++ b/creusot-contracts/src/std/iter.rs @@ -24,10 +24,10 @@ pub use take::TakeExt; pub use zip::ZipExt; pub trait Iterator: ::std::iter::Iterator { - #[predicate] + #[predicate(prophetic)] fn produces(self, visited: Seq, o: Self) -> bool; - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool; #[law] 
@@ -40,16 +40,16 @@ pub trait Iterator: ::std::iter::Iterator { #[ensures(a.produces(ab.concat(bc), c))] fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self); - #[requires(forall self.produces(Seq::singleton(e), i2) ==> func.precondition((e, Ghost::new(Seq::EMPTY))))] + #[requires(forall self.produces(Seq::singleton(e), i2) ==> func.precondition((e, Snapshot::new(Seq::EMPTY))))] #[requires(MapInv::::reinitialize())] #[requires(MapInv::::preservation(self, func))] - #[ensures(result == MapInv { iter: self, func, produced: Ghost::new(Seq::EMPTY) })] + #[ensures(result == MapInv { iter: self, func, produced: Snapshot::new(Seq::EMPTY) })] fn map_inv(self, func: F) -> MapInv where Self: Sized, - F: FnMut(Self::Item, Ghost>) -> B, + F: FnMut(Self::Item, Snapshot>) -> B, { - MapInv { iter: self, func, produced: gh! {Seq::EMPTY} } + MapInv { iter: self, func, produced: snapshot! {Seq::EMPTY} } } } @@ -63,7 +63,7 @@ where pearlite! { true } } - #[predicate] + #[predicate(prophetic)] fn into_iter_post(self, res: Self::IntoIter) -> bool; } diff --git a/creusot-contracts/src/std/iter/cloned.rs b/creusot-contracts/src/std/iter/cloned.rs index 514b3abe13..09cef10136 100644 --- a/creusot-contracts/src/std/iter/cloned.rs +++ b/creusot-contracts/src/std/iter/cloned.rs @@ -1,13 +1,13 @@ use crate::{std::iter::Cloned, *}; pub trait ClonedExt { - #[ghost] + #[logic] fn iter(self) -> I; } impl ClonedExt for Cloned { #[open(self)] - #[ghost] + #[logic] #[trusted] fn iter(self) -> I { pearlite! { absurd } @@ -17,7 +17,7 @@ impl ClonedExt for Cloned { #[trusted] impl Resolve for Cloned { #[open] - #[predicate] + #[predicate(prophetic)] fn resolve(self) -> bool { pearlite! { self.iter().resolve() 
@@ -31,13 +31,13 @@ where T: Clone, { #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { exists *inner == self.iter() && ^inner == (^self).iter() && inner.completed() } } #[open] - #[predicate] + #[predicate(prophetic)] fn produces(self, visited: Seq, o: Self) -> bool { pearlite! { exists> self.iter().produces(s, o.iter()) diff --git a/creusot-contracts/src/std/iter/copied.rs b/creusot-contracts/src/std/iter/copied.rs index 0460d5178c..9944f4b4b6 100644 --- a/creusot-contracts/src/std/iter/copied.rs +++ b/creusot-contracts/src/std/iter/copied.rs @@ -1,13 +1,13 @@ use crate::{std::iter::Copied, *}; pub trait CopiedExt { - #[ghost] + #[logic] fn iter(self) -> I; } impl CopiedExt for Copied { #[open] - #[ghost] + #[logic] #[trusted] fn iter(self) -> I { pearlite! { absurd } @@ -17,7 +17,7 @@ impl CopiedExt for Copied { #[trusted] impl Resolve for Copied { #[open] - #[predicate] + #[predicate(prophetic)] fn resolve(self) -> bool { pearlite! { self.iter().resolve() @@ -31,13 +31,13 @@ where T: Copy, { #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { exists *inner == self.iter() && ^inner == (^self).iter() && inner.completed() } } #[open] - #[predicate] + #[predicate(prophetic)] fn produces(self, visited: Seq, o: Self) -> bool { pearlite! { exists> self.iter().produces(s, o.iter()) diff --git a/creusot-contracts/src/std/iter/empty.rs b/creusot-contracts/src/std/iter/empty.rs index 9fdc551ec7..52def108b0 100644 --- a/creusot-contracts/src/std/iter/empty.rs +++ b/creusot-contracts/src/std/iter/empty.rs @@ -2,7 +2,7 @@ use crate::{std::iter::Empty, *}; impl Iterator for Empty { #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { self.resolve() } } diff --git a/creusot-contracts/src/std/iter/enumerate.rs b/creusot-contracts/src/std/iter/enumerate.rs index f2d0172950..662f3cc642 100644 --- a/creusot-contracts/src/std/iter/enumerate.rs 
+++ b/creusot-contracts/src/std/iter/enumerate.rs @@ -1,23 +1,23 @@ use crate::{invariant::Invariant, std::iter::Enumerate, *}; pub trait EnumerateExt { - #[ghost] + #[logic] fn iter(self) -> I; - #[ghost] + #[logic] fn n(self) -> Int; } impl EnumerateExt for Enumerate { #[trusted] - #[ghost] + #[logic] #[open(self)] fn iter(self) -> I { absurd } #[trusted] - #[ghost] + #[logic] #[open(self)] fn n(self) -> Int { absurd @@ -27,7 +27,7 @@ impl EnumerateExt for Enumerate { #[trusted] impl Resolve for Enumerate { #[open] - #[predicate] + #[predicate(prophetic)] fn resolve(self) -> bool { pearlite! { self.iter().resolve() @@ -37,7 +37,7 @@ impl Resolve for Enumerate { impl Invariant for Enumerate { #[open(self)] - #[predicate] + #[predicate(prophetic)] fn invariant(self) -> bool { pearlite! { (forall, i: I> self.iter().produces(s, i) ==> self.n() + s.len() < std::usize::MAX@) @@ -51,13 +51,13 @@ where I: Iterator, { #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { exists *inner == self.iter() && ^inner == (^self).iter() && inner.completed() } } #[open] - #[predicate] + #[predicate(prophetic)] fn produces(self, visited: Seq, o: Self) -> bool { pearlite! { visited.len() == o.n() - self.n() diff --git a/creusot-contracts/src/std/iter/fuse.rs b/creusot-contracts/src/std/iter/fuse.rs index 1893a0a124..2ac534497a 100644 --- a/creusot-contracts/src/std/iter/fuse.rs +++ b/creusot-contracts/src/std/iter/fuse.rs @@ -3,7 +3,7 @@ use crate::{std::iter::Fuse, *}; impl ShallowModel for Fuse { type ShallowModelTy = Option; - #[ghost] + #[logic] #[open(self)] #[trusted] fn shallow_model(self) -> Option { @@ -13,7 +13,7 @@ impl ShallowModel for Fuse { impl Iterator for Fuse { #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { (self@ == None || exists it.completed() && self@ == Some(*it)) && 
@@ -22,7 +22,7 @@ impl Iterator for Fuse { } #[open] - #[predicate] + #[predicate(prophetic)] fn produces(self, prod: Seq, other: Self) -> bool { pearlite! { match self@ { diff --git a/creusot-contracts/src/std/iter/map_inv.rs b/creusot-contracts/src/std/iter/map_inv.rs index 355637eee6..d71b1cc7e9 100644 --- a/creusot-contracts/src/std/iter/map_inv.rs +++ b/creusot-contracts/src/std/iter/map_inv.rs @@ -3,14 +3,14 @@ use crate::{invariant::Invariant, *}; pub struct MapInv { pub iter: I, pub func: F, - pub produced: Ghost>, + pub produced: Snapshot>, } -impl>) -> B> Iterator +impl>) -> B> Iterator for MapInv { #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { *(^self).produced == Seq::EMPTY && @@ -31,7 +31,7 @@ impl>) -> B> Iterator fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) {} #[open] - #[predicate] + #[predicate(prophetic)] #[why3::attr = "inline:trivial"] fn produces(self, visited: Seq, succ: Self) -> bool { pearlite! { @@ -44,8 +44,8 @@ impl>) -> B> Iterator else { *fs[0] == self.func && ^fs[visited.len() - 1] == succ.func } && forall 0 <= i && i < visited.len() ==> self.func.unnest(*fs[i]) - && (*fs[i]).precondition((s[i], Ghost::new(self.produced.concat(s.subsequence(0, i))))) - && fs[i].postcondition_mut((s[i], Ghost::new(self.produced.concat(s.subsequence(0, i)))), visited[i]) + && (*fs[i]).precondition((s[i], Snapshot::new(self.produced.concat(s.subsequence(0, i))))) + && fs[i].postcondition_mut((s[i], Snapshot::new(self.produced.concat(s.subsequence(0, i)))), visited[i]) } } } 
@@ -53,18 +53,18 @@ impl>) -> B> Iterator #[trusted] impl Resolve for MapInv { #[open] - #[predicate] + #[predicate(prophetic)] fn resolve(self) -> bool { self.iter.resolve() && self.func.resolve() } } -impl>) -> B> Invariant +impl>) -> B> Invariant for MapInv { // Should not quantify over self or the `invariant` cannot be made into a type invariant #[open(self)] - #[predicate] + #[predicate(prophetic)] fn invariant(self) -> bool { pearlite! { Self::reinitialize() && @@ -74,7 +74,7 @@ impl>) -> B> Invariant } } -impl>) -> B> ::std::iter::Iterator +impl>) -> B> ::std::iter::Iterator for MapInv { type Item = B; 
@@ -84,66 +84,66 @@ impl>) -> B> ::std::iter::I Some(v) => (*self).produces_one(v, ^self) })] fn next(&mut self) -> Option { - let old_self: Ghost = gh! { *self }; + let old_self: Snapshot = snapshot! { *self }; match self.iter.next() { Some(v) => { proof_assert! { self.func.precondition((v, self.produced)) }; - let produced = gh! { self.produced.push(v) }; + let produced = snapshot! { self.produced.push(v) }; let r = (self.func)(v, self.produced); self.produced = produced; #[allow(path_statements)] - let _: Ghost<()> = gh! { { Self::produces_one_invariant; () } }; + let _: Snapshot<()> = snapshot! { { Self::produces_one_invariant; () } }; proof_assert! { old_self.produces_one(r, *self) }; let _ = self; // Make sure self is not resolve until here. Some(r) } None => { - self.produced = gh! { Seq::EMPTY }; + self.produced = snapshot! { Seq::EMPTY }; None } } } } -impl>) -> B> MapInv { +impl>) -> B> MapInv { #[open] - #[predicate] + #[predicate(prophetic)] pub fn next_precondition(iter: I, func: F, produced: Seq) -> bool { pearlite! { forall iter.produces(Seq::singleton(e), i) ==> - func.precondition((e, Ghost::new(produced))) + func.precondition((e, Snapshot::new(produced))) } } - #[predicate] + #[predicate(prophetic)] #[ensures(produced == Seq::EMPTY ==> result == Self::preservation(iter, func))] fn preservation_inv(iter: I, func: F, produced: Seq) -> bool { pearlite! 
{ forall, e1: I::Item, e2: I::Item, f: &mut F, b: B, i: I> func.unnest(*f) ==> iter.produces(s.push(e1).push(e2), i) ==> - (*f).precondition((e1, Ghost::new(produced.concat(s)))) ==> - f.postcondition_mut((e1, Ghost::new(produced.concat(s))), b) ==> - (^f).precondition((e2, Ghost::new(produced.concat(s).push(e1)))) + (*f).precondition((e1, Snapshot::new(produced.concat(s)))) ==> + f.postcondition_mut((e1, Snapshot::new(produced.concat(s))), b) ==> + (^f).precondition((e2, Snapshot::new(produced.concat(s).push(e1)))) } } #[open] - #[predicate] + #[predicate(prophetic)] pub fn preservation(iter: I, func: F) -> bool { pearlite! { forall, e1: I::Item, e2: I::Item, f: &mut F, b: B, i: I> func.unnest(*f) ==> iter.produces(s.push(e1).push(e2), i) ==> - (*f).precondition((e1, Ghost::new(s))) ==> - f.postcondition_mut((e1, Ghost::new(s)), b) ==> - (^f).precondition((e2, Ghost::new(s.push(e1)))) + (*f).precondition((e1, Snapshot::new(s))) ==> + f.postcondition_mut((e1, Snapshot::new(s)), b) ==> + (^f).precondition((e2, Snapshot::new(s.push(e1)))) } } #[open] - #[predicate] + #[predicate(prophetic)] pub fn reinitialize() -> bool { pearlite! { forall @@ -153,7 +153,7 @@ impl>) -> B> MapInv>) -> B> MapInv bool { pearlite! { diff --git a/creusot-contracts/src/std/iter/once.rs b/creusot-contracts/src/std/iter/once.rs index ad96988263..000d18ca89 100644 --- a/creusot-contracts/src/std/iter/once.rs +++ b/creusot-contracts/src/std/iter/once.rs @@ -3,7 +3,7 @@ use crate::{std::iter::Once, *}; impl ShallowModel for Once { type ShallowModelTy = Option; - #[ghost] + #[logic] #[trusted] #[open(self)] fn shallow_model(self) -> Option { @@ -13,7 +13,7 @@ impl ShallowModel for Once { impl Iterator for Once { #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { (*self)@ == None && self.resolve() } } diff --git a/creusot-contracts/src/std/iter/range.rs b/creusot-contracts/src/std/iter/range.rs index db68337ff0..2a21d42f9e 100644 
--- a/creusot-contracts/src/std/iter/range.rs +++ b/creusot-contracts/src/std/iter/range.rs @@ -7,7 +7,7 @@ use crate::{ }; impl + Step> Iterator for Range { - #[predicate] + #[predicate(prophetic)] #[open] fn completed(&mut self) -> bool { pearlite! { @@ -40,7 +40,7 @@ impl + Step> Iterator for Range { fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) {} } -#[ghost] +#[logic] #[open] #[ensures(r.is_empty_log() == (result == 0))] pub fn range_inclusive_len>(r: RangeInclusive) -> Int { @@ -51,7 +51,7 @@ pub fn range_inclusive_len>(r: RangeInclusive< } impl + Step> Iterator for RangeInclusive { - #[predicate] + #[predicate(prophetic)] #[open] fn completed(&mut self) -> bool { pearlite! { diff --git a/creusot-contracts/src/std/iter/repeat.rs b/creusot-contracts/src/std/iter/repeat.rs index 2dd172cec5..156c00b34c 100644 --- a/creusot-contracts/src/std/iter/repeat.rs +++ b/creusot-contracts/src/std/iter/repeat.rs @@ -3,7 +3,7 @@ use crate::{std::iter::Repeat, *}; impl ShallowModel for Repeat { type ShallowModelTy = T; - #[ghost] + #[logic] #[trusted] #[open(self)] fn shallow_model(self) -> T { diff --git a/creusot-contracts/src/std/iter/skip.rs b/creusot-contracts/src/std/iter/skip.rs index 830306e384..0c3acd035d 100644 --- a/creusot-contracts/src/std/iter/skip.rs +++ b/creusot-contracts/src/std/iter/skip.rs @@ -1,22 +1,22 @@ use crate::{std::iter::Skip, *}; pub trait SkipExt { - #[ghost] + #[logic] fn iter(self) -> I; - #[ghost] + #[logic] fn n(self) -> Int; } impl SkipExt for Skip { - #[ghost] + #[logic] #[open(self)] #[trusted] fn iter(self) -> I { pearlite! { absurd } } - #[ghost] + #[logic] #[open(self)] #[trusted] #[ensures(result >= 0 && result <= usize::MAX@)] @@ -28,7 +28,7 @@ impl SkipExt for Skip { #[trusted] impl Resolve for Skip { #[open] - #[predicate] + #[predicate(prophetic)] fn resolve(self) -> bool { pearlite! { self.iter().resolve() 
@@ -38,7 +38,7 @@ impl Resolve for Skip { impl Iterator for Skip { #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { (^self).n() == 0 && @@ -52,7 +52,7 @@ impl Iterator for Skip { } #[open] - #[predicate] + #[predicate(prophetic)] fn produces(self, visited: Seq, o: Self) -> bool { pearlite! { visited == Seq::EMPTY && self == o || diff --git a/creusot-contracts/src/std/iter/take.rs b/creusot-contracts/src/std/iter/take.rs index f4d7b57185..25d76f10b9 100644 --- a/creusot-contracts/src/std/iter/take.rs +++ b/creusot-contracts/src/std/iter/take.rs @@ -1,25 +1,25 @@ use crate::{std::iter::Take, *}; pub trait TakeExt { - #[ghost] + #[logic] fn iter(self) -> I; - #[ghost] + #[logic] fn iter_mut(&mut self) -> &mut I; - #[ghost] + #[logic] fn n(self) -> Int; } impl TakeExt for Take { - #[ghost] + #[logic] #[trusted] #[open(self)] fn iter(self) -> I { pearlite! { absurd } } - #[ghost] + #[logic] #[trusted] #[open(self)] #[ensures((*self).iter() == *result && (^self).iter() == ^result)] @@ -27,7 +27,7 @@ impl TakeExt for Take { pearlite! { absurd } } - #[ghost] + #[logic] #[trusted] #[open(self)] #[ensures(result >= 0 && result <= usize::MAX@)] @@ -39,7 +39,7 @@ impl TakeExt for Take { #[trusted] impl Resolve for Take { #[open] - #[predicate] + #[predicate(prophetic)] fn resolve(self) -> bool { pearlite! { self.iter().resolve() @@ -49,7 +49,7 @@ impl Resolve for Take { impl Iterator for Take { #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { self.n() == 0 && self.resolve() || @@ -58,7 +58,7 @@ impl Iterator for Take { } #[open] - #[predicate] + #[predicate(prophetic)] fn produces(self, visited: Seq, o: Self) -> bool { pearlite! { self.n() == o.n() + visited.len() && self.iter().produces(visited, o.iter()) diff --git a/creusot-contracts/src/std/iter/zip.rs b/creusot-contracts/src/std/iter/zip.rs index 409f2fa485..a5f1069ad2 100644 --- a/creusot-contracts/src/std/iter/zip.rs 
+++ b/creusot-contracts/src/std/iter/zip.rs @@ -1,22 +1,22 @@ use crate::{std::iter::Zip, *}; pub trait ZipExt { - #[ghost] + #[logic] fn itera(self) -> A; - #[ghost] + #[logic] fn iterb(self) -> B; } impl ZipExt for Zip { - #[ghost] + #[logic] #[open(self)] #[trusted] fn itera(self) -> A { pearlite! { absurd } } - #[ghost] + #[logic] #[open(self)] #[trusted] fn iterb(self) -> B { @@ -26,7 +26,7 @@ impl ZipExt for Zip { impl Iterator for Zip { #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { exists @@ -39,7 +39,7 @@ impl Iterator for Zip { } #[open] - #[predicate] + #[predicate(prophetic)] fn produces(self, visited: Seq, o: Self) -> bool { pearlite! { // Using an `unzip` definition doesn't work well because of issues related to datatypes and `match` diff --git a/creusot-contracts/src/std/num.rs b/creusot-contracts/src/std/num.rs index 6ea805cfae..5eadb2b86d 100644 --- a/creusot-contracts/src/std/num.rs +++ b/creusot-contracts/src/std/num.rs @@ -5,7 +5,7 @@ macro_rules! mach_int { ($t:ty, $ty_nm:expr, $zero:expr) => { impl ShallowModel for $t { type ShallowModelTy = Int; - #[ghost] + #[logic] #[open] #[trusted] #[creusot::builtins = concat!($ty_nm, ".to_int")] @@ -16,7 +16,7 @@ macro_rules! mach_int { impl DeepModel for $t { type DeepModelTy = Int; - #[ghost] + #[logic] #[open] fn deep_model(self) -> Self::DeepModelTy { pearlite! { self@ } diff --git a/creusot-contracts/src/std/ops.rs b/creusot-contracts/src/std/ops.rs index e07157388d..d4c0912267 100644 --- a/creusot-contracts/src/std/ops.rs +++ b/creusot-contracts/src/std/ops.rs @@ -172,13 +172,13 @@ extern_spec! { } pub trait RangeInclusiveExt { - #[ghost] + #[logic] fn start_log(self) -> Idx; - #[ghost] + #[logic] fn end_log(self) -> Idx; - #[ghost] + #[logic] fn is_empty_log(self) -> bool where Idx: DeepModel, 
@@ -187,21 +187,21 @@ pub trait RangeInclusiveExt { impl RangeInclusiveExt for RangeInclusive { #[open(self)] - #[ghost] + #[logic] #[trusted] fn start_log(self) -> Idx { pearlite! { absurd } } #[open(self)] - #[ghost] + #[logic] #[trusted] fn end_log(self) -> Idx { pearlite! { absurd } } #[open(self)] - #[ghost] + #[logic] #[trusted] #[ensures(!result ==> self.start_log().deep_model() <= self.end_log().deep_model())] fn is_empty_log(self) -> bool diff --git a/creusot-contracts/src/std/option.rs b/creusot-contracts/src/std/option.rs index 3470d856f4..accd4a752f 100644 --- a/creusot-contracts/src/std/option.rs +++ b/creusot-contracts/src/std/option.rs @@ -4,7 +4,7 @@ pub use ::std::option::*; impl DeepModel for Option { type DeepModelTy = Option; - #[ghost] + #[logic] #[open] fn deep_model(self) -> Self::DeepModelTy { match self { @@ -137,7 +137,7 @@ impl ShallowModel for IntoIter { type ShallowModelTy = Option; #[open(self)] - #[ghost] + #[logic] #[trusted] fn shallow_model(self) -> Option { pearlite! { absurd } @@ -145,7 +145,7 @@ impl ShallowModel for IntoIter { } impl Iterator for IntoIter { - #[predicate] + #[predicate(prophetic)] #[open] fn completed(&mut self) -> bool { pearlite! { (*self)@ == None && self.resolve() } @@ -191,7 +191,7 @@ impl<'a, T> ShallowModel for Iter<'a, T> { type ShallowModelTy = Option<&'a T>; #[open(self)] - #[ghost] + #[logic] #[trusted] fn shallow_model(self) -> Option<&'a T> { pearlite! { absurd } @@ -199,7 +199,7 @@ impl<'a, T> ShallowModel for Iter<'a, T> { } impl<'a, T> Iterator for Iter<'a, T> { - #[predicate] + #[predicate(prophetic)] #[open] fn completed(&mut self) -> bool { pearlite! { (*self)@ == None && self.resolve() } @@ -247,7 +247,7 @@ impl<'a, T> IntoIterator for &'a Option { impl<'a, T> ShallowModel for IterMut<'a, T> { type ShallowModelTy = Option<&'a mut T>; - #[ghost] + #[logic] #[open(self)] #[trusted] fn shallow_model(self) -> Option<&'a mut T> { 
@@ -256,7 +256,7 @@ impl<'a, T> ShallowModel for IterMut<'a, T> { } impl<'a, T> Iterator for IterMut<'a, T> { - #[predicate] + #[predicate(prophetic)] #[open] fn completed(&mut self) -> bool { pearlite! { (*self)@ == None && self.resolve() } @@ -291,7 +291,7 @@ impl<'a, T> IntoIterator for &'a mut Option { pearlite! { true } } - #[predicate] + #[predicate(prophetic)] #[open] fn into_iter_post(self, res: Self::IntoIter) -> bool { pearlite! { diff --git a/creusot-contracts/src/std/result.rs b/creusot-contracts/src/std/result.rs index 9fd665d826..0a746d8f4b 100644 --- a/creusot-contracts/src/std/result.rs +++ b/creusot-contracts/src/std/result.rs @@ -5,7 +5,7 @@ use ::std::fmt::Debug; impl DeepModel for Result { type DeepModelTy = Result; - #[ghost] + #[logic] #[open] fn deep_model(self) -> Self::DeepModelTy { match self { diff --git a/creusot-contracts/src/std/slice.rs b/creusot-contracts/src/std/slice.rs index 96ecb87765..a1d67f0e7b 100644 --- a/creusot-contracts/src/std/slice.rs +++ b/creusot-contracts/src/std/slice.rs @@ -11,7 +11,7 @@ impl ShallowModel for [T] { type ShallowModelTy = Seq; // We define this as trusted because builtins and ensures are incompatible - #[ghost] + #[logic] #[open(self)] #[trusted] #[ensures(result.len() <= usize::MAX@)] @@ -24,7 +24,7 @@ impl ShallowModel for [T] { impl DeepModel for [T] { type DeepModelTy = Seq; - #[ghost] + #[logic] #[open(self)] #[trusted] #[ensures((&self)@.len() == result.len())] @@ -34,14 +34,14 @@ impl DeepModel for [T] { } } -#[ghost] +#[logic] #[trusted] #[creusot::builtins = "prelude.Slice.id"] fn slice_model(_: &[T]) -> Seq { pearlite! { absurd } } -#[ghost] +#[logic] #[open] #[rustc_diagnostic_item = "slice_len_logic"] pub fn slice_len(x: [T]) -> Int { @@ -50,7 +50,7 @@ pub fn slice_len(x: [T]) -> Int { impl Default for &mut [T] { #[open] - #[predicate] + #[predicate(prophetic)] fn is_default(self) -> bool { pearlite! { self@ == Seq::EMPTY && (^self)@ == Seq::EMPTY } } 
@@ -65,15 +65,15 @@ impl Default for &[T] { } pub trait SliceExt { - #[ghost] + #[logic] fn to_mut_seq(&mut self) -> Seq<&mut T>; - #[ghost] + #[logic] fn to_ref_seq(&self) -> Seq<&T>; } impl SliceExt for [T] { - #[ghost] + #[logic] #[trusted] #[open(self)] #[ensures(result.len() == self@.len())] @@ -83,7 +83,7 @@ impl SliceExt for [T] { pearlite! { absurd } } - #[ghost] + #[logic] #[open(self)] #[trusted] #[ensures(result.len() == self@.len())] @@ -364,7 +364,7 @@ impl IntoIterator for &mut [T] { impl<'a, T> ShallowModel for Iter<'a, T> { type ShallowModelTy = &'a [T]; - #[ghost] + #[logic] #[open(self)] #[trusted] fn shallow_model(self) -> Self::ShallowModelTy { @@ -373,7 +373,7 @@ impl<'a, T> ShallowModel for Iter<'a, T> { } impl<'a, T> Iterator for Iter<'a, T> { - #[predicate] + #[predicate(prophetic)] #[open] fn completed(&mut self) -> bool { pearlite! { self.resolve() && (*self@)@ == Seq::EMPTY } @@ -403,7 +403,7 @@ impl<'a, T> Iterator for Iter<'a, T> { impl<'a, T> ShallowModel for IterMut<'a, T> { type ShallowModelTy = &'a mut [T]; - #[ghost] + #[logic] #[open(self)] #[trusted] #[ensures((^result)@.len() == (*result)@.len())] @@ -414,7 +414,7 @@ impl<'a, T> ShallowModel for IterMut<'a, T> { #[trusted] impl<'a, T> Resolve for IterMut<'a, T> { - #[predicate] + #[predicate(prophetic)] #[open] fn resolve(self) -> bool { pearlite! { *self@ == ^self@ } @@ -422,7 +422,7 @@ impl<'a, T> Resolve for IterMut<'a, T> { } impl<'a, T> Iterator for IterMut<'a, T> { - #[predicate] + #[predicate(prophetic)] #[open] fn completed(&mut self) -> bool { pearlite! { self.resolve() && (*self@)@ == Seq::EMPTY } diff --git a/creusot-contracts/src/std/time.rs b/creusot-contracts/src/std/time.rs index 3178c16e9c..6b087f06b6 100644 --- a/creusot-contracts/src/std/time.rs +++ b/creusot-contracts/src/std/time.rs 
@@ -7,7 +7,7 @@ pub use ::std::{ impl ShallowModel for Duration { type ShallowModelTy = Int; - #[ghost] + #[logic] #[open(self)] #[trusted] #[ensures(result >= 0 && result <= secs_to_nanos(u64::MAX@) + 999_999_999)] @@ -19,7 +19,7 @@ impl ShallowModel for Duration { impl DeepModel for Duration { type DeepModelTy = Int; - #[ghost] + #[logic] #[open(self)] #[trusted] #[ensures(result >= 0 && result <= secs_to_nanos(u64::MAX@) + 999_999_999)] @@ -29,21 +29,21 @@ impl DeepModel for Duration { } } -#[ghost] +#[logic] fn nanos_to_micros(nanos: Int) -> Int { nanos / 1_000 } -#[ghost] +#[logic] fn nanos_to_millis(nanos: Int) -> Int { nanos / 1_000_000 } -#[ghost] +#[logic] fn nanos_to_secs(nanos: Int) -> Int { nanos / 1_000_000_000 } -#[ghost] +#[logic] fn secs_to_nanos(secs: Int) -> Int { secs * 1_000_000_000 } @@ -51,7 +51,7 @@ fn secs_to_nanos(secs: Int) -> Int { impl ShallowModel for Instant { type ShallowModelTy = Int; - #[ghost] + #[logic] #[open(self)] #[trusted] #[ensures(result >= 0)] @@ -63,7 +63,7 @@ impl ShallowModel for Instant { impl DeepModel for Instant { type DeepModelTy = Int; - #[ghost] + #[logic] #[open(self)] #[trusted] #[ensures(result >= 0)] diff --git a/creusot-contracts/src/std/tuples.rs b/creusot-contracts/src/std/tuples.rs index 74d29bdf97..0aa1ed6c60 100644 --- a/creusot-contracts/src/std/tuples.rs +++ b/creusot-contracts/src/std/tuples.rs @@ -3,7 +3,7 @@ use crate::{Default, *}; impl DeepModel for () { type DeepModelTy = (); - #[ghost] + #[logic] #[open] fn deep_model(self) -> Self::DeepModelTy { pearlite! { () } @@ -23,7 +23,7 @@ macro_rules! tuple_impls { impl<$($name: DeepModel),+> DeepModel for ($($name,)+) { type DeepModelTy = ($($name::DeepModelTy,)+); - #[ghost] + #[logic] #[open] fn deep_model(self) -> Self::DeepModelTy { pearlite! { ($(self.$idx.deep_model(),)+) } 
@@ -31,7 +31,7 @@ macro_rules! tuple_impls { } impl<$($name: Default),+> Default for ($($name,)+) { - #[predicate] + #[predicate(prophetic)] #[open] fn is_default(self) -> bool { pearlite! { $(self.$idx.is_default())&&+ } diff --git a/creusot-contracts/src/std/vec.rs b/creusot-contracts/src/std/vec.rs index b2251ecaa4..efacdeaa04 100644 --- a/creusot-contracts/src/std/vec.rs +++ b/creusot-contracts/src/std/vec.rs @@ -13,7 +13,7 @@ impl ShallowModel for Vec { type ShallowModelTy = Seq; #[open(self)] - #[ghost] + #[logic] #[trusted] #[ensures(result.len() <= usize::MAX@)] fn shallow_model(self) -> Seq { @@ -24,7 +24,7 @@ impl ShallowModel for Vec { impl DeepModel for Vec { type DeepModelTy = Seq; - #[ghost] + #[logic] #[open(self)] #[trusted] #[ensures(self.shallow_model().len() == result.len())] @@ -45,7 +45,7 @@ impl Default for Vec { #[trusted] impl Resolve for Vec { - #[predicate] + #[predicate(prophetic)] #[open] fn resolve(self) -> bool { pearlite! { forall 0 <= i && i < self@.len() ==> self[i].resolve() } @@ -207,7 +207,7 @@ impl ShallowModel for std::vec::IntoIter { type ShallowModelTy = Seq; #[open(self)] - #[ghost] + #[logic] #[trusted] fn shallow_model(self) -> Self::ShallowModelTy { absurd @@ -216,7 +216,7 @@ impl ShallowModel for std::vec::IntoIter { #[trusted] impl Resolve for std::vec::IntoIter { - #[predicate] + #[predicate(prophetic)] #[open] fn resolve(self) -> bool { pearlite! { forall 0 <= i && i < self@.len() ==> self@[i].resolve() } @@ -224,7 +224,7 @@ impl Resolve for std::vec::IntoIter { } impl Iterator for std::vec::IntoIter { - #[predicate] + #[predicate(prophetic)] #[open] fn completed(&mut self) -> bool { pearlite! { self.resolve() && self@ == Seq::EMPTY } diff --git a/creusot-contracts/src/stubs.rs b/creusot-contracts/src/stubs.rs index dacfcf1604..af1e7a3868 100644 --- a/creusot-contracts/src/stubs.rs +++ b/creusot-contracts/src/stubs.rs 
@@ -58,8 +58,8 @@ pub fn variant_check(_: R) -> Box< pub fn closure_result(_: R, _: R) {} #[creusot::no_translate] -#[rustc_diagnostic_item = "ghost_from_fn"] -pub fn ghost_from_fn crate::Ghost>(_: F) -> crate::Ghost { +#[rustc_diagnostic_item = "snapshot_from_fn"] +pub fn snapshot_from_fn crate::Snapshot>(_: F) -> crate::Snapshot { panic!() } diff --git a/creusot-contracts/src/util.rs b/creusot-contracts/src/util.rs index a719a9cb15..da7ea0126d 100644 --- a/creusot-contracts/src/util.rs +++ b/creusot-contracts/src/util.rs @@ -3,14 +3,14 @@ use crate::*; pub type SizedW = Box; pub trait MakeSized { - #[ghost] + #[logic] #[why3::attr = "inline:trivial"] fn make_sized(&self) -> SizedW; } impl MakeSized for T { #[trusted] - #[ghost] + #[logic] #[open(self)] #[ensures(*result == *self)] fn make_sized(&self) -> SizedW { @@ -19,7 +19,7 @@ impl MakeSized for T { } #[allow(unconditional_recursion)] -#[ghost] +#[logic] #[open(self)] #[requires(false)] #[ensures(false)] @@ -28,7 +28,7 @@ pub fn unreachable() -> T { unreachable() } -#[ghost] +#[logic] #[open(self)] #[requires(op != None)] #[ensures(Some(result) == op)] diff --git a/creusot-dev-config/Cargo.toml b/creusot-dev-config/Cargo.toml new file mode 100644 index 0000000000..d736482384 --- /dev/null +++ b/creusot-dev-config/Cargo.toml @@ -0,0 +1,8 @@ +[package] +name = "creusot-dev-config" +version = "0.1.0" +edition = "2021" + +[dependencies] +creusot-setup = { path = "../creusot-setup" } +anyhow = "1.0" diff --git a/creusot-dev-config/src/bin/dev-why3.rs b/creusot-dev-config/src/bin/dev-why3.rs new file mode 100644 index 0000000000..e44d8de62f --- /dev/null +++ b/creusot-dev-config/src/bin/dev-why3.rs @@ -0,0 +1,8 @@ +pub fn main() -> anyhow::Result<()> { + let mut cmd = creusot_dev_config::why3_command()?; + eprintln!("Using Why3 invocation: {:?}", cmd); + let args = std::env::args().skip(1); + cmd.args(args); + cmd.status()?; + Ok(()) +} 
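Review bot: In `dev-why3`'s `main`, `cmd.status()?;` discards the child's `ExitStatus`, so the binary exits 0 even when why3 fails or is killed by a signal, and any script or CI step wrapping it cannot detect the failure. Propagate the status instead: `let status = cmd.status()?; std::process::exit(status.code().unwrap_or(1));`, or return an `anyhow` error when `!status.success()`. Because every argument from `std::env::args()` is forwarded verbatim, a why3 usage error is one of the cases that would otherwise be reported as success.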
diff --git a/creusot-dev-config/src/lib.rs b/creusot-dev-config/src/lib.rs new file mode 100644 index 0000000000..90dba83417 --- /dev/null +++ b/creusot-dev-config/src/lib.rs @@ -0,0 +1,43 @@ +use std::{path::PathBuf, process::Command}; + +/// Helper library encapsulating the logic for looking up creusot's config and +/// calling why3 in development workflows. This is used in particular by the +/// testsuite. + +/// We look for configuration specifying Why3's path and configuration in the +/// following places: +/// - in the .creusot-config directory at the root of the git repo, if it exists +/// - otherwise, in the global config repository used by creusot setup + +pub fn custom_config_dir() -> Option { + let local_config = PathBuf::from("../.creusot-config"); + if local_config.is_dir() { + Some(std::fs::canonicalize(local_config).unwrap()) + } else { + None + } +} + +pub struct Paths { + pub why3: PathBuf, + pub why3_config: Option, +} + +/// Fails if the config could not be loaded +pub fn paths() -> anyhow::Result { + let custom_config_dir = custom_config_dir(); + let paths = creusot_setup::status_for_creusot(&custom_config_dir)?; + Ok(Paths { why3: paths.why3_path, why3_config: paths.why3_config }) +} + +/// Returns a command to invoke why3 (passing it the path to its configuration +/// file if needed). +/// Fails if the config could not be loaded +pub fn why3_command() -> anyhow::Result { + let p = paths()?; + let mut cmd = Command::new(p.why3.clone()); + if let Some(ref config) = p.why3_config { + cmd.arg("-C").arg(config); + } + Ok(cmd) +} diff --git a/creusot-metadata/src/decoder.rs b/creusot-metadata/src/decoder.rs index cf3df46432..24e744a842 100644 --- a/creusot-metadata/src/decoder.rs +++ b/creusot-metadata/src/decoder.rs 
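Review bot: `custom_config_dir` resolves `"../.creusot-config"` against the process's current working directory, while the comment above it promises the `.creusot-config` directory at the root of the git repo; the two only coincide when the caller is launched from a crate directory directly under that root. Anchoring the lookup to the crate, `let local_config = PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("../.creusot-config");`, keeps the result independent of where the test binary or `dev-why3` is started. The `std::fs::canonicalize(local_config).unwrap()` can still panic after `is_dir()` succeeded (for example on a permission error), so `.ok()` or error propagation would be preferable in a helper library. Since the config chosen here determines which executable `why3_command` runs via `Command::new(p.why3.clone())`, a deterministic lookup location also makes it unambiguous which configuration is in effect. Separately, the two leading `///` blocks appear to be outer doc comments that rustdoc attaches to `custom_config_dir`; the crate-level description should use `//!`.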
@@ -34,79 +34,28 @@ impl<'a, 'tcx> MetadataDecoder<'a, 'tcx> { self.file_index_to_file .entry(index) .or_insert_with(|| { - let stable_id = self.file_index_to_stable_id[&index].translate(self.tcx); - self.tcx.cstore_untracked().import_source_files(self.tcx.sess, stable_id.cnum); + let source_file_id = &self.file_index_to_stable_id[&index]; + let source_file_cnum = + self.tcx.stable_crate_id_to_crate_num(source_file_id.stable_crate_id); + + self.tcx.cstore_untracked().import_source_files(self.tcx.sess, source_file_cnum); self.tcx .sess .source_map() - .source_file_by_stable_id(stable_id) + .source_file_by_stable_id(source_file_id.stable_source_file_id) .expect("failed to lookup `SourceFile` in new context") }) .clone() } } -// Both the `CrateNum` and the `DefIndex` of a `DefId` can change in between two -// compilation sessions. We use the `DefPathHash`, which is stable across -// sessions, to map the old `DefId` to the new one. -impl<'a, 'tcx> Decodable> for DefId { - fn decode(d: &mut MetadataDecoder<'a, 'tcx>) -> Self { - let def_path_hash = DefPathHash::decode(d); - d.tcx.def_path_hash_to_def_id(def_path_hash, &mut || panic!("Cannot resolve crate.")) - } -} - -impl<'a, 'tcx> Decodable> for CrateNum { - fn decode(d: &mut MetadataDecoder<'a, 'tcx>) -> CrateNum { - let stable_id = StableCrateId::decode(d); - d.tcx.stable_crate_id_to_crate_num(stable_id) - } -} - -// This impl makes sure that we get a runtime error when we try decode a -// `DefIndex` that is not contained in a `DefId`. Such a case would be problematic -// because we would not know how to transform the `DefIndex` to the current -// context. 
-impl<'a, 'tcx> Decodable> for DefIndex { - fn decode(_: &mut MetadataDecoder<'a, 'tcx>) -> DefIndex { - panic!("trying to decode `DefIndex` outside the context of a `DefId`") - } -} - -impl<'a, 'tcx> Decodable> for SyntaxContext { - fn decode(decoder: &mut MetadataDecoder<'a, 'tcx>) -> Self { - let syntax_contexts = decoder.syntax_contexts; - rustc_span::hygiene::decode_syntax_context(decoder, &decoder.hygiene_context, |this, id| { - // This closure is invoked if we haven't already decoded the data for the `SyntaxContext` we are deserializing. - // We look up the position of the associated `SyntaxData` and decode it. - let pos = syntax_contexts.get(&id).unwrap(); - this.with_position(pos.to_usize(), |decoder| SyntaxContextData::decode(decoder)) - }) - } -} - -impl<'a, 'tcx> Decodable> for ExpnId { - fn decode(decoder: &mut MetadataDecoder<'a, 'tcx>) -> Self { - let stable_id = StableCrateId::decode(decoder); - let cnum = decoder.tcx.stable_crate_id_to_crate_num(stable_id); - let index = u32::decode(decoder); - - let expn_id = rustc_span::hygiene::decode_expn_id(cnum, index, |_| { - let pos = decoder.expn_data.get(&(stable_id, index)).unwrap(); - decoder.with_position(pos.to_usize(), |decoder| { - let data = ExpnData::decode(decoder); - let hash = ExpnHash::decode(decoder); - (data, hash) - }) - }); - expn_id - } -} +implement_ty_decoder!(MetadataDecoder<'a, 'tcx>); -impl<'a, 'tcx> Decodable> for Span { - fn decode(decoder: &mut MetadataDecoder<'a, 'tcx>) -> Self { - let ctxt = SyntaxContext::decode(decoder); - let tag: u8 = Decodable::decode(decoder); +use rustc_span::{AttrId, SpanDecoder}; +impl SpanDecoder for MetadataDecoder<'_, '_> { + fn decode_span(&mut self) -> Span { + let ctxt = SyntaxContext::decode(self); + let tag: u8 = Decodable::decode(self); if tag == TAG_PARTIAL_SPAN { return DUMMY_SP.with_ctxt(ctxt); 
@@ -114,49 +63,89 @@ impl<'a, 'tcx> Decodable> for Span { debug_assert!(tag == TAG_FULL_SPAN); - let source_file_index = SourceFileIndex::decode(decoder); - let lo = BytePos::decode(decoder); - let len = BytePos::decode(decoder); + let source_file_index = SourceFileIndex::decode(self); + + let lo = BytePos::decode(self); + let len = BytePos::decode(self); - let file = decoder.file_index_to_file(source_file_index); + let file = self.file_index_to_file(source_file_index); let lo = file.start_pos + lo; let hi = lo + len; Span::new(lo, hi, ctxt, None) } -} -// copy&paste impl from rustc_metadata -impl<'a, 'tcx> Decodable> for Symbol { - fn decode(d: &mut MetadataDecoder<'a, 'tcx>) -> Self { - let tag = d.read_u8(); + fn decode_symbol(&mut self) -> Symbol { + let tag = self.read_u8(); match tag { SYMBOL_STR => { - let s = d.read_str(); + let s = self.read_str(); Symbol::intern(s) } SYMBOL_OFFSET => { // read str offset - let pos = d.read_usize(); + let pos = self.read_usize(); // move to str ofset and read - let sym = d.opaque.with_position(pos, |d| { + let sym = self.opaque.with_position(pos, |d| { let s = d.read_str(); Symbol::intern(s) }); sym } SYMBOL_PREINTERNED => { - let symbol_index = d.read_u32(); + let symbol_index = self.read_u32(); Symbol::new_from_decoded(symbol_index) } _ => unreachable!(), } } -} -implement_ty_decoder!(MetadataDecoder<'a, 'tcx>); + fn decode_expn_id(&mut self) -> ExpnId { + let stable_id = StableCrateId::decode(self); + let cnum = self.tcx.stable_crate_id_to_crate_num(stable_id); + let index = u32::decode(self); + + let expn_id = rustc_span::hygiene::decode_expn_id(cnum, index, |_| { + let pos = self.expn_data.get(&(stable_id, index)).unwrap(); + self.with_position(pos.to_usize(), |decoder| { + let data = ExpnData::decode(decoder); + let hash = ExpnHash::decode(decoder); + (data, hash) + }) + }); + expn_id + } + fn decode_syntax_context(&mut self) -> SyntaxContext { + let syntax_contexts = self.syntax_contexts; + 
rustc_span::hygiene::decode_syntax_context(self, &self.hygiene_context, |this, id| { + // This closure is invoked if we haven't already decoded the data for the `SyntaxContext` we are deserializing. + // We look up the position of the associated `SyntaxData` and decode it. + let pos = syntax_contexts.get(&id).unwrap(); + this.with_position(pos.to_usize(), |decoder| SyntaxContextData::decode(decoder)) + }) + } + fn decode_crate_num(&mut self) -> CrateNum { + let stable_id = StableCrateId::decode(self); + self.tcx.stable_crate_id_to_crate_num(stable_id) + } + fn decode_def_index(&mut self) -> DefIndex { + panic!("trying to decode `DefIndex` outside the context of a `DefId`") + } + + // Both the `CrateNum` and the `DefIndex` of a `DefId` can change in between two + // compilation sessions. We use the `DefPathHash`, which is stable across + // sessions, to map the old `DefId` to the new one. + fn decode_def_id(&mut self) -> DefId { + let def_path_hash = DefPathHash::decode(self); + self.tcx.def_path_hash_to_def_id(def_path_hash, &mut || panic!("Cannot resolve crate.")) + } + + fn decode_attr_id(&mut self) -> AttrId { + todo!() + } +} impl<'a, 'tcx> TyDecoder for MetadataDecoder<'a, 'tcx> { // Whether crate-local information can be cleared while encoding diff --git a/creusot-metadata/src/encoder.rs b/creusot-metadata/src/encoder.rs index cd58464fd7..244da48563 100644 --- a/creusot-metadata/src/encoder.rs +++ b/creusot-metadata/src/encoder.rs @@ -16,7 +16,11 @@ use rustc_span::{ hygiene::{raw_encode_syntax_context, HygieneEncodeContext}, ExpnId, SourceFile, Span, Symbol, SyntaxContext, }; -use std::{collections::hash_map::Entry, io::Error, path::Path}; +use std::{ + collections::hash_map::Entry, + io::Error, + path::{Path, PathBuf}, +}; pub struct MetadataEncoder<'a, 'tcx> { tcx: TyCtxt<'tcx>, 
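Review bot: `decode_attr_id` is left as `todo!()`, so any metadata that reaches it dies with the generic "not yet implemented" message, whereas the sibling `decode_def_index` shows the intended pattern for an unsupported case. If `AttrId`s are never written by this encoder (the `SpanEncoder` impl in this commit has no attr-id method, and attribute ids are session-local), make that an explicit invariant: `panic!("trying to decode AttrId from creusot metadata; AttrIds are never encoded")`. A one-line comment above it saying why no real implementation is possible would save the next reader from trying to fill it in.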
@@ -29,7 +33,7 @@ pub struct MetadataEncoder<'a, 'tcx> { } impl<'a, 'tcx> MetadataEncoder<'a, 'tcx> { - pub fn finish(self) -> Result { + pub fn finish(mut self) -> Result { self.opaque.finish() } 
@@ -68,88 +72,71 @@ impl<'a, 'tcx> Encoder for MetadataEncoder<'a, 'tcx> { } } -impl<'a, 'tcx> Encodable> for DefId { - fn encode(&self, s: &mut MetadataEncoder<'a, 'tcx>) { - s.tcx.def_path_hash(*self).encode(s) - } -} - -impl<'a, 'tcx> Encodable> for CrateNum { - fn encode(&self, s: &mut MetadataEncoder<'a, 'tcx>) { - s.tcx.stable_crate_id(*self).encode(s) - } -} - -impl<'a, 'tcx> Encodable> for DefIndex { - fn encode(&self, _: &mut MetadataEncoder<'a, 'tcx>) { - panic!("encoding `DefIndex` without context"); - } -} - -impl<'a, 'tcx> Encodable> for SyntaxContext { - fn encode(&self, s: &mut MetadataEncoder<'a, 'tcx>) { - raw_encode_syntax_context(*self, &s.hygiene_context, s); - } -} - -impl<'a, 'tcx> Encodable> for ExpnId { - fn encode(&self, s: &mut MetadataEncoder<'a, 'tcx>) { - s.hygiene_context.schedule_expn_data_for_encoding(*self); - self.krate.encode(s); - self.local_id.as_u32().encode(s); - } -} - -impl<'a, 'tcx> Encodable> for Span { - fn encode(&self, s: &mut MetadataEncoder<'a, 'tcx>) { - let span = self.data(); - span.ctxt.encode(s); +use rustc_span::SpanEncoder; +impl SpanEncoder for MetadataEncoder<'_, '_> { + fn encode_span(&mut self, span: Span) { + let span = span.data(); + span.ctxt.encode(self); if span.is_dummy() { - return TAG_PARTIAL_SPAN.encode(s); + return TAG_PARTIAL_SPAN.encode(self); } - let source_file = s.tcx.sess().source_map().lookup_source_file(span.lo); + let source_file = self.tcx.sess().source_map().lookup_source_file(span.lo); if !source_file.contains(span.hi) { // Unfortunately, macro expansion still sometimes generates Spans // that malformed in this way. 
- return TAG_PARTIAL_SPAN.encode(s); + return TAG_PARTIAL_SPAN.encode(self); } let lo = span.lo - source_file.start_pos; let len = span.hi - span.lo; - let source_file_index = s.source_file_index(source_file); + let source_file_index = self.source_file_index(source_file); - TAG_FULL_SPAN.encode(s); - source_file_index.encode(s); - lo.encode(s); - len.encode(s); + TAG_FULL_SPAN.encode(self); + source_file_index.encode(self); + lo.encode(self); + len.encode(self); } -} - -impl<'a, 'tcx> Encodable> for Symbol { - fn encode(&self, s: &mut MetadataEncoder<'a, 'tcx>) { + fn encode_symbol(&mut self, sym: Symbol) { // if symbol preinterned, emit tag and symbol index - if self.is_preinterned() { - s.opaque.emit_u8(SYMBOL_PREINTERNED); - s.opaque.emit_u32(self.as_u32()); + if sym.is_preinterned() { + self.opaque.emit_u8(SYMBOL_PREINTERNED); + self.opaque.emit_u32(sym.as_u32()); } else { // otherwise write it as string or as offset to it - match s.symbol_table.entry(*self) { + match self.symbol_table.entry(sym) { Entry::Vacant(o) => { - s.opaque.emit_u8(SYMBOL_STR); - let pos = s.opaque.position(); + self.opaque.emit_u8(SYMBOL_STR); + let pos = self.opaque.position(); o.insert(pos); - s.emit_str(self.as_str()); + self.emit_str(sym.as_str()); } Entry::Occupied(o) => { let x = *o.get(); - s.emit_u8(SYMBOL_OFFSET); - s.emit_usize(x); + self.emit_u8(SYMBOL_OFFSET); + self.emit_usize(x); } } } } + fn encode_expn_id(&mut self, eid: ExpnId) { + self.hygiene_context.schedule_expn_data_for_encoding(eid); + eid.krate.encode(self); + eid.local_id.as_u32().encode(self); + } + fn encode_syntax_context(&mut self, ctx: SyntaxContext) { + raw_encode_syntax_context(ctx, &self.hygiene_context, self); + } + fn encode_crate_num(&mut self, cnum: CrateNum) { + self.tcx.stable_crate_id(cnum).encode(self) + } + fn encode_def_index(&mut self, _: DefIndex) { + panic!("encoding `DefIndex` without context"); + } + fn encode_def_id(&mut self, id: DefId) { + self.tcx.def_path_hash(id).encode(self) + } } 
impl<'a, 'tcx> TyEncoder for MetadataEncoder<'a, 'tcx> { 
@@ -179,19 +166,58 @@ pub fn encode_metadata<'tcx, T: for<'a> Encodable>>( tcx: TyCtxt<'tcx>, path: &Path, x: T, -) -> Result<(), Error> { +) -> Result<(), (PathBuf, Error)> { let (file_to_file_index, file_index_to_stable_id) = { let files = tcx.sess.source_map().files(); let mut file_to_file_index = FxHashMap::with_capacity_and_hasher(files.len(), Default::default()); let mut file_index_to_stable_id = FxHashMap::with_capacity_and_hasher(files.len(), Default::default()); - + use rustc_span::def_id::LOCAL_CRATE; + let source_map = tcx.sess.source_map(); + let working_directory = &tcx.sess.opts.working_dir; + let local_crate_stable_id = tcx.stable_crate_id(LOCAL_CRATE); + + // This portion of the code is adapted from the rustc metadata encoder, while the rest of + // the code in this file is based off the rustc incremental cache encoder. + // + // Probably we should refactor the code to be exclusively based on the metadata encoder for (index, file) in files.iter().enumerate() { let index = SourceFileIndex(index as u32); let file_ptr: *const SourceFile = &**file as *const _; file_to_file_index.insert(file_ptr, index); - let source_file_id = EncodedSourceFileId::new(tcx, &file); + + let mut adapted_source_file = (**file).clone(); + if adapted_source_file.cnum == LOCAL_CRATE { + use rustc_span::FileName; + match file.name { + FileName::Real(ref original_file_name) => { + let adapted_file_name = if tcx.sess.should_prefer_remapped_for_codegen() { + source_map.path_mapping().to_embeddable_absolute_path( + original_file_name.clone(), + working_directory, + ) + } else { + source_map.path_mapping().to_local_embeddable_absolute_path( + original_file_name.clone(), + working_directory, + ) + }; + + adapted_source_file.name = FileName::Real(adapted_file_name); + } + _ => { + // expanded code, not from a file + } + }; + use rustc_span::StableSourceFileId; + adapted_source_file.stable_id = StableSourceFileId::from_filename_for_export( + &adapted_source_file.name, + 
local_crate_stable_id, + ); + } + + let source_file_id = EncodedSourceFileId::new(tcx, &adapted_source_file); file_index_to_stable_id.insert(index, source_file_id); } @@ -202,7 +228,7 @@ pub fn encode_metadata<'tcx, T: for<'a> Encodable>>( let mut encoder = MetadataEncoder { tcx, - opaque: FileEncoder::new(path)?, + opaque: FileEncoder::new(path).unwrap(), type_shorthands: Default::default(), predicate_shorthands: Default::default(), hygiene_context: &hygiene_context, diff --git a/creusot-metadata/src/lib.rs b/creusot-metadata/src/lib.rs index d062575960..e20e08e328 100644 --- a/creusot-metadata/src/lib.rs +++ b/creusot-metadata/src/lib.rs @@ -26,19 +26,12 @@ mod encoder; pub use decoder::decode_metadata; pub use encoder::encode_metadata; -use rustc_data_structures::{ - fx::FxHashMap, - stable_hasher::{Hash64, StableHasher}, -}; +use rustc_data_structures::fx::FxHashMap; use rustc_middle::ty::TyCtxt; -use rustc_span::{ - def_id::{StableCrateId, LOCAL_CRATE}, - source_map::StableSourceFileId, - FileName, SourceFile, -}; +use rustc_span::{def_id::StableCrateId, SourceFile, StableSourceFileId}; use std::hash::Hash; -#[derive(Encodable, Decodable, Eq, PartialEq, Hash, Clone, Copy)] +#[derive(Encodable, Decodable, Eq, PartialEq, Hash, Clone, Copy, Debug)] struct SourceFileIndex(u32); #[derive(Encodable, Decodable, Clone, Copy)] 
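Review bot: The `@@ -202,7 +228,7` hunk replaces `FileEncoder::new(path)?` with `.unwrap()`, so an I/O failure while creating the metadata file (missing directory, permissions, read-only target) now aborts the compiler with a panic, and the new `(PathBuf, Error)` error type of `encode_metadata` is never produced at the one site in view that performs I/O. Keep it on the `Result` path: `opaque: FileEncoder::new(path).map_err(|e| (path.to_path_buf(), e))?,`. The remainder of `encode_metadata`, including the final `finish()` call, lies outside these hunks; its error should be converted the same way.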
@@ -61,42 +54,16 @@ impl AbsoluteBytePos { /// is the only thing available when decoding the [Footer]. #[derive(Encodable, Decodable, Clone, Debug)] struct EncodedSourceFileId { - file_name_hash: Hash64, + stable_source_file_id: StableSourceFileId, stable_crate_id: StableCrateId, } impl EncodedSourceFileId { - fn translate(&self, tcx: TyCtxt<'_>) -> StableSourceFileId { - let cnum = tcx.stable_crate_id_to_crate_num(self.stable_crate_id); - StableSourceFileId { file_name_hash: self.file_name_hash, cnum } - } - + #[inline] fn new(tcx: TyCtxt<'_>, file: &SourceFile) -> EncodedSourceFileId { - if file.cnum == LOCAL_CRATE { - /* Cf rustc_metadata::rmeta::encode_source_map */ - if let FileName::Real(ref original_file_name) = file.name { - let adapted_file_name = - tcx.sess.source_map().path_mapping().to_embeddable_absolute_path( - original_file_name.clone(), - &tcx.sess.opts.working_dir, - ); - if adapted_file_name != *original_file_name { - let file_name_hash = { - let mut hasher = StableHasher::new(); - FileName::Real(adapted_file_name).hash(&mut hasher); - hasher.finish::<_>() - }; - return EncodedSourceFileId { - file_name_hash, - stable_crate_id: tcx.stable_crate_id(LOCAL_CRATE), - }; - } - } - } - let source_file_id = StableSourceFileId::new(file); EncodedSourceFileId { - file_name_hash: source_file_id.file_name_hash, - stable_crate_id: tcx.stable_crate_id(source_file_id.cnum), + stable_source_file_id: file.stable_id, + stable_crate_id: tcx.stable_crate_id(file.cnum), } } } diff --git a/creusot-rustc/src/main.rs b/creusot-rustc/src/main.rs index 8bdfec745a..bb4d67837b 100644 --- a/creusot-rustc/src/main.rs +++ b/creusot-rustc/src/main.rs @@ -6,7 +6,7 @@ extern crate rustc_interface; extern crate rustc_session; mod options; -use options::{Args, CreusotArgsExt as _}; +use options::CreusotArgsExt as _; #[macro_use] extern crate log; 
@@ -14,13 +14,12 @@ extern crate log; use creusot::callbacks::*; use options::CreusotArgs; use rustc_driver::{RunCompiler, DEFAULT_LOCALE_RESOURCES}; -use rustc_errors::emitter::EmitterWriter; +use rustc_errors::emitter::HumanEmitter; use rustc_interface::interface::try_print_query_stack; -use rustc_session::{config::ErrorOutputType, EarlyErrorHandler}; -use std::{backtrace, env, panic, panic::PanicInfo, process::Command}; +use rustc_session::{config::ErrorOutputType, EarlyDiagCtxt}; +use std::{env, panic, panic::PanicInfo, process::Command}; const BUG_REPORT_URL: &'static str = &"https://github.com/xldenis/creusot/issues/new"; -const WHY3_VERSION: &[&'static str] = &["1", "7", "1"]; lazy_static::lazy_static! { static ref ICE_HOOK: Box) + Sync + Send + 'static> = { @@ -38,10 +37,10 @@ fn report_panic(info: &PanicInfo) { let fallback_bundle = rustc_errors::fallback_fluent_bundle(DEFAULT_LOCALE_RESOURCES.to_vec(), false); - let emitter = Box::new(EmitterWriter::stderr(rustc_errors::ColorConfig::Auto, fallback_bundle)); - let handler = rustc_errors::Handler::with_emitter(emitter); + let emitter = Box::new(HumanEmitter::stderr(rustc_errors::ColorConfig::Auto, fallback_bundle)); + let handler = rustc_errors::DiagCtxt::with_emitter(emitter); - let mut diagnostic = handler.struct_note_without_error("Creusot has panic-ed!"); + let mut diagnostic = handler.struct_note("Creusot has panic-ed!"); diagnostic.note("Oops, that shouldn't have happened, sorry about that."); diagnostic.note(format!("Please report this bug over here: {}", BUG_REPORT_URL)); @@ -52,7 +51,6 @@ fn report_panic(info: &PanicInfo) { if backtrace { try_print_query_stack(&handler, None, None); - eprintln!("{}", backtrace::Backtrace::capture()); } } 
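Review bot: Dropping `eprintln!("{}", backtrace::Backtrace::capture())` from `report_panic` means the `backtrace` branch now prints only the query stack, so an ICE report filed against `BUG_REPORT_URL` no longer carries a Rust backtrace unless the default panic hook still runs afterwards (not visible here). If the removal is deliberate because `ICE_HOOK` chains to the default hook, a one-line comment such as `// the default hook (still installed) prints the backtrace` would stop the next reader from re-adding it.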
@@ -60,7 +58,7 @@ struct DefaultCallbacks; impl rustc_driver::Callbacks for DefaultCallbacks {} fn main() { - let handler = EarlyErrorHandler::new(ErrorOutputType::default()); + let handler = EarlyDiagCtxt::new(ErrorOutputType::default()); rustc_driver::init_rustc_env_logger(&handler); env_logger::init(); lazy_static::initialize(&ICE_HOOK); @@ -80,25 +78,11 @@ fn setup_plugin() { let creusot: CreusotArgs = if is_wrapper { serde_json::from_str(&std::env::var("CREUSOT_ARGS").unwrap()).unwrap() } else { - let all_args = Args::parse_from(&args); - args = all_args.rust_flags; - all_args.creusot + let mut all_args = CreusotArgs::parse_from(&args); + args = std::mem::take(&mut all_args.rust_flags); + all_args }; - if creusot.check_why3 { - if let Some(why3_vers) = why3_version() { - let parts: Vec<_> = why3_vers.split(|c| c == '.' || c == '+').collect(); - if &parts[..2] < WHY3_VERSION { - emit_warning(format!( - "the recommended version of why3 is at least {} (installed: {why3_vers})", - WHY3_VERSION.join(".") - )); - } - } else { - emit_warning("could not determine installed why3 version".to_string()); - } - } - let sysroot = sysroot_path(); args.push(format!("--sysroot={}", sysroot)); @@ -123,6 +107,7 @@ fn setup_plugin() { args.push("-Zcrate-attr=feature(rustc_attrs)".to_owned()); args.push("-Zcrate-attr=feature(unsized_fn_params)".to_owned()); args.push("--allow=internal_features".to_owned()); + args.push("-Zdump-mir=speccleanup".to_owned()); args.extend(["--cfg", "creusot"].into_iter().map(str::to_owned)); debug!("creusot args={:?}", args); 
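Review bot: `args.push("-Zdump-mir=speccleanup".to_owned())` in `setup_plugin` enables MIR dumping unconditionally for every crate compiled through `creusot-rustc`, which writes a `mir_dump/` tree into the working directory of each build (dependencies included when driven by cargo) and slows compilation; it reads like a debugging flag that was not meant to ship. Either drop the line or gate it on an explicit switch, e.g. `if std::env::var_os("CREUSOT_DUMP_MIR").is_some() { args.push("-Zdump-mir=speccleanup".to_owned()); }`, and if it stays, add a comment saying what the `speccleanup` dump is for. `setup_plugin` continues past this hunk.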
@@ -149,22 +134,11 @@ fn sysroot_path() -> String { String::from_utf8(output.stdout).unwrap().trim().to_owned() } -fn why3_version() -> Option { - let output = Command::new("why3").arg("--version").output().ok()?; - - let version = String::from_utf8(output.stdout).ok()?; - if version.trim().starts_with("Why3 platform, version ") { - Some(version.trim()[23..].to_owned()) - } else { - None - } -} - -fn emit_warning(text: String) { +fn _emit_warning(text: String) { let fallback_bundle = rustc_errors::fallback_fluent_bundle(DEFAULT_LOCALE_RESOURCES.to_vec(), false); - let emitter = Box::new(EmitterWriter::stderr(rustc_errors::ColorConfig::Auto, fallback_bundle)); - let handler = rustc_errors::Handler::with_emitter(emitter); + let emitter = Box::new(HumanEmitter::stderr(rustc_errors::ColorConfig::Auto, fallback_bundle)); + let handler = rustc_errors::DiagCtxt::with_emitter(emitter); handler.warn(text); } diff --git a/creusot-rustc/src/options.rs b/creusot-rustc/src/options.rs index 4add35c947..8dd3371737 100644 --- a/creusot-rustc/src/options.rs +++ b/creusot-rustc/src/options.rs 
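Review bot: Renaming `emit_warning` to `_emit_warning` keeps a dead function (its only caller, the why3 version check, is deleted in the same commit) purely to silence the unused-function warning. Either remove it, since `creusot setup` now owns version checking, or keep the original name with `#[allow(dead_code)] // kept for future driver-level warnings` so the reason is recorded rather than hidden behind an underscore.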
@@ -1,34 +1,39 @@ use creusot::options::{self, Options, OutputFile}; pub use creusot_args::options::*; +use std::path::PathBuf; pub trait CreusotArgsExt { fn to_options(self) -> Options; } -fn why3_command(cmd: CreusotSubCommand) -> options::Why3Command { +fn why3_command( + path: PathBuf, + config_file: Option, + cmd: CreusotSubCommand, +) -> options::Why3Command { let CreusotSubCommand::Why3 { command, args, .. } = cmd; let sub = match command { Why3SubCommand::Prove => options::Why3Sub::Prove, Why3SubCommand::Ide => options::Why3Sub::Ide, Why3SubCommand::Replay => options::Why3Sub::Replay, }; - options::Why3Command { sub, args } + options::Why3Command { path, config_file, sub, args } } impl CreusotArgsExt for CreusotArgs { fn to_options(self) -> Options { - let metadata_path = self.metadata_path; - let extern_paths = self.extern_paths.into_iter().collect(); + let metadata_path = self.options.metadata_path; + let extern_paths = self.options.extern_paths.into_iter().collect(); let cargo_creusot = std::env::var("CARGO_CREUSOT").is_ok(); let should_output = !cargo_creusot || std::env::var("CARGO_PRIMARY_PACKAGE").is_ok(); - let output_file = match (self.stdout, self.output_file) { + let output_file = match (self.options.stdout, self.options.output_file) { (true, _) => Some(OutputFile::Stdout), (_, Some(f)) => Some(OutputFile::File(f)), _ => None, }; - let span_mode = match self.span_mode { + let span_mode = match self.options.span_mode { SpanMode::Relative => options::SpanMode::Relative, SpanMode::Absolute => options::SpanMode::Absolute, SpanMode::Off => options::SpanMode::Off, 
@@ -37,14 +42,17 @@ impl CreusotArgsExt for CreusotArgs { Options { extern_paths, metadata_path, - export_metadata: self.export_metadata, + export_metadata: self.options.export_metadata, should_output, output_file, in_cargo: cargo_creusot, - span_mode: span_mode, - match_str: self.focus_on, - simple_triggers: self.simple_triggers, - why3_cmd: self.subcommand.map(why3_command), + span_mode, + root_path_relative_from_output: self.options.root_path_relative_from_output, + match_str: self.options.focus_on, + simple_triggers: self.options.simple_triggers, + why3_cmd: self + .subcommand + .map(|cmd| why3_command(self.why3_path, self.why3_config_file, cmd)), } } } diff --git a/creusot-setup/Cargo.toml b/creusot-setup/Cargo.toml new file mode 100644 index 0000000000..839a8ffdef --- /dev/null +++ b/creusot-setup/Cargo.toml @@ -0,0 +1,16 @@ +[package] +name = "creusot-setup" +version = "0.1.0" +edition = "2021" + +[dependencies] +creusot-args = {path = "../creusot-args"} +serde = { version = "1.0", features = ["derive"] } +toml = { version = "0.5.8", features = ["preserve_order"] } +directories = "5.0" +which = "6.0" +anyhow = "1.0" +reqwest = { version = "0.11", features = ["blocking"] } +zip = "0.6" +hex = "0.4" +sha2 = "0.10" diff --git a/creusot-setup/src/config.rs b/creusot-setup/src/config.rs new file mode 100644 index 0000000000..f0207cedf8 --- /dev/null +++ b/creusot-setup/src/config.rs 
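Review bot: This manifest adds `reqwest`, `zip`, `sha2` and `hex`, i.e. `creusot-setup` will download and unpack solver binaries itself; the code doing so (`tools.rs`, `tools_versions_urls.rs`) is not in this view, so this is a checklist rather than a finding. Each download should be verified against a SHA-256 digest pinned in source before anything is written under the data or bin directory, the extractor should reject zip entries whose path is absolute or contains `..` (zip-slip), and the URLs should be https only. A short comment in `lib.rs` pointing at where those checks live would make the installer easy to audit.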
@@ -0,0 +1,112 @@ +use serde::{Deserialize, Serialize}; +use std::{ + fmt, fs, + path::{Path, PathBuf}, +}; + +// identifies a version of the config file. +// the goal is to avoid silently mis-interpreting a past or future version of +// the config file whenever its format changes. +pub const CURRENT_CONFIG_VERSION: i64 = 1; + +// bump CURRENT_CONFIG_VERSION if you change this definition +#[derive(Serialize, Deserialize)] +#[serde(tag = "mode")] +pub enum ToolsConfig { + #[serde(rename = "managed")] + Managed { + why3_path: PathBuf, + altergo_path: PathBuf, + z3: String, // version + cvc4: String, // version + cvc5: String, // version + }, + #[serde(rename = "external")] + External { why3_path: PathBuf, altergo_path: PathBuf }, +} + +// bump CURRENT_CONFIG_VERSION if you change this definition +#[derive(Serialize, Deserialize)] +pub struct Config { + pub tools: ToolsConfig, +} + +pub enum Error { + NotFound, + Invalid(String), + WrongVersion(i64), +} + +fn get_config_version(cfg: &toml::Value) -> Result { + cfg.get("version") + .ok_or("'version' field not found".to_string())? 
+ .as_integer() + .ok_or("'version' is not an integer".to_string()) +} + +impl Config { + pub fn read_from_file(p: &Path) -> Result { + if !p.is_file() { + return Err(Error::NotFound); + }; + let s = match fs::read_to_string(p) { + Err(e) => return Err(Error::Invalid(e.to_string())), + Ok(s) => s, + }; + let toml: toml::Value = match toml::from_str(&s) { + Err(e) => return Err(Error::Invalid(e.to_string())), + Ok(config) => config, + }; + let version = match get_config_version(&toml) { + Err(e) => return Err(Error::Invalid(e)), + Ok(v) => v, + }; + if version != CURRENT_CONFIG_VERSION { + return Err(Error::WrongVersion(version)); + } + toml.try_into().map_err(|e| Error::Invalid(e.to_string())) + } + + pub fn write_to_file(&self, p: &Path) -> anyhow::Result<()> { + let mut toml = toml::Value::try_from(self)?; + let tbl = toml.as_table_mut().unwrap(); + tbl.insert("version".to_owned(), toml::Value::Integer(CURRENT_CONFIG_VERSION)); + fs::write(p, &toml::to_string(&toml)?)?; + Ok(()) + } +} + +impl fmt::Display for ToolsConfig { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + match self { + ToolsConfig::Managed { why3_path, altergo_path, z3, cvc4, cvc5 } => { + writeln!(f, "mode: managed")?; + writeln!(f, "Path to Why3: {}", why3_path.display())?; + writeln!(f, "Path to Alt-Ergo: {}", altergo_path.display())?; + writeln!(f, "Z3 version: {z3}")?; + writeln!(f, "CVC4 version: {cvc4}")?; + writeln!(f, "CVC5 version: {cvc5}") + } + ToolsConfig::External { why3_path, altergo_path } => { + writeln!(f, "mode: external")?; + writeln!(f, "Path to Why3: {}", why3_path.display())?; + writeln!(f, "Path to Alt-Ergo: {}", altergo_path.display()) + } + } + } +} + +impl fmt::Display for Error { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + match self { + Error::NotFound => write!(f, "No existing Creusot configuration found."), + Error::Invalid(reason) => write!(f, "Invalid Creusot configuration found: {reason}."), + Error::WrongVersion(v) => write!( + 
f, + "Existing Creusot configuration found, \ + but with a different version than expected ({v}, \ + expected {CURRENT_CONFIG_VERSION})." + ), + } + } +} diff --git a/creusot-setup/src/lib.rs b/creusot-setup/src/lib.rs new file mode 100644 index 0000000000..ebef8fd04a --- /dev/null +++ b/creusot-setup/src/lib.rs 
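Review bot: `write_to_file` writes the config with a single `fs::write` straight onto the final path, so an interrupted run leaves a truncated `Config.toml` that `read_from_file` then reports as `Invalid` instead of `NotFound`, hiding the "run setup install" hint. Writing to a sibling temp file and renaming keeps the file either old or complete: `let tmp = p.with_extension("toml.tmp"); fs::write(&tmp, toml::to_string(&toml)?)?; fs::rename(&tmp, p)?;`. It also assumes the parent directory exists; if the caller does not `create_dir_all` first (not visible here), a `.with_context(|| format!("writing {}", p.display()))` would at least name the path in the error. `Error` implements `Display` but neither `Debug` nor `std::error::Error`, so callers cannot propagate it with `?` into `anyhow`; deriving `Debug` and adding `impl std::error::Error for Error {}` fixes that.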
@@ -0,0 +1,326 @@ +use anyhow::{anyhow, bail, Context}; +use directories::ProjectDirs; +use std::{ + fmt, fs, + path::{Path, PathBuf}, +}; + +mod config; +mod tools; +mod tools_versions_urls; +use config::{Error::*, *}; +use tools::*; +use tools_versions_urls::*; +use ToolsConfig::*; + +// CAUTION: on MacOS, [config_dir] and [data_dir] are in fact the same directory +struct CfgPaths { + config_dir: PathBuf, + config_file: PathBuf, + why3_config_file: PathBuf, + data_dir: PathBuf, + bin_subdir: PathBuf, + cache_dir: PathBuf, +} + +fn get_config_paths(custom_config_dir: &Option) -> anyhow::Result { + // arguments: qualifier, organization, application + let dirs = ProjectDirs::from("", "creusot", "creusot") + .context("failed to compute configuration paths")?; + let config_dir = match custom_config_dir { + Some(dir) => dir, + None => dirs.config_dir(), + }; + Ok(CfgPaths { + config_dir: PathBuf::from(config_dir), + config_file: config_dir.join("Config.toml"), + why3_config_file: config_dir.join("why3.conf"), + data_dir: PathBuf::from(dirs.data_dir()), + bin_subdir: dirs.data_dir().join("bin"), + cache_dir: PathBuf::from(dirs.cache_dir()), + }) +} + +// helpers for diagnostics of a creusot installation. +// used by the implementation of the various subcommands. +struct Issue { + tool: String, + cur_version: Option, + expected_version: String, +} + +impl fmt::Display for Issue { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + let Issue { tool, cur_version, expected_version } = self; + write!( + f, + "{tool} has version {}, but version {expected_version} is expected", + cur_version.as_deref().unwrap_or("(not detected)") + ) + } +} + +fn diagnostic_config(config: &Config) -> Vec { + let mut issues: Vec = Vec::new(); + + // check versions of the external binaries registered in the config (binary + // --version vs expected version) + let extbins = match &config.tools { + Managed { why3_path, altergo_path, .. 
} => [(WHY3, why3_path), (ALTERGO, altergo_path)], + External { why3_path, altergo_path, .. } => [(WHY3, why3_path), (ALTERGO, altergo_path)], + }; + for (bin, path) in extbins { + if let DetectedVersion::Bad(ver) = detect_binary_version(&bin, &path) { + issues.push(Issue { + tool: bin.display_name.to_owned(), + cur_version: ver, + expected_version: bin.version.to_owned(), + }) + } + } + + // check versions of the managed binaries (version in the config file vs expected version) + if let Config { tools: Managed { z3, cvc4, cvc5, .. } } = &config { + for (cur_version, bin) in [(z3, Z3), (cvc4, CVC4), (cvc5, CVC5)] { + if cur_version != bin.version { + issues.push(Issue { + tool: bin.display_name.to_owned(), + cur_version: Some(cur_version.to_owned()), + expected_version: bin.version.to_owned(), + }) + } + } + }; + + issues +} + +fn diagnostic_extbinary(bin: ExtBinary, issues: &mut Vec) -> anyhow::Result { + let path = detect_binary_path(&bin).ok_or(anyhow!( + "{} not found. Please install {} version {}", + &bin.display_name, + &bin.display_name, + &bin.version + ))?; + println!("Found {} at path: {}", &bin.display_name, &path.display()); + if let DetectedVersion::Bad(ver) = detect_binary_version(&bin, &path) { + issues.push(Issue { + tool: bin.display_name.to_owned(), + cur_version: ver, + expected_version: bin.version.to_owned(), + }) + } + Ok(path) +} + +// display the status of the creusot installation to the user +pub fn status(custom_config_dir: &Option) -> anyhow::Result<()> { + let paths = get_config_paths(custom_config_dir)?; + match Config::read_from_file(&paths.config_file) { + Err(err) => { + println!("{err}"); + println!( + "Hint: run 'cargo creusot setup install' to setup Creusot,\n\ + or run 'cargo creusot setup' for more information." + ); + } + Ok(cfg) => { + println!("Creusot installation found."); + print!("{}", cfg.tools); + let issues = diagnostic_config(&cfg); + if !issues.is_empty() { + let severity = match cfg.tools { + External { .. 
} => "Warning", + Managed { .. } => "Error", + }; + println!(""); + for issue in &issues { + println!("{severity}: {issue}") + } + if let Managed { .. } = cfg.tools { + println!( + "Hint: for tools installed by Creusot, \ + re-run 'cargo creusot setup install' \n\ + to upgrade them to the expected version." + ) + } + } + } + }; + Ok(()) +} + +pub struct CreusotFlags { + pub why3_path: PathBuf, + pub why3_config: Option, +} + +/// compute the flags to pass to creusot-rustc. +/// fail if the installation is not in an acceptable state, which means we will +/// stop there and do not attempt launching creusot-rustc. +pub fn status_for_creusot(custom_config_dir: &Option) -> anyhow::Result { + let paths = get_config_paths(custom_config_dir)?; + match Config::read_from_file(&paths.config_file) { + Err(err) => bail!( + "{err}\n\ + Please run 'cargo creusot setup' for more information on \ + how to perform Creusot's initial setup." + ), + Ok(cfg) => { + match cfg.tools { + External { why3_path, .. } => + // in external mode we assume that everything is setup correctly + { + Ok(CreusotFlags { why3_path, why3_config: None }) + } + Managed { ref why3_path, .. 
} => { + let issues = diagnostic_config(&cfg); + if !issues.is_empty() { + for issue in &issues { + println!("Error: {issue}") + } + bail!( + "Please run 'cargo creusot setup status' \ + to diagnostic and fix the issue(s)" + ) + } + Ok(CreusotFlags { + why3_path: why3_path.to_path_buf(), + why3_config: Some(paths.why3_config_file), + }) + } + } + } + } +} + +pub enum InstallMode { + Managed, + External { no_resolve_paths: bool }, +} + +pub fn install(custom_config_dir: &Option, mode: InstallMode) -> anyhow::Result<()> { + let paths = get_config_paths(custom_config_dir)?; + + // figure out whether we're installing a new configuration from scratch, or + // updating an existing configuration + let previous_config = match (Config::read_from_file(&paths.config_file), &mode) { + (Err(NotFound), _) => None, + (Err(Invalid(_) | WrongVersion(_)), _) => { + println!("Removing invalid or outdated config..."); + None + } + (Ok(Config { tools: Managed { .. } }), InstallMode::External { .. }) => { + println!( + "Switching to an installation using external tools. \ + Erasing current installation..." + ); + None + } + (Ok(Config { tools: External { .. } }), InstallMode::Managed) => { + println!( + "Switching to an installation using managed tools. \ + Erasing current installation..." + ); + None + } + (Ok(cfg), _) => { + println!("Existing configuration found. 
Updating."); + Some(cfg) + } + }; + + // delete then (re)create the directories we need + if previous_config.is_none() { + let _ = fs::remove_dir_all(&paths.config_dir); + let _ = fs::remove_dir_all(&paths.data_dir); + } + fs::create_dir_all(&paths.config_dir)?; + fs::create_dir_all(&paths.data_dir)?; + fs::create_dir_all(&paths.bin_subdir)?; + fs::create_dir_all(&paths.cache_dir)?; + + match mode { + InstallMode::Managed => install_managed(&paths, previous_config)?, + InstallMode::External { no_resolve_paths } => install_external(&paths, no_resolve_paths)?, + }; + Ok(println!("Done.")) +} + +fn install_external(paths: &CfgPaths, no_resolve_paths: bool) -> anyhow::Result<()> { + // in external mode, upgrades and fresh installs are equivalent: we + // write the paths of external binaries. + let mut issues = Vec::new(); + let why3_path = if no_resolve_paths { + PathBuf::from(WHY3.binary_name) + } else { + diagnostic_extbinary(WHY3, &mut issues)? + }; + let altergo_path = if no_resolve_paths { + PathBuf::from(ALTERGO.binary_name) + } else { + diagnostic_extbinary(ALTERGO, &mut issues)? + }; + // in external mode, only warn about issues + for issue in issues { + println!("Warning: {issue}") + } + let config = Config { tools: External { why3_path, altergo_path } }; + config.write_to_file(&paths.config_file) +} + +fn install_managed(paths: &CfgPaths, previous_config: Option) -> anyhow::Result<()> { + // reread paths to external binaries + let mut issues = Vec::new(); + let why3_path = diagnostic_extbinary(WHY3, &mut issues)?; + let altergo_path = diagnostic_extbinary(ALTERGO, &mut issues)?; + // in managed mode, issues are failures + if !issues.is_empty() { + for issue in issues { + println!("Error: {issue}") + } + bail!("Issues with external binaries.") + } + if let Some(Config { tools: Managed { z3, cvc4, cvc5, .. 
} }) = previous_config { + // we are upgrading an existing configuration + let to_upgrade: Vec<_> = [(z3, Z3), (cvc4, CVC4), (cvc5, CVC5)] + .into_iter() + .filter(|(cur_ver, bin)| cur_ver != bin.version) + .map(|(_, bin)| bin) + .collect(); + managed_download_and_generate_config(paths, &why3_path, &altergo_path, &to_upgrade) + } else { + // otherwise this is a fresh install + managed_download_and_generate_config(paths, &why3_path, &altergo_path, &[Z3, CVC4, CVC5]) + } +} + +// in managed mode, download required binaries, then (re)generate configuration +// files for why3 and creusot +fn managed_download_and_generate_config( + paths: &CfgPaths, + why3_path: &Path, + altergo_path: &Path, + bins: &[Binary], +) -> anyhow::Result<()> { + // download tool binaries + download_all(bins, &paths.cache_dir, &paths.bin_subdir)?; + + // create a symbolic link for alt-ergo so that it why3 picks it up + symlink_file(altergo_path, &paths.bin_subdir.join(ALTERGO.binary_name))?; + + // generate the corresponding .why3.conf + generate_why3_conf(why3_path, &paths.bin_subdir, &paths.why3_config_file)?; + + // write the config file + let config = Config { + tools: Managed { + why3_path: why3_path.to_owned(), + altergo_path: altergo_path.to_owned(), + z3: Z3_VERSION.to_owned(), + cvc4: CVC4_VERSION.to_owned(), + cvc5: CVC5_VERSION.to_owned(), + }, + }; + config.write_to_file(&paths.config_file) +} diff --git a/creusot-setup/src/tools.rs b/creusot-setup/src/tools.rs new file mode 100644 index 0000000000..e01e099656 --- /dev/null +++ b/creusot-setup/src/tools.rs 
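Review bot: `install` recursively deletes `paths.config_dir` and `paths.data_dir` whenever no valid previous config was read, and `config_dir` can be an arbitrary user-supplied path (`get_config_paths` uses `custom_config_dir` verbatim), so pointing the custom config dir at an existing directory that merely lacks `Config.toml` — or whose `Config.toml` is unreadable, since every read error maps to `Error::Invalid` — wipes everything in that directory; the `CfgPaths` comment also notes that on macOS `config_dir` and `data_dir` coincide, so the data-dir wipe removes the config dir too. Delete only the entries Creusot itself writes (`config_file`, `why3_config_file`, `bin_subdir`) and leave the enclosing directories alone; `cache_dir` is already not removed today, so that behaviour is unchanged.
```rust
    // delete then (re)create the directories we need
    if previous_config.is_none() {
        // Only remove what Creusot itself writes: config_dir may be a
        // user-supplied directory, and on macOS it is the same directory as
        // data_dir, so a recursive delete would take unrelated files with it.
        let _ = fs::remove_file(&paths.config_file);
        let _ = fs::remove_file(&paths.why3_config_file);
        let _ = fs::remove_dir_all(&paths.bin_subdir);
    }
    // … unchanged: create_dir_all calls and InstallMode dispatch …
```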
@@ -0,0 +1,264 @@ +use crate::tools_versions_urls::*; +use anyhow::{anyhow, bail, Context}; +use reqwest::blocking::Client; +use std::{ + fs, + path::{Path, PathBuf}, + process::Command, +}; + +// ---- +// we should only need to update the [Binary] definitions below whenever the +// format of a tool binary releases change (unlikely) + +pub const WHY3: ExtBinary = ExtBinary { + display_name: "Why3", + binary_name: "why3", + version: WHY3_VERSION, + detect_version: detect_why3_version, +}; + +pub const ALTERGO: ExtBinary = ExtBinary { + display_name: "Alt-Ergo", + binary_name: "alt-ergo", + version: ALTERGO_VERSION, + detect_version: detect_altergo_version, +}; + +pub const Z3: Binary = Binary { + display_name: "Z3", + version: Z3_VERSION, + install_as: "z3", + url: &URLS.z3, + download_with: download_z3_from_url, +}; + +pub const CVC4: Binary = Binary { + display_name: "CVC4", + version: CVC4_VERSION, + install_as: "cvc4", + url: &URLS.cvc4, + download_with: download_from_url_with_cache, +}; + +pub const CVC5: Binary = Binary { + display_name: "CVC5", + version: CVC5_VERSION, + install_as: "cvc5", + url: &URLS.cvc5, + download_with: download_from_url_with_cache, +}; + +// ---- + +#[derive(Clone, Copy)] +pub struct Binary { + pub display_name: &'static str, + pub version: &'static str, + install_as: &'static str, + url: &'static Url, + download_with: fn(&Client, &Url, &Path, &Path) -> anyhow::Result<()>, +} + +#[derive(Clone, Copy)] +pub struct ExtBinary { + pub display_name: &'static str, + pub binary_name: &'static str, + pub version: &'static str, + detect_version: fn(&Path) -> Option, +} + +// download a list [Binary]s + +pub fn download_all(bins: &[Binary], cache_dir: &Path, dest_dir: &Path) -> anyhow::Result<()> { + let client = Client::new(); + for bin in bins { + println!("Downloading {} {}...", bin.display_name, bin.version); + let path = dest_dir.join(bin.install_as); + let dl = bin.download_with; + dl(&client, bin.url, cache_dir, &path)?; + 
set_executable(&path)?; + } + Ok(()) +} + +// download helper + +fn sha256sum(file: &Path) -> anyhow::Result { + use sha2::{Digest, Sha256}; + let mut hasher = Sha256::new(); + let mut f = fs::File::open(file).context("opening file to hash")?; + std::io::copy(&mut f, &mut hasher)?; + Ok(hex::encode(hasher.finalize())) +} + +fn download_from_url(client: &Client, url: &Url, dest: &Path) -> anyhow::Result<()> { + const DOWNLOAD_RETRIES: u32 = 1; + let do_download = || -> anyhow::Result<()> { + let mut resp = client.get(url.url).send()?; + let mut file = fs::File::create(dest)?; + resp.copy_to(&mut file)?; + Ok(()) + }; + let mut success = false; + let mut tries: u32 = 0; + while !success && tries <= DOWNLOAD_RETRIES { + if tries > 0 { + eprintln!("Retrying...") + }; + do_download().with_context(|| format!("downloading {} to {}", url.url, dest.display()))?; + let file_hash = sha256sum(dest)?; + if file_hash == url.sha256 { + success = true + } else { + eprintln!("Download failed (wrong hash)"); + let _ = fs::remove_file(dest); + } + tries = tries + 1; + } + if !success { + bail!("Download failed after {DOWNLOAD_RETRIES} retries (wrong hash?)") + }; + Ok(()) +} + +// looks up [cache_dir] to try to find a cached download; if not, stores the +// result of the download in [cache_dir] (using the hash as the filename). +fn download_from_url_with_cache( + client: &Client, + url: &Url, + cache_dir: &Path, + dest: &Path, +) -> anyhow::Result<()> { + let cached_path = cache_dir.join(url.sha256); + if !(cached_path.is_file() && sha256sum(&cached_path)? 
== url.sha256) { + download_from_url(client, url, &cached_path)?; + } + if cached_path != dest { + fs::copy(cached_path, dest)?; + } + Ok(()) +} + +// helpers: external binaries + +pub enum DetectedVersion { + Good, + Bad(Option), +} + +pub fn detect_binary_path(bin: &ExtBinary) -> Option { + use which::which; + which(bin.binary_name).ok() +} + +pub fn detect_binary_version(bin: &ExtBinary, path: &Path) -> DetectedVersion { + let detect_version = bin.detect_version; + match detect_version(&path) { + None => DetectedVersion::Bad(None), + Some(ver) if ver != bin.version => DetectedVersion::Bad(Some(ver)), + Some(_) => DetectedVersion::Good, + } +} + +// helpers: why3 + +fn detect_why3_version(why3: &Path) -> Option { + let output = Command::new(&why3).arg("--version").output().ok()?; + let version_full = String::from_utf8(output.stdout).ok()?; + let version = version_full.strip_prefix("Why3 platform, version "); + version.map(|ver| { + let parts: Vec<_> = ver.split(|c| c == '.' || c == '+').collect(); + String::from(&parts[..3].join(".")) + }) +} + +pub fn generate_why3_conf( + why3_path: &Path, + bin_dir: &Path, + dest_file: &Path, +) -> anyhow::Result<()> { + println!("Generating a fresh why3 configuration..."); + // create or empty the destination file to avoid getting a warning from why3 + // because it doesn't exist + { + let _ = fs::File::create(&dest_file); + } + let status = Command::new(why3_path) + .arg("-C") + .arg(&dest_file) + .args(["config", "detect"]) + .envs([("PATH", bin_dir)]) + .status() + .context("launching 'why3 config detect' on downloaded solvers")?; + if !status.success() { + bail!("failed to generate why3's configuration") + }; + Ok(()) +} + +// helpers: alt-ergo + +fn detect_altergo_version(altergo: &Path) -> Option { + let output = Command::new(&altergo).arg("--version").output().ok()?; + let out_s = String::from_utf8(output.stdout).ok()?; + // will be needed for more recent altergo versions + // 
out_s.trim_end_matches(char::is_whitespace).strip_prefix("v").map(String::from) + Some(out_s.trim_end_matches(char::is_whitespace).to_owned()) +} + +// helpers: Z3 + +// Z3 releases come as a .zip archive that includes many things. We are only +// interested in the z3 binary, so we extract it from the archive and throw away +// the rest. + +fn download_z3_from_url( + client: &Client, + url: &Url, + cache_dir: &Path, + dest: &Path, +) -> anyhow::Result<()> { + use zip::read::ZipArchive; + // just use the zip file stored in the cache + let zip_path = cache_dir.join(url.sha256); + download_from_url_with_cache(client, url, cache_dir, &zip_path)?; + { + // extract the z3 binary from the .zip archive + let zipfile = std::fs::File::open(&zip_path)?; + let mut archive = ZipArchive::new(zipfile)?; + // find out the full path of the z3 binary in the archive + let z3_archive_path = archive + .file_names() + .find(|s| s.ends_with("/bin/z3")) + .map(String::from) + .ok_or(anyhow!("did not find a bin/z3 binary in the z3 release archive"))?; + let mut z3zipfile = archive.by_name(&z3_archive_path)?; + let mut z3file = fs::File::create(&dest)?; + std::io::copy(&mut z3zipfile, &mut z3file)?; + } + Ok(()) +} + +fn set_executable(dest: &Path) -> anyhow::Result<()> { + #[cfg(unix)] + { + use std::os::unix::fs::PermissionsExt; + let mut perms = fs::metadata(&dest)?.permissions(); + perms.set_mode(0o755); + fs::set_permissions(&dest, perms)?; + } + Ok(()) +} + +pub fn symlink_file, Q: AsRef>(original: P, link: Q) -> std::io::Result<()> { + let _ = fs::remove_file(&link); + #[cfg(unix)] + { + std::os::unix::fs::symlink(original, link) + } + #[cfg(windows)] + { + std::os::windows::fs::symlink_file(original, link) + } +} diff --git a/creusot-setup/src/tools_versions_urls.rs b/creusot-setup/src/tools_versions_urls.rs new file mode 100644 index 0000000000..3333a31a14 --- /dev/null +++ b/creusot-setup/src/tools_versions_urls.rs 
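Review bot: `detect_why3_version` slices `&parts[..3]` unconditionally, so a `why3 --version` string with fewer than three `.`/`+`-separated components after the expected prefix panics inside `cargo creusot setup` instead of yielding `DetectedVersion::Bad`; neither it nor `detect_altergo_version` checks `output.status.success()`, so a binary that fails but still prints to stdout is treated as having reported a version. Guard the slice with `if parts.len() < 3 { return None; }` before the join, and add `if !output.status.success() { return None; }` after `.output().ok()?` in both detectors. Separately, `download_from_url` applies `?` to `do_download()` inside the loop, so a transport error aborts on the first attempt and `DOWNLOAD_RETRIES` only covers hash mismatches — either document that in the comment above the loop or move the `?` out so network failures are retried as well.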
@@ -0,0 +1,74 @@ +// "known good" versions and URLs for downloading binary releases + +// NOTE: when ugrading a binary to a newer version: +// - update its [FOO_VERSION] below +// - update its URL in each [URLS] block below +// - update the SHA256 hash for each binary accordingly (use e.g. sha256sum to compute it) + +// tools without binary releases +pub const WHY3_VERSION: &'static str = "1.7.1"; +pub const ALTERGO_VERSION: &'static str = "2.4.3"; +// tools with binary releases +pub const Z3_VERSION: &'static str = "4.12.4"; +pub const CVC4_VERSION: &'static str = "1.8"; +pub const CVC5_VERSION: &'static str = "1.0.5"; + +#[cfg(all(target_os = "linux", target_arch = "x86_64"))] +pub const URLS: Urls = Urls { + z3: Url { + url: "https://github.com/Z3Prover/z3/releases/download/z3-4.12.4/z3-4.12.4-x64-glibc-2.35.zip", + sha256: "e23d3a5670dc83285f581c2610e9cf701bb22db09b5336d85a4df743253b2335", + }, + cvc4: Url { + url: "https://github.com/CVC4/CVC4-archived/releases/download/1.8/cvc4-1.8-x86_64-linux-opt", + sha256: "d38a79cf984592785eda41ec888d94ca107ac1f13058740238041e28c8472e51", + }, + cvc5: Url { + url: "https://github.com/cvc5/cvc5/releases/download/cvc5-1.0.5/cvc5-Linux", + sha256: "57fa94b740e0827f655a731b97dae84fedf86e65fa897c3a56a01a83d283d15e", + } +}; + +#[cfg(all(target_os = "macos", target_arch = "x86_64"))] +pub const URLS: Urls = Urls { + z3: Url { + url: "https://github.com/Z3Prover/z3/releases/download/z3-4.12.4/z3-4.12.4-x64-osx-11.7.10.zip", + sha256: "0e6da979dc6ec501ad878d962802d20aff465ac0c24e4c1234169f3e92a0e6a3", + }, + cvc4: Url { + url: "https://github.com/CVC4/CVC4-archived/releases/download/1.8/cvc4-1.8-macos-opt", + sha256: "b8a0b8714dd947aa46182402d9caba27d3d696041e17704884bc3d8510066527", + }, + cvc5: Url { + url: "https://github.com/cvc5/cvc5/releases/download/cvc5-1.0.5/cvc5-macOS", + sha256: "0e74e40a3db82f3ac4d8ea23308931bedbc6afbcf3ed484b8b000da17c75885c", + } +}; + +#[cfg(all(target_os = "macos", target_arch = "aarch64"))] +pub 
const URLS: Urls = Urls { + z3: Url { + url: "https://github.com/Z3Prover/z3/releases/download/z3-4.12.4/z3-4.12.4-arm64-osx-11.0.zip", + sha256: "ab6798a9a85f406d7db9eb1fe692ff3db78155c509f71d0cae5933f4c47b5a38", + }, + // CVC4 only has a macos x86_64 binary; we rely on rosetta for compatibility + cvc4: Url { + url: "https://github.com/CVC4/CVC4-archived/releases/download/1.8/cvc4-1.8-macos-opt", + sha256: "b8a0b8714dd947aa46182402d9caba27d3d696041e17704884bc3d8510066527", + }, + cvc5: Url { + url: "https://github.com/cvc5/cvc5/releases/download/cvc5-1.0.5/cvc5-macOS-arm64", + sha256: "f1fe16664d88f9549da3df00853b6ddabafa68b1dc1c62d6dad0c0549cf95a33", + } +}; + +pub struct Urls { + pub z3: Url, + pub cvc4: Url, + pub cvc5: Url, +} + +pub struct Url { + pub url: &'static str, + pub sha256: &'static str, +} diff --git a/creusot/Cargo.toml b/creusot/Cargo.toml index 3abae07167..1ccacf37d1 100644 --- a/creusot/Cargo.toml +++ b/creusot/Cargo.toml @@ -36,6 +36,7 @@ termcolor = "1.1" arraydeque = "0.4" creusot-contracts = { path = "../creusot-contracts", features = ["typechecker"] } escargot = { version = "0.5" } +creusot-dev-config = { path = "../creusot-dev-config" } [[test]] name = "ui" harness = false diff --git a/creusot/src/analysis.rs b/creusot/src/analysis.rs index ae5f464433..70f2309d8d 100644 --- a/creusot/src/analysis.rs +++ b/creusot/src/analysis.rs @@ -112,7 +112,7 @@ pub(crate) fn categorize(context: PlaceContext) -> Option { // cross suspension points so this behavior is unproblematic. PlaceContext::MutatingUse(MutatingUseContext::Borrow) | PlaceContext::NonMutatingUse(NonMutatingUseContext::SharedBorrow) | - PlaceContext::NonMutatingUse(NonMutatingUseContext::ShallowBorrow) | + PlaceContext::NonMutatingUse(NonMutatingUseContext::FakeBorrow) | PlaceContext::NonMutatingUse(NonMutatingUseContext::PlaceMention) | PlaceContext::MutatingUse(MutatingUseContext::AddressOf) | PlaceContext::NonMutatingUse(NonMutatingUseContext::AddressOf) | 
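Review bot: The header comment tells whoever upgrades a tool to obtain the SHA256 "using e.g. sha256sum to compute it", which pins whatever file happened to be downloaded at that moment rather than authenticating it, and since these constants are the only integrity check `download_from_url` performs, a tampered download would simply have its tampering pinned. The comment should say where a trustworthy value comes from: `// - update the SHA256 hash from the checksum published with the upstream release (cross-check the release page against a downloaded checksum file); do not just hash a local download`. A one-line note that the three `cfg`-gated `URLS` blocks must be updated together would also help, since a target without a matching block has no `URLS` definition at all.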
diff --git a/creusot/src/analysis/frozen_locals.rs b/creusot/src/analysis/frozen_locals.rs index 3717b458a7..4c3be0ef90 100644 --- a/creusot/src/analysis/frozen_locals.rs +++ b/creusot/src/analysis/frozen_locals.rs @@ -185,7 +185,7 @@ impl<'tcx> dataflow::GenKillAnalysis<'tcx> for Borrows<'_, 'tcx> { fn before_terminator_effect( &mut self, - _trans: &mut impl GenKill, + _trans: &mut Self::Domain, _terminator: &mir::Terminator<'tcx>, _location: Location, ) { @@ -213,7 +213,7 @@ impl<'tcx> dataflow::GenKillAnalysis<'tcx> for Borrows<'_, 'tcx> { fn call_return_effect( &mut self, - _trans: &mut impl GenKill, + _trans: &mut Self::Domain, _block: mir::BasicBlock, _return_places: CallReturnPlaces<'_, 'tcx>, ) { diff --git a/creusot/src/analysis/init_locals.rs b/creusot/src/analysis/init_locals.rs index 06c9656a82..1023597205 100644 --- a/creusot/src/analysis/init_locals.rs +++ b/creusot/src/analysis/init_locals.rs @@ -54,7 +54,7 @@ impl<'tcx> GenKillAnalysis<'tcx> for MaybeInitializedLocals { fn call_return_effect( &mut self, - trans: &mut impl GenKill, + trans: &mut Self::Domain, _block: BasicBlock, return_places: CallReturnPlaces<'_, 'tcx>, ) { @@ -108,7 +108,7 @@ where NonMutatingUseContext::Inspect | NonMutatingUseContext::Copy | NonMutatingUseContext::SharedBorrow - | NonMutatingUseContext::ShallowBorrow + | NonMutatingUseContext::FakeBorrow | NonMutatingUseContext::AddressOf | NonMutatingUseContext::PlaceMention | NonMutatingUseContext::Projection, diff --git a/creusot/src/analysis/liveness_no_drop.rs b/creusot/src/analysis/liveness_no_drop.rs index 0d481cafa3..1f1f9283d3 100644 --- a/creusot/src/analysis/liveness_no_drop.rs +++ b/creusot/src/analysis/liveness_no_drop.rs @@ -55,7 +55,7 @@ impl<'tcx> GenKillAnalysis<'tcx> for MaybeLiveExceptDrop { fn call_return_effect( &mut self, - trans: &mut impl GenKill, + trans: &mut Self::Domain, _block: mir::BasicBlock, return_places: CallReturnPlaces<'_, 'tcx>, ) { 
@@ -186,7 +186,7 @@ impl DefUse { | NonMutatingUseContext::Copy | NonMutatingUseContext::Inspect | NonMutatingUseContext::Move - | NonMutatingUseContext::ShallowBorrow + | NonMutatingUseContext::FakeBorrow | NonMutatingUseContext::SharedBorrow | NonMutatingUseContext::PlaceMention, ) => Some(DefUse::Use), diff --git a/creusot/src/analysis/not_final_places.rs b/creusot/src/analysis/not_final_places.rs index 849c7f6a51..28219cb3e8 100644 --- a/creusot/src/analysis/not_final_places.rs +++ b/creusot/src/analysis/not_final_places.rs @@ -478,7 +478,7 @@ impl<'tcx> GenKillAnalysis<'tcx> for NotFinalPlaces<'tcx> { fn call_return_effect( &mut self, - _trans: &mut impl GenKill, + _trans: &mut Self::Domain, _block: BasicBlock, _return_places: CallReturnPlaces<'_, 'tcx>, ) { @@ -496,7 +496,7 @@ impl<'tcx> GenKillAnalysis<'tcx> for NotFinalPlaces<'tcx> { fn before_terminator_effect( &mut self, - trans: &mut impl GenKill, + trans: &mut Self::Domain, terminator: &mir::Terminator<'tcx>, location: Location, ) { diff --git a/creusot/src/analysis/uninit_locals.rs b/creusot/src/analysis/uninit_locals.rs index 1ef0f8d47d..9cf8e99a70 100644 --- a/creusot/src/analysis/uninit_locals.rs +++ b/creusot/src/analysis/uninit_locals.rs @@ -55,7 +55,7 @@ impl<'tcx> GenKillAnalysis<'tcx> for MaybeUninitializedLocals { fn call_return_effect( &mut self, - trans: &mut impl GenKill, + trans: &mut Self::Domain, _block: BasicBlock, return_places: CallReturnPlaces<'_, 'tcx>, ) { @@ -106,7 +106,7 @@ where NonMutatingUseContext::Inspect | NonMutatingUseContext::Copy | NonMutatingUseContext::SharedBorrow - | NonMutatingUseContext::ShallowBorrow + | NonMutatingUseContext::FakeBorrow | NonMutatingUseContext::AddressOf | NonMutatingUseContext::PlaceMention | NonMutatingUseContext::Projection, diff --git a/creusot/src/backend.rs b/creusot/src/backend.rs index 0bf36c5dac..94c8783f5e 100644 --- a/creusot/src/backend.rs +++ b/creusot/src/backend.rs 
@@ -140,9 +140,8 @@ impl<'tcx> Why3Generator<'tcx> { self.finish(def_id); } } - ItemType::Ghost - | ItemType::Logic - | ItemType::Predicate + ItemType::Logic { .. } + | ItemType::Predicate { .. } | ItemType::Program | ItemType::Closure => { self.start(def_id); @@ -200,7 +199,7 @@ impl<'tcx> Why3Generator<'tcx> { } let translated = match util::item_type(self.tcx, def_id) { - ItemType::Ghost | ItemType::Logic | ItemType::Predicate => { + ItemType::Logic { .. } | ItemType::Predicate { .. } => { debug!("translating {:?} as logical", def_id); let (proof_modl, deps) = logic::translate_logic_or_predicate(self, def_id); self.dependencies.insert(def_id.into(), deps); @@ -259,9 +258,9 @@ impl<'tcx> Why3Generator<'tcx> { self.translate(adt_did); } - let (modl, deps) = ty_inv::build_inv_module(self, inv_kind); + let deps = ty_inv::build_inv_module(self, inv_kind); self.dependencies.insert(tid, deps); - self.functions.insert(tid, TranslatedItem::TyInv { modl }); + self.functions.insert(tid, TranslatedItem::TyInv {}); } // pub(crate) fn item(&self, def_id: DefId) -> Option<&TranslatedItem> { @@ -340,7 +339,7 @@ impl<'tcx> Why3Generator<'tcx> { fn is_logical(&self, item: DefId) -> bool { matches!( util::item_type(self.tcx, item), - ItemType::Logic | ItemType::Predicate | ItemType::Ghost + ItemType::Logic { .. } | ItemType::Predicate { .. } ) } @@ -383,7 +382,6 @@ impl<'tcx> Why3Generator<'tcx> { let filename = match self.opts.span_mode { SpanMode::Absolute => path.to_string_lossy().into_owned(), SpanMode::Relative => { - // Why3 treats the spans as relative to the session not the source file?? format!("{}", self.opts.relative_to_output(&path).to_string_lossy()) } _ => return None, @@ -415,7 +413,7 @@ pub(crate) fn closure_generic_decls( mut def_id: DefId, ) -> impl Iterator + '_ { loop { - if tcx.is_closure(def_id) { + if tcx.is_closure_or_coroutine(def_id) { def_id = tcx.parent(def_id); } else { break; 
diff --git a/creusot/src/backend/clone_map.rs b/creusot/src/backend/clone_map.rs index ebe25a097d..9720e26827 100644 --- a/creusot/src/backend/clone_map.rs +++ b/creusot/src/backend/clone_map.rs @@ -140,7 +140,7 @@ impl<'tcx> Namer<'tcx> for CloneMap<'tcx> { fn ty(&mut self, def_id: DefId, subst: GenericArgsRef<'tcx>) -> QName { let mut node = DepNode::new(self.tcx, (def_id, subst)); - if self.tcx.is_closure(def_id) { + if self.tcx.is_closure_or_coroutine(def_id) { node = DepNode::Type(Ty::new_closure(self.tcx, def_id, subst)); } @@ -221,7 +221,7 @@ impl<'tcx> Namer<'tcx> for CloneMap<'tcx> { } fn import_prelude_module(&mut self, module: PreludeModule) { - self.insert(DepNode::Buitlin(module)); + self.insert(DepNode::Builtin(module)); } fn with_vis(&mut self, vis: CloneLevel, f: F) -> A @@ -282,8 +282,10 @@ impl<'tcx> CloneNames<'tcx> { } fn insert(&mut self, key: DepNode<'tcx>) -> Kind { *self.names.entry(key).or_insert_with(|| { - if let DepNode::Type(ty) = key && !matches!(ty.kind(), TyKind::Alias(_, _)) { - let kind = if let Some((did, _)) = key.did() { + if let DepNode::Type(ty) = key + && !matches!(ty.kind(), TyKind::Alias(_, _)) + { + let kind = if let Some((did, _)) = key.did() { let name = Symbol::intern(&*module_name(self.tcx, did)); Kind::Named(name) } else { diff --git a/creusot/src/backend/clone_map/elaborator.rs b/creusot/src/backend/clone_map/elaborator.rs index a9dd1cc264..3cb767715d 100644 --- a/creusot/src/backend/clone_map/elaborator.rs +++ b/creusot/src/backend/clone_map/elaborator.rs @@ -24,7 +24,6 @@ use crate::{ }, ctx::*, translation::{ - fmir::LocalDecls, pearlite::{normalize, Term}, specification::PreContract, }, 
@@ -63,21 +62,21 @@ impl<'tcx> SymbolElaborator<'tcx> { let param_env = old_names.param_env(ctx); match item { - DepNode::Type(ty) => return self.elaborate_ty(ctx, names, ty), - DepNode::Buitlin(b) => { - return vec![Decl::UseDecl(Use { name: b.qname(), as_: None, export: false })] + DepNode::Type(ty) => self.elaborate_ty(ctx, names, ty), + DepNode::Builtin(b) => { + vec![Decl::UseDecl(Use { name: b.qname(), as_: None, export: false })] } DepNode::TyInv(ty, kind) => { let term = InvariantElaborator::new(param_env, true).elaborate_inv(ctx, ty, Some(kind)); let exp = lower_pure(ctx, names, &term); let axiom = Axiom { name: names.ty_inv(ty).name, rewrite: false, axiom: exp }; - return vec![Decl::Axiom(axiom)]; + vec![Decl::Axiom(axiom)] } DepNode::Item(_, _) | DepNode::Hacked(_, _, _) => { - return self.elaborate_item(ctx, names, param_env, level_of_item, item) + self.elaborate_item(ctx, names, param_env, level_of_item, item) } - }; + } } fn elaborate_ty>( @@ -184,7 +183,7 @@ impl<'tcx> SymbolElaborator<'tcx> { let span = ctx.def_span(def_id); let res = crate::constant::from_ty_const(&mut ctx.ctx, constant, param_env, span); - let res = res.to_why(ctx, names, &LocalDecls::new()); + let res = lower_pure(ctx, names, &res); vec![Decl::Let(LetDecl { kind: Some(LetKind::Constant), @@ -290,7 +289,7 @@ impl<'tcx> Namer<'tcx> for SymNamer<'tcx> { fn ty(&mut self, def_id: DefId, subst: GenericArgsRef<'tcx>) -> QName { let mut node = DepNode::new(self.tcx, (def_id, subst)); - if self.tcx.is_closure(def_id) { + if self.tcx.is_closure_or_coroutine(def_id) { node = DepNode::Type(Ty::new_closure(self.tcx, def_id, subst)); } diff --git a/creusot/src/backend/clone_map/expander.rs b/creusot/src/backend/clone_map/expander.rs index 587ac1cce8..db5c69289f 100644 --- a/creusot/src/backend/clone_map/expander.rs +++ b/creusot/src/backend/clone_map/expander.rs 
@@ -162,10 +162,11 @@ impl<'a, 'tcx> Expander<'a, 'tcx> { Some(self.resolve_dep(ctx, node)) } TyKind::Closure(_, _) => Some(DepNode::Type(t)), - TyKind::Ref(_, _, Mutability::Mut) => Some(DepNode::Buitlin(PreludeModule::Borrow)), - TyKind::Int(ity) => Some(DepNode::Buitlin(int_to_prelude(*ity))), - TyKind::Uint(uty) => Some(DepNode::Buitlin(uint_to_prelude(*uty))), - TyKind::Slice(_) => Some(DepNode::Buitlin(PreludeModule::Slice)), + TyKind::Ref(_, _, Mutability::Mut) => Some(DepNode::Builtin(PreludeModule::Borrow)), + TyKind::Int(ity) => Some(DepNode::Builtin(int_to_prelude(*ity))), + TyKind::Uint(uty) => Some(DepNode::Builtin(uint_to_prelude(*uty))), + TyKind::Slice(_) => Some(DepNode::Builtin(PreludeModule::Slice)), + TyKind::RawPtr(_) => Some(DepNode::Builtin(PreludeModule::Opaque)), TyKind::Adt(_, _) => Some(DepNode::Type(t)), _ => None, }; @@ -213,7 +214,9 @@ impl<'a, 'tcx> Expander<'a, 'tcx> { TyInvKind::from_ty(ctx.tcx, ty).unwrap_or(TyInvKind::Trivial) }; - if let TransId::TyInv(self_kind) = self.self_id && self_kind == inv_kind { + if let TransId::TyInv(self_kind) = self.self_id + && self_kind == inv_kind + { return; } @@ -237,7 +240,8 @@ impl<'a, 'tcx> Expander<'a, 'tcx> { // Dont clone laws into the trait / impl which defines them. if let Some(self_item) = ctx.tcx.opt_associated_item(self_did) - && self_item.container_id(ctx.tcx) == item.container_id(ctx.tcx) { + && self_item.container_id(ctx.tcx) == item.container_id(ctx.tcx) + { return; } diff --git a/creusot/src/backend/constant.rs b/creusot/src/backend/constant.rs index df9c0cb8e8..28e8cad3f1 100644 --- a/creusot/src/backend/constant.rs +++ b/creusot/src/backend/constant.rs 
@@ -1,14 +1,12 @@ use rustc_hir::def_id::DefId; use rustc_middle::ty::{self, Const, GenericArgs}; -use crate::{ - ctx::TranslatedItem, - translation::{constant::from_ty_const, fmir::LocalDecls}, -}; +use crate::{ctx::TranslatedItem, translation::constant::from_ty_const}; use super::{ clone_map::{CloneMap, CloneSummary}, signature::signature_of, + term::lower_pure, CloneDepth, Why3Generator, }; @@ -29,7 +27,7 @@ impl<'tcx> Why3Generator<'tcx> { let span = self.def_span(def_id); let res = from_ty_const(&mut self.ctx, constant, param_env, span); let mut names = CloneMap::new(self.tcx, def_id.into()); - let _ = res.to_why(self, &mut names, &LocalDecls::new()); + let _ = lower_pure(self, &mut names, &res); let _ = signature_of(self, &mut names, def_id); let (_, summary) = names.to_clones(self, CloneDepth::Shallow); diff --git a/creusot/src/backend/dependency.rs b/creusot/src/backend/dependency.rs index 7dba79f1d4..53197b1030 100644 --- a/creusot/src/backend/dependency.rs +++ b/creusot/src/backend/dependency.rs @@ -25,7 +25,7 @@ pub(crate) enum Dependency<'tcx> { Item(DefId, GenericArgsRef<'tcx>), TyInv(Ty<'tcx>, TyInvKind), Hacked(HackedId, DefId, GenericArgsRef<'tcx>), - Buitlin(PreludeModule), + Builtin(PreludeModule), } #[derive(Copy, Clone, PartialEq, Eq, Debug, Hash, PartialOrd, Ord)] @@ -99,7 +99,7 @@ impl<'tcx> Dependency<'tcx> { Dependency::Item(id, _) => Some(TransId::Item(id)), Dependency::TyInv(_, k) => Some(TransId::TyInv(k)), Dependency::Hacked(h, id, _) => Some(TransId::Hacked(h, id)), - Dependency::Buitlin(_) => None, + Dependency::Builtin(_) => None, } } @@ -125,7 +125,7 @@ impl<'tcx> Dependency<'tcx> { _ => None, }, Dependency::Hacked(_, id, substs) => Some((id, substs)), - Dependency::Buitlin(_) => None, + Dependency::Builtin(_) => None, } } 
@@ -200,7 +200,7 @@ impl<'tcx> Dependency<'tcx> { HackedId::Resolve => Symbol::intern("resolve"), HackedId::Accessor(ix) => Symbol::intern(&format!("field_{ix}")), }, - Dependency::Buitlin(_) => Symbol::intern("builtin_should_not_appear"), + Dependency::Builtin(_) => Symbol::intern("builtin_should_not_appear"), } } } @@ -212,8 +212,9 @@ fn resolve_item<'tcx>( param_env: ParamEnv<'tcx>, ) -> Dependency<'tcx> { let resolved = if tcx.trait_of_item(item).is_some() - && let Some(resolved) = traits::resolve_opt(tcx, param_env, item, substs) { - resolved + && let Some(resolved) = traits::resolve_opt(tcx, param_env, item, substs) + { + resolved } else { (item, substs) }; diff --git a/creusot/src/backend/logic.rs b/creusot/src/backend/logic.rs index 54149df259..6a149bf2cb 100644 --- a/creusot/src/backend/logic.rs +++ b/creusot/src/backend/logic.rs @@ -1,7 +1,10 @@ use std::borrow::Cow; use crate::{ - backend::all_generic_decls_for, ctx::*, translation::pearlite::Term, util, util::get_builtin, + backend::all_generic_decls_for, + ctx::*, + translation::pearlite::Term, + util::{self, get_builtin}, }; use rustc_hir::def_id::DefId; use why3::{ 
@@ -10,29 +13,29 @@ use why3::{ Ident, QName, }; -use super::{ - signature::signature_of, - term::{lower_impure, lower_pure}, - CloneSummary, Why3Generator, -}; +mod vcgen; + +use self::vcgen::vc; + +use super::{signature::signature_of, term::lower_pure, CloneSummary, Why3Generator}; pub(crate) fn binders_to_args( ctx: &mut Why3Generator, binders: Vec, -) -> (Vec, Vec) { +) -> (Vec, Vec) { let mut args = Vec::new(); let mut out_binders = Vec::new(); let mut fresh = 0; for b in binders { match b { Binder::Wild => { - args.push(Exp::pure_var(format!("_wild{fresh}").into())); + args.push(format!("_wild{fresh}").into()); out_binders.push(Binder::Named(format!("_wild{fresh}").into())); fresh += 1; } Binder::UnNamed(_) => unreachable!("unnamed parameter in logical function signature"), Binder::Named(ref nm) => { - args.push(Exp::pure_var(nm.clone())); + args.push(nm.clone().into()); out_binders.push(b); } Binder::Typed(ghost, binders, ty) => { @@ -78,8 +81,10 @@ fn builtin_body<'tcx>( // Program symbol (for proofs) let mut val_sig = sig.clone(); - val_sig.contract.ensures = vec![Exp::pure_var("result".into()) - .eq(Exp::pure_var(val_sig.name.clone()).app(val_args.clone()))]; + + let val_args: Vec<_> = val_args.into_iter().map(|id| Exp::var(id)).collect(); + val_sig.contract.ensures = + vec![Exp::var("result").eq(Exp::var(val_sig.name.clone()).app(val_args.clone()))]; if util::is_predicate(ctx.tcx, def_id) { sig.retty = None; @@ -96,7 +101,7 @@ fn builtin_body<'tcx>( decls.extend(clones); if !builtin.module.is_empty() { - let body = Exp::pure_qvar(builtin.without_search_path()).app(val_args); + let body = Exp::qvar(builtin.without_search_path()).app(val_args); if util::is_predicate(ctx.tcx, def_id) { decls.push(Decl::PredDecl(Predicate { sig, body })); 
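Review bot: In `builtin_body`, the conversion `let val_args: Vec<_> = val_args.into_iter().map(|id| Exp::var(id)).collect();` is copied verbatim into `val_decl` (@@ -122) and `sigs` (@@ -248) as well, now that `binders_to_args` hands back identifiers instead of expressions. A small helper next to `binders_to_args`, e.g. `fn args_to_exps(args: Vec<Ident>) -> Vec<Exp> { args.into_iter().map(Exp::var).collect() }`, keeps the three call sites in step when the argument encoding changes again. If `Exp::var` takes a plain `Ident` (it is presumably generic over `Into<Ident>`, given `Exp::var("result")`), the closure is also redundant and clippy will flag it.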
@@ -122,10 +127,12 @@ pub(crate) fn val_decl<'tcx, N: Namer<'tcx>>( sig.contract.variant = Vec::new(); let (val_args, val_binders) = binders_to_args(ctx, sig.args); + let val_args: Vec<_> = val_args.into_iter().map(|id| Exp::var(id)).collect(); + sig.contract .ensures // = vec!(Exp::pure_var("result".into()).eq(Exp::pure_var(sig.name.clone()).app(val_args))); - .push(Exp::pure_var("result".into()).eq(Exp::pure_var(sig.name.clone()).app(val_args))); + .push(Exp::var("result").eq(Exp::var(sig.name.clone()).app(val_args))); sig.args = val_binders; Decl::ValDecl(ValDecl { sig, ghost: false, val: true, kind: None }) } @@ -248,10 +255,12 @@ pub fn sigs<'tcx>(ctx: &mut Why3Generator<'tcx>, mut sig: Signature) -> (Signatu contract.variant = Vec::new(); prog_sig.contract = contract; let (val_args, val_binders) = binders_to_args(ctx, prog_sig.args); + let val_args: Vec<_> = val_args.into_iter().map(|id| Exp::var(id)).collect(); + prog_sig.args = val_binders; prog_sig.contract.ensures = - vec![Exp::pure_var("result".into()).eq(Exp::pure_var(sig.name.clone()).app(val_args))]; + vec![Exp::var("result").eq(Exp::var(sig.name.clone()).app(val_args))]; (sig, prog_sig) } @@ -272,8 +281,8 @@ fn subst_qname(body: &mut Exp, name: &Ident, lim_name: &Ident) { impl<'a> ExpMutVisitor for QNameSubst<'a> { fn visit_mut(&mut self, exp: &mut Exp) { match exp { - Exp::QVar(qname, _) if qname.module.is_empty() && &qname.name == self.0 => { - *exp = Exp::pure_var(self.1.clone()) + Exp::QVar(qname) if qname.module.is_empty() && &qname.name == self.0 => { + *exp = Exp::var(self.1.clone()) } _ => super_visit_mut(self, exp), } 
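Review bot: In `val_decl`, the commented-out line `// = vec!(Exp::pure_var("result".into()).eq(Exp::pure_var(sig.name.clone()).app(val_args)));` survives this hunk unchanged and now names a constructor the commit removes everywhere else, so it is a stale copy of the live `.push(Exp::var("result")…)` line directly below it. It should be deleted rather than updated; if the alternative (replacing the `ensures` list instead of pushing onto it) is still under consideration, a one-line `// TODO:` stating that is clearer than dead code.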
@@ -326,23 +335,52 @@ fn proof_module(ctx: &mut Why3Generator, def_id: DefId) -> Option { return None; } let term = ctx.term(def_id).unwrap().clone(); - let body = lower_impure(ctx, &mut names, &term); + + let mut body_decls = Vec::new(); + + let (arg_names, new_binders) = binders_to_args(ctx, sig.args); + + let param_decls = arg_names.iter().zip(new_binders.iter()).map(|(nm, binder)| { + Decl::ValDecl(ValDecl { + ghost: false, + val: false, + kind: Some(LetKind::Constant), + sig: Signature { + name: nm.clone(), + trigger: None, + attrs: Vec::new(), + retty: binder.type_of().cloned(), + args: Vec::new(), + contract: Default::default(), + }, + }) + }); + body_decls.extend(param_decls); + sig.args = new_binders; + + let mut val_sig = sig.clone(); + val_sig.contract = Default::default(); + body_decls.push(Decl::ValDecl(util::item_type(ctx.tcx, def_id).val(val_sig))); + + let postcondition = sig.contract.ensures_conj(); + let body = vc(ctx, &mut names, def_id, term, "result".into(), postcondition.clone()); + + let body = match body { + Ok(body) => body, + Err(e) => ctx.fatal_error(e.span(), &format!("{e:?}")).emit(), + }; + + let body = sig.contract.requires.into_iter().fold(body, |acc, pre| pre.implies(acc)); + + body_decls + .extend([Decl::Goal(Goal { name: format!("vc_{}", (&*sig.name)).into(), goal: body })]); let mut decls: Vec<_> = Vec::new(); decls.extend(all_generic_decls_for(ctx.tcx, def_id)); + let (clones, _) = names.to_clones(ctx, CloneDepth::Deep); decls.extend(clones); - - let kind = match util::item_type(ctx.tcx, def_id) { - ItemType::Predicate => { - sig.retty = None; - Some(LetKind::Predicate) - } - ItemType::Ghost | ItemType::Logic => Some(LetKind::Function), - _ => unreachable!(), - }; - - decls.push(Decl::Let(LetDecl { sig, rec: true, ghost: true, body, kind })); + decls.extend(body_decls); let name = impl_name(ctx, def_id); Some(Module { name, decls }) 
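Review bot: In `proof_module`, the new error path `Err(e) => ctx.fatal_error(e.span(), &format!("{e:?}")).emit()` puts the `Debug` rendering of `VCError` — the variant name plus a `Span` debug dump — into a user-facing diagnostic. A `match` over the variants with one sentence each, e.g. `VCError::Old(_) => "`old` is not supported in lemma functions"`, or a `Display` impl on `VCError` used here instead of `{e:?}`, would tell the user which construct is unsupported and why; the doc comments already on the enum variants are a good starting point. `proof_module` starts before the hunk, so `sig` and `names` are assumed to be the function's signature and its clone map.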
@@ -382,13 +420,13 @@ fn function_call(sig: &Signature) -> Exp { .cloned() .flat_map(|b| b.var_type_pairs()) .filter(|arg| &*arg.0 != "_") - .map(|arg| Exp::pure_var(arg.0)) + .map(|arg| Exp::var(arg.0)) .collect(); if args.is_empty() { args = vec![Exp::Tuple(vec![])]; } - Exp::pure_var(sig.name.clone()).app(args) + Exp::var(sig.name.clone()).app(args) } fn definition_axiom(sig: &Signature, body: Exp, suffix: &str) -> Axiom { diff --git a/creusot/src/backend/logic/vcgen.rs b/creusot/src/backend/logic/vcgen.rs new file mode 100644 index 0000000000..6fc3b55a94 --- /dev/null +++ b/creusot/src/backend/logic/vcgen.rs 
@@ -0,0 +1,504 @@ +use std::{ + cell::RefCell, + collections::{HashMap, HashSet}, +}; + +use rustc_hir::def_id::DefId; +use rustc_middle::ty::{EarlyBinder, GenericArgsRef, ParamEnv, Ty, TyKind}; +use rustc_span::{Span, Symbol}; +use why3::{declaration::Signature, ty::Type, Exp, Ident, QName}; + +use crate::{ + backend::{ + signature::{sig_to_why3, signature_of}, + term::{binop_to_binop, lower_literal, lower_pure}, + ty::{is_int, translate_ty}, + Namer as _, Why3Generator, + }, + pearlite::{super_visit_term, Literal, Pattern, Term, TermVisitor}, + util::{self, get_builtin}, +}; + +use super::{binders_to_args, CloneMap}; + +/// Verification conditions for lemma functions. +/// +/// As the `let functions` of Why3 leave a lot to be desired and generally cause an impedence +/// mismatch with the rest of Creusot, we have instead implemented a custom VCGen for logic +/// functions. +/// +/// This VCGen is a sort of cross between WP and an evaluator, we impose a certain 'evaluation +/// order' on the logical formula so that we can validate the preconditions of function calls and +/// leverage the structure of the lemma function as the proof skeleton. +/// +/// There are several intersting / atypical rules here: +/// +/// 1. Conjunction: 2. Exists & Forall: 3. 
Function calls: + +struct VCGen<'a, 'tcx> { + ctx: RefCell<&'a mut Why3Generator<'tcx>>, + names: RefCell<&'a mut CloneMap<'tcx>>, + self_id: DefId, + structurally_recursive: bool, + param_env: ParamEnv<'tcx>, +} + +pub(super) fn vc<'tcx>( + ctx: &mut Why3Generator<'tcx>, + names: &mut CloneMap<'tcx>, + self_id: DefId, + t: Term<'tcx>, + dest: Ident, + post: Exp, +) -> Result> { + let structurally_recursive = is_structurally_recursive(ctx, self_id, &t); + VCGen { + param_env: ctx.param_env(self_id), + ctx: RefCell::new(ctx), + names: RefCell::new(names), + self_id, + structurally_recursive, + } + .build_vc(&t, &|exp| Ok(Exp::let_(dest.clone(), exp, post.clone()))) +} + +/// Verifies whether a given term is structurally recursive: that is, each recursive call is made to +/// a component of an argument to the prior call. +/// +/// The check must also ensure that we are always recursing on the *same* argument since otherwise +/// we could 'ping pong' infinitely. +/// +/// Currently, the check is *very* naive: we only consider variables and only check `match`. This +/// means that something like the following would fail: +/// +/// ``` match x { Cons(_, tl) => recursive((tl, 0).0) } ``` +/// +/// This check can be extended in the future +fn is_structurally_recursive(ctx: &mut Why3Generator<'_>, self_id: DefId, t: &Term<'_>) -> bool { + struct StructuralRecursion { + smaller_than: HashMap, + self_id: DefId, + /// Index of the decreasing argument + decreasing_args: HashSet, + + orig_args: Vec, + } + use crate::pearlite::TermKind; + + impl StructuralRecursion { + fn valid(&self) -> bool { + self.decreasing_args.len() == 1 + } + + /// Is `t` smaller than the argument `nm`? + fn is_smaller_than(&self, t: &Term, nm: Symbol) -> bool { + match &t.kind { + TermKind::Var(s) => self.smaller_than.get(s) == Some(&nm), + _ => false, + } + } + + // TODO: could make this a `pattern` to term comparison to make it more powerful + /// Mark `sym` as smaller than `term`. 
Currently, this only updates the relation if `term` is a variable. + fn smaller_than(&mut self, sym: Symbol, term: &Term<'_>) { + let var = match &term.kind { + TermKind::Var(s) => s, + _ => return, + }; + + let parent = self.smaller_than.get(var).unwrap_or(var); + + self.smaller_than.insert(sym, *parent); + } + } + + impl TermVisitor<'_> for StructuralRecursion { + fn visit_term(&mut self, term: &Term<'_>) { + match &term.kind { + TermKind::Call { id, args, .. } if *id == self.self_id => { + for (arg, nm) in args.iter().zip(self.orig_args.iter()) { + if self.is_smaller_than(arg, *nm) { + self.decreasing_args.insert(*nm); + } + } + } + TermKind::Exists { binder, body } => { + let old_smaller = self.smaller_than.clone(); + self.smaller_than.remove(&binder.0); + self.visit_term(body); + self.smaller_than = old_smaller; + } + + TermKind::Forall { binder, body } => { + let old_smaller = self.smaller_than.clone(); + self.smaller_than.remove(&binder.0); + self.visit_term(body); + self.smaller_than = old_smaller; + } + + TermKind::Let { pattern, arg, body } => { + self.visit_term(arg); + let mut binds = Default::default(); + pattern.binds(&mut binds); + let old_smaller = self.smaller_than.clone(); + self.smaller_than.retain(|nm, _| !binds.contains(&nm)); + binds.into_iter().for_each(|b| self.smaller_than(b, arg)); + self.visit_term(body); + self.smaller_than = old_smaller; + } + + TermKind::Match { arms, scrutinee } => { + self.visit_term(&scrutinee); + + for (pat, exp) in arms { + let mut binds = Default::default(); + pat.binds(&mut binds); + let old_smaller = self.smaller_than.clone(); + self.smaller_than.retain(|nm, _| !binds.contains(&nm)); + binds.into_iter().for_each(|b| self.smaller_than(b, scrutinee)); + self.visit_term(exp); + self.smaller_than = old_smaller; + } + } + _ => super_visit_term(term, self), + } + } + } + + let orig_args = ctx.sig(self_id).inputs.iter().map(|a| a.0).collect(); + let mut s = StructuralRecursion { + self_id, + smaller_than: 
Default::default(), + decreasing_args: Default::default(), + orig_args, + }; + + s.visit_term(&t); + + s.valid() +} + +#[derive(Debug)] +pub enum VCError<'tcx> { + /// `old` doesn't currently make sense inside of a lemma function + Old(Span), + /// Too lazy to implement this atm. + Reborrow(Span), + /// Same here... + Closure(Span), + /// Variants are currently restricted to `Int` + UnsupportedVariant(Ty<'tcx>, Span), +} + +impl<'tcx> VCError<'tcx> { + pub fn span(&self) -> Span { + match self { + VCError::Old(s) => *s, + VCError::Reborrow(s) => *s, + VCError::Closure(s) => *s, + VCError::UnsupportedVariant(_, s) => *s, + } + } +} + +type PostCont<'a, 'tcx, A> = &'a dyn Fn(A) -> Result>; + +impl<'a, 'tcx> VCGen<'a, 'tcx> { + fn lower_literal(&self, lit: &Literal<'tcx>) -> Exp { + lower_literal(*self.ctx.borrow_mut(), *self.names.borrow_mut(), lit) + } + + fn lower_pure(&self, lit: &Term<'tcx>) -> Exp { + lower_pure(*self.ctx.borrow_mut(), *self.names.borrow_mut(), lit) + } + + fn build_vc(&self, t: &Term<'tcx>, k: PostCont<'_, 'tcx, Exp>) -> Result> { + use crate::pearlite::*; + match &t.kind { + // VC(v, Q) = Q(v) + TermKind::Var(v) => k(Exp::var(util::ident_of(*v))), + // VC(l, Q) = Q(l) + TermKind::Lit(l) => k(self.lower_literal(l)), + // Items are just global names so + // VC(i, Q) = Q(i) + TermKind::Item(id, sub) => { + let item_name = + get_func_name(*self.ctx.borrow_mut(), *self.names.borrow_mut(), *id, sub); + + if get_builtin(self.ctx.borrow().tcx, *id).is_some() { + // Builtins can leverage Why3 polymorphism and sometimes can cause typeck errors in why3 due to ambiguous type variables so lets fix the type now. + k(Exp::qvar(item_name).ascribe(self.ty(t.ty))) + } else { + k(Exp::qvar(item_name)) + } + } + // VC(assert { C }, Q) => VC(C, |c| c && Q(())) + TermKind::Assert { cond } => { + self.build_vc(cond, &|exp| Ok(exp.lazy_and(k(Exp::Tuple(Vec::new()))?))) + } + // VC(f As, Q) = VC(A0, |a0| ... 
VC(An, |an| + // pre(f)(a0..an) /\ variant(f)(a0..an) /\ (post(f)(a0..an, F(a0..an)) -> Q(F a0..an)) + // )) + TermKind::Call { id, subst, args } => self.build_vc_slice(args, &|args| { + let tcx = self.ctx.borrow().tcx; + let pre_sig = EarlyBinder::bind(self.ctx.borrow_mut().sig(*id).clone()) + .instantiate(tcx, subst); + + let pre_sig = pre_sig.normalize(tcx, self.param_env); + let arg_subst = pre_sig + .inputs + .iter() + .zip(args.clone()) + .map(|(nm, res)| (util::ident_of(nm.0), res)) + .collect(); + let fname = + get_func_name(*self.ctx.borrow_mut(), *self.names.borrow_mut(), *id, subst); + let mut sig = + sig_to_why3(*self.ctx.borrow_mut(), *self.names.borrow_mut(), &pre_sig, *id); + sig.contract.subst(&arg_subst); + let variant = + if *id == self.self_id { self.build_variant(&args)? } else { Exp::mk_true() }; + + let call = Exp::qvar(fname).app(args); + sig.contract.subst(&[("result".into(), call.clone())].into_iter().collect()); + + let inner = k(call)?; + + let post = sig + .contract + .requires_conj() + .log_and(variant) + .log_and(sig.contract.ensures_conj().implies(inner)); + + Ok(post) + }), + + // VC(A && B, Q) = VC(A, |a| if a then VC(B, Q) else Q(false)) + // VC(A OP B, Q) = VC(A, |a| VC(B, |b| Q(a OP B))) + TermKind::Binary { op, lhs, rhs } => match op { + BinOp::And => self.build_vc(lhs, &|lhs| { + Ok(Exp::if_(lhs, self.build_vc(rhs, k)?, k(Exp::mk_false())?)) + }), + // BinOp::Or => self.build_vc(lhs, &|lhs| { + // Ok(Exp::if_(lhs, k(Exp::mk_true())?, self.build_vc(rhs, k)?,)) + // }), + BinOp::Div => self.build_vc(&lhs, &|lhs| { + self.build_vc(rhs, &|rhs| k(Exp::var("div").app(vec![lhs.clone(), rhs]))) + }), + _ => self.build_vc(&lhs, &|lhs| { + self.build_vc(rhs, &|rhs| { + k(Exp::BinaryOp(binop_to_binop(*op), Box::new(lhs.clone()), Box::new(rhs))) + }) + }), + }, + // VC(OP A, Q) = VC(A |a| Q(OP a)) + TermKind::Unary { op, arg } => self.build_vc(arg, &|arg| { + let op = match op { + UnOp::Not => why3::exp::UnOp::Not, + UnOp::Neg => 
why3::exp::UnOp::Neg, + }; + + k(Exp::UnaryOp(op, Box::new(arg))) + }), + // // the dual rule should be the one below but that seems weird... + // // VC(forall P(x), Q) => (exists VC(P, false)) \/ Q(forallP(x)) + // // Instead, I think the rule should just be the same as for the existential quantifiers? + TermKind::Forall { binder, body } => { + let forall_pre = self.build_vc(body, &|_| Ok(Exp::mk_true()))?; + let ty = self.ty(binder.1); + + let forall_pre = Exp::forall(vec![(binder.0.to_string().into(), ty)], forall_pre); + let forall_pure = self.lower_pure(t); + Ok(forall_pre.log_and(k(forall_pure)?)) + } + // // VC(exists P(x), Q) => (forall VC(P, true)) /\ Q(existsP(x)) + TermKind::Exists { binder, body } => { + let exists_pre = self.build_vc(body, &|_| Ok(Exp::mk_true()))?; + let ty = self.ty(binder.1); + + let exists_pre = Exp::forall(vec![(binder.0.to_string().into(), ty)], exists_pre); + let exists_pure = self.lower_pure(t); + Ok(exists_pre.log_and(k(exists_pure)?)) + } + // VC((T...), Q) = VC(T[0], |t0| ... 
VC(T[N], |tn| Q(t0..tn)))) + TermKind::Tuple { fields } => self.build_vc_slice(fields, &|flds| k(Exp::Tuple(flds))), + // Same as for tuples + TermKind::Constructor { typ, variant, fields } => { + self.build_vc_slice(fields, &|args| { + let TyKind::Adt(_, subst) = t.ty.kind() else { unreachable!() }; + + let ctor = self.names.borrow_mut().constructor( + self.ctx.borrow().adt_def(typ).variants()[*variant].def_id, + subst, + ); + + k(Exp::Constructor { ctor, args }) + }) + } + // VC( * T, Q) = VC(T, |t| Q(*t)) + TermKind::Cur { term } => self.build_vc(&term, &|term| k(Exp::Current(Box::new(term)))), + // VC( ^ T, Q) = VC(T, |t| Q(^t)) + TermKind::Fin { term } => self.build_vc(&term, &|term| k(Exp::Final(Box::new(term)))), + // VC(A -> B, Q) = VC(A, VC(B, Q(A -> B))) + TermKind::Impl { lhs, rhs } => self.build_vc(lhs, &|lhs| { + Ok(Exp::if_(lhs, self.build_vc(rhs, k)?, k(Exp::mk_true())?)) + }), + // VC(match A {P -> E}, Q) = VC(A, |a| match a {P -> VC(E, Q)}) + TermKind::Match { scrutinee, arms } => self.build_vc(scrutinee, &|scrut| { + let arms: Vec<_> = arms + .iter() + .map(&|arm: &(Pattern<'tcx>, Term<'tcx>)| { + Ok((self.build_pattern(&arm.0), self.build_vc(&arm.1, k)?)) + }) + .collect::>()?; + + Ok(Exp::Match(Box::new(scrut), arms)) + }), + // VC(let P = A in B, Q) = VC(A, |a| let P = a in VC(B, Q)) + TermKind::Let { pattern, arg, body } => self.build_vc(arg, &|arg| { + let body = self.build_vc(body, k)?; + + Ok(Exp::Let { + pattern: self.build_pattern(pattern), + arg: Box::new(arg), + body: Box::new(body), + }) + }), + // VC(A.f, Q) = VC(A, |a| Q(a.f)) + TermKind::Projection { lhs, name } => { + let accessor = match lhs.ty.kind() { + TyKind::Closure(did, substs) => { + self.names.borrow_mut().accessor(*did, substs, 0, *name) + } + TyKind::Adt(def, substs) => { + self.ctx + .borrow_mut() + .translate_accessor(def.variants()[0u32.into()].fields[*name].did); + self.names.borrow_mut().accessor(def.did(), substs, 0, *name) + } + k => unreachable!("Projection from 
{k:?}"), + }; + + self.build_vc(lhs, &|lhs| k(Exp::qvar(accessor.clone()).app(vec![lhs]))) + } + // TODO: lol + TermKind::Absurd => todo!("absrd"), + + TermKind::Old { .. } => Err(VCError::Old(t.span)), + TermKind::Closure { .. } => Err(VCError::Closure(t.span)), + TermKind::Reborrow { .. } => Err(VCError::Reborrow(t.span)), + } + } + + fn build_pattern(&self, pat: &Pattern<'tcx>) -> why3::exp::Pattern { + use why3::exp::Pattern as Pat; + match pat { + Pattern::Constructor { adt, variant: _, fields, substs } => { + let fields = fields.into_iter().map(|pat| self.build_pattern(pat)).collect(); + Pat::ConsP(self.names.borrow_mut().constructor(*adt, substs), fields) + } + Pattern::Wildcard => Pat::Wildcard, + Pattern::Binder(name) => Pat::VarP(name.to_string().into()), + Pattern::Boolean(b) => { + if *b { + Pat::mk_true() + } else { + Pat::mk_false() + } + } + Pattern::Tuple(pats) => { + Pat::TupleP(pats.into_iter().map(|pat| self.build_pattern(pat)).collect()) + } + } + } + + fn build_vc_slice( + &self, + t: &[Term<'tcx>], + k: PostCont<'_, 'tcx, Vec>, + ) -> Result> { + self.build_vc_slice_inner(t, &|mut args| { + args.reverse(); + k(args) + }) + } + + fn build_vc_slice_inner( + &self, + t: &[Term<'tcx>], + k: PostCont<'_, 'tcx, Vec>, + ) -> Result> { + if t.is_empty() { + k(Vec::new()) + } else { + self.build_vc(&t[0], &|v| { + self.build_vc_slice_inner(&t[1..], &|mut vs| { + vs.push(v.clone()); + k(vs) + }) + }) + } + } + + fn ty(&self, ty: Ty<'tcx>) -> Type { + translate_ty(*self.ctx.borrow_mut(), *self.names.borrow_mut(), rustc_span::DUMMY_SP, ty) + } + + // Generates the expression to test the validity of the variant for a recursive call. + // Currently restricted to `Int` until we sort out `WellFounded` (soon?) 
+ // + // If V is the variant expression at entry and V' is the variant expression of the recursive call it generates + // 0 <= V && V' < V + // Weirdly (to me Xavier) this doesn't check `0 <= V'` but this is actually the same behavior as Why3 + fn build_variant(&self, call_args: &[Exp]) -> Result> { + if self.structurally_recursive { + return Ok(Exp::mk_true()); + } + let variant = self.ctx.borrow_mut().sig(self.self_id).contract.variant.clone(); + let Some(variant) = variant else { return Ok(Exp::mk_false()) }; + + let top_level_args = self.top_level_args(); + + let subst: HashMap<_, _> = + top_level_args.into_iter().zip(call_args.into_iter().cloned()).collect(); + let orig_variant = self.self_sig().contract.variant.remove(0); + let mut rec_var_exp = orig_variant.clone(); + rec_var_exp.subst(&subst); + if is_int(self.ctx.borrow().tcx, variant.ty) { + Ok(Exp::int(0).leq(orig_variant.clone()).log_and(rec_var_exp.lt(orig_variant))) + } else { + Err(VCError::UnsupportedVariant(variant.ty, variant.span)) + } + } + + fn self_sig(&self) -> Signature { + signature_of(*self.ctx.borrow_mut(), *self.names.borrow_mut(), self.self_id) + } + + /// Produces the top-level call expression for the function being verified + fn top_level_args(&self) -> Vec { + let sig = self.self_sig(); + let (arg_names, _) = binders_to_args(*self.ctx.borrow_mut(), sig.args); + arg_names + } +} + +// Push into `CloneMap::value`? +pub(crate) fn get_func_name<'tcx>( + ctx: &Why3Generator<'tcx>, + names: &mut CloneMap<'tcx>, + id: DefId, + subst: GenericArgsRef<'tcx>, +) -> QName { + let builtin_attr = get_builtin(ctx.tcx, id); + + builtin_attr + .and_then(|a| { + // Add dependency + names.value(id, subst); + + QName::from_string(&a.as_str()) + }) + .map(QName::without_search_path) + .unwrap_or_else(|| names.value(id, subst)) +} diff --git a/creusot/src/backend/optimization.rs b/creusot/src/backend/optimization.rs index cabc00804e..551b1b77c3 100644 --- a/creusot/src/backend/optimization.rs 
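Review bot: In `is_structurally_recursive`, `valid()` only checks `decreasing_args.len() == 1`, and a recursive call in which no argument is smaller contributes nothing to the set, so a body with one call on `tl` and a second call passing `x` unchanged still counts as structurally recursive, after which `build_variant` returns `Exp::mk_true()` for every call and the termination check is skipped. Tracking per call whether some argument was found smaller — e.g. a `bool` field set to `false` whenever a `TermKind::Call` to `self_id` inserts nothing — and folding it into `valid()` closes that gap; as far as I can read, calls whose decreasing argument is an expression rather than a bare variable fall into the same bucket, which the doc comment already notes as a limitation. Separately, `TermKind::Absurd => todo!("absrd")` in `build_vc` is a panic reachable from ordinary input (any lemma body using `absurd`); returning a new `VCError` variant with the term's span would keep it on the same error path as `Old`/`Closure`/`Reborrow`, and the message is misspelt.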
+++ b/creusot/src/backend/optimization.rs @@ -45,6 +45,8 @@ pub(crate) struct Usage { temp_var: bool, // Is this local used in a place where we need a `Term`? used_in_pure_ctx: bool, + // Is this local being used in a move chain as in: _x = _y + is_move_chain: bool, } pub(crate) fn gather_usage(b: &Body) -> HashMap { @@ -68,7 +70,7 @@ impl<'a, 'tcx> LocalUsage<'a, 'tcx> { fn visit_terminator(&mut self, t: &Terminator<'tcx>) { match t { - Terminator::Switch(e, _) => self.visit_expr(e), + Terminator::Switch(e, _) => self.visit_operand(e), Terminator::Return => { self.read(Symbol::intern("_0"), true); self.read(Symbol::intern("_0"), true); @@ -81,6 +83,9 @@ impl<'a, 'tcx> LocalUsage<'a, 'tcx> { match b { Statement::Assignment(p, r, _) => { self.write_place(p); + if let RValue::Operand(_) = r { + self.move_chain(p.local); + } self.visit_rvalue(r) } Statement::Resolve(_, _, p) => { 
@@ -94,42 +99,51 @@ impl<'a, 'tcx> LocalUsage<'a, 'tcx> { } Statement::AssumeBorrowInv(p) => self.read_place(p), Statement::AssertTyInv(p) => self.read_place(p), + Statement::Call(dest, _, _, args, _) => { + self.write_place(dest); + args.iter().for_each(|a| self.visit_operand(a)); + } } } fn visit_rvalue(&mut self, r: &RValue<'tcx>) { match r { RValue::Ghost(t) => self.visit_term(t), - RValue::FinalBorrow(p, _) | RValue::Borrow(p) => { + RValue::Borrow(_, p) => { self.read_place(p); self.read_place(p) } - RValue::Expr(e) => self.visit_expr(e), + RValue::Operand(op) => match op { + Operand::Move(p) | Operand::Copy(p) => { + self.read_place(p); + // self.move_chain(p.local); + } + Operand::Constant(t) => self.visit_term(t), + }, + RValue::BinOp(_, l, r) => { + self.visit_operand(l); + self.visit_operand(r) + } + RValue::UnaryOp(_, e) => self.visit_operand(e), + RValue::Constructor(_, _, es) => es.iter().for_each(|e| self.visit_operand(e)), + RValue::Cast(e, _, _) => self.visit_operand(e), + RValue::Tuple(es) => es.iter().for_each(|e| self.visit_operand(e)), + RValue::Len(e) => self.visit_operand(e), + RValue::Array(es) => es.iter().for_each(|e| self.visit_operand(e)), + RValue::Repeat(l, r) => { + self.visit_operand(l); + self.visit_operand(r) + } } } // fn visit_term(&mut self, t: &Term<'tcx>) {} - fn visit_expr(&mut self, e: &Expr<'tcx>) { - match &e.kind { - ExprKind::Move(p) => self.read_place(p), - ExprKind::Copy(p) => self.read_place(p), - ExprKind::BinOp(_, l, r) => { - self.visit_expr(l); - self.visit_expr(r) - } - ExprKind::UnaryOp(_, e) => self.visit_expr(e), - ExprKind::Constructor(_, _, es) => es.iter().for_each(|e| self.visit_expr(e)), - ExprKind::Call(_, _, es) => es.iter().for_each(|e| self.visit_expr(e)), - ExprKind::Constant(t) => self.visit_term(t), - ExprKind::Cast(e, _, _) => self.visit_expr(e), - ExprKind::Tuple(es) => es.iter().for_each(|e| self.visit_expr(e)), - ExprKind::Len(e) => self.visit_expr(e), - ExprKind::Array(es) => 
es.iter().for_each(|e| self.visit_expr(e)), - ExprKind::Repeat(l, r) => { - self.visit_expr(l); - self.visit_expr(r) - } + fn visit_operand(&mut self, op: &Operand<'tcx>) { + match op { + Operand::Move(p) => self.read_place(p), + Operand::Copy(p) => self.read_place(p), + Operand::Constant(t) => self.visit_term(t), } } @@ -149,6 +163,12 @@ impl<'a, 'tcx> LocalUsage<'a, 'tcx> { }) } + fn move_chain(&mut self, local: Symbol) { + if let Some(usage) = self.get(local) { + usage.is_move_chain = true; + } + } + fn read(&mut self, local: Symbol, whole: bool) { if let Some(usage) = self.get(local) { usage.read.inc(if whole { Whole::Whole } else { Whole::Part }) @@ -193,8 +213,9 @@ impl<'a, 'tcx> TermVisitor<'tcx> for LocalUsage<'a, 'tcx> { } struct SimplePropagator<'tcx> { + /// Tracks how many reads and writes each variable has usage: HashMap, - prop: HashMap>, + prop: HashMap>, dead: HashSet, } @@ -218,13 +239,16 @@ impl<'tcx> SimplePropagator<'tcx> { for mut s in std::mem::take(&mut b.stmts) { self.visit_statement(&mut s); match s { - Statement::Assignment(l, RValue::Expr(r), _) + Statement::Assignment(l, RValue::Operand(op), _) // we do not propagate calls to avoid moving them after the resolve of their arguments - if self.should_propagate(l.local) && !self.usage[&l.local].used_in_pure_ctx && !r.is_call() => { - self.prop.insert(l.local, r); + if self.should_propagate(l.local) && !self.usage[&l.local].used_in_pure_ctx => { + self.prop.insert(l.local, op); self.dead.insert(l.local); } - Statement::Assignment(ref l, RValue::Expr(ref r), _) if self.should_erase(l.local) && !r.is_call() && r.is_pure() => { + Statement::Assignment(_, RValue::Ghost(_), _) => { + out_stmts.push(s) + } + Statement::Assignment(ref l, ref r, _) if self.should_erase(l.local) && r.is_pure() => { self.dead.insert(l.local); } Statement::Resolve(_,_, ref p) => { 
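Review bot: In `LocalUsage::visit_rvalue`, the new `Operand::Move(p) | Operand::Copy(p)` arm carries a commented-out `// self.move_chain(p.local);` while `move_chain` is actually invoked from `visit_statement` on the assignment's destination. The dead line should go, or be replaced by a comment stating the intent, e.g. `// only the assignment target is marked as a move chain; see visit_statement`, so the next reader does not reinstate it and double-mark the source local.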
@@ -240,7 +264,7 @@ impl<'tcx> SimplePropagator<'tcx> {
 match &mut b.terminator {
 Terminator::Goto(_) => {}
- Terminator::Switch(e, _) => self.visit_expr(e),
+ Terminator::Switch(e, _) => self.visit_operand(e),
 Terminator::Return => {}
 Terminator::Abort(_) => {}
 }
@@ -250,49 +274,53 @@ impl<'tcx> SimplePropagator<'tcx> { match s { Statement::Assignment(_, r, _) => self.visit_rvalue(r), Statement::Resolve(_, _, p) => { - if let Some(l) = p.as_symbol() && self.dead.contains(&l) { - - } + if let Some(l) = p.as_symbol() + && self.dead.contains(&l) + {} } Statement::Assertion { cond, msg: _ } => self.visit_term(cond), - Statement::AssumeBorrowInv(_) => {}, - Statement::AssertTyInv( _) => {}, + Statement::Call(_, _, _, args, _) => { + args.iter_mut().for_each(|a| self.visit_operand(a)) + } + Statement::AssumeBorrowInv(_) => {} + Statement::AssertTyInv(_) => {} } } fn visit_rvalue(&mut self, r: &mut RValue<'tcx>) { match r { RValue::Ghost(t) => self.visit_term(t), - RValue::FinalBorrow(p, _) | RValue::Borrow(p) => { + RValue::Borrow(_, p) => { assert!(self.prop.get(&p.local).is_none(), "Trying to propagate borrowed variable") } - RValue::Expr(e) => self.visit_expr(e), + RValue::Operand(op) => self.visit_operand(op), + RValue::BinOp(_, l, r) => { + self.visit_operand(l); + self.visit_operand(r) + } + RValue::UnaryOp(_, e) => self.visit_operand(e), + RValue::Constructor(_, _, es) => es.iter_mut().for_each(|e| self.visit_operand(e)), + RValue::Cast(e, _, _) => self.visit_operand(e), + RValue::Tuple(es) => es.iter_mut().for_each(|e| self.visit_operand(e)), + RValue::Len(e) => self.visit_operand(e), + RValue::Array(es) => es.iter_mut().for_each(|e| self.visit_operand(e)), + RValue::Repeat(l, r) => { + self.visit_operand(l); + self.visit_operand(r) + } } } - fn visit_expr(&mut self, e: &mut Expr<'tcx>) { - match &mut e.kind { - ExprKind::Move(p) | ExprKind::Copy(p) => { - if let Some(l) = p.as_symbol() && let Some(v) = self.prop.remove(&l) { - *e = v; - } - }, - ExprKind::BinOp(_, l, r) => { - self.visit_expr(l); - self.visit_expr(r) - } - ExprKind::UnaryOp(_, e) => self.visit_expr(e), - ExprKind::Constructor(_, _, es) => es.iter_mut().for_each(|e| self.visit_expr(e)), - ExprKind::Call(_, _, es) => es.iter_mut().for_each(|e| 
self.visit_expr(e)), - ExprKind::Constant(t) => self.visit_term(t), - ExprKind::Cast(e, _, _) => self.visit_expr(e), - ExprKind::Tuple(es) => es.iter_mut().for_each(|e| self.visit_expr(e)), - ExprKind::Len(e) => self.visit_expr(e), - ExprKind::Array(es) => es.iter_mut().for_each(|e| self.visit_expr(e)), - ExprKind::Repeat(l, r) => { - self.visit_expr(l); - self.visit_expr(r) + fn visit_operand(&mut self, op: &mut Operand<'tcx>) { + match op { + Operand::Move(p) | Operand::Copy(p) => { + if let Some(l) = p.as_symbol() + && let Some(v) = self.prop.remove(&l) + { + *op = v; + } } + Operand::Constant(_) => {} } } @@ -312,6 +340,7 @@ impl<'tcx> SimplePropagator<'tcx> { u.read == ZeroOneMany::One(Whole::Whole) && u.write == ZeroOneMany::One(Whole::Whole) && u.temp_var + && u.is_move_chain }) .unwrap_or(false) } diff --git a/creusot/src/backend/place.rs b/creusot/src/backend/place.rs index 4d32c1935e..69ab7de126 100644 --- a/creusot/src/backend/place.rs +++ b/creusot/src/backend/place.rs @@ -103,8 +103,7 @@ fn create_assign_rec<'tcx>( let varnames = freshvars.take(variant.fields.len()).collect::>(); let field_pats = varnames.clone().into_iter().map(|x| VarP(x)).collect(); - let mut varexps: Vec = - varnames.into_iter().map(|x| Exp::impure_var(x)).collect(); + let mut varexps: Vec = varnames.into_iter().map(|x| Exp::var(x)).collect(); varexps[ix.as_usize()] = inner; @@ -118,8 +117,7 @@ fn create_assign_rec<'tcx>( TyKind::Tuple(fields) => { let varnames = freshvars.take(fields.len()).collect::>(); let field_pats = varnames.clone().into_iter().map(|x| VarP(x.into())).collect(); - let mut varexps: Vec = - varnames.into_iter().map(|x| Exp::impure_var(x.into())).collect(); + let mut varexps: Vec = varnames.into_iter().map(|x| Exp::var(x)).collect(); varexps[ix.as_usize()] = inner; 
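Review bot: In `SimplePropagator::visit_statement`, the `Statement::Resolve` arm is now `if let Some(l) = p.as_symbol() && self.dead.contains(&l) {}` — a let chain with an empty body, which performs the `as_symbol` call and the set lookup for no effect. Either the arm was meant to act on a resolve of a dead local (drop the statement, or `assert!` it is not in `prop`, mirroring the `RValue::Borrow` arm) or it should collapse to `Statement::Resolve(..) => {}` with a comment saying why resolves of propagated locals are left untouched. `visit_statement` starts before the hunk.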
@@ -133,8 +131,7 @@ fn create_assign_rec<'tcx>( let varnames = freshvars.take(subst.as_closure().upvar_tys().len()).collect::>(); let field_pats = varnames.clone().into_iter().map(|x| VarP(x.into())).collect(); - let mut varexps: Vec = - varnames.into_iter().map(|x| Exp::impure_var(x.into())).collect(); + let mut varexps: Vec = varnames.into_iter().map(|x| Exp::var(x)).collect(); varexps[ix.as_usize()] = inner; let cons = names.constructor(*id, subst); @@ -149,8 +146,8 @@ fn create_assign_rec<'tcx>( }, Downcast(_, _) => inner, Index(ix) => { - let set = Exp::impure_qvar(QName::from_string("Slice.set").unwrap()); - let ix_exp = Exp::impure_var(Ident::build(ix.as_str())); + let set = Exp::qvar(QName::from_string("Slice.set").unwrap()); + let ix_exp = Exp::var(Ident::build(ix.as_str())); Call( Box::new(set), @@ -174,7 +171,7 @@ pub(crate) fn translate_rplace<'tcx, N: Namer<'tcx>>( loc: Symbol, proj: &[mir::ProjectionElem>], ) -> Exp { - let mut inner = Exp::impure_var(Ident::build(loc.as_str())); + let mut inner = Exp::var(Ident::build(loc.as_str())); if proj.is_empty() { return inner; } @@ -199,7 +196,7 @@ pub(crate) fn translate_rplace<'tcx, N: Namer<'tcx>>( ctx.translate_accessor(def.variants()[variant_id].fields[*ix].did); let acc = names.accessor(def.did(), subst, variant_id.as_usize(), *ix); - inner = Call(Box::new(Exp::impure_qvar(acc)), vec![inner]); + inner = Call(Box::new(Exp::qvar(acc)), vec![inner]); } TyKind::Tuple(fields) => { let mut pat = vec![Wildcard; fields.len()]; 
@@ -208,23 +205,21 @@ pub(crate) fn translate_rplace<'tcx, N: Namer<'tcx>>( inner = Let { pattern: TupleP(pat), arg: Box::new(inner), - body: Box::new(Exp::impure_var("a".into())), + body: Box::new(Exp::var("a")), } } TyKind::Closure(id, subst) => { - inner = Call( - Box::new(Exp::impure_qvar(names.accessor(*id, subst, 0, *ix))), - vec![inner], - ); + inner = + Call(Box::new(Exp::qvar(names.accessor(*id, subst, 0, *ix))), vec![inner]); } e => unreachable!("{:?}", e), }, Downcast(_, _) => {} Index(ix) => { // TODO: Use [_] syntax - let ix_exp = Exp::impure_var(Ident::build(ix.as_str())); + let ix_exp = Exp::var(Ident::build(ix.as_str())); inner = Call( - Box::new(Exp::impure_qvar(QName::from_string("Slice.get").unwrap())), + Box::new(Exp::qvar(QName::from_string("Slice.get").unwrap())), vec![inner, ix_exp], ) } diff --git a/creusot/src/backend/program.rs b/creusot/src/backend/program.rs index ad2a3a5ace..ebfa18f730 100644 --- a/creusot/src/backend/program.rs +++ b/creusot/src/backend/program.rs @@ -1,22 +1,18 @@ use super::{ - clone_map::PreludeModule, - dependency::HackedId, - signature::signature_of, - term::{lower_impure, lower_pure}, + clone_map::PreludeModule, dependency::HackedId, signature::signature_of, term::lower_pure, CloneDepth, CloneSummary, Namer, TransId, Why3Generator, }; use crate::{ backend::{ - closure_generic_decls, optimization, place, - place::translate_rplace, + closure_generic_decls, optimization, + place::{self, translate_rplace}, ty::{self, translate_closure_ty, translate_ty}, }, ctx::{BodyId, CloneMap, TranslationCtx}, + fmir::{BorrowKind, Operand}, translation::{ binop_to_binop, - fmir::{ - self, Block, Branches, Expr, ExprKind, LocalDecls, Place, RValue, Statement, Terminator, - }, + fmir::{self, Block, Branches, LocalDecls, Place, RValue, Statement, Terminator}, function::promoted, unop_to_unop, }, 
@@ -25,7 +21,7 @@ use crate::{ use rustc_hir::{def_id::DefId, Unsafety}; use rustc_middle::{ mir::{BasicBlock, BinOp, ProjectionElem}, - ty::TyKind, + ty::{GenericArgsRef, Ty, TyKind}, }; use rustc_span::{Span, DUMMY_SP}; use rustc_type_ir::{IntTy, UintTy}; @@ -132,7 +128,7 @@ pub(crate) fn translate_closure<'tcx>( ctx: &mut Why3Generator<'tcx>, def_id: DefId, ) -> (CloneSummary<'tcx>, Module, Option) { - assert!(ctx.is_closure(def_id)); + assert!(ctx.is_closure_or_coroutine(def_id)); let (summary, func) = translate_function(ctx, def_id); (summary, closure_ty(ctx, def_id), func) } @@ -150,7 +146,7 @@ pub(crate) fn translate_function<'tcx, 'sess>( }; let body = to_why(ctx, &mut names, body_ids[0]); - if ctx.tcx.is_closure(def_id) { + if ctx.tcx.is_closure_or_coroutine(def_id) { closure_aux_defs(ctx, def_id) }; @@ -188,7 +184,7 @@ fn collect_body_ids<'tcx>(ctx: &mut TranslationCtx<'tcx>, def_id: DefId) -> Opti .collect::>(); ids.extend(promoted.iter().filter_map(|(p, p_ty)| { - if util::ghost_closure_id(ctx.tcx, *p_ty).is_none() { + if util::snapshot_closure_id(ctx.tcx, *p_ty).is_none() { Some(BodyId::new(def_id.expect_local(), Some(*p))) } else { None @@ -210,13 +206,13 @@ fn lower_promoted<'tcx>( body_id: BodyId, ) -> Decl { let promoted = promoted::translate_promoted(ctx, body_id); - let (sig, fmir) = promoted.unwrap_or_else(|e| e.emit(ctx.tcx.sess)); + let (sig, fmir) = promoted.unwrap_or_else(|e| e.emit(ctx.tcx)); let mut sig = sig_to_why3(ctx, names, &sig, body_id.def_id()); sig.name = format!("promoted{:?}", body_id.promoted.unwrap().as_usize()).into(); let mut previous_block = None; - let mut exp = Exp::impure_var("_0".into()); + let mut exp = Exp::var("_0"); for (id, bbd) in fmir.blocks.into_iter().rev() { // Safety check match bbd.terminator { 
@@ -270,8 +266,7 @@ pub fn to_why<'tcx>( .locals .into_iter() .map(|(id, decl)| { - let init = - if decl.arg { Some(Exp::impure_var(Ident::build(id.as_str()))) } else { None }; + let init = if decl.arg { Some(Exp::var(Ident::build(id.as_str()))) } else { None }; ( false, Ident::build(id.as_str()), 
@@ -293,86 +288,74 @@ pub fn to_why<'tcx>( Decl::CfgDecl(CfgFunction { sig, rec: true, constant: false, entry, blocks, vars }) } -impl<'tcx> Expr<'tcx> { +impl<'tcx> Operand<'tcx> { pub(crate) fn to_why>( self, ctx: &mut Why3Generator<'tcx>, names: &mut N, locals: &LocalDecls<'tcx>, ) -> Exp { - let e = match self.kind { - ExprKind::Move(pl) => { - // TODO invalidate original place - pl.as_rplace(ctx, names, locals) - } - ExprKind::Copy(pl) => pl.as_rplace(ctx, names, locals), - ExprKind::BinOp(BinOp::BitAnd, l, r) if l.ty.is_bool() => { + match self { + Operand::Move(pl) => pl.as_rplace(ctx, names, locals), + Operand::Copy(pl) => pl.as_rplace(ctx, names, locals), + Operand::Constant(c) => lower_pure(ctx, names, &c), + } + } + fn invalidated_places(&self, places: &mut Vec>) { + if let Operand::Move(pl) = self { + places.push(pl.clone()) + } + } +} + +impl<'tcx> RValue<'tcx> { + pub(crate) fn to_why>( + self, + ctx: &mut Why3Generator<'tcx>, + names: &mut N, + locals: &LocalDecls<'tcx>, + ty: Ty<'tcx>, + ) -> Exp { + let e = match self { + RValue::Operand(op) => op.to_why(ctx, names, locals), + RValue::BinOp(BinOp::BitAnd, l, r) if l.ty(ctx.tcx, locals).is_bool() => { l.to_why(ctx, names, locals).lazy_and(r.to_why(ctx, names, locals)) } - ExprKind::BinOp(BinOp::Eq, l, r) if l.ty.is_bool() => { + RValue::BinOp(BinOp::Eq, l, r) if l.ty(ctx.tcx, locals).is_bool() => { names.import_prelude_module(PreludeModule::Bool); - Exp::impure_qvar(QName::from_string("Bool.eqb").unwrap()) + Exp::qvar(QName::from_string("Bool.eqb").unwrap()) .app(vec![l.to_why(ctx, names, locals), r.to_why(ctx, names, locals)]) } - ExprKind::BinOp(BinOp::Ne, l, r) if l.ty.is_bool() => { + RValue::BinOp(BinOp::Ne, l, r) if l.ty(ctx.tcx, locals).is_bool() => { names.import_prelude_module(PreludeModule::Bool); - Exp::impure_qvar(QName::from_string("Bool.neqb").unwrap()) + Exp::qvar(QName::from_string("Bool.neqb").unwrap()) .app(vec![l.to_why(ctx, names, locals), r.to_why(ctx, names, locals)]) } - 
ExprKind::BinOp(op, l, r) => { + RValue::BinOp(op, l, r) => { + let ty = l.ty(ctx.tcx, locals); // Hack - translate_ty(ctx, names, DUMMY_SP, l.ty); + translate_ty(ctx, names, DUMMY_SP, ty); Exp::BinaryOp( - binop_to_binop(ctx, l.ty, op), + binop_to_binop(ctx, ty, op), Box::new(l.to_why(ctx, names, locals)), Box::new(r.to_why(ctx, names, locals)), ) } - ExprKind::UnaryOp(op, arg) => { - Exp::UnaryOp(unop_to_unop(arg.ty, op), Box::new(arg.to_why(ctx, names, locals))) - } - ExprKind::Constructor(id, subst, args) => { + RValue::UnaryOp(op, arg) => Exp::UnaryOp( + unop_to_unop(arg.ty(ctx.tcx, locals), op), + Box::new(arg.to_why(ctx, names, locals)), + ), + RValue::Constructor(id, subst, args) => { let args = args.into_iter().map(|a| a.to_why(ctx, names, locals)).collect(); let ctor = names.constructor(id, subst); Exp::Constructor { ctor, args } } - ExprKind::Call(id, subst, args) => { - let mut args: Vec<_> = - args.into_iter().map(|a| a.to_why(ctx, names, locals)).collect(); - let fname = names.value(id, subst); - - let exp = if ctx.is_closure(id) { - assert!(args.len() == 2, "closures should only have two arguments (env, args)"); - - let real_sig = - ctx.signature_unclosure(subst.as_closure().sig(), Unsafety::Normal); - let closure_arg_count = real_sig.inputs().skip_binder().len(); - let names = ('a'..).take(closure_arg_count); - - let mut closure_args = vec![args.remove(0)]; - - closure_args - .extend(names.clone().map(|nm| Exp::impure_var(nm.to_string().into()))); - - Exp::Let { - pattern: Pattern::TupleP( - names.map(|nm| Pattern::VarP(nm.to_string().into())).collect(), - ), - arg: Box::new(args.remove(0)), - body: Box::new(Exp::impure_qvar(fname).app(closure_args)), - } - } else { - Exp::impure_qvar(fname).app(args) - }; - exp - } - ExprKind::Constant(c) => lower_impure(ctx, names, &c), - ExprKind::Tuple(f) => { + RValue::Tuple(f) => { Exp::Tuple(f.into_iter().map(|f| f.to_why(ctx, names, locals)).collect()) } - ExprKind::Cast(e, source, target) => { + 
RValue::Cast(e, source, target) => { let to_int = match source.kind() { TyKind::Int(ity) => { names.import_prelude_module(int_to_prelude(*ity)); @@ -384,7 +367,7 @@ impl<'tcx> Expr<'tcx> { } TyKind::Bool => { names.import_prelude_module(PreludeModule::Bool); - Exp::impure_qvar(QName::from_string("Bool.to_int").unwrap()) + Exp::qvar(QName::from_string("Bool.to_int").unwrap()) } _ => ctx .crash_and_error(DUMMY_SP, "Non integral casts are currently unsupported"), @@ -395,7 +378,7 @@ impl<'tcx> Expr<'tcx> { TyKind::Uint(uty) => uint_from_int(uty), TyKind::Char => { names.import_prelude_module(PreludeModule::Char); - Exp::impure_qvar(QName::from_string("Char.chr").unwrap()) + Exp::qvar(QName::from_string("Char.chr").unwrap()) } _ => ctx .crash_and_error(DUMMY_SP, "Non integral casts are currently unsupported"), @@ -403,22 +386,22 @@ impl<'tcx> Expr<'tcx> { from_int.app_to(to_int.app_to(e.to_why(ctx, names, locals))) } - ExprKind::Len(pl) => { - let len_call = Exp::impure_qvar(QName::from_string("Slice.length").unwrap()) + RValue::Len(pl) => { + let len_call = Exp::qvar(QName::from_string("Slice.length").unwrap()) .app_to(pl.to_why(ctx, names, locals)); len_call } - ExprKind::Array(fields) => { + RValue::Array(fields) => { let id = Ident::build("__arr_temp"); - let ty = translate_ty(ctx, names, DUMMY_SP, self.ty); + let ty = translate_ty(ctx, names, DUMMY_SP, ty); let len = fields.len(); - let arr_var = Exp::impure_var(id.clone()); + let arr_var = Exp::var(id.clone()); let arr_elts = Exp::RecField { record: Box::new(arr_var.clone()), label: "elts".into() }; let fields = fields.into_iter().enumerate().map(|(ix, f)| { - Exp::impure_qvar(QName::from_string("Seq.get").unwrap()) + Exp::qvar(QName::from_string("Seq.get").unwrap()) .app(vec![arr_elts.clone(), Exp::Const(Constant::Int(ix as i128, None))]) .eq(f.to_why(ctx, names, locals)) }); 
@@ -430,7 +413,7 @@ impl<'tcx> Expr<'tcx> { fields .map(|e| Exp::Assume(Box::new(e))) .chain(std::iter::once(Exp::Assume(Box::new( - Exp::impure_qvar(QName::from_string("Slice.length").unwrap()) + Exp::qvar(QName::from_string("Slice.length").unwrap()) .app_to(arr_var.clone()) .eq(Exp::Const(Constant::Int(len as i128, None))), )))) 
@@ -439,40 +422,37 @@ impl<'tcx> Expr<'tcx> { )), } } - ExprKind::Repeat(e, len) => { - Exp::impure_qvar(QName::from_string("Slice.create").unwrap()) - .app_to(len.to_why(ctx, names, locals)) - .app_to(Exp::FnLit(Box::new(e.to_why(ctx, names, locals)))) - } + RValue::Repeat(e, len) => Exp::qvar(QName::from_string("Slice.create").unwrap()) + .app_to(len.to_why(ctx, names, locals)) + .app_to(Exp::FnLit(Box::new(e.to_why(ctx, names, locals)))), + RValue::Ghost(t) => lower_pure(ctx, names, &t), + RValue::Borrow(_, _) => todo!(), }; - if self.span != DUMMY_SP { - ctx.attach_span(self.span, e) - } else { - e - } + e } - fn invalidated_places(&self, places: &mut Vec<(fmir::Place<'tcx>, Span)>) { - match &self.kind { - ExprKind::Move(p) => places.push((p.clone(), self.span)), - ExprKind::Copy(_) => {} - ExprKind::BinOp(_, l, r) => { + /// Gather the set of places which are moved out of by an expression + fn invalidated_places(&self, places: &mut Vec>) { + match &self { + RValue::Operand(Operand::Move(p)) => places.push(p.clone()), + RValue::Operand(_) => {} + RValue::BinOp(_, l, r) => { l.invalidated_places(places); r.invalidated_places(places) } - ExprKind::UnaryOp(_, e) => e.invalidated_places(places), - ExprKind::Constructor(_, _, es) => es.iter().for_each(|e| e.invalidated_places(places)), - ExprKind::Call(_, _, es) => es.iter().for_each(|e| e.invalidated_places(places)), - ExprKind::Constant(_) => {} - ExprKind::Cast(e, _, _) => e.invalidated_places(places), - ExprKind::Tuple(es) => es.iter().for_each(|e| e.invalidated_places(places)), - ExprKind::Len(e) => e.invalidated_places(places), - ExprKind::Array(f) => f.iter().for_each(|f| f.invalidated_places(places)), - ExprKind::Repeat(e, len) => { + RValue::UnaryOp(_, e) => e.invalidated_places(places), + RValue::Constructor(_, _, es) => es.iter().for_each(|e| e.invalidated_places(places)), + RValue::Cast(e, _, _) => e.invalidated_places(places), + RValue::Tuple(es) => es.iter().for_each(|e| e.invalidated_places(places)), 
+ RValue::Len(e) => e.invalidated_places(places), + RValue::Array(f) => f.iter().for_each(|f| f.invalidated_places(places)), + RValue::Repeat(e, len) => { e.invalidated_places(places); len.invalidated_places(places) } + RValue::Ghost(_) => {} + RValue::Borrow(_, _) => {} } } } @@ -651,7 +631,7 @@ pub(crate) fn borrow_generated_id( projection: &[ProjectionElem], ) -> Exp { let mut borrow_id = Exp::Call( - Box::new(Exp::pure_qvar(QName::from_string("Borrow.get_id").unwrap())), + Box::new(Exp::qvar(QName::from_string("Borrow.get_id").unwrap())), vec![original_borrow], ); for proj in projection { @@ -661,7 +641,7 @@ pub(crate) fn borrow_generated_id( } ProjectionElem::Field(idx, _) => { borrow_id = Exp::Call( - Box::new(Exp::pure_qvar(QName::from_string("Borrow.inherit_id").unwrap())), + Box::new(Exp::qvar(QName::from_string("Borrow.inherit_id").unwrap())), vec![borrow_id, Exp::Const(Constant::Int(idx.as_u32() as i128 + 1, None))], ); } @@ -688,9 +668,9 @@ impl<'tcx> Statement<'tcx> { locals: &LocalDecls<'tcx>, ) -> Vec { match self { - Statement::Assignment(lhs, RValue::Borrow(rhs), span) => { + Statement::Assignment(lhs, RValue::Borrow(BorrowKind::Mut, rhs), span) => { let borrow = Exp::Call( - Box::new(Exp::impure_qvar(QName::from_string("Borrow.borrow_mut").unwrap())), + Box::new(Exp::qvar(QName::from_string("Borrow.borrow_mut").unwrap())), vec![rhs.as_rplace(ctx, names, locals)], ); let reassign = Exp::Final(Box::new(lhs.as_rplace(ctx, names, locals))); @@ -700,7 +680,11 @@ impl<'tcx> Statement<'tcx> { place::create_assign_inner(ctx, names, locals, &rhs, reassign, span), ] } - Statement::Assignment(lhs, RValue::FinalBorrow(rhs, deref_index), span) => { + Statement::Assignment( + lhs, + RValue::Borrow(BorrowKind::Final(deref_index), rhs), + span, + ) => { let original_borrow = Place { local: rhs.local.clone(), projection: rhs.projection[..deref_index].to_vec(), 
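Review bot: `RValue::Borrow(_, _) => todo!()` in `RValue::to_why` is a reachable panic: the `Statement::to_why` arms later in this file intercept only `BorrowKind::Mut` and `BorrowKind::Final`, and the catch-all `Statement::Assignment(lhs, rhs, span)` arm forwards any other rvalue here. If those two are the only borrow kinds, say so at the arm, `RValue::Borrow(..) => unreachable!("borrows are lowered by Statement::to_why")`; if `BorrowKind` has further variants, they need a real lowering rather than a `todo!`. Separately, `let e = match self { … }; e` is left over from the removed span attachment; the `match` can be the function's tail expression directly.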
@@ -709,7 +693,7 @@ impl<'tcx> Statement<'tcx> { let borrow_id = borrow_generated_id(original_borrow, &rhs.projection[deref_index + 1..]); let borrow = Exp::Call( - Box::new(Exp::impure_qvar(QName::from_string("Borrow.borrow_final").unwrap())), + Box::new(Exp::qvar(QName::from_string("Borrow.borrow_final").unwrap())), vec![rhs.as_rplace(ctx, names, locals), borrow_id], ); let reassign = Exp::Final(Box::new(lhs.as_rplace(ctx, names, locals))); 
@@ -719,34 +703,36 @@ impl<'tcx> Statement<'tcx> { place::create_assign_inner(ctx, names, locals, &rhs, reassign, span), ] } - Statement::Assignment(lhs, RValue::Ghost(rhs), span) => { - let ghost = lower_pure(ctx, names, &rhs); - vec![place::create_assign_inner(ctx, names, locals, &lhs, ghost, span)] - } - Statement::Assignment(lhs, RValue::Expr(rhs), span) => { + Statement::Assignment(lhs, rhs, span) => { let mut invalid = Vec::new(); rhs.invalidated_places(&mut invalid); - let rhs = rhs.to_why(ctx, names, locals); + let rhs = rhs.to_why(ctx, names, locals, lhs.ty(ctx.tcx, locals)); let mut exps = vec![place::create_assign_inner(ctx, names, locals, &lhs, rhs, span)]; - for (pl, pl_span) in invalid { - let ty = pl.ty(ctx.tcx, locals); - let ty = translate_ty(ctx, names, pl_span.substitute_dummy(span), ty); - exps.push(place::create_assign_inner( - ctx, - names, - locals, - &pl, - Exp::Any(ty), - pl_span, - )); + invalidate_places(ctx, names, locals, span, invalid, &mut exps); + + exps + } + Statement::Call(dest, fun_id, subst, args, span) => { + let mut invalid = Vec::new(); + args.iter().for_each(|a| a.invalidated_places(&mut invalid)); + + let mut exp = func_call_to_why3(ctx, names, locals, fun_id, subst, args); + + if let Some(attr) = ctx.span_attr(span) { + exp = Exp::Attr(attr, Box::new(exp)); } + + let mut exps = + vec![place::create_assign_inner(ctx, names, locals, &dest, exp, span)]; + invalidate_places(ctx, names, locals, span, invalid, &mut exps); + exps } Statement::Resolve(id, subst, pl) => { ctx.translate(id); - let rp = Exp::impure_qvar(names.value(id, subst)); + let rp = Exp::qvar(names.value(id, subst)); let assume = rp.app_to(pl.as_rplace(ctx, names, locals)); vec![mlcfg::Statement::Assume(assume)] 
@@ -758,7 +744,7 @@ impl<'tcx> Statement<'tcx> { ))] } Statement::AssumeBorrowInv(pl) => { - let inv_fun = Exp::impure_qvar( + let inv_fun = Exp::qvar( names.ty_inv(pl.ty(ctx.tcx, locals).builtin_deref(false).unwrap().ty), ); let arg = Exp::Final(Box::new(pl.as_rplace(ctx, names, locals))); @@ -766,7 +752,7 @@ impl<'tcx> Statement<'tcx> { vec![mlcfg::Statement::Assume(inv_fun.app_to(arg))] } Statement::AssertTyInv(pl) => { - let inv_fun = Exp::impure_qvar(names.ty_inv(pl.ty(ctx.tcx, locals))); + let inv_fun = Exp::qvar(names.ty_inv(pl.ty(ctx.tcx, locals))); let arg = pl.as_rplace(ctx, names, locals); let exp = Exp::Attr( Attribute::Attr(format!("expl:type invariant")), 
@@ -779,6 +765,56 @@ impl<'tcx> Statement<'tcx> { } } +fn invalidate_places<'tcx>( + ctx: &mut Why3Generator<'tcx>, + names: &mut CloneMap<'tcx>, + locals: &LocalDecls<'tcx>, + span: Span, + invalid: Vec>, + out: &mut Vec, +) { + for pl in invalid { + let ty = pl.ty(ctx.tcx, locals); + let ty = translate_ty(ctx, names, DUMMY_SP.substitute_dummy(span), ty); + out.push(place::create_assign_inner(ctx, names, locals, &pl, Exp::Any(ty), DUMMY_SP)); + } +} + +fn func_call_to_why3<'tcx>( + ctx: &mut Why3Generator<'tcx>, + names: &mut CloneMap<'tcx>, + locals: &LocalDecls<'tcx>, + id: DefId, + subst: GenericArgsRef<'tcx>, + args: Vec>, +) -> Exp { + let mut args: Vec<_> = args.into_iter().map(|a| a.to_why(ctx, names, locals)).collect(); + let fname = names.value(id, subst); + + let exp = if ctx.is_closure_or_coroutine(id) { + assert!(args.len() == 2, "closures should only have two arguments (env, args)"); + + let real_sig = ctx.signature_unclosure(subst.as_closure().sig(), Unsafety::Normal); + let closure_arg_count = real_sig.inputs().skip_binder().len(); + let names = ('a'..).take(closure_arg_count); + + let mut closure_args = vec![args.remove(0)]; + + closure_args.extend(names.clone().map(|nm| Exp::var(nm.to_string()))); + + Exp::Let { + pattern: Pattern::TupleP( + names.map(|nm| Pattern::VarP(nm.to_string().into())).collect(), + ), + arg: Box::new(args.remove(0)), + body: Box::new(Exp::qvar(fname).app(closure_args)), + } + } else { + Exp::qvar(fname).app(args) + }; + exp +} + pub(crate) fn int_to_prelude(ity: IntTy) -> PreludeModule { match ity { IntTy::Isize => PreludeModule::Isize, 
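Review bot: In `invalidate_places`, `DUMMY_SP.substitute_dummy(span)` always evaluates to `span` (`substitute_dummy` keeps `self` only when `self` is not the dummy span), so the `translate_ty` call can simply be `let ty = translate_ty(ctx, names, span, ty);`. The following `create_assign_inner` call passes `DUMMY_SP` as the span of the `Exp::Any` assignment, where the loop it replaces in the old `Statement::Assignment` arm used the moved place's own span; with per-operand spans gone, `out.push(place::create_assign_inner(ctx, names, locals, &pl, Exp::Any(ty), span));` at least keeps the statement's location on the invalidation. In `func_call_to_why3`, `let names = ('a'..).take(closure_arg_count);` shadows the `names: &mut CloneMap` parameter inside the closure branch; a name like `arg_names` avoids the confusion.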
@@ -803,44 +839,44 @@ pub(crate) fn uint_to_prelude(ity: UintTy) -> PreludeModule { pub(crate) fn int_from_int(ity: &IntTy) -> Exp { match ity { - IntTy::Isize => Exp::impure_qvar(QName::from_string("IntSize.of_int").unwrap()), - IntTy::I8 => Exp::impure_qvar(QName::from_string("Int8.of_int").unwrap()), - IntTy::I16 => Exp::impure_qvar(QName::from_string("Int16.of_int").unwrap()), - IntTy::I32 => Exp::impure_qvar(QName::from_string("Int32.of_int").unwrap()), - IntTy::I64 => Exp::impure_qvar(QName::from_string("Int64.of_int").unwrap()), - IntTy::I128 => Exp::impure_qvar(QName::from_string("Int128.of_int").unwrap()), + IntTy::Isize => Exp::qvar(QName::from_string("IntSize.of_int").unwrap()), + IntTy::I8 => Exp::qvar(QName::from_string("Int8.of_int").unwrap()), + IntTy::I16 => Exp::qvar(QName::from_string("Int16.of_int").unwrap()), + IntTy::I32 => Exp::qvar(QName::from_string("Int32.of_int").unwrap()), + IntTy::I64 => Exp::qvar(QName::from_string("Int64.of_int").unwrap()), + IntTy::I128 => Exp::qvar(QName::from_string("Int128.of_int").unwrap()), } } pub(crate) fn uint_from_int(uty: &UintTy) -> Exp { match uty { - UintTy::Usize => Exp::impure_qvar(QName::from_string("UIntSize.of_int").unwrap()), - UintTy::U8 => Exp::impure_qvar(QName::from_string("UInt8.of_int").unwrap()), - UintTy::U16 => Exp::impure_qvar(QName::from_string("UInt16.of_int").unwrap()), - UintTy::U32 => Exp::impure_qvar(QName::from_string("UInt32.of_int").unwrap()), - UintTy::U64 => Exp::impure_qvar(QName::from_string("UInt64.of_int").unwrap()), - UintTy::U128 => Exp::impure_qvar(QName::from_string("UInt128.of_int").unwrap()), + UintTy::Usize => Exp::qvar(QName::from_string("UIntSize.of_int").unwrap()), + UintTy::U8 => Exp::qvar(QName::from_string("UInt8.of_int").unwrap()), + UintTy::U16 => Exp::qvar(QName::from_string("UInt16.of_int").unwrap()), + UintTy::U32 => Exp::qvar(QName::from_string("UInt32.of_int").unwrap()), + UintTy::U64 => Exp::qvar(QName::from_string("UInt64.of_int").unwrap()), + 
UintTy::U128 => Exp::qvar(QName::from_string("UInt128.of_int").unwrap()), } } pub(crate) fn int_to_int(ity: &IntTy) -> Exp { match ity { - IntTy::Isize => Exp::impure_qvar(QName::from_string("IntSize.to_int").unwrap()), - IntTy::I8 => Exp::impure_qvar(QName::from_string("Int8.to_int").unwrap()), - IntTy::I16 => Exp::impure_qvar(QName::from_string("Int16.to_int").unwrap()), - IntTy::I32 => Exp::impure_qvar(QName::from_string("Int32.to_int").unwrap()), - IntTy::I64 => Exp::impure_qvar(QName::from_string("Int64.to_int").unwrap()), - IntTy::I128 => Exp::impure_qvar(QName::from_string("Int128.to_int").unwrap()), + IntTy::Isize => Exp::qvar(QName::from_string("IntSize.to_int").unwrap()), + IntTy::I8 => Exp::qvar(QName::from_string("Int8.to_int").unwrap()), + IntTy::I16 => Exp::qvar(QName::from_string("Int16.to_int").unwrap()), + IntTy::I32 => Exp::qvar(QName::from_string("Int32.to_int").unwrap()), + IntTy::I64 => Exp::qvar(QName::from_string("Int64.to_int").unwrap()), + IntTy::I128 => Exp::qvar(QName::from_string("Int128.to_int").unwrap()), } } pub(crate) fn uint_to_int(uty: &UintTy) -> Exp { match uty { - UintTy::Usize => Exp::impure_qvar(QName::from_string("UIntSize.to_int").unwrap()), - UintTy::U8 => Exp::impure_qvar(QName::from_string("UInt8.to_int").unwrap()), - UintTy::U16 => Exp::impure_qvar(QName::from_string("UInt16.to_int").unwrap()), - UintTy::U32 => Exp::impure_qvar(QName::from_string("UInt32.to_int").unwrap()), - UintTy::U64 => Exp::impure_qvar(QName::from_string("UInt64.to_int").unwrap()), - UintTy::U128 => Exp::impure_qvar(QName::from_string("UInt128.to_int").unwrap()), + UintTy::Usize => Exp::qvar(QName::from_string("UIntSize.to_int").unwrap()), + UintTy::U8 => Exp::qvar(QName::from_string("UInt8.to_int").unwrap()), + UintTy::U16 => Exp::qvar(QName::from_string("UInt16.to_int").unwrap()), + UintTy::U32 => Exp::qvar(QName::from_string("UInt32.to_int").unwrap()), + UintTy::U64 => Exp::qvar(QName::from_string("UInt64.to_int").unwrap()), + UintTy::U128 => 
Exp::qvar(QName::from_string("UInt128.to_int").unwrap()), } } diff --git a/creusot/src/backend/term.rs b/creusot/src/backend/term.rs index 1125934d2e..f5c6838ee9 100644 --- a/creusot/src/backend/term.rs +++ b/creusot/src/backend/term.rs @@ -9,7 +9,7 @@ use crate::{ use rustc_hir::def_id::DefId; use rustc_middle::ty::{EarlyBinder, GenericArgsRef, Ty, TyCtxt, TyKind}; use why3::{ - exp::{BinOp, Binder, Constant, Exp, Pattern as Pat, Purity}, + exp::{BinOp, Binder, Constant, Exp, Pattern as Pat}, ty::Type, Ident, QName, }; @@ -20,18 +20,7 @@ pub(crate) fn lower_pure<'tcx, N: Namer<'tcx>>( term: &Term<'tcx>, ) -> Exp { let span = term.span; - let mut term = Lower { ctx, names, pure: Purity::Logic }.lower_term(term); - term.reassociate(); - ctx.attach_span(span, term) -} - -pub(crate) fn lower_impure<'tcx, N: Namer<'tcx>>( - ctx: &mut Why3Generator<'tcx>, - names: &mut N, - term: &Term<'tcx>, -) -> Exp { - let span = term.span; - let mut term = Lower { ctx, names, pure: Purity::Program }.lower_term(term); + let mut term = Lower { ctx, names }.lower_term(term); term.reassociate(); ctx.attach_span(span, term) } @@ -39,16 +28,11 @@ pub(crate) fn lower_impure<'tcx, N: Namer<'tcx>>( pub(super) struct Lower<'a, 'tcx, N: Namer<'tcx>> { pub(super) ctx: &'a mut Why3Generator<'tcx>, pub(super) names: &'a mut N, - // true when we are translating a purely logical term - pub(super) pure: Purity, } impl<'tcx, N: Namer<'tcx>> Lower<'_, 'tcx, N> { pub(crate) fn lower_term(&mut self, term: &Term<'tcx>) -> Exp { match &term.kind { - TermKind::Lit(l) => { - let c = lower_literal(self.ctx, self.names, l); - c - } + TermKind::Lit(l) => lower_literal(self.ctx, self.names, l), // FIXME: this is a weird dance. TermKind::Item(id, subst) => { let method = (*id, *subst); 
@@ -58,11 +42,11 @@ impl<'tcx, N: Namer<'tcx>> Lower<'_, 'tcx, N> { let clone = self.names.value(*id, subst); match self.ctx.type_of(id).instantiate_identity().kind() { TyKind::FnDef(_, _) => Exp::Tuple(Vec::new()), - _ => Exp::pure_qvar(clone), + _ => Exp::qvar(clone), } }) } - TermKind::Var(v) => Exp::pure_var(util::ident_of(*v)), + TermKind::Var(v) => Exp::var(util::ident_of(*v)), TermKind::Binary { op, box lhs, box rhs } => { let lhs = self.lower_term(lhs); let rhs = self.lower_term(rhs); 
@@ -72,54 +56,10 @@ impl<'tcx, N: Namer<'tcx>> Lower<'_, 'tcx, N> { self.names.import_prelude_module(PreludeModule::Int); } - match (op, self.pure) { - (Div, _) => Exp::pure_var("div".into()).app(vec![lhs, rhs]), - (Rem, _) => Exp::pure_var("mod".into()).app(vec![lhs, rhs]), - (Eq | Ne | Lt | Le | Gt | Ge, Purity::Program) => { - let (lfvs, rfvs) = (lhs.fvs(), rhs.fvs()); - let mut freshvars = (0..) - .map(|i| format!("x{i}").into()) - .filter(|x: &Ident| !(lfvs.contains(x) || rfvs.contains(x))); - - let (a, lhs) = if lhs.is_pure() { - (lhs, None) - } else { - let v = freshvars.next().unwrap(); - (Exp::Var(v.clone(), self.pure), Some((v, lhs))) - }; - - let (b, rhs) = if rhs.is_pure() { - (rhs, None) - } else { - let v = freshvars.next().unwrap(); - (Exp::Var(v.clone(), self.pure), Some((v, rhs))) - }; - - let op = binop_to_binop(*op, Purity::Logic); - let mut inner = - Exp::Pure(Box::new(Exp::BinaryOp(op, Box::new(a), Box::new(b)))); - - if let Some((a, lhs)) = lhs { - inner = Exp::Let { - pattern: Pat::VarP(a), - arg: Box::new(lhs), - body: Box::new(inner), - } - }; - - if let Some((b, rhs)) = rhs { - inner = Exp::Let { - pattern: Pat::VarP(b), - arg: Box::new(rhs), - body: Box::new(inner), - } - }; - - inner - } - _ => { - Exp::BinaryOp(binop_to_binop(*op, self.pure), Box::new(lhs), Box::new(rhs)) - } + match op { + Div => Exp::var("div").app(vec![lhs, rhs]), + Rem => Exp::var("mod").app(vec![lhs, rhs]), + _ => Exp::BinaryOp(binop_to_binop(*op), Box::new(lhs), Box::new(rhs)), } } TermKind::Unary { op, box arg } => { @@ -129,13 +69,7 @@ impl<'tcx, N: Namer<'tcx>> Lower<'_, 'tcx, N> { }; Exp::UnaryOp(op, Box::new(self.lower_term(arg))) } - TermKind::Call { - id, - subst, - // fun: box Term { kind: TermKind::Item(id, subst), .. }, - args, - .. - } => { + TermKind::Call { id, subst, args, .. } => { let mut args: Vec<_> = args.into_iter().map(|arg| self.lower_term(arg)).collect(); if args.is_empty() { 
@@ -152,24 +86,17 @@ impl<'tcx, N: Namer<'tcx>> Lower<'_, 'tcx, N> { self.ctx.translate(method.0); let clone = self.names.value(method.0, method.1); - if self.pure == Purity::Program { - mk_binders(Exp::QVar(clone, self.pure), args) - } else { - Exp::QVar(clone, self.pure).app(args) - } + Exp::qvar(clone).app(args) }) } TermKind::Forall { binder, box body } => { - let ty = translate_ty(self.ctx, self.names, rustc_span::DUMMY_SP, binder.1); - self.pure_exp(|this| { - Exp::forall(vec![(binder.0.to_string().into(), ty)], this.lower_term(body)) - }) + let ty = self.lower_ty(binder.1); + + Exp::forall(vec![(binder.0.to_string().into(), ty)], self.lower_term(body)) } TermKind::Exists { binder, box body } => { - let ty = translate_ty(self.ctx, self.names, rustc_span::DUMMY_SP, binder.1); - self.pure_exp(|this| { - Exp::exists(vec![(binder.0.to_string().into(), ty)], this.lower_term(body)) - }) + let ty = self.lower_ty(binder.1); + Exp::exists(vec![(binder.0.to_string().into(), ty)], self.lower_term(body)) } TermKind::Constructor { typ, variant, fields } => { self.ctx.translate(*typ); @@ -194,7 +121,7 @@ impl<'tcx, N: Namer<'tcx>> Lower<'_, 'tcx, N> { Exp::Final(Box::new(self.lower_term(term))) } TermKind::Impl { box lhs, box rhs } => { - self.pure_exp(|this| this.lower_term(lhs).implies(this.lower_term(rhs))) + self.lower_term(lhs).implies(self.lower_term(rhs)) } TermKind::Old { box term } => Exp::Old(Box::new(self.lower_term(term))), TermKind::Match { box scrutinee, arms } => { 
@@ -204,13 +131,13 @@ impl<'tcx, N: Namer<'tcx>> Lower<'_, 'tcx, N> { } else { (&arms[1].1, &arms[0].1) }; - Exp::IfThenElse( - Box::new(self.lower_term(scrutinee)), - Box::new(self.lower_term(true_br)), - Box::new(self.lower_term(false_br)), + Exp::if_( + self.lower_term(scrutinee), + self.lower_term(true_br), + self.lower_term(false_br), ) } else { - let _ = translate_ty(self.ctx, self.names, rustc_span::DUMMY_SP, scrutinee.ty); + let _ = self.lower_ty(scrutinee.ty); let arms = arms .iter() .map(|(pat, body)| (self.lower_pat(pat), self.lower_term(body))) @@ -239,7 +166,7 @@ impl<'tcx, N: Namer<'tcx>> Lower<'_, 'tcx, N> { k => unreachable!("Projection from {k:?}"), }; - Exp::pure_qvar(accessor).app(vec![lhs]) + Exp::qvar(accessor).app(vec![lhs]) } TermKind::Closure { body } => { let TyKind::Closure(id, subst) = strip_all_refs(term.ty).kind() else { @@ -261,34 +188,17 @@ impl<'tcx, N: Namer<'tcx>> Lower<'_, 'tcx, N> { TermKind::Reborrow { cur, fin, term, projection } => { let inner = self.lower_term(&*term); let borrow_id = borrow_generated_id(inner, &projection); - Exp::Call( - Box::new(Exp::QVar("Borrow.borrow_logic".into(), Purity::Logic)), - vec![self.lower_term(&*cur), self.lower_term(&*fin), borrow_id], - ) + + Exp::qvar("Borrow.borrow_logic".into()).app(vec![ + self.lower_term(&*cur), + self.lower_term(&*fin), + borrow_id, + ]) } TermKind::Assert { cond } => { let cond = self.lower_term(&*cond); - if self.pure == Purity::Program && !cond.is_pure() { - Exp::Let { - pattern: Pat::VarP("a".into()), - arg: Box::new(cond), - body: Box::new(Exp::Assert(Box::new(Exp::impure_var("a".into())))), - } - } else { - Exp::Assert(Box::new(cond)) - } - } - } - } - fn pure_exp(&mut self, f: impl FnOnce(&mut Self) -> Exp) -> Exp { - match self.pure { - Purity::Logic => f(self), - Purity::Program => { - self.pure = Purity::Logic; - let ret = f(self); - self.pure = Purity::Program; - Exp::Pure(Box::new(ret)) + Exp::Assert(Box::new(cond)) } } } 
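Review bot: The `Reborrow` arm builds its qualified name with `"Borrow.borrow_logic".into()`, while every other prelude name touched by this patch (`Borrow.get_id`, `Borrow.inherit_id`, `Slice.length`, …) goes through `QName::from_string("…").unwrap()`. Unless `From<&str> for QName` is known to parse identically, one form for all of them keeps the call sites consistent and greppable: `Exp::qvar(QName::from_string("Borrow.borrow_logic").unwrap()).app(vec![…])`.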
@@ -296,9 +206,7 @@ impl<'tcx, N: Namer<'tcx>> Lower<'_, 'tcx, N> { fn lower_pat(&mut self, pat: &Pattern<'tcx>) -> Pat { match pat { Pattern::Constructor { adt, variant: _, fields, substs } => { - // let variant = &adt.variants()[variant]; let fields = fields.into_iter().map(|pat| self.lower_pat(pat)).collect(); - // eprintln!("{adt:?}"); Pat::ConsP(self.names.constructor(*adt, substs), fields) } Pattern::Wildcard => Pat::Wildcard, @@ -335,14 +243,7 @@ impl<'tcx, N: Namer<'tcx>> Lower<'_, 'tcx, N> { self.names.value(def_id.unwrap(), _substs); // self.names.import_builtin_module(builtin.clone().module_qname()); - if let Purity::Program = self.pure { - return Some(mk_binders( - Exp::pure_qvar(builtin.without_search_path()), - args.clone(), - )); - } else { - return Some(Exp::pure_qvar(builtin.without_search_path()).app(args.clone())); - } + return Some(Exp::qvar(builtin.without_search_path()).app(args.clone())); } None } 
@@ -384,46 +285,24 @@ pub(crate) fn lower_literal<'tcx, N: Namer<'tcx>>( } } -fn binop_to_binop(op: pearlite::BinOp, purity: Purity) -> why3::exp::BinOp { - match (op, purity) { - (pearlite::BinOp::Add, _) => BinOp::Add, - (pearlite::BinOp::Sub, _) => BinOp::Sub, - (pearlite::BinOp::Mul, _) => BinOp::Mul, - (pearlite::BinOp::Lt, _) => BinOp::Lt, - (pearlite::BinOp::Le, _) => BinOp::Le, - (pearlite::BinOp::Gt, _) => BinOp::Gt, - (pearlite::BinOp::Ge, _) => BinOp::Ge, - (pearlite::BinOp::Eq, Purity::Logic) => BinOp::Eq, - (pearlite::BinOp::Ne, Purity::Logic) => BinOp::Ne, - (pearlite::BinOp::And, Purity::Logic) => BinOp::LogAnd, - (pearlite::BinOp::And, Purity::Program) => BinOp::LazyAnd, - (pearlite::BinOp::Or, Purity::Logic) => BinOp::LogOr, - (pearlite::BinOp::Or, Purity::Program) => BinOp::LazyOr, - _ => unreachable!(), +pub(crate) fn binop_to_binop(op: pearlite::BinOp) -> why3::exp::BinOp { + match op { + pearlite::BinOp::Add => BinOp::Add, + pearlite::BinOp::Sub => BinOp::Sub, + pearlite::BinOp::Mul => BinOp::Mul, + pearlite::BinOp::Lt => BinOp::Lt, + pearlite::BinOp::Le => BinOp::Le, + pearlite::BinOp::Gt => BinOp::Gt, + pearlite::BinOp::Ge => BinOp::Ge, + pearlite::BinOp::Eq => BinOp::Eq, + pearlite::BinOp::Ne => BinOp::Ne, + pearlite::BinOp::And => BinOp::LogAnd, + pearlite::BinOp::Or => BinOp::LogOr, + pearlite::BinOp::Div => todo!("Refactor binop_to_binop to support Div"), + pearlite::BinOp::Rem => todo!("Refactor binop_to_binop to support Rem"), } } -pub(super) fn mk_binders(func: Exp, args: Vec) -> Exp { - let mut impure_args = Vec::with_capacity(args.len()); - let mut call_args = Vec::with_capacity(args.len()); - for (nm, arg) in ('a'..).zip(args.into_iter()) { - if arg.is_pure() { - call_args.push(arg); - } else { - call_args.push(Exp::impure_var(format!("{}'", nm).into())); - impure_args.push((format!("{}'", nm), arg)); - } - } - - let call = func.app(call_args); - - impure_args.into_iter().rfold(call, |acc, arg| Exp::Let { - pattern: 
Pat::VarP(arg.0.into()), - arg: Box::new(arg.1), - body: Box::new(acc), - }) -} - fn is_identity_from<'tcx>(tcx: TyCtxt<'tcx>, id: DefId, subst: GenericArgsRef<'tcx>) -> bool { if tcx.def_path_str(id) == "std::convert::From::from" && subst.len() == 1 { let out_ty: Ty<'tcx> = tcx.fn_sig(id).no_bound_vars().unwrap().output().skip_binder(); diff --git a/creusot/src/backend/ty.rs b/creusot/src/backend/ty.rs index c74558f1e4..c143040ec8 100644 --- a/creusot/src/backend/ty.rs +++ b/creusot/src/backend/ty.rs @@ -15,7 +15,7 @@ use rustc_middle::ty::{ GenericArgsRef, ParamEnv, Ty, TyCtxt, TyKind, }; use rustc_span::{Span, Symbol, DUMMY_SP}; -use rustc_type_ir::sty::TyKind::*; +use rustc_type_ir::TyKind::*; use std::collections::VecDeque; use why3::{ declaration::{ @@ -82,7 +82,7 @@ fn translate_ty_inner<'tcx, N: Namer<'tcx>>( return translate_ty_inner(trans, ctx, names, span, s[0].expect_ty()); } - if Some(def.did()) == ctx.tcx.get_diagnostic_item(Symbol::intern("creusot_int")) { + if is_int(ctx.tcx, ty) { names.import_prelude_module(PreludeModule::Int); return MlT::Integer; } @@ -156,7 +156,7 @@ fn translate_ty_inner<'tcx, N: Namer<'tcx>>( Closure(id, subst) => { ctx.translate(*id); - if util::is_ghost(ctx.tcx, *id) { + if util::is_logic(ctx.tcx, *id) { return MlT::Tuple(Vec::new()); } @@ -455,7 +455,7 @@ pub(crate) fn ty_param_names( mut def_id: DefId, ) -> impl Iterator + '_ { loop { - if tcx.is_closure(def_id) { + if tcx.is_closure_or_coroutine(def_id) { def_id = tcx.parent(def_id); } else { break; @@ -481,7 +481,7 @@ fn field_ty<'tcx>( let ty = ctx.try_normalize_erasing_regions(param_env, ty).unwrap_or(ty); if !validate_field_ty(ctx, did, ty) { - ctx.crash_and_error(ctx.def_span(field.did), "Illegal use of the Ghost type") + ctx.crash_and_error(ctx.def_span(field.did), "Illegal use of the Snapshot type") } translate_ty_inner(TyTranslation::Declaration(did), ctx, names, ctx.def_span(field.did), ty) 
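Review bot: `binop_to_binop` now reaches `todo!(...)` for `pearlite::BinOp::Div` and `Rem`, which aborts the whole rustc invocation with a panic and backtrace instead of a span diagnostic whenever a user spec uses `/` or `%`; the removed `_ => unreachable!()` behaved the same, so this is not a regression, but the function is now `pub(crate)` and will gain callers. Since it has no `ctx` to report through, state the contract on the function, e.g. `/// Panics on `Div`/`Rem`: callers must reject or lower those before calling.`, and have callers that see user terms go through `crash_and_error` with the term's span instead, as `from_ty_const` does for const generics elsewhere in this PR. The `mk_binders` removal further down the hunk is consistent with dropping the purity distinction and raises nothing on its own.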
@@ -492,7 +492,7 @@ fn validate_field_ty<'tcx>(ctx: &mut Why3Generator<'tcx>, adt_did: DefId, ty: Ty let bg = ctx.binding_group(adt_did); !ty.walk().filter_map(ty::GenericArg::as_type).any(|ty| { - util::is_ghost_ty(tcx, ty) + util::is_snap_ty(tcx, ty) && ty.walk().filter_map(ty::GenericArg::as_type).any(|ty| match ty.kind() { TyKind::Adt(adt_def, _) => bg.contains(&adt_def.did()), // TyKind::Param(_) => true, @@ -598,13 +598,13 @@ pub(crate) fn build_accessor( let mut exp = Exp::Any(field_ty.clone()); if ix == variant_ix { pat[field_ix] = Pattern::VarP("a".into()); - exp = Exp::pure_var("a".into()); + exp = Exp::var("a"); }; (Pattern::ConsP(name.clone(), pat), exp) }) .collect(); - let discr_exp = Exp::Match(Box::new(Exp::pure_var("self".into())), branches); + let discr_exp = Exp::Match(Box::new(Exp::var("self")), branches); Decl::Let(LetDecl { sig, @@ -767,6 +767,14 @@ pub(crate) fn floatty_to_ty<'tcx, N: Namer<'tcx>>( } } +pub fn is_int(tcx: TyCtxt, ty: Ty) -> bool { + if let TyKind::Adt(def, _) = ty.kind() { + Some(def.did()) == tcx.get_diagnostic_item(Symbol::intern("creusot_int")) + } else { + false + } +} + pub(crate) fn double_ty() -> MlT { MlT::TConstructor(QName::from_string("Float64.t").unwrap()) } diff --git a/creusot/src/backend/ty_inv.rs b/creusot/src/backend/ty_inv.rs index 2fa093dca8..a1af5f0c58 100644 --- a/creusot/src/backend/ty_inv.rs +++ b/creusot/src/backend/ty_inv.rs @@ -18,7 +18,7 @@ use rustc_macros::{TypeFoldable, TypeVisitable}; use rustc_middle::ty::{GenericArg, GenericArgsRef, ParamEnv, Ty, TyCtxt, TyKind}; use rustc_span::{Symbol, DUMMY_SP}; use why3::{ - declaration::{Axiom, Decl, Module, TyDecl}, + declaration::{Axiom, Decl, TyDecl}, exp::{Exp, Trigger}, Ident, }; 
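Review bot: `is_int` is a new `pub fn` with no doc comment, and it re-interns `"creusot_int"` on every call; at minimum document what it detects, e.g. `/// True if `ty` is the ADT registered under the `creusot_int` diagnostic item (presumably the `Int` type of creusot_contracts — confirm).` It is also plain `pub` while its neighbours (`double_ty`, `floatty_to_ty`) are `pub(crate)`; unless another crate needs it, `pub(crate)` keeps the exported surface from growing by accident.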
@@ -403,7 +403,7 @@ impl<'tcx> InvariantElaborator<'tcx> { pub(crate) fn build_inv_module<'tcx>( ctx: &mut Why3Generator<'tcx>, inv_kind: TyInvKind, -) -> (Module, CloneSummary<'tcx>) { +) -> CloneSummary<'tcx> { let mut names = CloneMap::new(ctx.tcx, TransId::TyInv(inv_kind)); let generics = inv_kind.generics(ctx.tcx); let inv_axiom = @@ -434,7 +434,7 @@ pub(crate) fn build_inv_module<'tcx>( decls.push(Decl::Axiom(inv_axiom)); - (Module { name: util::inv_module_name(ctx.tcx, inv_kind), decls }, summary) + summary } fn axiom_name(ctx: &Why3Generator<'_>, inv_kind: TyInvKind) -> Ident { @@ -465,7 +465,7 @@ fn build_inv_axiom<'tcx>( let ty = inv_kind.to_skeleton_ty(ctx.tcx); let kind = TyInvKind::from_ty(ctx.tcx, ty); // TODO : Refactor and push binding down - let lhs: Exp = Exp::impure_qvar(names.ty_inv(ty)).app_to(Exp::pure_var("x".into())); + let lhs: Exp = Exp::qvar(names.ty_inv(ty)).app_to(Exp::var("x")); let rhs = if TyInvKind::Trivial == inv_kind { Exp::mk_true() } else { diff --git a/creusot/src/callbacks.rs b/creusot/src/callbacks.rs index 64c510ad89..614cd3800e 100644 --- a/creusot/src/callbacks.rs +++ b/creusot/src/callbacks.rs @@ -35,6 +35,14 @@ impl Callbacks for ToWhy { tcx.alloc_steal_mir(mir) }; + providers.mir_drops_elaborated_and_const_checked = |tcx, def_id| { + let mir = (rustc_interface::DEFAULT_QUERY_PROVIDERS + .mir_drops_elaborated_and_const_checked)(tcx, def_id); + let mut mir = mir.steal(); + remove_ghost_closures(tcx, &mut mir); + tcx.alloc_steal_mir(mir) + }; + providers.mir_borrowck = |tcx, def_id| { let opts = ConsumerOptions::RegionInferenceContext; @@ -74,7 +82,7 @@ impl Callbacks for ToWhy { let _ = crate::translation::after_analysis(ctx); }); - c.session().abort_if_errors(); + c.sess.dcx().abort_if_errors(); if self.opts.in_cargo { Compilation::Continue diff --git a/creusot/src/cleanup_spec_closures.rs b/creusot/src/cleanup_spec_closures.rs index b62c5d5b62..9704dd1adc 100644 --- a/creusot/src/cleanup_spec_closures.rs 
+++ b/creusot/src/cleanup_spec_closures.rs @@ -3,8 +3,8 @@ use rustc_hir::def_id::DefId; use rustc_index::{Idx, IndexVec}; use rustc_middle::{ mir::{ - visit::MutVisitor, AggregateKind, BasicBlock, BasicBlockData, Body, Local, Location, - Rvalue, SourceInfo, Terminator, TerminatorKind, + dump_mir, visit::MutVisitor, AggregateKind, BasicBlock, BasicBlockData, Body, Local, + Location, Rvalue, SourceInfo, StatementKind, Terminator, TerminatorKind, }, ty::TyCtxt, }; @@ -18,11 +18,13 @@ use crate::util; /// To prevent the closures from intererring with the borrow checking of the surrounding environment, we replace the MIR body of the closure with an empty loop and remove all of the arguments to the closure in the surrounding MIR. pub(crate) fn cleanup_spec_closures<'tcx>(tcx: TyCtxt<'tcx>, def_id: DefId, body: &mut Body<'tcx>) { trace!("cleanup_spec_closures: {:?}", def_id); + if util::no_mir(tcx, def_id) { trace!("replacing function body"); *body.basic_blocks_mut() = make_loop(tcx); body.var_debug_info = Vec::new(); } else { + // dump_mir(tcx, false, "speccleanup", &"before", &body, |_, _| Ok(())); let mut cleanup = NoTranslateNoMoves { tcx, unused: IndexSet::new() }; cleanup.visit_body(body); @@ -32,12 +34,11 @@ pub(crate) fn cleanup_spec_closures<'tcx>(tcx: TyCtxt<'tcx>, def_id: DefId, body updater.visit_body(body); body.local_decls.shrink_to_fit(); + dump_mir(tcx, false, "speccleanup", &"after", &body, |_, _| Ok(())); } } fn cleanup_statements<'tcx>(body: &mut Body<'tcx>, unused: &IndexSet) { - use rustc_middle::mir::StatementKind; - for data in body.basic_blocks_mut() { data.statements.retain(|statement| match &statement.kind { StatementKind::StorageLive(local) | StatementKind::StorageDead(local) => { 
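Review bot: The `cleanup_spec_closures` hunk leaves a commented-out `// dump_mir(tcx, false, "speccleanup", &"before", ...)` next to a live `dump_mir(..., &"after", ...)`; commented-out code should be deleted, and if the "before" dump is useful for debugging it should simply be enabled alongside the "after" one (both are inert unless `-Zdump-mir` selects them, as far as I can tell from the API, so the cost is nil). The unconditional `dump_mir` call itself deserves a one-line comment saying it is a debugging aid gated by `-Zdump-mir=speccleanup`, so a reader does not assume MIR is written on every build. `cleanup_statements` continues outside this hunk.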
@@ -81,7 +82,7 @@ impl<'tcx> MutVisitor<'tcx> for NoTranslateNoMoves<'tcx> { match rvalue { Rvalue::Aggregate(box AggregateKind::Closure(def_id, _), substs) => { if util::is_no_translate(self.tcx, *def_id) - || util::is_ghost_closure(self.tcx, *def_id) + || util::is_snapshot_closure(self.tcx, *def_id) { substs.iter_mut().for_each(|p| { if p.is_move() { @@ -89,6 +90,7 @@ impl<'tcx> MutVisitor<'tcx> for NoTranslateNoMoves<'tcx> { if let Some(loc) = place.as_local() { self.unused.insert(loc); } + // *p = Operand::Copy(place); } }); *substs = IndexVec::new(); @@ -137,3 +139,33 @@ impl<'tcx> MutVisitor<'tcx> for LocalUpdater<'tcx> { *l = self.map[*l].unwrap(); } } + +pub fn remove_ghost_closures<'tcx>(tcx: TyCtxt<'tcx>, body: &mut Body<'tcx>) { + struct RemoveGhostItems<'tcx> { + tcx: TyCtxt<'tcx>, + } + + impl<'tcx> MutVisitor<'tcx> for RemoveGhostItems<'tcx> { + fn tcx<'a>(&'a self) -> TyCtxt<'tcx> { + self.tcx + } + + fn visit_statement( + &mut self, + statement: &mut rustc_middle::mir::Statement<'tcx>, + _: Location, + ) { + let StatementKind::Assign(box (_, rhs)) = &statement.kind else { return }; + let Rvalue::Aggregate(box AggregateKind::Closure(def_id, _), _) = rhs else { + return; + }; + if util::is_no_translate(self.tcx, *def_id) + || util::is_snapshot_closure(self.tcx, *def_id) + { + statement.kind = StatementKind::Nop + } + } + } + + RemoveGhostItems { tcx }.visit_body(body); +} diff --git a/creusot/src/ctx.rs b/creusot/src/ctx.rs index bdf9a6b9e9..14c0b526be 100644 --- a/creusot/src/ctx.rs +++ b/creusot/src/ctx.rs @@ -21,7 +21,7 @@ use crate::{ }; use indexmap::{IndexMap, IndexSet}; use rustc_borrowck::consumers::BodyWithBorrowckFacts; -use rustc_errors::{DiagnosticBuilder, DiagnosticId}; +use rustc_errors::{DiagnosticBuilder, FatalAbort}; use rustc_hir::{ def::DefKind, def_id::{DefId, LocalDefId}, 
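Review bot: `remove_ghost_closures` replaces the whole `Assign` of a `no_translate`/snapshot closure aggregate with `Nop`, but unlike `NoTranslateNoMoves::visit_rvalue` just above it neither records the operands moved into the aggregate nor the destination local, so any later `StorageDead` or use of that local stays in the body with the local never initialized — I cannot see from this hunk whether a later pass removes those uses, so please confirm or reuse the `unused` bookkeeping. The function is also `pub` with no doc comment; add e.g. `/// Turns every construction of a `#[no_translate]` or `snapshot!` closure into a `Nop` so it does not survive into the drop-elaborated MIR (installed from the `mir_drops_elaborated_and_const_checked` override in callbacks.rs).` The commented-out `// *p = Operand::Copy(place);` added in the previous hunk should be removed or become a TODO that explains the alternative it records.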
@@ -168,7 +168,7 @@ impl<'tcx, 'sess> TranslationCtx<'tcx> { if util::has_body(self, def_id) { if !self.terms.contains_key(&def_id) { let mut term = pearlite::pearlite(self, def_id.expect_local()) - .unwrap_or_else(|e| e.emit(self.tcx.sess)); + .unwrap_or_else(|e| e.emit(self.tcx)); pearlite::normalize(self.tcx, self.param_env(def_id), &mut term); self.terms.insert(def_id, term); @@ -228,39 +228,25 @@ impl<'tcx, 'sess> TranslationCtx<'tcx> { } pub(crate) fn crash_and_error(&self, span: Span, msg: &str) -> ! { - self.tcx.sess.span_fatal_with_code( - span, - msg.to_string(), - DiagnosticId::Error(String::from("creusot")), - ) - } - - pub(crate) fn fatal_error(&self, span: Span, msg: &str) -> DiagnosticBuilder<'tcx, !> { - self.tcx.sess.struct_span_fatal_with_code( - span, - msg.to_string(), - DiagnosticId::Error(String::from("creusot")), - ) - } - - pub(crate) fn error(&self, span: Span, msg: &str) { - self.tcx.sess.span_err_with_code( - span, - msg.to_string(), - DiagnosticId::Error(String::from("creusot")), - ) - } - - pub(crate) fn warn(&self, span: Span, msg: &str) { - self.tcx.sess.span_warn_with_code( - span, - msg.to_string(), - DiagnosticId::Lint { - name: String::from("creusot"), - has_future_breakage: false, - is_force_warn: false, - }, - ) + // TODO: try to add a code back in + self.tcx.dcx().span_fatal(span, msg.to_string()) + } + + pub(crate) fn fatal_error(&self, span: Span, msg: &str) -> DiagnosticBuilder<'tcx, FatalAbort> { + // TODO: try to add a code back in + self.tcx.dcx().struct_span_fatal(span, msg.to_string()) + } + + pub(crate) fn error( + &self, + span: Span, + msg: &str, + ) -> DiagnosticBuilder<'tcx, rustc_errors::ErrorGuaranteed> { + self.tcx.dcx().struct_span_err(span, msg.to_string()) + } + + pub(crate) fn warn(&self, span: Span, msg: &str) -> DiagnosticBuilder<'tcx, ()> { + self.tcx.dcx().struct_span_warn(span, msg.to_string()) } fn add_binding_group(&mut self, def_ids: &IndexSet) { 
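Review bot: `error` and `warn` now hand back a `DiagnosticBuilder` instead of emitting, so every existing call site must add `.emit()` (run_why3.rs does so in this PR); rustc treats a builder dropped without `emit()` or `cancel()` as an internal error, and an error that is never emitted is also invisible to the `dcx().has_errors()` gate that `after_analysis` relies on, so one missed call turns a reported failure into a silently "successful" run. Either audit every remaining caller in this change or keep the eager form and expose the builder separately, e.g. `pub(crate) fn error(&self, span: Span, msg: &str) { self.struct_error(span, msg).emit() }` with `struct_error` returning the builder. The `// TODO: try to add a code back in` drops the `creusot` code that previously tagged all diagnostics (and that tooling may match on); track it as an issue rather than an inline TODO. The enclosing `impl TranslationCtx` continues outside the hunk.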
@@ -314,7 +300,7 @@ impl<'tcx, 'sess> TranslationCtx<'tcx> { fn mk_opacity(&self, item: DefId) -> Opacity { if !matches!( util::item_type(self.tcx, item), - ItemType::Predicate | ItemType::Logic | ItemType::Ghost + ItemType::Predicate { .. } | ItemType::Logic { .. } ) { return Opacity(Visibility::Public); }; @@ -391,10 +377,10 @@ impl<'tcx, 'sess> TranslationCtx<'tcx> { pub(crate) fn check_purity(&mut self, def_id: LocalDefId) { let (thir, expr) = - self.tcx.thir_body(def_id).unwrap_or_else(|_| Error::from(CrErr).emit(self.tcx.sess)); + self.tcx.thir_body(def_id).unwrap_or_else(|_| Error::from(CrErr).emit(self.tcx)); let thir = thir.borrow(); if thir.exprs.is_empty() { - Error::new(self.tcx.def_span(def_id), "type checking failed").emit(self.tcx.sess); + Error::new(self.tcx.def_span(def_id), "type checking failed").emit(self.tcx); } let def_id = def_id.to_def_id(); diff --git a/creusot/src/error.rs b/creusot/src/error.rs index 120546c709..4aea329ad8 100644 --- a/creusot/src/error.rs +++ b/creusot/src/error.rs @@ -1,5 +1,4 @@ -use rustc_errors::DiagnosticId; -use rustc_session::Session; +use rustc_middle::ty::TyCtxt; use rustc_span::{Span, DUMMY_SP}; pub type CreusotResult = Result; @@ -16,8 +15,9 @@ impl Error { Error { span, msg: msg.into() } } - pub(crate) fn emit(self, sess: &Session) -> ! { - sess.span_fatal_with_code(self.span, self.msg, DiagnosticId::Error(String::from("creusot"))) + pub(crate) fn emit(self, tcx: TyCtxt) -> ! { + // TODO: try to add a code back in + tcx.dcx().span_fatal(self.span, self.msg) } } diff --git a/creusot/src/extended_location.rs b/creusot/src/extended_location.rs index cfff054da4..b0eb85562b 100644 --- a/creusot/src/extended_location.rs +++ b/creusot/src/extended_location.rs 
@@ -1,6 +1,5 @@ use rustc_middle::mir::Location; -use rustc_mir_dataflow::{self as dataflow, Analysis, AnalysisResults, Results, ResultsCursor}; -use std::borrow::Borrow; +use rustc_mir_dataflow::{self as dataflow, Analysis, ResultsCursor}; // Dataflow locations #[derive(Debug, Copy, Clone)] @@ -35,12 +34,10 @@ impl ExtendedLocation { } } - pub(crate) fn seek_to<'tcx, A, R, D>(self, cursor: &mut ResultsCursor<'_, 'tcx, A, R>) + pub(crate) fn seek_to<'tcx, A, D>(self, cursor: &mut ResultsCursor<'_, 'tcx, A>) where A: Analysis<'tcx, Direction = D>, D: Dir, - R: AnalysisResults<'tcx, A>, - R: Borrow>, { use ExtendedLocation::*; if D::is_forward() { diff --git a/creusot/src/gather_spec_closures.rs b/creusot/src/gather_spec_closures.rs index 76376d169d..af957da5cd 100644 --- a/creusot/src/gather_spec_closures.rs +++ b/creusot/src/gather_spec_closures.rs @@ -3,7 +3,7 @@ use indexmap::{IndexMap, IndexSet}; use crate::{ ctx::TranslationCtx, pearlite::Term, - util::{self, ghost_closure_id}, + util::{self, snapshot_closure_id}, }; use rustc_data_structures::graph::WithSuccessors; use rustc_hir::def_id::DefId; 
@@ -18,25 +18,32 @@ pub enum LoopSpecKind { Variant, } -pub(crate) fn assertions_and_ghosts<'tcx>( - ctx: &mut TranslationCtx<'tcx>, - body: &Body<'tcx>, -) -> IndexMap> { - let mut visitor = Closures::new(ctx.tcx); - visitor.visit_body(&body); - - let mut assertions: IndexMap<_, _> = Default::default(); - for clos in visitor.closures.into_iter() { - if util::is_assertion(ctx.tcx, clos) { - let term = ctx.term(clos).unwrap().clone(); - assertions.insert(clos, term); - } else if util::is_ghost_closure(ctx.tcx, clos) { - let term = ctx.term(clos).unwrap().clone(); - // A hack should probably be separately tracked - assertions.insert(clos, term); +/// Collect spec-related special closures in a mir [`Body`]. +pub(crate) struct SpecClosures<'tcx> { + /// Closures generated by `proof_assert!` + pub(crate) assertions: IndexMap>, + /// Closures generated by `snapshot!` + pub(crate) snapshots: IndexMap>, +} + +impl<'tcx> SpecClosures<'tcx> { + pub(crate) fn collect(ctx: &mut TranslationCtx<'tcx>, body: &Body<'tcx>) -> Self { + let mut visitor = Closures::new(ctx.tcx); + visitor.visit_body(&body); + + let mut assertions = IndexMap::new(); + let mut snapshots = IndexMap::new(); + for clos in visitor.closures.into_iter() { + if util::is_assertion(ctx.tcx, clos) { + let term = ctx.term(clos).unwrap().clone(); + assertions.insert(clos, term); + } else if util::is_snapshot_closure(ctx.tcx, clos) { + let term = ctx.term(clos).unwrap().clone(); + snapshots.insert(clos, term); + } } + Self { assertions, snapshots } } - assertions } // Collect the closures in thir, so that we can do typechecking ourselves, and @@ -59,7 +66,7 @@ impl<'tcx> Visitor<'tcx> for Closures<'tcx> { self.closures.insert(*id); } Rvalue::Use(Operand::Constant(box ck)) => { - if let Some(def_id) = ghost_closure_id(self.tcx, ck.const_.ty()) { + if let Some(def_id) = snapshot_closure_id(self.tcx, ck.const_.ty()) { self.closures.insert(def_id); } } 
diff --git a/creusot/src/lints/experimental_types.rs b/creusot/src/lints/experimental_types.rs index c2bc6c3516..54f29c0f74 100644 --- a/creusot/src/lints/experimental_types.rs +++ b/creusot/src/lints/experimental_types.rs @@ -40,20 +40,20 @@ impl<'tcx> LateLintPass<'tcx> for Experimental { } if is_str_ty(cx, e) { - cx.struct_span_lint( + cx.opt_span_lint( EXPERIMENTAL, - e.span, + Some(e.span), "support for string types is limited and experimental", - |lint| lint, + |_lint| (), ); } if is_dyn_ty(cx, e) { - cx.struct_span_lint( + cx.opt_span_lint( EXPERIMENTAL, - e.span, + Some(e.span), "support for trait objects (dyn) is limited and experimental", - |lint| lint, + |_lint| (), ); } } diff --git a/creusot/src/lints/resolve_trait.rs b/creusot/src/lints/resolve_trait.rs index c90aa1199f..b4585fceb5 100644 --- a/creusot/src/lints/resolve_trait.rs +++ b/creusot/src/lints/resolve_trait.rs @@ -21,11 +21,11 @@ fn resolve_trait_loaded(tcx: TyCtxt) -> bool { impl<'tcx> LateLintPass<'tcx> for ResolveTrait { fn check_crate(&mut self, cx: &LateContext<'tcx>) { if !resolve_trait_loaded(cx.tcx) { - cx.struct_span_lint( + cx.opt_span_lint( RESOLVE_TRAIT, - DUMMY_SP, + Some(DUMMY_SP), "the `creusot_contracts` crate is not loaded. You will not be able to verify any code using Creusot until you do so.", - |lint| lint, + |_lint| (), ); } } diff --git a/creusot/src/metadata.rs b/creusot/src/metadata.rs index 8fc502ae6e..d3a96ae1a7 100644 --- a/creusot/src/metadata.rs +++ b/creusot/src/metadata.rs @@ -154,7 +154,7 @@ pub(crate) fn dump_exports(ctx: &TranslationCtx, out: &Option) { debug!("dump_exports={:?}", out_filename); dump_binary_metadata(ctx.tcx, &out_filename, ctx.metadata()).unwrap_or_else(|err| { - panic!("could not save metadata path=`{:?}` error={}", out_filename, err) + panic!("could not save metadata path=`{:?}` error={}", out_filename, err.1) }); } 
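Review bot: In `dump_exports`, the panic message now prints only `err.1` and discards `err.0`, the `PathBuf` that `dump_binary_metadata` reports together with the `io::Error` (see its new return type in the next hunk); when the path that actually failed differs from `out_filename` (an intermediate or temporary file), the message points at the wrong file. Print both: `panic!("could not save metadata path=`{:?}` (failed at {:?}) error={}", out_filename, err.0, err.1)`. The enclosing function starts outside the hunk.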
@@ -162,7 +162,7 @@ fn dump_binary_metadata<'tcx>( tcx: TyCtxt<'tcx>, path: &Path, dep_info: BinaryMetadata<'tcx>, -) -> Result<(), std::io::Error> { +) -> Result<(), (PathBuf, std::io::Error)> { encode_metadata(tcx, path, dep_info) } diff --git a/creusot/src/options.rs b/creusot/src/options.rs index 7759ecfdf9..670b73c6a6 100644 --- a/creusot/src/options.rs +++ b/creusot/src/options.rs @@ -19,6 +19,8 @@ pub enum Why3Sub { #[derive(Clone)] pub struct Why3Command { + pub path: PathBuf, + pub config_file: Option, pub sub: Why3Sub, pub args: String, } @@ -32,6 +34,7 @@ pub struct Options { pub output_file: Option, pub in_cargo: bool, pub span_mode: SpanMode, + pub root_path_relative_from_output: PathBuf, pub match_str: Option, pub simple_triggers: bool, pub why3_cmd: Option, @@ -65,8 +68,18 @@ impl Options { let output_components = other.components().count(); let mut buf = PathBuf::new(); - (0..(output_components - same)).for_each(|_| buf.push("..")); + (0..(output_components - same)).for_each(|_| { + // Why3 treats the spans as relative to the session, not the source file, + // and the session is in a subdirectory next to the mlcfg file, so we need + // to add .. + buf.push(".."); + // then add the relative path of the root project with respect to the output + // directory (typically some amount of ..) + buf.extend(&self.root_path_relative_from_output) + }); buf.extend(p.components().skip(same)); - buf + // the roundtrip through [components()] gives us some basic (syntactic) + // normalization of the path (e.g. remove /./) + buf.components().collect() } } diff --git a/creusot/src/run_why3.rs b/creusot/src/run_why3.rs index f0b95c89bb..123f7c54ee 100644 --- a/creusot/src/run_why3.rs +++ b/creusot/src/run_why3.rs 
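Review bot: In the `(0..(output_components - same)).for_each` closure, `buf.extend(&self.root_path_relative_from_output)` sits inside the loop body, so the project-root-relative path is appended once per `..` that is pushed; the comment describes it as a single step ("then add the relative path of the root project"), and with two or more differing components the result becomes `../<root>/../<root>/...`. If a single append is intended, move it after the loop: `(0..(output_components - same)).for_each(|_| buf.push("..")); buf.extend(&self.root_path_relative_from_output);` — if the repetition is deliberate, the comment should say why. `output_components - same` is an unsigned subtraction that panics in debug builds if `same` ever exceeds the count; that predates this change but is worth a `debug_assert!`. The enclosing function starts outside the hunk.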
@@ -47,7 +47,10 @@ pub(super) fn run_why3<'tcx>(ctx: &Why3Generator<'tcx>, file: Option) { } let prelude_dir = TempDir::new("creusot_why3_prelude").expect("could not create temp dir"); PRELUDE.extract(prelude_dir.path()).expect("could extract prelude into temp dir"); - let mut command = Command::new("why3"); + let mut command = Command::new(&why3_cmd.path); + if let Some(cfg) = &why3_cmd.config_file { + command.arg("-C").arg(cfg); + } command .args([ "--warn-off=unused_variable", @@ -76,7 +79,7 @@ pub(super) fn run_why3<'tcx>(ctx: &Why3Generator<'tcx>, file: Option) { "Prover reported {answer:?} (time: {time:?}, steps: {step:?}) when trying to solve goal {:?} {:?}", x.term.goal_name, x.term.explanations ); - ctx.error(span.unwrap_or_default(), &msg); + ctx.error(span.unwrap_or_default(), &msg).emit(); for model in x.prover_result.model_elems() { let span = span_map.decode_span(&model.location); let mut msg = format!("Model Element for {}\n", model.lsymbol.name); @@ -88,13 +91,13 @@ pub(super) fn run_why3<'tcx>(ctx: &Why3Generator<'tcx>, file: Option) { writeln!(msg, "Term: {}", expr_to_string(&term)).unwrap(); let cterm = cterm_to_ast(&model.value.value_concrete_term); writeln!(msg, "Concrete Term: {}", expr_to_string(&cterm)).unwrap(); - ctx.sess.span_note_without_error(span.unwrap_or_default(), msg) + ctx.dcx().span_note(span.unwrap_or_default(), msg) } } } Err(err) => { let msg = format!("error parsing why3 output {err:?}"); - ctx.error(DUMMY_SP, &msg) + ctx.error(DUMMY_SP, &msg).emit(); } } } @@ -138,14 +141,16 @@ impl SpanMap { opts: &Options, span: Span, ) -> Option { - if let Some(cmd) = &opts.why3_cmd && matches!(cmd.sub, Why3Sub::Prove) { + if let Some(cmd) = &opts.why3_cmd + && matches!(cmd.sub, Why3Sub::Prove) + { let data = span.data(); Some(why3::declaration::Attribute::Span( "rustc_span".into(), data.lo.0 as usize, data.hi.0 as usize, self.encode_span_data((data.ctxt, data.parent)), - 0 + 0, )) } else { None 
@@ -199,7 +204,6 @@ fn fun<'a>(args: impl IntoIterator, body: Expr) -> Expr { binder: rustc_ast::ClosureBinder::NotPresent, capture_clause: rustc_ast::CaptureBy::Ref, constness: rustc_ast::Const::No, - asyncness: rustc_ast::Async::No, movability: rustc_ast::Movability::Movable, fn_decl: P(rustc_ast::FnDecl { inputs: args @@ -218,6 +222,7 @@ fn fun<'a>(args: impl IntoIterator, body: Expr) -> Expr { body: P(body), fn_decl_span: DUMMY_SP, fn_arg_span: DUMMY_SP, + coroutine_kind: None, }))) } diff --git a/creusot/src/translated_item.rs b/creusot/src/translated_item.rs index 7b586cfbb8..7a167de7f7 100644 --- a/creusot/src/translated_item.rs +++ b/creusot/src/translated_item.rs @@ -26,9 +26,7 @@ pub enum TranslatedItem { modl: Vec, accessors: IndexMap>, }, - TyInv { - modl: Module, - }, + TyInv {}, } impl<'a> TranslatedItem { diff --git a/creusot/src/translation.rs b/creusot/src/translation.rs index 74b7e8e2ea..27da2433ee 100644 --- a/creusot/src/translation.rs +++ b/creusot/src/translation.rs @@ -34,7 +34,6 @@ pub(crate) fn before_analysis(ctx: &mut TranslationCtx) -> Result<(), Box Result<(), Box> debug!("after_analysis_translate: {:?}", start.elapsed()); let start = Instant::now(); - if why3.sess.has_errors().is_some() { + if why3.dcx().has_errors().is_some() { return Err(Box::new(CrErr)); } @@ -122,7 +121,9 @@ pub(crate) fn after_analysis(ctx: TranslationCtx) -> Result<(), Box> let tcx = why3.tcx; let modules = why3.modules(); let modules = modules.flat_map(|(id, item)| { - if let TransId::Item(did) = id && tcx.def_path_str(did).contains(matcher) { + if let TransId::Item(did) = id + && tcx.def_path_str(did).contains(matcher) + { item.modules() } else { Box::new(std::iter::empty()) 
@@ -236,12 +237,12 @@ fn print_crate>( where W: Write, { - let (alloc, mut pe) = mlcfg::printer::PrintEnv::new(); + let alloc = mlcfg::printer::ALLOC; writeln!(out)?; for modl in functions { - modl.pretty(&alloc, &mut pe).1.render(120, out)?; + modl.pretty(&alloc).1.render(120, out)?; writeln!(out)?; } diff --git a/creusot/src/translation/constant.rs b/creusot/src/translation/constant.rs index 7552cd4966..4523478c04 100644 --- a/creusot/src/translation/constant.rs +++ b/creusot/src/translation/constant.rs @@ -9,16 +9,13 @@ use rustc_middle::{ use rustc_span::{Span, Symbol}; use rustc_target::abi::Size; -use super::{ - fmir::{Expr, ExprKind}, - pearlite::{Term, TermKind}, -}; +use super::pearlite::{Term, TermKind}; pub(crate) fn from_mir_constant<'tcx>( env: ParamEnv<'tcx>, ctx: &mut TranslationCtx<'tcx>, c: &rustc_middle::mir::ConstOperand<'tcx>, -) -> Expr<'tcx> { +) -> Term<'tcx> { from_mir_constant_kind(ctx, c.const_, env, c.span) } @@ -27,13 +24,13 @@ pub(crate) fn from_mir_constant_kind<'tcx>( ck: mir::Const<'tcx>, env: ParamEnv<'tcx>, span: Span, -) -> Expr<'tcx> { +) -> Term<'tcx> { if let mir::Const::Ty(c) = ck { return from_ty_const(ctx, c, env, span); } if ck.ty().is_unit() { - return Expr { kind: ExprKind::Tuple(Vec::new()), ty: ck.ty(), span }; + return Term { kind: TermKind::Tuple { fields: Vec::new() }, ty: ck.ty(), span }; } // // let ck = ck.normalize(ctx.tcx, env); 
@@ -48,36 +45,20 @@ pub(crate) fn from_mir_constant_kind<'tcx>( .unwrap(); let string = std::str::from_utf8(bytes).unwrap(); - return Expr { - ty: ck.ty(), - span, - kind: ExprKind::Constant(Term { - kind: TermKind::Lit(Literal::String(string.into())), - ty: ck.ty(), - span, - }), - }; + return Term { kind: TermKind::Lit(Literal::String(string.into())), ty: ck.ty(), span }; } } if let mir::Const::Unevaluated(UnevaluatedConst { promoted: Some(p), .. }, _) = ck { - return Expr { - kind: ExprKind::Constant(Term { - kind: TermKind::Var(Symbol::intern(&format!("promoted{:?}", p.as_usize()))), - ty: ck.ty(), - span, - }), + return Term { + kind: TermKind::Var(Symbol::intern(&format!("promoted{:?}", p.as_usize()))), ty: ck.ty(), span, }; } - return Expr { - kind: ExprKind::Constant(Term { - kind: TermKind::Lit(try_to_bits(ctx, env, ck.ty(), span, ck)), - ty: ck.ty(), - span, - }), + return Term { + kind: TermKind::Lit(try_to_bits(ctx, env, ck.ty(), span, ck)), ty: ck.ty(), span, }; 
@@ -88,27 +69,20 @@ pub(crate) fn from_ty_const<'tcx>( c: Const<'tcx>, env: ParamEnv<'tcx>, span: Span, -) -> Expr<'tcx> { +) -> Term<'tcx> { // Check if a constant is builtin and thus should not be evaluated further // Builtin constants are given a body which panics - if let ConstKind::Unevaluated(u) = c.kind() && - let Some(_) = get_builtin(ctx.tcx, u.def) { - return Expr { kind: ExprKind::Constant(Term { kind: TermKind::Lit(Literal::Function(u.def, u.args)), ty: c.ty(), span}), ty: c.ty(), span } + if let ConstKind::Unevaluated(u) = c.kind() + && let Some(_) = get_builtin(ctx.tcx, u.def) + { + return Term { kind: TermKind::Lit(Literal::Function(u.def, u.args)), ty: c.ty(), span }; }; if let ConstKind::Param(_) = c.kind() { ctx.crash_and_error(span, "const generic parameters are not yet supported"); } - return Expr { - kind: ExprKind::Constant(Term { - kind: TermKind::Lit(try_to_bits(ctx, env, c.ty(), span, c)), - ty: c.ty(), - span, - }), - ty: c.ty(), - span, - }; + return Term { kind: TermKind::Lit(try_to_bits(ctx, env, c.ty(), span, c)), ty: c.ty(), span }; } fn try_to_bits<'tcx, C: ToBits<'tcx>>( @@ -120,7 +94,7 @@ fn try_to_bits<'tcx, C: ToBits<'tcx>>( c: C, ) -> Literal<'tcx> { use rustc_middle::ty::{FloatTy, IntTy, UintTy}; - use rustc_type_ir::sty::TyKind::{Bool, Float, FnDef, Int, Uint}; + use rustc_type_ir::TyKind::{Bool, Float, FnDef, Int, Uint}; match ty.kind() { Int(ity) => { let bits = c.get_bits(ctx.tcx, env, ty).unwrap(); diff --git a/creusot/src/translation/external.rs b/creusot/src/translation/external.rs index c5cb9bf3f5..1ff9132d1d 100644 --- a/creusot/src/translation/external.rs +++ b/creusot/src/translation/external.rs 
@@ -69,16 +69,26 @@ pub(crate) fn extract_extern_specs_from_item<'tcx>( let mut inner_subst = GenericArgs::identity_for_item(ctx.tcx, id).to_vec(); let outer_subst = GenericArgs::identity_for_item(ctx.tcx, def_id.to_def_id()); + // FIXME(xavier): Handle this better. + // "Host effects" are related to the wip effects feature of Rust. For the moment let's just ignore them. + let has_host_effect = ctx.generics_of(id).host_effect_index.is_some(); + if has_host_effect { + inner_subst.pop(); + } // FIXME(xavier): I don't remember the original reason for introducing this... let extra_parameters = inner_subst.len() - outer_subst.len(); // Move Self_ to the front of the list like rustc does for real trait impls (not expressible in surface rust). // This only matters when we also have lifetime parameters. let self_pos = outer_subst.iter().position(|e| { - if - let GenericArgKind::Type(t) = e.unpack() && - let TyKind::Param(t) = t.kind() && - t.name.as_str().starts_with("Self") { true } else { false } + if let GenericArgKind::Type(t) = e.unpack() + && let TyKind::Param(t) = t.kind() + && t.name.as_str().starts_with("Self") + { + true + } else { + false + } }); if let Some(ix) = self_pos { @@ -125,7 +135,7 @@ pub(crate) fn extract_extern_specs_from_item<'tcx>( } } - errors.into_iter().for_each(|mut e| e.emit()); + errors.into_iter().for_each(|e| e.emit()); let subst = ctx.mk_args(&subst); @@ -165,7 +175,7 @@ impl<'a, 'tcx> thir::visit::Visitor<'a, 'tcx> for ExtractExternItems<'a, 'tcx> { self.thir } - fn visit_expr(&mut self, expr: &Expr<'tcx>) { + fn visit_expr(&mut self, expr: &'a Expr<'tcx>) { if let ExprKind::Call { ty, .. } = expr.kind { if let TyKind::FnDef(id, subst) = ty.kind() { self.items.insert((*id, subst)); diff --git a/creusot/src/translation/fmir.rs b/creusot/src/translation/fmir.rs index 28fdb02a52..e532e5816f 100644 --- a/creusot/src/translation/fmir.rs +++ b/creusot/src/translation/fmir.rs 
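Review bot: The host-effect fix-up pops the last element of `inner_subst` whenever `host_effect_index` is `Some`, but the index is available and `pop()` only matches it if the host effect parameter is always the final generic; remove by index so the assumption is checked rather than silent: `if let Some(ix) = ctx.generics_of(id).host_effect_index { inner_subst.remove(ix); }`. The following `inner_subst.len() - outer_subst.len()` is an unsigned subtraction that panics in debug or wraps in release if the pop leaves the inner list shorter than the outer one; a `checked_sub` feeding `crash_and_error` would turn that into a diagnostic. The enclosing function starts outside the hunk.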
@@ -8,8 +8,6 @@ use rustc_middle::{ use rustc_span::{Span, Symbol}; use rustc_target::abi::VariantIdx; -pub use rustc_span::DUMMY_SP; - #[derive(Clone, Debug)] pub struct Place<'tcx> { pub(crate) local: Symbol, 
@@ -42,88 +40,83 @@ pub enum Statement<'tcx> { Resolve(DefId, GenericArgsRef<'tcx>, Place<'tcx>), Assertion { cond: Term<'tcx>, msg: String }, AssumeBorrowInv(Place<'tcx>), + // Todo: fold into `Assertion` AssertTyInv(Place<'tcx>), + Call(Place<'tcx>, DefId, GenericArgsRef<'tcx>, Vec>, Span), } -// Re-organize this completely -// Get rid of Expr and reimpose a more traditional statement-rvalue-operand setup -#[derive(Clone, Debug)] -pub enum RValue<'tcx> { - Ghost(Term<'tcx>), - Borrow(Place<'tcx>), +// TODO: Add shared borrows? +#[derive(Clone, Copy, Debug)] +pub enum BorrowKind { + /// Ordinary mutable borrows + Mut, /// The source of this borrow is not used after the reborrow, and thus we can /// inherit the prophecy identifier. /// /// The second field is an index in `place.projection`: see /// [`NotFinalPlaces::is_final_at`](crate::analysis::NotFinalPlaces::is_final_at). - FinalBorrow(Place<'tcx>, usize), - Expr(Expr<'tcx>), + Final(usize), } +#[derive(Clone, Debug)] +pub enum RValue<'tcx> { + Ghost(Term<'tcx>), + Borrow(BorrowKind, Place<'tcx>), + Operand(Operand<'tcx>), + BinOp(BinOp, Operand<'tcx>, Operand<'tcx>), + UnaryOp(UnOp, Operand<'tcx>), + Constructor(DefId, GenericArgsRef<'tcx>, Vec>), + Cast(Operand<'tcx>, Ty<'tcx>, Ty<'tcx>), + Tuple(Vec>), + Len(Operand<'tcx>), + Array(Vec>), + Repeat(Operand<'tcx>, Operand<'tcx>), +} + +impl<'tcx> RValue<'tcx> { + /// Returns true if the expression generates verification conditions + pub fn is_pure(&self) -> bool { + match &self { + RValue::Operand(_) => true, + RValue::BinOp(BinOp::Add | BinOp::Mul | BinOp::Rem | BinOp::Div | BinOp::Sub, _, _) => { + false + } + RValue::BinOp(_, _, _) => true, + RValue::UnaryOp(UnOp::Neg, _) => false, + RValue::UnaryOp(_, _) => true, + RValue::Constructor(_, _, _) => true, + RValue::Cast(_, _, _) => false, + RValue::Tuple(_) => true, + RValue::Len(_) => true, + RValue::Array(_) => true, + RValue::Repeat(_, _) => true, + RValue::Ghost(_) => true, + RValue::Borrow(_, _) => 
false, + } + } +} + +// TODO Inline `Expr` in to `RValue` #[derive(Clone, Debug)] pub struct Expr<'tcx> { - pub kind: ExprKind<'tcx>, + pub kind: (), pub ty: Ty<'tcx>, pub span: Span, } #[derive(Clone, Debug)] -pub enum ExprKind<'tcx> { - // Extract this into a standalone `Operand` type +pub enum Operand<'tcx> { Move(Place<'tcx>), Copy(Place<'tcx>), - // Revisit whether this is a good idea to allow general expression trees. - BinOp(BinOp, Box>, Box>), - UnaryOp(UnOp, Box>), - Constructor(DefId, GenericArgsRef<'tcx>, Vec>), - // Should this be a statement? - Call(DefId, GenericArgsRef<'tcx>, Vec>), Constant(Term<'tcx>), - Cast(Box>, Ty<'tcx>, Ty<'tcx>), - Tuple(Vec>), - Len(Box>), - Array(Vec>), - Repeat(Box>, Box>), -} - -impl<'tcx> Expr<'tcx> { - pub fn is_call(&self) -> bool { - match &self.kind { - ExprKind::Move(_) => false, - ExprKind::Copy(_) => false, - ExprKind::BinOp(_, _, _) => false, - ExprKind::UnaryOp(_, _) => false, - ExprKind::Constructor(_, _, _) => false, - ExprKind::Call(_, _, _) => true, - ExprKind::Constant(_) => false, - ExprKind::Cast(_, _, _) => false, - ExprKind::Tuple(_) => false, - ExprKind::Len(_) => false, - ExprKind::Array(_) => false, - ExprKind::Repeat(_, _) => false, - } - } +} - pub fn is_pure(&self) -> bool { - match &self.kind { - ExprKind::Move(_) => true, - ExprKind::Copy(_) => true, - ExprKind::BinOp( - BinOp::Add | BinOp::Mul | BinOp::Rem | BinOp::Div | BinOp::Sub, - _, - _, - ) => false, - ExprKind::BinOp(_, _, _) => true, - ExprKind::UnaryOp(UnOp::Neg, _) => false, - ExprKind::UnaryOp(_, _) => true, - ExprKind::Constructor(_, _, es) => es.iter().all(|e| e.is_pure()), - ExprKind::Call(_, _, es) => es.iter().all(|e| e.is_pure()), - ExprKind::Constant(_) => true, - ExprKind::Cast(_, _, _) => false, - ExprKind::Tuple(es) => es.iter().all(|e| e.is_pure()), - ExprKind::Len(e) => e.is_pure(), - ExprKind::Array(es) => es.iter().all(|e| e.is_pure()), - ExprKind::Repeat(l, r) => l.is_pure() && r.is_pure(), +impl<'tcx> Operand<'tcx> { 
+ pub fn ty(&self, tcx: TyCtxt<'tcx>, locals: &LocalDecls<'tcx>) -> Ty<'tcx> { + match self { + Operand::Move(pl) => pl.ty(tcx, locals), + Operand::Copy(pl) => pl.ty(tcx, locals), + Operand::Constant(t) => t.ty, } } } @@ -131,11 +124,35 @@ impl<'tcx> Expr<'tcx> { #[derive(Clone)] pub enum Terminator<'tcx> { Goto(BasicBlock), - Switch(Expr<'tcx>, Branches<'tcx>), + Switch(self::Operand<'tcx>, Branches<'tcx>), Return, Abort(Span), } +impl<'tcx> Terminator<'tcx> { + pub fn targets(&self) -> impl Iterator + '_ { + use std::iter::*; + match self { + Terminator::Goto(bb) => Box::new(once(*bb)) as Box>, + Terminator::Switch(_, brs) => match brs { + Branches::Int(brs, def) => Box::new(brs.iter().map(|(_, b)| *b).chain(once(*def))) + as Box>, + Branches::Uint(brs, def) => Box::new(brs.iter().map(|(_, b)| *b).chain(once(*def))) + as Box>, + Branches::Constructor(_, _, brs, def) => { + Box::new(brs.iter().map(|(_, b)| *b).chain(once(*def))) + as Box> + } + Branches::Bool(f, t) => { + Box::new([*f, *t].into_iter()) as Box> + } + }, + Terminator::Return => Box::new(empty()) as Box>, + Terminator::Abort(_) => Box::new(empty()) as Box>, + } + } +} + #[derive(Clone)] pub enum Branches<'tcx> { Int(Vec<(i128, BasicBlock)>, BasicBlock), diff --git a/creusot/src/translation/function.rs b/creusot/src/translation/function.rs index ee0d9493b4..32b9ea8ec4 100644 --- a/creusot/src/translation/function.rs +++ b/creusot/src/translation/function.rs @@ -1,5 +1,5 @@ use super::{ - fmir::{ExprKind, LocalDecls, LocalIdent, RValue}, + fmir::{LocalDecls, LocalIdent, RValue}, pearlite::{normalize, Term}, specification::inv_subst, }; 
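Review bot: The doc comment on the new `RValue::is_pure` says the opposite of what the match returns: `Operand`, `Tuple`, `Constructor`, `Len`, `Array`, `Repeat` and `Ghost` yield `true` while the arithmetic `BinOp`s, `Neg`, `Cast` and `Borrow` yield `false`, so `true` means no verification conditions are generated. Suggest `/// Returns true if evaluating this rvalue generates no verification conditions (the arithmetic, negation, cast and borrow cases are the ones that do).` Also `match &self` re-borrows an already-borrowed `self`; `match self` reads the same. The new `Statement::Call` variant has no comment on its tuple positions, which are only discoverable from `terminator.rs` lower in the diff; a one-liner such as `/// Call(destination, callee, substs, args, span)` would help. This hunk starts two lines above and the `Operand::ty` method that closes it is complete here.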
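Review bot: Every arm of the new `Terminator::targets` repeats the `as Box<dyn Iterator<…>>` cast (the generic arguments are lost in this rendering), and the `Return` and `Abort` arms have identical bodies; annotating the match result once and merging those two arms removes the seven casts, and the glob `use std::iter::*` can name the two functions it needs. The method also has no doc comment describing the order in which blocks are yielded (arms first, default last), which callers iterating successors may come to depend on.
```rust
/// Successor blocks of this terminator: the switch arms in order, then the default.
pub fn targets(&self) -> impl Iterator<Item = BasicBlock> + '_ {
    use std::iter::{empty, once};
    // One annotated binding replaces the `as Box<dyn Iterator<…>>` cast on every arm.
    let it: Box<dyn Iterator<Item = BasicBlock> + '_> = match self {
        Terminator::Goto(bb) => Box::new(once(*bb)),
        Terminator::Switch(_, brs) => match brs {
            Branches::Int(brs, def) => Box::new(brs.iter().map(|(_, b)| *b).chain(once(*def))),
            Branches::Uint(brs, def) => Box::new(brs.iter().map(|(_, b)| *b).chain(once(*def))),
            Branches::Constructor(_, _, brs, def) => {
                Box::new(brs.iter().map(|(_, b)| *b).chain(once(*def)))
            }
            Branches::Bool(f, t) => Box::new([*f, *t].into_iter()),
        },
        Terminator::Return | Terminator::Abort(_) => Box::new(empty()),
    };
    it
}
```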
@@ -7,10 +7,8 @@ use crate::{ analysis::NotFinalPlaces, backend::ty::closure_accessors, ctx::*, - fmir::{self, Expr}, - gather_spec_closures::{ - assertions_and_ghosts, corrected_invariant_names_and_locations, LoopSpecKind, - }, + fmir::{self}, + gather_spec_closures::{corrected_invariant_names_and_locations, LoopSpecKind, SpecClosures}, resolve::EagerResolver, translation::{ fmir::LocalDecl, @@ -61,7 +59,7 @@ pub struct BodyTranslator<'body, 'tcx> { resolver: Option>, - // Spec / Ghost variables + // Spec / Snapshot variables erased_locals: BitSet, // Current block being generated @@ -77,7 +75,10 @@ pub struct BodyTranslator<'body, 'tcx> { invariants: IndexMap)>>, + /// Map of the `proof_assert!` blocks to their translated version. assertions: IndexMap>, + /// Map of the `snapshot!` blocks to their translated version. + snapshots: IndexMap>, borrows: Option>>, @@ -95,12 +96,12 @@ impl<'body, 'tcx> BodyTranslator<'body, 'tcx> { body_id: BodyId, ) -> Self { let invariants = corrected_invariant_names_and_locations(ctx, &body); - let assertions = assertions_and_ghosts(ctx, &body); + let SpecClosures { assertions, snapshots } = SpecClosures::collect(ctx, &body); let mut erased_locals = BitSet::new_empty(body.local_decls.len()); body.local_decls.iter_enumerated().for_each(|(local, decl)| { if let TyKind::Closure(def_id, _) = decl.ty.peel_refs().kind() { - if crate::util::is_spec(tcx, *def_id) || util::is_ghost_closure(tcx, *def_id) { + if crate::util::is_spec(tcx, *def_id) || util::is_snapshot_closure(tcx, *def_id) { erased_locals.insert(local); } } @@ -117,9 +118,6 @@ impl<'body, 'tcx> BodyTranslator<'body, 'tcx> { with_facts.region_inference_context.clone(), ); - // eprintln!("body of {}", tcx.def_path_str(body_id.def_id())); - // resolver.debug(with_facts.regioncx.clone()); - (Some(resolver), Some(borrows)) } Some(_) => (None, None), 
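Review bot: `fmir::{self},` in the rewritten `use crate::{ … }` list is just `fmir` written with an empty brace group; clippy's `unnecessary_self_imports` lint flags exactly this form. The `terminator.rs` import hunk later in the diff adds plain `fmir,`, so writing `fmir,` here keeps the two files consistent.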
@@ -141,6 +139,7 @@ impl<'body, 'tcx> BodyTranslator<'body, 'tcx> { fresh_id: body.basic_blocks.len(), invariants, assertions, + snapshots, borrows, } } @@ -151,6 +150,7 @@ impl<'body, 'tcx> BodyTranslator<'body, 'tcx> { let arg_count = self.body.arg_count; assert!(self.assertions.is_empty(), "unused assertions"); + assert!(self.snapshots.is_empty(), "unused snapshots"); assert!(self.invariants.is_empty(), "unused invariants"); fmir::Body { locals: self.vars, arg_count, blocks: self.past_blocks } @@ -205,7 +205,9 @@ impl<'body, 'tcx> BodyTranslator<'body, 'tcx> { self.translate_terminator(bbd.terminator(), loc); - if let Some(resolver) = &mut self.resolver && bbd.terminator().successors().next().is_none() { + if let Some(resolver) = &mut self.resolver + && bbd.terminator().successors().next().is_none() + { let mut resolved = resolver.need_resolve_locals_before(loc); resolved.remove(Local::from_usize(0)); // do not resolve return local self.resolve_locals(resolved); @@ -263,9 +265,9 @@ impl<'body, 'tcx> BodyTranslator<'body, 'tcx> { self.emit_assignment( lhs, if let Some(deref_index) = is_final { - fmir::RValue::FinalBorrow(p, deref_index) + fmir::RValue::Borrow(fmir::BorrowKind::Final(deref_index), p) } else { - fmir::RValue::Borrow(p) + fmir::RValue::Borrow(fmir::BorrowKind::Mut, p) }, span, ); @@ -336,7 +338,7 @@ impl<'body, 'tcx> BodyTranslator<'body, 'tcx> { } fn resolve_locals(&mut self, mut locals: BitSet) { - locals.subtract(&self.erased_locals.to_hybrid()); + locals.subtract(&self.erased_locals); // TODO determine resolution order based on outlives relation let locals = locals.iter().collect::>(); 
@@ -346,16 +348,16 @@ impl<'body, 'tcx> BodyTranslator<'body, 'tcx> { } // Useful helper to translate an operand - pub(crate) fn translate_operand(&mut self, operand: &Operand<'tcx>) -> Expr<'tcx> { - let kind = match operand { - Operand::Copy(pl) => ExprKind::Copy(self.translate_place(*pl)), - Operand::Move(pl) => ExprKind::Move(self.translate_place(*pl)), - Operand::Constant(c) => { - return crate::constant::from_mir_constant(self.param_env(), self.ctx, c) - } - }; - - Expr { kind, span: DUMMY_SP, ty: operand.ty(self.body, self.tcx) } + pub(crate) fn translate_operand(&mut self, operand: &Operand<'tcx>) -> fmir::Operand<'tcx> { + let kind = + match operand { + Operand::Copy(pl) => fmir::Operand::Copy(self.translate_place(*pl)), + Operand::Move(pl) => fmir::Operand::Move(self.translate_place(*pl)), + Operand::Constant(c) => fmir::Operand::Constant( + crate::constant::from_mir_constant(self.param_env(), self.ctx, c), + ), + }; + kind } fn translate_place(&self, _pl: mir::Place<'tcx>) -> fmir::Place<'tcx> { @@ -468,7 +470,7 @@ pub(crate) fn closure_contract<'tcx>( ctx: &mut TranslationCtx<'tcx>, def_id: DefId, ) -> ClosureContract<'tcx> { - let TyKind::Closure(_, subst) = ctx.tcx.type_of(def_id).instantiate_identity().kind() else { + let TyKind::Closure(_, subst) = ctx.type_of(def_id).instantiate_identity().kind() else { unreachable!() }; @@ -535,7 +537,9 @@ pub(crate) fn closure_contract<'tcx>( post_sig.inputs.push((Symbol::intern("result"), DUMMY_SP, result_ty)); - let env_ty = ctx.closure_env_ty(def_id, subst, ctx.lifetimes.re_erased).unwrap().peel_refs(); + let env_ty = ctx + .closure_env_ty(ctx.type_of(def_id).instantiate_identity(), kind, ctx.lifetimes.re_erased) + .peel_refs(); let self_ty = env_ty; let precond = { @@ -654,7 +658,7 @@ pub(crate) fn closure_contract<'tcx>( contracts.postcond_once = Some((post_sig, postcondition)); } - return contracts; + contracts } fn closure_resolve<'tcx>( 
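Review bot: In `translate_operand` the new body binds the `match` to `kind` and returns it on the next line; clippy's `let_and_return` flags this, and the match can simply be the function's tail expression. The comment above it, `// Useful helper to translate an operand`, predates the change and could now say what comes out: `/// Translates a MIR operand into an `fmir::Operand`; constants go through `constant::from_mir_constant`.` In `closure_contract` (`@@ -535`) `ctx.type_of(def_id).instantiate_identity()` is evaluated a second time although the same value already fed the `let TyKind::Closure(_, subst) = …` pattern in `@@ -468`, so keeping the `Ty` in a local avoids the repeated query; the `kind` passed to `closure_env_ty` there is not bound anywhere visible in the hunk — presumably `subst.as_closure().kind()` as in `closure_unnest`, worth confirming. `closure_contract` starts and ends outside these hunks.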
@@ -677,12 +681,7 @@ fn closure_resolve<'tcx>( if let Some((id, subst)) = resolve_predicate_of(ctx, param_env, ty) { resolve = Term { ty: ctx.types.bool, - kind: TermKind::Call { - id: id.into(), - subst, - fun: Box::new(Term::item(ctx.tcx, id, subst)), - args: vec![proj], - }, + kind: TermKind::Call { id: id.into(), subst, args: vec![proj] }, span: DUMMY_SP, } .conj(resolve); @@ -707,7 +706,9 @@ pub(crate) fn closure_unnest<'tcx>( def_id: DefId, subst: GenericArgsRef<'tcx>, ) -> Term<'tcx> { - let env_ty = tcx.closure_env_ty(def_id, subst, tcx.lifetimes.re_erased).unwrap().peel_refs(); + let ty = Ty::new_closure(tcx, def_id, subst); + let kind = subst.as_closure().kind(); + let env_ty = tcx.closure_env_ty(ty, kind, tcx.lifetimes.re_erased).peel_refs(); let self_ = Term::var(Symbol::intern("self"), env_ty); diff --git a/creusot/src/translation/function/statement.rs b/creusot/src/translation/function/statement.rs index 24ce51c75b..2e63fd0e54 100644 --- a/creusot/src/translation/function/statement.rs +++ b/creusot/src/translation/function/statement.rs @@ -1,11 +1,12 @@ use super::BodyTranslator; use crate::{ analysis::NotFinalPlaces, + fmir::Operand, translation::{ - fmir::{self, Expr, ExprKind, RValue}, + fmir::{self, RValue}, specification::inv_subst, }, - util::{self, ghost_closure_id}, + util::{self, snapshot_closure_id}, }; use rustc_borrowck::borrow_set::TwoPhaseActivation; use rustc_middle::{ @@ -16,7 +17,6 @@ use rustc_middle::{ ty::adjustment::PointerCoercion, }; use rustc_mir_dataflow::ResultsCursor; -use rustc_span::DUMMY_SP; impl<'tcx> BodyTranslator<'_, 'tcx> { pub(crate) fn translate_statement( @@ -34,7 +34,9 @@ impl<'tcx> BodyTranslator<'_, 'tcx> { // if the lhs local becomes resolved during the assignment, // we cannot resolve it afterwards. - if let Some(resolved_during) = &mut resolved_during && !pl.is_indirect() { + if let Some(resolved_during) = &mut resolved_during + && !pl.is_indirect() + { resolved_during.remove(pl.local); } } 
@@ -52,11 +54,10 @@ impl<'tcx> BodyTranslator<'_, 'tcx> { } Deinit(_) => unreachable!("Deinit unsupported"), PlaceMention(_) => {} - ConstEvalCounter => {} - // No assembly! - // LlvmInlineAsm(_) => self - // .ctx - // .crash_and_error(statement.source_info.span, "inline assembly is not supported"), + ConstEvalCounter => {} // No assembly! + // LlvmInlineAsm(_) => self + // .ctx + // .crash_and_error(statement.source_info.span, "inline assembly is not supported"), } if let Some(resolved_during) = resolved_during { @@ -72,25 +73,26 @@ impl<'tcx> BodyTranslator<'_, 'tcx> { rvalue: &'_ Rvalue<'tcx>, loc: Location, ) { - let ty = rvalue.ty(self.body, self.tcx); + let _ty = rvalue.ty(self.body, self.tcx); let span = si.span; - let rval: ExprKind<'tcx> = match rvalue { + let rval: RValue<'tcx> = match rvalue { Rvalue::Use(op) => match op { - Move(_pl) | Copy(_pl) => self.translate_operand(op).kind, + Move(_pl) | Copy(_pl) => RValue::Operand(self.translate_operand(op)), Constant(box c) => { - if ghost_closure_id(self.tcx, c.const_.ty()).is_some() { + if snapshot_closure_id(self.tcx, c.const_.ty()).is_some() { return; }; - crate::constant::from_mir_constant(self.param_env(), self.ctx, c).kind + RValue::Operand(self.translate_operand(op)) } }, Rvalue::Ref(_, ss, pl) => match ss { - Shared | Shallow => { + Shared | Fake => { if self.erased_locals.contains(pl.local) { return; } - ExprKind::Copy(self.translate_place(self.compute_ref_place(*pl, loc))) + let op = Operand::Copy(self.translate_place(self.compute_ref_place(*pl, loc))); + RValue::Operand(op) } Mut { .. } => { if self.erased_locals.contains(pl.local) { 
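Review bot: After reformatting, `ConstEvalCounter => {} // No assembly!` attaches the assembly remark to the `ConstEvalCounter` arm, and the commented-out `LlvmInlineAsm` arm beneath it now reads as a continuation of that comment. Either delete the dead arm (inline assembly is already rejected with `unreachable!` in the `InlineAsm` terminator arm in `terminator.rs`) or keep the remark on its own lines above the arm, e.g. `// No assembly: inline asm is rejected in terminator.rs.` followed by `ConstEvalCounter => {}`. The enclosing `match` starts before this hunk.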
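Review bot: `let _ty = rvalue.ty(self.body, self.tcx);` at the top of the rvalue translation computes a type nothing in the new code reads — the `Expr { span, ty, … }` wrapper that consumed it is removed in the `@@ -207` hunk — and the leading underscore only silences the warning while keeping the query. Delete the line, or if the type is still needed for a later step, say so in a comment next to it. The enclosing function continues past this hunk.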
@@ -107,24 +109,20 @@ impl<'tcx> BodyTranslator<'_, 'tcx> { self.ctx.crash_and_error(si.span, "bitwise operations are currently unsupported") } Rvalue::BinaryOp(op, box (l, r)) | Rvalue::CheckedBinaryOp(op, box (l, r)) => { - ExprKind::BinOp( - *op, - Box::new(self.translate_operand(l)), - Box::new(self.translate_operand(r)), - ) + RValue::BinOp(*op, self.translate_operand(l), self.translate_operand(r)) } - Rvalue::UnaryOp(op, v) => ExprKind::UnaryOp(*op, Box::new(self.translate_operand(v))), + Rvalue::UnaryOp(op, v) => RValue::UnaryOp(*op, self.translate_operand(v)), Rvalue::Aggregate(box kind, ops) => { use rustc_middle::mir::AggregateKind::*; let fields = ops.iter().map(|op| self.translate_operand(op)).collect(); match kind { - Tuple => ExprKind::Tuple(fields), + Tuple => RValue::Tuple(fields), Adt(adt, varix, subst, _, _) => { // self.ctx.translate(*adt); let variant = self.tcx.adt_def(*adt).variant(*varix).def_id; - ExprKind::Constructor(variant, subst, fields) + RValue::Constructor(variant, subst, fields) } Closure(def_id, subst) => { if util::is_invariant(self.tcx, *def_id) @@ -146,10 +144,10 @@ impl<'tcx> BodyTranslator<'_, 'tcx> { } else if util::is_spec(self.tcx, *def_id) { return; } else { - ExprKind::Constructor(*def_id, subst, fields) + RValue::Constructor(*def_id, subst, fields) } } - Array(_) => ExprKind::Array(fields), + Array(_) => RValue::Array(fields), _ => self.ctx.crash_and_error( si.span, &format!("the rvalue {:?} is not currently supported", kind), 
@@ -157,26 +155,29 @@ impl<'tcx> BodyTranslator<'_, 'tcx> { } } Rvalue::Len(pl) => { - let e = Expr { - kind: ExprKind::Copy(self.translate_place(*pl)), - ty: pl.ty(self.body, self.tcx).ty, - span: DUMMY_SP, - }; - ExprKind::Len(Box::new(e)) + let e = Operand::Copy(self.translate_place(*pl)); + RValue::Len(e) } Rvalue::Cast(CastKind::IntToInt | CastKind::PtrToPtr, op, cast_ty) => { let op_ty = op.ty(self.body, self.tcx); - ExprKind::Cast(Box::new(self.translate_operand(op)), op_ty, *cast_ty) + RValue::Cast(self.translate_operand(op), op_ty, *cast_ty) } - Rvalue::Repeat(op, len) => ExprKind::Repeat( - Box::new(self.translate_operand(op)), - Box::new(crate::constant::from_ty_const(self.ctx, *len, self.param_env(), si.span)), + Rvalue::Repeat(op, len) => RValue::Repeat( + self.translate_operand(op), + Operand::Constant(crate::constant::from_ty_const( + self.ctx, + *len, + self.param_env(), + si.span, + )), ), Rvalue::Cast(CastKind::PointerCoercion(PointerCoercion::Unsize), op, ty) => { - if let Some(t) = ty.builtin_deref(true) && t.ty.is_slice() { + if let Some(t) = ty.builtin_deref(true) + && t.ty.is_slice() + { // treat &[T; N] to &[T] casts as normal assignments - self.translate_operand(op).kind + RValue::Operand(self.translate_operand(op)) } else { // TODO: Since we don't do anything with casts into `dyn` objects, just ignore them return; @@ -207,7 +208,6 @@ impl<'tcx> BodyTranslator<'_, 'tcx> { &format!("MIR code used an unsupported Rvalue {:?}", rvalue), ), }; - let rval = Expr { span, ty, kind: rval }; if let Some(resolver) = &mut self.resolver { let need_resolve_before = resolver.need_resolve_locals_before(loc); @@ -217,7 +217,7 @@ impl<'tcx> BodyTranslator<'_, 'tcx> { self.emit_resolve(*place); } - self.emit_assignment(place, RValue::Expr(rval), span); + self.emit_assignment(place, rval, span); // Check if the local is a zombie: // if lhs local is dead after the assignment, emit resolve 
@@ -225,7 +225,7 @@ impl<'tcx> BodyTranslator<'_, 'tcx> {
 self.emit_resolve(*place);
 }
 } else {
- self.emit_assignment(place, RValue::Expr(rval), span);
+ self.emit_assignment(place, rval, span);
 }
 }
diff --git a/creusot/src/translation/function/terminator.rs b/creusot/src/translation/function/terminator.rs
index a5435b93c3..0cdb141f22 100644
--- a/creusot/src/translation/function/terminator.rs
+++ b/creusot/src/translation/function/terminator.rs
@@ -1,6 +1,7 @@
 use super::BodyTranslator;
 use crate::{
 ctx::TranslationCtx,
+ fmir,
 translation::{
 fmir::*,
 pearlite::{Term, TermKind, UnOp},
@@ -69,11 +70,10 @@ impl<'tcx> BodyTranslator<'_, 'tcx> {
 }
 let (fun_def_id, subst) = func_defid(func).expect("expected call with function");
- if Some(fun_def_id) == self.tcx.get_diagnostic_item(Symbol::intern("ghost_from_fn"))
- {
+ if self.tcx.is_diagnostic_item(Symbol::intern("snapshot_from_fn"), fun_def_id) {
 let GenericArgKind::Type(ty) = subst.get(1).unwrap().unpack() else { panic!() };
 let TyKind::Closure(def_id, _) = ty.kind() else { panic!() };
- let mut assertion = self.assertions.remove(def_id).unwrap();
+ let mut assertion = self.snapshots.remove(def_id).unwrap();
 assertion.subst(&inv_subst(self.body, &self.locals, terminator.source_info));
 self.check_ghost_term(&assertion, location);
 self.emit_ghost_assign(*destination, assertion, span);
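Review bot: `self.snapshots.remove(def_id).unwrap()` aborts with no location information if the closure behind `snapshot_from_fn` was not collected by `SpecClosures::collect`; the same pattern existed for `assertions`, but the rename is the moment to give it a message: `let mut assertion = self.snapshots.remove(def_id).expect("snapshot closure was not collected");`, or route it through `self.ctx.crash_and_error(span, …)` like the unsupported-rvalue paths in `statement.rs` so the user sees a span. The two `else { panic!() }` guards on the preceding `let … else` lines are context here but have the same shape. The enclosing function starts before this hunk.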
@@ -95,21 +95,23 @@ impl<'tcx> BodyTranslator<'_, 'tcx> { } let mut func_args: Vec<_> = - args.iter().map(|arg| self.translate_operand(arg)).collect(); + args.iter().map(|arg| self.translate_operand(&arg.node)).collect(); if func_args.is_empty() { // TODO: Remove this, push the 0-ary handling down to why3 backend // We use tuple as a dummy argument for 0-ary functions - func_args.push(Expr { - span: DUMMY_SP, - kind: ExprKind::Tuple(vec![]), + func_args.push(fmir::Operand::Constant(Term { + kind: TermKind::Tuple { fields: Vec::new() }, ty: self.ctx.types.unit, - }) + span, + })) } - let call_exp = if self.is_box_new(fun_def_id) { + let (loc, bb) = (destination, target.unwrap()); + + if self.is_box_new(fun_def_id) { assert_eq!(func_args.len(), 1); - func_args.remove(0) + self.emit_assignment(&loc, RValue::Operand(func_args.remove(0)), span); } else { let (fun_def_id, subst) = resolve_function(self.ctx, self.param_env(), fun_def_id, subst, span); @@ -118,16 +120,15 @@ impl<'tcx> BodyTranslator<'_, 'tcx> { .try_normalize_erasing_regions(self.param_env(), subst) .unwrap_or(subst); - let exp = Expr { - span: span.source_callsite(), - kind: ExprKind::Call(fun_def_id, subst, func_args), - ty: destination.ty(self.body, self.tcx).ty, - }; - exp + self.emit_statement(Statement::Call( + self.translate_place(*loc), + fun_def_id, + subst, + func_args, + span.source_callsite(), + )); }; - let (loc, bb) = (destination, target.unwrap()); - self.emit_assignment(&loc, RValue::Expr(call_exp), span); self.emit_terminator(Terminator::Goto(bb)); } Assert { cond, expected, msg, target, unwind: _ } => { @@ -166,7 +167,7 @@ impl<'tcx> BodyTranslator<'_, 'tcx> { FalseUnwind { real_target, .. } => { self.emit_terminator(mk_goto(*real_target)); } - UnwindResume | Yield { .. } | GeneratorDrop | InlineAsm { .. } => { + CoroutineDrop | UnwindResume | Yield { .. } | InlineAsm { .. } => { unreachable!("{:?}", terminator.kind) } } 
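Review bot: `let (loc, bb) = (destination, target.unwrap());` is now evaluated before anything is emitted, and `target` is `None` for calls whose callee returns `!`, so such a call panics inside the compiler instead of producing a diagnostic; the removed lines had the same unwrap, but the move is a chance to guard it, e.g. `let Some(bb) = *target else { self.ctx.crash_and_error(span, "calls to diverging functions are not supported") };` (dereference as the binding's type requires). The dummy unit argument for 0-ary calls is given `span` while the `Statement::Call` gets `span.source_callsite()`; if the two are meant to differ a comment would help, otherwise use one. The enclosing `Call` arm starts before this hunk.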
@@ -201,7 +202,7 @@ pub(crate) fn resolve_function<'tcx>( .expect("could not find instance"); if !method.0.is_local() && ctx.sig(method.0).contract.is_false() { - ctx.warn(sp, "calling an external function with no contract will yield an impossible precondition"); + ctx.warn(sp, "calling an external function with no contract will yield an impossible precondition").emit(); } return method; @@ -212,7 +213,8 @@ pub(crate) fn resolve_function<'tcx>( ctx.warn( sp, "calling an external function with no contract will yield an impossible precondition", - ); + ) + .emit(); } // ctx.translate(def_id); @@ -278,7 +280,7 @@ pub(crate) fn make_switch<'tcx>( si: SourceInfo, switch_ty: Ty<'tcx>, targets: &SwitchTargets, - discr: Expr<'tcx>, + discr: fmir::Operand<'tcx>, ) -> Terminator<'tcx> { match switch_ty.kind() { TyKind::Adt(def, substs) => { diff --git a/creusot/src/translation/pearlite.rs b/creusot/src/translation/pearlite.rs index 326213df0f..b2abada1df 100644 --- a/creusot/src/translation/pearlite.rs +++ b/creusot/src/translation/pearlite.rs @@ -1,6 +1,6 @@ // A poorly named module. // -// Entrypoint for translation of all Pearlite specifications and code: #[ghost] / #[logic], contracts, proof_assert! +// Entrypoint for translation of all Pearlite specifications and code: #[logic], contracts, proof_assert! // // Transforms THIR into a Term which may be serialized in Creusot metadata files for usage by dependent crates // The `lower` module then transforms a `Term` into a WhyML expression. @@ -15,7 +15,7 @@ use crate::{ error::{CrErr, CreusotResult, Error}, projection_vec::{visit_projections, visit_projections_mut, ProjectionVec}, translation::TranslationCtx, - util::{self, is_ghost_ty}, + util::{self, is_snap_ty}, }; use itertools::Itertools; use log::*; @@ -105,7 +105,6 @@ pub enum TermKind<'tcx> { Call { id: DefId, subst: GenericArgsRef<'tcx>, - fun: Box>, args: Vec>, }, Constructor { 
@@ -403,26 +402,30 @@ impl<'a, 'tcx> ThirTerm<'a, 'tcx> { ExprKind::Literal { lit, neg } => { let lit = match lit.node { LitKind::Bool(b) => Literal::Bool(b), - LitKind::Int(u, lty) => match lty { - LitIntType::Signed(ity) => { - let val = if neg { (u as i128).wrapping_neg() } else { u as i128 }; - Literal::MachSigned(val, int_ty(ity)) - } - LitIntType::Unsigned(uty) => Literal::MachUnsigned(u, uint_ty(uty)), - LitIntType::Unsuffixed => match ty.kind() { - TyKind::Int(ity) => { + LitKind::Int(u, lty) => { + let u = u.get(); + match lty { + LitIntType::Signed(ity) => { let val = if neg { (u as i128).wrapping_neg() } else { u as i128 }; - Literal::MachSigned(val, *ity) + Literal::MachSigned(val, int_ty(ity)) } - TyKind::Uint(uty) => Literal::MachUnsigned(u, *uty), - _ => unreachable!(), - }, - }, + LitIntType::Unsigned(uty) => Literal::MachUnsigned(u, uint_ty(uty)), + LitIntType::Unsuffixed => match ty.kind() { + TyKind::Int(ity) => { + let val = + if neg { (u as i128).wrapping_neg() } else { u as i128 }; + Literal::MachSigned(val, *ity) + } + TyKind::Uint(uty) => Literal::MachUnsigned(u, *uty), + _ => unreachable!(), + }, + } + } _ => unimplemented!("Unsupported literal"), }; Ok(Term { ty, span, kind: TermKind::Lit(lit) }) } - ExprKind::Call { ty: f_ty, fun, ref args, .. } => { + ExprKind::Call { ty: f_ty, ref args, .. } => { use Stub::*; match pearlite_stub(self.ctx.tcx, f_ty) { Some(Forall) => { @@ -507,7 +510,6 @@ impl<'a, 'tcx> ThirTerm<'a, 'tcx> { } Some(Absurd) => Ok(Term { ty, span, kind: TermKind::Absurd }), None => { - let fun = self.expr_term(fun)?; let args = args .iter() .map(|arg| self.expr_term(*arg)) @@ -518,11 +520,7 @@ impl<'a, 'tcx> ThirTerm<'a, 'tcx> { unreachable!("Call on non-function type"); }; - Ok(Term { - ty, - span, - kind: TermKind::Call { id, subst, fun: Box::new(fun), args }, - }) + Ok(Term { ty, span, kind: TermKind::Call { id, subst, args } }) } } } 
@@ -877,16 +875,16 @@ impl<'a, 'tcx> ThirTerm<'a, 'tcx> { )) } ExprKind::Deref { arg } => { - // Detect * ghost_deref & and treat that as a single 'projection' - if self.is_ghost_deref(*arg) { + // Detect * snapshot_deref & and treat that as a single 'projection' + if self.is_snapshot_deref(*arg) { let ExprKind::Call { args, .. } = &self.thir[*arg].kind else { unreachable!() }; let ExprKind::Borrow { borrow_kind: BorrowKind::Shared, arg } = self.thir[args[0]].kind else { unreachable!() }; let (cur, fin) = self.logical_reborrow_inner(arg)?; let deref_method = - self.ctx.get_diagnostic_item(Symbol::intern("ghost_inner")).unwrap(); - // Extract the `T` from `Ghost` - let TyKind::Adt(_, subst) = self.thir[arg].ty.peel_refs().kind() else {unreachable!()}; + self.ctx.get_diagnostic_item(Symbol::intern("snapshot_inner")).unwrap(); + // Extract the `T` from `Snapshot` + let TyKind::Adt(_, subst) = self.thir[arg].ty.peel_refs().kind() else { unreachable!() }; return Ok(( Term::call(self.ctx.tcx, deref_method, subst, vec![cur]), Term::call(self.ctx.tcx, deref_method, subst, vec![fin]), @@ -955,8 +953,8 @@ impl<'a, 'tcx> ThirTerm<'a, 'tcx> { Ok(res) } ExprKind::Deref { arg } => { - // Detect * ghost_deref & and treat that as a single 'projection' - if self.is_ghost_deref(*arg) { + // Detect * snapshot_deref & and treat that as a single 'projection' + if self.is_snapshot_deref(*arg) { let ExprKind::Call { args, .. } = &self.thir[*arg].kind else { unreachable!() }; let ExprKind::Borrow { borrow_kind: BorrowKind::Shared, arg } = self.thir[args[0]].kind else { unreachable!() }; @@ -993,7 +991,7 @@ impl<'a, 'tcx> ThirTerm<'a, 'tcx> { } } - pub(crate) fn is_ghost_deref(&self, expr_id: ExprId) -> bool { + pub(crate) fn is_snapshot_deref(&self, expr_id: ExprId) -> bool { let ExprKind::Call { ty, .. } = &self.thir[expr_id].kind else { return false }; let TyKind::FnDef(id, sub) = ty.kind() else { panic!("expected function type") }; 
@@ -1002,7 +1000,7 @@ impl<'a, 'tcx> ThirTerm<'a, 'tcx> { return false; } - sub[0].as_type().map(|ty| is_ghost_ty(self.ctx.tcx, ty)).unwrap_or(false) + sub[0].as_type().map(|ty| is_snap_ty(self.ctx.tcx, ty)).unwrap_or(false) } fn mk_projection(&self, lhs: Term<'tcx>, name: FieldIdx) -> Result, Error> { @@ -1041,16 +1039,10 @@ pub(crate) fn type_invariant_term<'tcx>( let inv_fn_ty = ctx.type_of(inv_fn_did).instantiate(ctx.tcx, inv_fn_substs); assert!(matches!(inv_fn_ty.kind(), TyKind::FnDef(id, _) if id == &inv_fn_did)); - let fun = Term { ty: inv_fn_ty, span, kind: TermKind::Item(inv_fn_did, inv_fn_substs) }; Some(Term { ty: ctx.fn_sig(inv_fn_did).skip_binder().output().skip_binder(), span, - kind: TermKind::Call { - id: inv_fn_did, - subst: inv_fn_substs, - fun: Box::new(fun), - args: vec![arg], - }, + kind: TermKind::Call { id: inv_fn_did, subst: inv_fn_substs, args: vec![arg] }, }) } @@ -1190,8 +1182,7 @@ pub fn super_visit_term<'tcx, V: TermVisitor<'tcx>>(term: &Term<'tcx>, visitor: TermKind::Unary { op: _, arg } => visitor.visit_term(&*arg), TermKind::Forall { binder: _, body } => visitor.visit_term(&*body), TermKind::Exists { binder: _, body } => visitor.visit_term(&*body), - TermKind::Call { id: _, subst: _, fun, args } => { - visitor.visit_term(&*fun); + TermKind::Call { id: _, subst: _, args } => { args.iter().for_each(|a| visitor.visit_term(&*a)) } TermKind::Constructor { typ: _, variant: _, fields } => { 
@@ -1245,8 +1236,7 @@ pub(crate) fn super_visit_mut_term<'tcx, V: TermVisitorMut<'tcx>>( TermKind::Unary { op: _, arg } => visitor.visit_mut_term(&mut *arg), TermKind::Forall { binder: _, body } => visitor.visit_mut_term(&mut *body), TermKind::Exists { binder: _, body } => visitor.visit_mut_term(&mut *body), - TermKind::Call { id: _, subst: _, fun, args } => { - visitor.visit_mut_term(&mut *fun); + TermKind::Call { id: _, subst: _, args } => { args.iter_mut().for_each(|a| visitor.visit_mut_term(&mut *a)) } TermKind::Constructor { typ: _, variant: _, fields } => { @@ -1300,17 +1290,8 @@ impl<'tcx> Term<'tcx> { ) -> Self { let ty = tcx.type_of(def_id).instantiate(tcx, subst); let result = ty.fn_sig(tcx).skip_binder().output(); - let fun = Term { - ty: tcx.type_of(def_id).instantiate(tcx, subst), - kind: TermKind::Item(def_id, subst), - span: DUMMY_SP, - }; - Term { - ty: result, - span: DUMMY_SP, - kind: TermKind::Call { id: def_id, subst, fun: Box::new(fun.clone()), args }, - } + Term { ty: result, span: DUMMY_SP, kind: TermKind::Call { id: def_id, subst, args } } } pub(crate) fn var(sym: Symbol, ty: Ty<'tcx>) -> Self { @@ -1361,14 +1342,6 @@ impl<'tcx> Term<'tcx> { } } - pub(crate) fn item(tcx: TyCtxt<'tcx>, id: DefId, subst: GenericArgsRef<'tcx>) -> Self { - Term { - ty: tcx.type_of(id).instantiate(tcx, subst), - kind: TermKind::Item(id, subst), - span: DUMMY_SP, - } - } - pub(crate) fn bin_op(self, tcx: TyCtxt<'tcx>, op: BinOp, rhs: Self) -> Self { Term { ty: tcx.types.bool, @@ -1514,8 +1487,7 @@ impl<'tcx> Term<'tcx> { body.subst_with_inner(&bound, inv_subst); } - TermKind::Call { fun, args, .. } => { - fun.subst_with_inner(bound, inv_subst); + TermKind::Call { args, .. } => { args.iter_mut().for_each(|f| f.subst_with_inner(bound, inv_subst)) } TermKind::Constructor { fields, .. } => { 
@@ -1593,8 +1565,7 @@ impl<'tcx> Term<'tcx> { body.free_vars_inner(&bound, free); } - TermKind::Call { fun, args, .. } => { - fun.free_vars_inner(bound, free); + TermKind::Call { args, .. } => { for arg in args { arg.free_vars_inner(bound, free); } @@ -1677,7 +1648,7 @@ fn print_thir_expr<'tcx>( ExprKind::Borrow { borrow_kind, arg } => { match borrow_kind { BorrowKind::Shared => write!(fmt, "& ")?, - BorrowKind::Shallow => write!(fmt, "&shallow ")?, + BorrowKind::Fake => write!(fmt, "&fake ")?, BorrowKind::Mut { .. } => write!(fmt, "&mut ")?, }; diff --git a/creusot/src/translation/pearlite/normalize.rs b/creusot/src/translation/pearlite/normalize.rs index 599b814e79..dcd2b0bcae 100644 --- a/creusot/src/translation/pearlite/normalize.rs +++ b/creusot/src/translation/pearlite/normalize.rs @@ -22,15 +22,17 @@ impl<'tcx> TermVisitorMut<'tcx> for NormalizeTerm<'tcx> { fn visit_mut_term(&mut self, term: &mut Term<'tcx>) { super_visit_mut_term(term, self); match &mut term.kind { - TermKind::Call { - id, - subst, - fun: box Term { kind: TermKind::Item(fid, fsubst), .. }, - args, - } => { - *id = *fid; - *subst = fsubst; - + TermKind::Call { id, subst, args } => { + let method = if self.tcx.trait_of_item(*id).is_some() { + resolve_opt(self.tcx, self.param_env, *id, subst).unwrap_or_else(|| { + panic!("could not resolve trait instance {:?}", (*id, *subst)) + }) + } else { + // TODO dont' do this + (*id, *subst) + }; + *id = method.0; + *subst = method.1; *subst = self.tcx.normalize_erasing_regions(self.param_env, *subst); if self.tcx.def_path_str(*id) == "std::boxed::Box::::new" { 
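Review bot: The rewritten `TermKind::Call` arm in `NormalizeTerm::visit_mut_term` now runs `resolve_opt` for every trait-method call and turns a failed resolution into `panic!("could not resolve trait instance …")`; the old arm only fired when `fun` was a `TermKind::Item`, so this widens the set of terms that can abort the compiler, and if resolution can legitimately fail for callers still generic over the trait (inferred, not visible here) an error carrying the term's span, or leaving the call unresolved, would be kinder than a panic in a normalization pass. `*subst = method.1;` is immediately overwritten by the `normalize_erasing_regions` line, so the two fold into `*subst = self.tcx.normalize_erasing_regions(self.param_env, method.1);`. The `// TODO dont' do this` comment has a typo and does not say what is wrong with taking `(*id, *subst)` as-is; state the intended alternative. `visit_mut_term` continues past this hunk.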
@@ -68,51 +70,115 @@ fn optimize_builtin<'tcx>( let builtin_attr = get_builtin(tcx, def_id); if builtin_attr == Some(Symbol::intern("add_int")) { - Some(TermKind::Binary { op: BinOp::Add, lhs: Box::new(args.remove(0)), rhs: Box::new(args.remove(0)) }) + Some(TermKind::Binary { + op: BinOp::Add, + lhs: Box::new(args.remove(0)), + rhs: Box::new(args.remove(0)), + }) } else if builtin_attr == Some(Symbol::intern("sub_int")) { - Some(TermKind::Binary { op: BinOp::Sub, lhs: Box::new(args.remove(0)), rhs: Box::new(args.remove(0)) }) + Some(TermKind::Binary { + op: BinOp::Sub, + lhs: Box::new(args.remove(0)), + rhs: Box::new(args.remove(0)), + }) } else if builtin_attr == Some(Symbol::intern("mul_int")) { - Some(TermKind::Binary { op: BinOp::Mul, lhs: Box::new(args.remove(0)), rhs: Box::new(args.remove(0)) }) + Some(TermKind::Binary { + op: BinOp::Mul, + lhs: Box::new(args.remove(0)), + rhs: Box::new(args.remove(0)), + }) } else if builtin_attr == Some(Symbol::intern("div_int")) { - Some(TermKind::Binary { op: BinOp::Div, lhs: Box::new(args.remove(0)), rhs: Box::new(args.remove(0)) }) + Some(TermKind::Binary { + op: BinOp::Div, + lhs: Box::new(args.remove(0)), + rhs: Box::new(args.remove(0)), + }) } else if builtin_attr == Some(Symbol::intern("rem_int")) { - Some(TermKind::Binary { op: BinOp::Rem, lhs: Box::new(args.remove(0)), rhs: Box::new(args.remove(0)) }) + Some(TermKind::Binary { + op: BinOp::Rem, + lhs: Box::new(args.remove(0)), + rhs: Box::new(args.remove(0)), + }) } else if builtin_attr == Some(Symbol::intern("neg_int")) { Some(TermKind::Unary { op: pearlite::UnOp::Neg, arg: Box::new(args.remove(0)) }) } else if builtin_attr == Some(Symbol::intern("int.Int.(<=)")) { - Some(TermKind::Binary { op: BinOp::Le, lhs: Box::new(args.remove(0)), rhs: Box::new(args.remove(0)) }) + Some(TermKind::Binary { + op: BinOp::Le, + lhs: Box::new(args.remove(0)), + rhs: Box::new(args.remove(0)), + }) } else if builtin_attr == Some(Symbol::intern("int.Int.(<)")) { - 
Some(TermKind::Binary { op: BinOp::Lt, lhs: Box::new(args.remove(0)), rhs: Box::new(args.remove(0)) }) + Some(TermKind::Binary { + op: BinOp::Lt, + lhs: Box::new(args.remove(0)), + rhs: Box::new(args.remove(0)), + }) } else if builtin_attr == Some(Symbol::intern("int.Int.(>=)")) { - Some(TermKind::Binary { op: BinOp::Ge, lhs: Box::new(args.remove(0)), rhs: Box::new(args.remove(0)) }) + Some(TermKind::Binary { + op: BinOp::Ge, + lhs: Box::new(args.remove(0)), + rhs: Box::new(args.remove(0)), + }) } else if builtin_attr == Some(Symbol::intern("int.Int.(>)")) { - Some(TermKind::Binary { op: BinOp::Gt, lhs: Box::new(args.remove(0)), rhs: Box::new(args.remove(0)) }) + Some(TermKind::Binary { + op: BinOp::Gt, + lhs: Box::new(args.remove(0)), + rhs: Box::new(args.remove(0)), + }) } else if builtin_attr == Some(Symbol::intern("==")) { - Some(TermKind::Binary { op: BinOp::Eq, lhs: Box::new(args.remove(0)), rhs: Box::new(args.remove(0)) }) + Some(TermKind::Binary { + op: BinOp::Eq, + lhs: Box::new(args.remove(0)), + rhs: Box::new(args.remove(0)), + }) } else if builtin_attr == Some(Symbol::intern("!=")) { - Some(TermKind::Binary { op: BinOp::Ne, lhs: Box::new(args.remove(0)), rhs: Box::new(args.remove(0)) }) - } else if builtin_attr == Some(Symbol::intern("prelude.UInt8.to_int")) && let TermKind::Lit(Literal::MachUnsigned(c, _)) = args[0].kind { + Some(TermKind::Binary { + op: BinOp::Ne, + lhs: Box::new(args.remove(0)), + rhs: Box::new(args.remove(0)), + }) + } else if builtin_attr == Some(Symbol::intern("prelude.UInt8.to_int")) + && let TermKind::Lit(Literal::MachUnsigned(c, _)) = args[0].kind + { Some(TermKind::Lit(Literal::Integer(c as i128))) - } else if builtin_attr == Some(Symbol::intern("prelude.UInt16.to_int")) && let TermKind::Lit(Literal::MachUnsigned(c, _)) = args[0].kind { + } else if builtin_attr == Some(Symbol::intern("prelude.UInt16.to_int")) + && let TermKind::Lit(Literal::MachUnsigned(c, _)) = args[0].kind + { Some(TermKind::Lit(Literal::Integer(c as i128))) 
- } else if builtin_attr == Some(Symbol::intern("prelude.UInt32.to_int")) && let TermKind::Lit(Literal::MachUnsigned(c, _)) = args[0].kind { + } else if builtin_attr == Some(Symbol::intern("prelude.UInt32.to_int")) + && let TermKind::Lit(Literal::MachUnsigned(c, _)) = args[0].kind + { Some(TermKind::Lit(Literal::Integer(c as i128))) - } else if builtin_attr == Some(Symbol::intern("prelude.UInt64.to_int")) && let TermKind::Lit(Literal::MachUnsigned(c, _)) = args[0].kind { + } else if builtin_attr == Some(Symbol::intern("prelude.UInt64.to_int")) + && let TermKind::Lit(Literal::MachUnsigned(c, _)) = args[0].kind + { Some(TermKind::Lit(Literal::Integer(c as i128))) - } else if builtin_attr == Some(Symbol::intern("prelude.UInt128.to_int")) && let TermKind::Lit(Literal::MachUnsigned(c, _)) = args[0].kind { + } else if builtin_attr == Some(Symbol::intern("prelude.UInt128.to_int")) + && let TermKind::Lit(Literal::MachUnsigned(c, _)) = args[0].kind + { if c > isize::MAX as u128 { panic!("integer constant too large") } Some(TermKind::Lit(Literal::Integer(c as i128))) - } else if builtin_attr == Some(Symbol::intern("prelude.Int8.to_int")) && let TermKind::Lit(Literal::MachSigned(c, _)) = args[0].kind { + } else if builtin_attr == Some(Symbol::intern("prelude.Int8.to_int")) + && let TermKind::Lit(Literal::MachSigned(c, _)) = args[0].kind + { Some(TermKind::Lit(Literal::Integer(c as i128))) - } else if builtin_attr == Some(Symbol::intern("prelude.Int16.to_int")) && let TermKind::Lit(Literal::MachSigned(c, _)) = args[0].kind { + } else if builtin_attr == Some(Symbol::intern("prelude.Int16.to_int")) + && let TermKind::Lit(Literal::MachSigned(c, _)) = args[0].kind + { Some(TermKind::Lit(Literal::Integer(c as i128))) - } else if builtin_attr == Some(Symbol::intern("prelude.Int32.to_int")) && let TermKind::Lit(Literal::MachSigned(c, _)) = args[0].kind { + } else if builtin_attr == Some(Symbol::intern("prelude.Int32.to_int")) + && let TermKind::Lit(Literal::MachSigned(c, _)) = 
args[0].kind + { Some(TermKind::Lit(Literal::Integer(c as i128))) - } else if builtin_attr == Some(Symbol::intern("prelude.Int64.to_int")) && let TermKind::Lit(Literal::MachSigned(c, _)) = args[0].kind { + } else if builtin_attr == Some(Symbol::intern("prelude.Int64.to_int")) + && let TermKind::Lit(Literal::MachSigned(c, _)) = args[0].kind + { Some(TermKind::Lit(Literal::Integer(c as i128))) - } else if builtin_attr == Some(Symbol::intern("prelude.Int128.to_int")) && let TermKind::Lit(Literal::MachSigned(c, _)) = args[0].kind { + } else if builtin_attr == Some(Symbol::intern("prelude.Int128.to_int")) + && let TermKind::Lit(Literal::MachSigned(c, _)) = args[0].kind + { Some(TermKind::Lit(Literal::Integer(c as i128))) } else if builtin_attr == Some(Symbol::intern("identity")) { Some(args.remove(0).kind) diff --git a/creusot/src/translation/specification.rs b/creusot/src/translation/specification.rs index 23907d2737..77324c8802 100644 --- a/creusot/src/translation/specification.rs +++ b/creusot/src/translation/specification.rs 
@@ -302,26 +302,25 @@ pub(crate) fn is_overloaded_item(tcx: TyCtxt, def_id: DefId) -> bool { || def_path.ends_with("::boxed::Box::::new") || def_path.ends_with("::ops::Deref::deref") || def_path.ends_with("::ops::DerefMut::deref_mut") - || def_path.ends_with("Ghost::::from_fn") + || def_path.ends_with("Snapshot::::from_fn") } #[derive(Clone, Copy, PartialEq, Eq, Debug)] pub(crate) enum Purity { Program, - Ghost, - Logic, + Logic { prophetic: bool }, } impl Purity { pub(crate) fn of_def_id<'tcx>(tcx: TyCtxt<'tcx>, def_id: DefId) -> Self { - let is_ghost = util::is_ghost_closure(tcx, def_id); - if util::is_predicate(tcx, def_id) - || util::is_logic(tcx, def_id) - || (util::is_spec(tcx, def_id) && !is_ghost) + let is_snapshot = util::is_snapshot_closure(tcx, def_id); + if (util::is_predicate(tcx, def_id) && util::is_prophetic(tcx, def_id)) + || (util::is_logic(tcx, def_id) && util::is_prophetic(tcx, def_id)) + || (util::is_spec(tcx, def_id) && !is_snapshot) { - Purity::Logic - } else if util::is_ghost(tcx, def_id) || is_ghost { - Purity::Ghost + Purity::Logic { prophetic: true } + } else if util::is_predicate(tcx, def_id) || util::is_logic(tcx, def_id) || is_snapshot { + Purity::Logic { prophetic: false } } else { Purity::Program } @@ -329,12 +328,22 @@ impl Purity { fn can_call(self, other: Purity) -> bool { match (self, other) { - (Purity::Logic, Purity::Ghost) => true, + (Purity::Logic { prophetic: true }, Purity::Logic { prophetic: false }) => true, (ctx, call) => ctx == call, } } } +impl std::fmt::Display for Purity { + fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result { + f.write_str(match self { + Purity::Program => "program", + Purity::Logic { prophetic: false } => "logic", + Purity::Logic { prophetic: true } => "prophetic logic", + }) + } +} + pub(crate) struct PurityVisitor<'a, 'tcx> { pub(crate) tcx: TyCtxt<'tcx>, pub(crate) thir: &'a Thir<'tcx>, 
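Review bot: In `Purity::of_def_id` the first branch queries `util::is_prophetic` twice, once per `is_predicate`/`is_logic` conjunct; `(util::is_predicate(tcx, def_id) || util::is_logic(tcx, def_id)) && util::is_prophetic(tcx, def_id)` says the same thing once, and the identical expression reappears in `PurityVisitor` in the next hunk, so a shared `util` helper would keep the two classifiers from drifting apart. The new `Purity::Logic { prophetic: bool }` variant also lacks a doc comment explaining the distinction; given that `Stub::Fin` is what selects `prophetic: true` in `PurityVisitor`, something like `/// Logic context; `prophetic` means the item may observe final values (the `^` operator) and may only be called from other prophetic contexts.` would document the rule that `can_call` enforces. The `can_call` arm is consistent with that reading: a prophetic context may call non-prophetic logic, not the reverse.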
@@ -346,15 +355,16 @@ impl<'a, 'tcx> PurityVisitor<'a, 'tcx> { let stub = pearlite_stub(self.tcx, self.thir[fun].ty); if matches!(stub, Some(Stub::Fin)) - || util::is_predicate(self.tcx, func_did) - || util::is_logic(self.tcx, func_did) + || (util::is_predicate(self.tcx, func_did) && util::is_prophetic(self.tcx, func_did)) + || (util::is_logic(self.tcx, func_did) && util::is_prophetic(self.tcx, func_did)) { - Purity::Logic - } else if util::is_ghost(self.tcx, func_did) + Purity::Logic { prophetic: true } + } else if util::is_predicate(self.tcx, func_did) + || util::is_logic(self.tcx, func_did) || util::get_builtin(self.tcx, func_did).is_some() || stub.is_some() { - Purity::Ghost + Purity::Logic { prophetic: false } } else { Purity::Program } @@ -366,7 +376,7 @@ impl<'a, 'tcx> thir::visit::Visitor<'a, 'tcx> for PurityVisitor<'a, 'tcx> { self.thir } - fn visit_expr(&mut self, expr: &thir::Expr<'tcx>) { + fn visit_expr(&mut self, expr: &'a thir::Expr<'tcx>) { match expr.kind { ExprKind::Call { fun, .. } => { if let &ty::FnDef(func_did, _) = self.thir[fun].ty.kind() { @@ -375,18 +385,15 @@ impl<'a, 'tcx> thir::visit::Visitor<'a, 'tcx> for PurityVisitor<'a, 'tcx> { { let msg = format!("called {fn_purity:?} function in {:?} context", self.context); - self.tcx.sess.span_err_with_code( + + self.tcx.dcx().span_err( self.thir[fun].span, format!("{} {:?}", msg, self.tcx.def_path_str(func_did)), - rustc_errors::DiagnosticId::Error(String::from("creusot")), ); } } else if self.context != Purity::Program { - self.tcx.sess.span_fatal_with_code( - expr.span, - "non function call in logical context", - rustc_errors::DiagnosticId::Error(String::from("creusot")), - ) + // TODO Add a "code" back in + self.tcx.dcx().span_fatal(expr.span, "non function call in logical context") } } ExprKind::Closure(box ClosureExpr { closure_id, .. }) => { 
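Review bot: The purity error in `PurityVisitor::visit_expr` still formats both purities with `{:?}`, so users see `called Logic { prophetic: true } function in Logic { prophetic: false } context` (as the updated 436_0.stderr confirms), even though this commit adds a `Display` impl for `Purity` that renders "prophetic logic"; `let msg = format!("called {fn_purity} function in {} context", self.context);` would use it, with the .stderr expectations updated to match. The `span_fatal` branch drops its former "creusot" error code with only a `// TODO Add a "code" back in`; if the code is not coming back, the comment should say why it was removed rather than leave a dangling task. The `visit_expr` body continues past this hunk.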
@@ -397,7 +404,7 @@ impl<'a, 'tcx> thir::visit::Visitor<'a, 'tcx> for PurityVisitor<'a, 'tcx> { let (thir, expr) = self .tcx .thir_body(closure_id) - .unwrap_or_else(|_| Error::from(CrErr).emit(self.tcx.sess)); + .unwrap_or_else(|_| Error::from(CrErr).emit(self.tcx)); let thir = thir.borrow(); thir::visit::walk_expr( diff --git a/creusot/src/translation/traits.rs b/creusot/src/translation/traits.rs index 94f4029ab0..3daae4b41d 100644 --- a/creusot/src/translation/traits.rs +++ b/creusot/src/translation/traits.rs @@ -323,9 +323,12 @@ pub(crate) fn still_specializable<'tcx>( substs: GenericArgsRef<'tcx>, ) -> bool { if let Some(trait_id) = tcx.trait_of_item(def_id) { - let is_final = if let Some(ImplSource::UserDefined(ud)) = resolve_impl_source_opt(tcx, param_env, def_id, substs) { - let trait_def = tcx.trait_def(trait_id); - let leaf = trait_def.ancestors(tcx, ud.impl_def_id).unwrap().leaf_def(tcx, def_id).unwrap(); + let is_final = if let Some(ImplSource::UserDefined(ud)) = + resolve_impl_source_opt(tcx, param_env, def_id, substs) + { + let trait_def = tcx.trait_def(trait_id); + let leaf = + trait_def.ancestors(tcx, ud.impl_def_id).unwrap().leaf_def(tcx, def_id).unwrap(); leaf.is_final() } else { @@ -334,7 +337,9 @@ pub(crate) fn still_specializable<'tcx>( let trait_generics = substs.truncate_to(tcx, tcx.generics_of(trait_id)); !is_final && trait_generics.still_further_specializable() - } else if let Some(impl_id) = tcx.impl_of_method(def_id) && tcx.trait_id_of_impl(impl_id).is_some() { + } else if let Some(impl_id) = tcx.impl_of_method(def_id) + && tcx.trait_id_of_impl(impl_id).is_some() + { let is_final = tcx.defaultness(def_id).is_final(); let trait_ref = tcx.impl_trait_ref(impl_id).unwrap(); !is_final && trait_ref.instantiate(tcx, substs).still_further_specializable() diff --git a/creusot/src/util.rs b/creusot/src/util.rs index d1113e84e6..2b5a8a4908 100644 --- a/creusot/src/util.rs +++ b/creusot/src/util.rs 
@@ -35,10 +35,7 @@ use why3::{ }; pub(crate) fn no_mir(tcx: TyCtxt, def_id: DefId) -> bool { - crate::util::is_no_translate(tcx, def_id) - || crate::util::is_ghost(tcx, def_id) - || crate::util::is_predicate(tcx, def_id) - || crate::util::is_logic(tcx, def_id) + is_no_translate(tcx, def_id) || is_predicate(tcx, def_id) || is_logic(tcx, def_id) } pub(crate) fn is_no_translate(tcx: TyCtxt, def_id: DefId) -> bool { @@ -65,21 +62,25 @@ pub(crate) fn is_assertion(tcx: TyCtxt, def_id: DefId) -> bool { get_attr(tcx.get_attrs_unchecked(def_id), &["creusot", "spec", "assert"]).is_some() } -pub(crate) fn is_ghost_closure(tcx: TyCtxt, def_id: DefId) -> bool { - get_attr(tcx.get_attrs_unchecked(def_id), &["creusot", "spec", "ghost"]).is_some() +pub(crate) fn is_snapshot_closure(tcx: TyCtxt, def_id: DefId) -> bool { + get_attr(tcx.get_attrs_unchecked(def_id), &["creusot", "spec", "snapshot"]).is_some() } -pub(crate) fn ghost_closure_id<'tcx>(tcx: TyCtxt<'tcx>, ty: Ty<'tcx>) -> Option { - if let TyKind::Closure(def_id, _) = ty.peel_refs().kind() && is_ghost_closure(tcx, *def_id) { +pub(crate) fn snapshot_closure_id<'tcx>(tcx: TyCtxt<'tcx>, ty: Ty<'tcx>) -> Option { + if let TyKind::Closure(def_id, _) = ty.peel_refs().kind() + && is_snapshot_closure(tcx, *def_id) + { Some(*def_id) - } else { None } + } else { + None + } } -pub(crate) fn is_ghost_ty<'tcx>(tcx: TyCtxt<'tcx>, ty: Ty<'tcx>) -> bool { +pub(crate) fn is_snap_ty<'tcx>(tcx: TyCtxt<'tcx>, ty: Ty<'tcx>) -> bool { let r: Option = try { let adt = ty.ty_adt_def()?; let builtin = get_builtin(tcx, adt.did())?; - builtin.as_str() == "prelude.Ghost.ghost_ty" + builtin.as_str() == "prelude.Snapshot.snap_ty" }; r.unwrap_or(false) } 
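Review bot: The renamed helpers are inconsistent: `is_snapshot_closure` and `snapshot_closure_id` spell out "snapshot", while `is_snap_ty` abbreviates it, so a reader grepping for snapshot handling misses the third one; `is_snapshot_ty` would match the other two (callers outside this hunk would need the same rename). The function also has no doc comment; `/// True if `ty` is the `Snapshot` ADT, detected via the `prelude.Snapshot.snap_ty` builtin attribute.` states exactly what the `try` block checks.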
@@ -88,12 +89,12 @@ pub(crate) fn is_logic(tcx: TyCtxt, def_id: DefId) -> bool { get_attr(tcx.get_attrs_unchecked(def_id), &["creusot", "decl", "logic"]).is_some() } -pub(crate) fn is_predicate(tcx: TyCtxt, def_id: DefId) -> bool { - get_attr(tcx.get_attrs_unchecked(def_id), &["creusot", "decl", "predicate"]).is_some() +pub(crate) fn is_prophetic(tcx: TyCtxt, def_id: DefId) -> bool { + get_attr(tcx.get_attrs_unchecked(def_id), &["creusot", "decl", "logic", "prophetic"]).is_some() } -pub(crate) fn is_ghost(tcx: TyCtxt, def_id: DefId) -> bool { - get_attr(tcx.get_attrs_unchecked(def_id), &["creusot", "decl", "ghost"]).is_some() +pub(crate) fn is_predicate(tcx: TyCtxt, def_id: DefId) -> bool { + get_attr(tcx.get_attrs_unchecked(def_id), &["creusot", "decl", "predicate"]).is_some() } pub(crate) fn is_trusted(tcx: TyCtxt, def_id: DefId) -> bool { @@ -152,7 +153,7 @@ pub(crate) fn why3_attrs(tcx: TyCtxt, def_id: DefId) -> Vec LocalDefId { - if is_spec(tcx, def_id.to_def_id()) && tcx.is_closure(def_id.to_def_id()) { + if is_spec(tcx, def_id.to_def_id()) && tcx.is_closure_or_coroutine(def_id.to_def_id()) { tcx.parent(def_id.to_def_id()).expect_local() } else { def_id @@ -165,7 +166,7 @@ pub(crate) fn should_translate(tcx: TyCtxt, mut def_id: DefId) -> bool { return false; } - if tcx.is_closure(def_id) { + if tcx.is_closure_or_coroutine(def_id) { def_id = tcx.parent(def_id); } else { return true; @@ -178,7 +179,7 @@ pub(crate) fn has_body(ctx: &mut TranslationCtx, def_id: DefId) -> bool { ctx.tcx.hir().maybe_body_owned_by(local_id).is_some() } else { match item_type(ctx.tcx, def_id) { - ItemType::Ghost | ItemType::Logic | ItemType::Predicate => ctx.term(def_id).is_some(), + ItemType::Logic { .. } | ItemType::Predicate { .. } => ctx.term(def_id).is_some(), _ => false, } } 
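Review bot: `is_prophetic` recognises only the `creusot::decl::logic::prophetic` attribute path, yet it is also consulted for predicates (`item_type` and `Purity::of_def_id` call it after `is_predicate`); if a prophetic predicate expands to a `decl::predicate::prophetic` marker rather than the logic one, it would be classified as non-prophetic, which `can_call` would then reject silently at call sites. I cannot see the macro expansion from here, so please confirm the emitted path, and document the contract on the function either way: `/// True if the item carries the `creusot::decl::logic::prophetic` marker; used for both logic functions and predicates.` The `is_predicate` move below it is a pure relocation.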
@@ -294,9 +295,8 @@ fn ident_path(tcx: TyCtxt, def_id: DefId) -> Ident { #[derive(Clone, Copy, Debug, PartialEq, Eq)] pub enum ItemType { - Logic, - Predicate, - Ghost, + Logic { prophetic: bool }, + Predicate { prophetic: bool }, Program, Closure, Trait, @@ -310,8 +310,8 @@ pub enum ItemType { impl ItemType { pub(crate) fn let_kind(&self) -> Option { match self { - ItemType::Logic | ItemType::Ghost => Some(LetKind::Function), - ItemType::Predicate => Some(LetKind::Predicate), + ItemType::Logic { .. } => Some(LetKind::Function), + ItemType::Predicate { .. } => Some(LetKind::Predicate), ItemType::Program | ItemType::Closure => None, ItemType::Constant => Some(LetKind::Constant), _ => None, @@ -320,10 +320,10 @@ impl ItemType { pub(crate) fn val(&self, mut sig: Signature) -> ValDecl { match self { - ItemType::Logic | ItemType::Ghost => { + ItemType::Logic { .. } => { ValDecl { sig, ghost: false, val: false, kind: Some(LetKind::Function) } } - ItemType::Predicate => { + ItemType::Predicate { .. } => { sig.retty = None; ValDecl { sig, ghost: false, val: false, kind: Some(LetKind::Predicate) } } @@ -339,9 +339,10 @@ impl ItemType { pub(crate) fn to_str(&self) -> &str { match self { - ItemType::Logic => "logic function", - ItemType::Predicate => "predicate", - ItemType::Ghost => "ghost function", + ItemType::Logic { prophetic: false } => "logic function", + ItemType::Logic { prophetic: true } => "prophetic logic function", + ItemType::Predicate { prophetic: false } => "predicate", + ItemType::Predicate { prophetic: true } => "prophetic predicate", ItemType::Program => "program function", ItemType::Closure => "closure", ItemType::Trait => "trait declaration", 
@@ -352,6 +353,16 @@ impl ItemType { ItemType::Unsupported(_) => "[OTHER]", } } + + pub(crate) fn can_implement(self, trait_type: Self) -> bool { + match (self, trait_type) { + (ItemType::Logic { prophetic: false }, ItemType::Logic { prophetic: true }) => true, + (ItemType::Predicate { prophetic: false }, ItemType::Predicate { prophetic: true }) => { + true + } + _ => self == trait_type, + } + } } pub(crate) fn item_type(tcx: TyCtxt<'_>, def_id: DefId) -> ItemType { @@ -360,11 +371,9 @@ pub(crate) fn item_type(tcx: TyCtxt<'_>, def_id: DefId) -> ItemType { DefKind::Impl { .. } => ItemType::Impl, DefKind::Fn | DefKind::AssocFn => { if is_predicate(tcx, def_id) { - ItemType::Predicate - } else if is_ghost(tcx, def_id) { - ItemType::Ghost + ItemType::Predicate { prophetic: is_prophetic(tcx, def_id) } } else if is_logic(tcx, def_id) { - ItemType::Logic + ItemType::Logic { prophetic: is_prophetic(tcx, def_id) } } else { ItemType::Program } @@ -382,9 +391,8 @@ pub(crate) fn inputs_and_output<'tcx>( tcx: TyCtxt<'tcx>, def_id: DefId, ) -> (impl Iterator)>, Ty<'tcx>) { - let (inputs, output): (Box>, _) = match tcx - .type_of(def_id) - .instantiate_identity() + let ty = tcx.type_of(def_id).instantiate_identity(); + let (inputs, output): (Box>, _) = match ty .kind() { TyKind::FnDef(..) => { @@ -396,7 +404,7 @@ pub(crate) fn inputs_and_output<'tcx>( TyKind::Closure(_, subst) => { let sig = tcx.signature_unclosure(subst.as_closure().sig(), Unsafety::Normal); let sig = tcx.normalize_erasing_late_bound_regions(tcx.param_env(def_id), sig); - let env_ty = tcx.closure_env_ty(def_id, subst, tcx.lifetimes.re_erased).unwrap(); + let env_ty = tcx.closure_env_ty(ty, subst.as_closure().kind(), tcx.lifetimes.re_erased); // I wish this could be called "self" let closure_env = (symbol::Ident::empty(), env_ty); 
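Review bot: `ItemType::can_implement` encodes a deliberately asymmetric rule (a non-prophetic impl item may implement a prophetic trait declaration, never the reverse) with no doc comment, and since `validate_impls` relies on it to reject mismatched impls the direction deserves to be written down; suggested: `/// Whether an impl item of kind `self` may implement a trait item of kind `trait_type`. A non-prophetic logic function or predicate may implement a prophetic declaration, mirroring `Purity::can_call` where a prophetic context may call non-prophetic logic, but not the other way round; all other kinds must match exactly.` The `_ => self == trait_type` fallback also covers `Unsupported(_)` payload comparisons, which is fine but worth a word in the same comment.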
@@ -447,12 +455,16 @@ pub(crate) fn pre_sig_of<'tcx>( }); } - if let TyKind::Closure(_, subst) = ctx.tcx.type_of(def_id).instantiate_identity().kind() { + let fn_ty = ctx.tcx.type_of(def_id).instantiate_identity(); + + if let TyKind::Closure(_, subst) = fn_ty.kind() { let self_ = Symbol::intern("_1"); let mut pre_subst = closure_capture_subst(ctx.tcx, def_id, subst, None, self_); let mut s = HashMap::new(); - let env_ty = ctx.closure_env_ty(def_id, subst, ctx.lifetimes.re_erased).unwrap(); + let kind = subst.as_closure().kind(); + + let env_ty = ctx.closure_env_ty(fn_ty, kind, ctx.lifetimes.re_erased); s.insert( self_, if env_ty.is_ref() { Term::var(self_, env_ty).cur() } else { Term::var(self_, env_ty) }, @@ -463,8 +475,6 @@ pub(crate) fn pre_sig_of<'tcx>( pre.subst(&s); } - let kind = subst.as_closure().kind(); - if kind == ClosureKind::FnMut { let args = subst.as_closure().sig().inputs().skip_binder()[0]; let unnest_subst = @@ -520,7 +530,7 @@ fn elaborate_type_invariants<'tcx>( ) { if is_user_tyinv(ctx.tcx, def_id) || is_inv_internal(ctx.tcx, def_id) - || (is_predicate(ctx.tcx, def_id) || is_ghost(ctx.tcx, def_id) || is_logic(ctx.tcx, def_id)) + || (is_predicate(ctx.tcx, def_id) || is_logic(ctx.tcx, def_id)) && pre_sig.contract.ensures.is_empty() { return; @@ -753,7 +763,7 @@ pub(crate) fn closure_capture_subst<'tcx>( self_name: Symbol, ) -> ClosureSubst<'tcx> { let mut fun_def_id = def_id; - while tcx.is_closure(fun_def_id) { + while tcx.is_closure_or_coroutine(fun_def_id) { fun_def_id = tcx.parent(fun_def_id); } diff --git a/creusot/src/validate.rs b/creusot/src/validate.rs index e01c00e888..895efe5283 100644 --- a/creusot/src/validate.rs +++ b/creusot/src/validate.rs @@ -33,7 +33,7 @@ pub(crate) fn validate_opacity(ctx: &mut TranslationCtx, item: DefId) -> Option< "Cannot make `{:?}` transparent in `{:?}` as it would call a less-visible item.", self.ctx.def_path_str(id), self.ctx.def_path_str(self.source_item) ), - ) + ).emit(); } } 
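Review bot: The rewritten condition in `elaborate_type_invariants` mixes `||` and `&&` without parentheses, so it reads as `is_user_tyinv || is_inv_internal || ((is_predicate || is_logic) && ensures.is_empty())` only to someone who knows `&&` binds tighter; `|| ((is_predicate(ctx.tcx, def_id) || is_logic(ctx.tcx, def_id)) && pre_sig.contract.ensures.is_empty())` makes the intended grouping explicit and is what clippy's `precedence` lint would ask for. The function's signature and the rest of its body lie outside this hunk. The `kind` hoist in `pre_sig_of` (first hunk on this line) is consistent with the later deletion of the duplicate `let kind`.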
@@ -69,7 +69,7 @@ pub(crate) fn validate_opacity(ctx: &mut TranslationCtx, item: DefId) -> Option< if ctx.visibility(item) != Visibility::Restricted(parent_module(ctx.tcx, item)) && util::opacity_witness_name(ctx.tcx, item).is_none() { - ctx.error(ctx.def_span(item), "Non private definitions must have an explicit transparency. Please add #[open(..)] to your definition", ); + ctx.error(ctx.def_span(item), "Non private definitions must have an explicit transparency. Please add #[open(..)] to your definition").emit(); } let opacity = ctx.opacity(item).scope(); @@ -93,7 +93,7 @@ pub(crate) fn validate_traits(ctx: &mut TranslationCtx) { } for (_, sp) in law_violations { - ctx.error(sp, "Laws cannot have additional generic parameters"); + ctx.error(sp, "Laws cannot have additional generic parameters").emit(); } } @@ -120,7 +120,7 @@ pub(crate) fn validate_impls(ctx: &TranslationCtx) { trait_ref.print_only_trait_name() ) }; - ctx.error(ctx.def_span(impl_id.to_def_id()), &msg) + ctx.error(ctx.def_span(impl_id.to_def_id()), &msg).emit(); } let implementors = ctx.impl_item_implementor_ids(impl_id.to_def_id()); @@ -132,20 +132,18 @@ pub(crate) fn validate_impls(ctx: &TranslationCtx) { continue; }; - if util::item_type(ctx.tcx, *trait_item) != util::item_type(ctx.tcx, *impl_item) { - eprintln!( - "{:?} != {:?}", - util::item_type(ctx.tcx, *trait_item), - util::item_type(ctx.tcx, *impl_item) - ); + let item_type = util::item_type(ctx.tcx, *impl_item); + let trait_type = util::item_type(ctx.tcx, *trait_item); + if !item_type.can_implement(trait_type) { ctx.error( ctx.def_span(impl_item), &format!( "Expected `{}` to be a {} as specified by the trait declaration", ctx.item_name(*impl_item), - util::item_type(ctx.tcx, *impl_item).to_str() + trait_type.to_str() ), - ); + ) + .emit(); } } } diff --git a/creusot/tests/should_fail/array.stderr b/creusot/tests/should_fail/array.stderr index 6804624112..b46b252be3 100644 --- a/creusot/tests/should_fail/array.stderr 
+++ b/creusot/tests/should_fail/array.stderr @@ -10,7 +10,7 @@ error: Unsupported expression: Repeat 13 | #[requires([0; 4] == x)] | ^^^^^^ -error[creusot]: internal error +error: internal error error: aborting due to 3 previous errors diff --git a/creusot/tests/should_fail/bad_borrow.stderr b/creusot/tests/should_fail/bad_borrow.stderr index 3463a35020..d56cfd433b 100644 --- a/creusot/tests/should_fail/bad_borrow.stderr +++ b/creusot/tests/should_fail/bad_borrow.stderr @@ -9,6 +9,6 @@ error[E0499]: cannot borrow `x` as mutable more than once at a time 6 | *a += *b; | -------- first borrow later used here -error: aborting due to previous error +error: aborting due to 1 previous error For more information about this error, try `rustc --explain E0499`. diff --git a/creusot/tests/should_fail/bad_law.stderr b/creusot/tests/should_fail/bad_law.stderr index 0fa9046af0..8d2e34c4cf 100644 --- a/creusot/tests/should_fail/bad_law.stderr +++ b/creusot/tests/should_fail/bad_law.stderr @@ -1,11 +1,10 @@ -error[creusot]: Laws cannot have additional generic parameters +error: Laws cannot have additional generic parameters --> bad_law.rs:6:5 | 6 | fn my_law(x: T); | ^^^^^^^^^^^^^^^^^^^ -Logic != Program -error[creusot]: Expected `my_law` to be a program function as specified by the trait declaration +error: Expected `my_law` to be a logic function as specified by the trait declaration --> bad_law.rs:10:5 | 10 | fn my_law(_: T) {} diff --git a/creusot/tests/should_fail/bug/01_resolve_unsoundness.mlcfg b/creusot/tests/should_fail/bug/01_resolve_unsoundness.mlcfg index bc482ee4bc..23097a14ed 100644 --- a/creusot/tests/should_fail/bug/01_resolve_unsoundness.mlcfg +++ b/creusot/tests/should_fail/bug/01_resolve_unsoundness.mlcfg 
@@ -17,12 +17,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type @@ -88,7 +94,8 @@ module C01ResolveUnsoundness_MakeVecOfSize requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv3 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -120,17 +127,18 @@ module C01ResolveUnsoundness_MakeVecOfSize var n : usize = n; var out : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global); var i : usize; + var _9 : bool; var _12 : (); var _13 : borrowed (Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global)); { goto BB0 } BB0 { - [#"../01_resolve_unsoundness.rs" 10 29 10 39] out <- ([#"../01_resolve_unsoundness.rs" 10 29 10 39] new0 ()); + [#"../01_resolve_unsoundness.rs" 10 29 10 39] out <- ([#"../01_resolve_unsoundness.rs" 10 29 10 39] new0 ([#"../01_resolve_unsoundness.rs" 10 29 10 39] ())); goto BB1 } BB1 { - [#"../01_resolve_unsoundness.rs" 11 16 11 17] i <- ([#"../01_resolve_unsoundness.rs" 11 16 11 17] [#"../01_resolve_unsoundness.rs" 11 16 11 17] (0 : usize)); + [#"../01_resolve_unsoundness.rs" 11 16 11 17] i <- ([#"../01_resolve_unsoundness.rs" 11 16 11 17] (0 : usize)); goto BB2 } BB2 { @@ -138,7 +146,8 @@ module C01ResolveUnsoundness_MakeVecOfSize goto BB3 } BB3 { - switch ([#"../01_resolve_unsoundness.rs" 13 10 13 16] ([#"../01_resolve_unsoundness.rs" 13 10 13 11] i) <= ([#"../01_resolve_unsoundness.rs" 13 15 13 16] n)) + [#"../01_resolve_unsoundness.rs" 13 10 13 16] _9 <- i <= n; + switch (_9) | False -> goto BB6 | True -> goto BB4 end 
@@ -146,17 +155,17 @@ module C01ResolveUnsoundness_MakeVecOfSize BB4 { [#"../01_resolve_unsoundness.rs" 14 8 14 11] _13 <- Borrow.borrow_mut out; [#"../01_resolve_unsoundness.rs" 14 8 14 11] out <- ^ _13; - [#"../01_resolve_unsoundness.rs" 14 8 14 23] _12 <- ([#"../01_resolve_unsoundness.rs" 14 8 14 23] push0 _13 ([#"../01_resolve_unsoundness.rs" 14 17 14 22] [#"../01_resolve_unsoundness.rs" 14 17 14 22] false)); + [#"../01_resolve_unsoundness.rs" 14 8 14 23] _12 <- ([#"../01_resolve_unsoundness.rs" 14 8 14 23] push0 _13 ([#"../01_resolve_unsoundness.rs" 14 17 14 22] false)); _13 <- any borrowed (Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global)); goto BB5 } BB5 { - [#"../01_resolve_unsoundness.rs" 15 8 15 14] i <- ([#"../01_resolve_unsoundness.rs" 15 8 15 14] i + ([#"../01_resolve_unsoundness.rs" 15 13 15 14] [#"../01_resolve_unsoundness.rs" 15 13 15 14] (1 : usize))); + [#"../01_resolve_unsoundness.rs" 15 8 15 14] i <- i + ([#"../01_resolve_unsoundness.rs" 15 13 15 14] (1 : usize)); goto BB2 } BB6 { - [#"../01_resolve_unsoundness.rs" 17 11 17 14] _0 <- ([#"../01_resolve_unsoundness.rs" 17 11 17 14] out); - [#"../01_resolve_unsoundness.rs" 17 11 17 14] out <- any Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global); + [#"../01_resolve_unsoundness.rs" 17 11 17 14] _0 <- out; + out <- any Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global); goto BB7 } BB7 { diff --git a/creusot/tests/should_fail/bug/211.stderr b/creusot/tests/should_fail/bug/211.stderr index 3173bdfbd4..bbe3474416 100644 --- a/creusot/tests/should_fail/bug/211.stderr +++ b/creusot/tests/should_fail/bug/211.stderr 
@@ -5,15 +5,15 @@ error[E0004]: non-exhaustive patterns: `E::B` and `E::C` not covered | ^^^ patterns `E::B` and `E::C` not covered | note: `E` defined here - --> 211.rs:3:5 + --> 211.rs:1:10 | 1 | pub enum E { - | - + | ^ 2 | A, 3 | B, - | ^ not covered + | - not covered 4 | C, - | ^ not covered + | - not covered = note: the matched value is of type `E` help: ensure that all possible cases are being handled by adding a match arm with a wildcard pattern, a match arm with multiple or-patterns as shown, or multiple match arms | @@ -21,6 +21,6 @@ help: ensure that all possible cases are being handled by adding a match arm wit 12 + E::B | E::C => todo!() | -error: aborting due to previous error +error: aborting due to 1 previous error For more information about this error, try `rustc --explain E0004`. diff --git a/creusot/tests/should_fail/bug/222.mlcfg b/creusot/tests/should_fail/bug/222.mlcfg index 2e726e86df..a263640a46 100644 --- a/creusot/tests/should_fail/bug/222.mlcfg +++ b/creusot/tests/should_fail/bug/222.mlcfg @@ -6,11 +6,9 @@ module C222_A_IsTrue_Impl val mktrue0 [#"../222.rs" 7 4 7 22] (_1 : ()) : int ensures { result = mktrue0 _1 } - let rec ghost function is_true [#"../222.rs" 14 4 14 16] (_1 : ()) : () - ensures { [#"../222.rs" 13 14 13 34] mktrue0 () <= 10 } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../222.rs" 15 8 15 10] () + constant _1 : () + function is_true [#"../222.rs" 14 4 14 16] (_1 : ()) : () + goal vc_is_true : [#"../222.rs" 13 14 13 34] mktrue0 () <= 10 end module Core_Option_Option_Type type t_option 't = diff --git a/creusot/tests/should_fail/bug/222.rs b/creusot/tests/should_fail/bug/222.rs index 26d339bc30..09688138ff 100644 --- a/creusot/tests/should_fail/bug/222.rs +++ b/creusot/tests/should_fail/bug/222.rs @@ -3,7 +3,7 @@ extern crate creusot_contracts; use creusot_contracts::{logic::Int, *}; trait A { - #[ghost] + #[logic] fn mktrue() -> Int { pearlite! { 5 } } 
@@ -17,7 +17,7 @@ trait A { } impl A for () { - #[ghost] + #[logic] fn mktrue() -> Int { pearlite! { 6 } } diff --git a/creusot/tests/should_fail/bug/436_0.rs b/creusot/tests/should_fail/bug/436_0.rs index a2eb958c4b..1fa6e050af 100644 --- a/creusot/tests/should_fail/bug/436_0.rs +++ b/creusot/tests/should_fail/bug/436_0.rs @@ -2,16 +2,16 @@ extern crate creusot_contracts; use creusot_contracts::*; struct S { - g: Ghost, + g: Snapshot, } -#[ghost] +#[logic(prophetic)] fn prophecy(x: &mut S) -> i32 { pearlite! { *(^x).g } } pub fn f() { - let b = &mut S { g: gh! { 1i32 } }; - b.g = gh! { prophecy(b) + 1i32 }; + let b = &mut S { g: snapshot! { 1i32 } }; + b.g = snapshot! { prophecy(b) + 1i32 }; proof_assert! { false } } diff --git a/creusot/tests/should_fail/bug/436_0.stderr b/creusot/tests/should_fail/bug/436_0.stderr index 180377c7a3..e8c45c99db 100644 --- a/creusot/tests/should_fail/bug/436_0.stderr +++ b/creusot/tests/should_fail/bug/436_0.stderr @@ -1,10 +1,8 @@ -error[creusot]: called Logic function in Ghost context "creusot_contracts::__stubs::fin" - --> 436_0.rs:10:5 +error: called Logic { prophetic: true } function in Logic { prophetic: false } context "prophecy" + --> 436_0.rs:15:23 | -10 | pearlite! { *(^x).g } - | ^^^^^^^^^^^^^^^^^^^^^ - | - = note: this error originates in the macro `pearlite` (in Nightly builds, run with -Z macro-backtrace for more info) +15 | b.g = snapshot! { prophecy(b) + 1i32 }; + | ^^^^^^^^ -error: aborting due to previous error +error: aborting due to 1 previous error diff --git a/creusot/tests/should_fail/bug/436_1.rs b/creusot/tests/should_fail/bug/436_1.rs index e2b6bc1ebb..1ac4dc2c73 100644 --- a/creusot/tests/should_fail/bug/436_1.rs +++ b/creusot/tests/should_fail/bug/436_1.rs @@ -2,7 +2,7 @@ extern crate creusot_contracts; use creusot_contracts::*; struct S { - g: Ghost, + g: Snapshot, } #[predicate] 
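Review bot: In 436_0.rs the new `#[logic(prophetic)]` on `prophecy` moves the rejection from the `^x` inside its body to the `prophecy(b)` call inside `snapshot!` in `f`, so this file now guards a different rule than 436_1.rs, yet nothing in the test records which rule it is meant to exercise. I would add above `pub fn f()`: `// Must be rejected: a prophetic logic function may not be evaluated inside snapshot!. The snapshot is stored back into b, so (^b).g would equal *(^b).g + 1 and proof_assert!(false) would become provable.` The location pinned in 436_0.stderr, `436_0.rs:15:23`, is that call, which matches this intent, and the body-level check (`fin` inside a non-prophetic `#[predicate]`) remains covered by 436_1.rs. The recorded message `called Logic { prophetic: true } function in Logic { prophetic: false } context` looks like a `{:?}` dump of an internal enum rather than user-facing wording; it is emitted outside this diff, but this snapshot is what locks it in, so it seems worth rephrasing before more tests depend on it.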
@@ -11,7 +11,7 @@ fn prophecy(x: &mut S) -> bool { } pub fn f() { - let b = &mut S { g: gh! { true } }; - b.g = gh! { !prophecy(b) }; + let b = &mut S { g: snapshot! { true } }; + b.g = snapshot! { !prophecy(b) }; proof_assert! { false } } diff --git a/creusot/tests/should_fail/bug/436_1.stderr b/creusot/tests/should_fail/bug/436_1.stderr index 832ef17013..c8282c215d 100644 --- a/creusot/tests/should_fail/bug/436_1.stderr +++ b/creusot/tests/should_fail/bug/436_1.stderr @@ -1,8 +1,10 @@ -error[creusot]: called Logic function in Ghost context "prophecy" - --> 436_1.rs:15:18 +error: called Logic { prophetic: true } function in Logic { prophetic: false } context "creusot_contracts::__stubs::fin" + --> 436_1.rs:10:5 | -15 | b.g = gh! { !prophecy(b) }; - | ^^^^^^^^ +10 | pearlite! { *(^x).g } + | ^^^^^^^^^^^^^^^^^^^^^ + | + = note: this error originates in the macro `pearlite` (in Nightly builds, run with -Z macro-backtrace for more info) -error: aborting due to previous error +error: aborting due to 1 previous error diff --git a/creusot/tests/should_fail/bug/436_2.rs b/creusot/tests/should_fail/bug/436_2.rs index 2a678e4725..b426ec20ed 100644 --- a/creusot/tests/should_fail/bug/436_2.rs +++ b/creusot/tests/should_fail/bug/436_2.rs @@ -3,13 +3,13 @@ use creusot_contracts::*; enum Bad<'a> { None, - Some(Ghost<&'a mut Bad<'a>>), + Some(Snapshot<&'a mut Bad<'a>>), } pub fn test_bad() { let mut x = Bad::None; let m = &mut x; - let g = gh!(m); + let g = snapshot!(m); *m = Bad::Some(g); proof_assert!(*m == Bad::Some(g)); proof_assert!(^*g == ^m); diff --git a/creusot/tests/should_fail/bug/436_2.stderr b/creusot/tests/should_fail/bug/436_2.stderr index cecee78ff4..66e06a655c 100644 --- a/creusot/tests/should_fail/bug/436_2.stderr +++ b/creusot/tests/should_fail/bug/436_2.stderr 
@@ -1,8 +1,8 @@ -error[creusot]: Illegal use of the Ghost type +error: Illegal use of the Snapshot type --> 436_2.rs:6:10 | -6 | Some(Ghost<&'a mut Bad<'a>>), - | ^^^^^^^^^^^^^^^^^^^^^^ +6 | Some(Snapshot<&'a mut Bad<'a>>), + | ^^^^^^^^^^^^^^^^^^^^^^^^^ -error: aborting due to previous error +error: aborting due to 1 previous error diff --git a/creusot/tests/should_fail/bug/492.mlcfg b/creusot/tests/should_fail/bug/492.mlcfg index 279f3ac10c..7e9c55d412 100644 --- a/creusot/tests/should_fail/bug/492.mlcfg +++ b/creusot/tests/should_fail/bug/492.mlcfg @@ -52,7 +52,7 @@ module C492_ReborrowTuple [#"../492.rs" 6 5 6 6] _3 <- Borrow.borrow_final ( * x) (Borrow.get_id x); [#"../492.rs" 6 5 6 6] x <- { x with current = ( ^ _3) ; }; assume { inv0 ( ^ _3) }; - [#"../492.rs" 6 4 6 11] _0 <- ([#"../492.rs" 6 4 6 11] (_3, ([#"../492.rs" 6 8 6 10] [#"../492.rs" 6 8 6 10] (32 : uint32)))); + [#"../492.rs" 6 4 6 11] _0 <- (_3, ([#"../492.rs" 6 8 6 10] (32 : uint32))); _3 <- any borrowed t; assert { [@expl:type invariant] inv1 x }; assume { resolve0 x }; @@ -119,7 +119,7 @@ module C492_Test goto BB0 } BB0 { - [#"../492.rs" 11 16 11 17] x <- ([#"../492.rs" 11 16 11 17] [#"../492.rs" 11 16 11 17] (5 : int32)); + [#"../492.rs" 11 16 11 17] x <- ([#"../492.rs" 11 16 11 17] (5 : int32)); [#"../492.rs" 12 34 12 40] _6 <- Borrow.borrow_mut x; [#"../492.rs" 12 34 12 40] x <- ^ _6; [#"../492.rs" 12 34 12 40] _5 <- Borrow.borrow_final ( * _6) (Borrow.get_id _6); 
@@ -129,12 +129,12 @@ module C492_Test goto BB1 } BB1 { - [#"../492.rs" 12 9 12 12] res <- ([#"../492.rs" 12 9 12 12] let (a, _) = _4 in a); - [#"../492.rs" 12 9 12 12] _4 <- (let (x0, x1) = _4 in (any borrowed int32, x1)); + [#"../492.rs" 12 9 12 12] res <- (let (a, _) = _4 in a); + _4 <- (let (x0, x1) = _4 in (any borrowed int32, x1)); assume { resolve0 _4 }; assume { resolve1 _6 }; assert { [@expl:assertion] [#"../492.rs" 13 18 13 30] ^ res = (5 : int32) }; - [#"../492.rs" 14 4 14 13] res <- { res with current = ([#"../492.rs" 14 4 14 13] [#"../492.rs" 14 11 14 13] (10 : int32)) ; }; + [#"../492.rs" 14 4 14 13] res <- { res with current = ([#"../492.rs" 14 11 14 13] (10 : int32)) ; }; assume { resolve1 res }; [#"../492.rs" 10 14 15 1] _0 <- ([#"../492.rs" 10 14 15 1] ()); return _0 diff --git a/creusot/tests/should_fail/bug/603.stderr b/creusot/tests/should_fail/bug/603.stderr index 4cccc5e979..3e096228fa 100644 --- a/creusot/tests/should_fail/bug/603.stderr +++ b/creusot/tests/should_fail/bug/603.stderr @@ -15,7 +15,7 @@ error[E0277]: the trait bound `VecMap: creusot_contracts::Default` is not usize and 22 others -error[creusot]: error above +error: error above error: aborting due to 2 previous errors diff --git a/creusot/tests/should_fail/bug/692.mlcfg b/creusot/tests/should_fail/bug/692.mlcfg index eaa1b43266..b4d9634b32 100644 --- a/creusot/tests/should_fail/bug/692.mlcfg +++ b/creusot/tests/should_fail/bug/692.mlcfg 
@@ -38,7 +38,10 @@ module C692_Incorrect requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv4 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv3 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv4 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed c . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve1 ( ^ s))) + axiom fn_mut_once0_spec : forall self : c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv3 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv4 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed c . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve1 ( ^ s))) predicate unnest0 (self : c) (_2 : c) val unnest0 (self : c) (_2 : c) : bool ensures { result = unnest0 self _2 } 
@@ -52,13 +55,19 @@ module C692_Incorrect requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv1 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : c, b : c, c : c . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv1 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv1 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : c, b : c, c : c . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv1 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv1 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : c) : () val unnest_refl0 (self : c) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv1 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : c . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : c . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed c) (args : ()) (res : bool) : () val postcondition_mut_unnest0 (self : borrowed c) (args : ()) (res : bool) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -67,7 +76,11 @@ module C692_Incorrect requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv4 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv3 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv4 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv3 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv4 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant4 (self : bool) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant4 (self : bool) : bool 
@@ -96,7 +109,10 @@ module C692_Incorrect requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv4 res} ensures { result = fn_once0 self args res } - axiom fn_once0_spec : forall self : c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv3 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv4 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once0 self args res = (resolve1 self /\ postcondition0 self args res)) + axiom fn_once0_spec : forall self : c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv3 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv4 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once0 self args res = (resolve1 self /\ postcondition0 self args res)) predicate resolve2 (self : borrowed c) = [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve2 (self : borrowed c) : bool 
@@ -109,7 +125,10 @@ module C692_Incorrect requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv4 res} ensures { result = fn_mut0 self args res } - axiom fn_mut0_spec : forall self : borrowed c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv3 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv4 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve2 self /\ postcondition0 ( * self) args res)) + axiom fn_mut0_spec : forall self : borrowed c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv3 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv4 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve2 self /\ postcondition0 ( * self) args res)) predicate invariant1 (self : c) val invariant1 (self : c) : bool ensures { result = invariant1 self } @@ -137,7 +156,8 @@ module C692_Incorrect ensures { result = resolve0 self } let rec cfg incorrect [#"../692.rs" 8 0 8 76] [@cfg:stackify] [@cfg:subregion_analysis] (cond : c) (branch : b) : () - requires {[#"../692.rs" 5 0 6 87] precondition0 cond () /\ (forall b : bool . precondition1 branch (b) /\ (exists b : bool . forall b0 : bool . postcondition0 cond () b0 -> b0 = b))} + requires {[#"../692.rs" 5 0 6 87] precondition0 cond () /\ (forall b : bool . precondition1 branch (b) /\ (exists b : bool . forall b0 : bool . postcondition0 cond () b0 + -> b0 = b))} requires {[#"../692.rs" 8 57 8 61] inv1 cond} requires {[#"../692.rs" 8 66 8 72] inv0 branch} ensures { [#"../692.rs" 7 10 7 15] false } 
@@ -213,25 +233,25 @@ module C692_ValidNormal_Closure2 goto BB0 } BB0 { - switch ([#"../692.rs" 16 21 16 22] b) + switch (b) | False -> goto BB2 | True -> goto BB1 end } BB1 { - [#"../692.rs" 16 25 16 26] _4 <- ([#"../692.rs" 16 25 16 26] [#"../692.rs" 16 25 16 26] (2 : uint32)); + [#"../692.rs" 16 25 16 26] _4 <- ([#"../692.rs" 16 25 16 26] (2 : uint32)); goto BB3 } BB2 { - [#"../692.rs" 16 36 16 37] _4 <- ([#"../692.rs" 16 36 16 37] [#"../692.rs" 16 36 16 37] (1 : uint32)); + [#"../692.rs" 16 36 16 37] _4 <- ([#"../692.rs" 16 36 16 37] (1 : uint32)); goto BB3 } BB3 { - [#"../692.rs" 16 14 16 39] _1 <- { _1 with current = (let C692_ValidNormal_Closure2.C692_ValidNormal_Closure2 x0 = * _1 in C692_ValidNormal_Closure2.C692_ValidNormal_Closure2 ({ (field_00 ( * _1)) with current = ([#"../692.rs" 16 14 16 39] _4) ; })) ; }; - [#"../692.rs" 16 14 16 39] _4 <- any uint32; + [#"../692.rs" 16 14 16 39] _1 <- { _1 with current = (let C692_ValidNormal_Closure2.C692_ValidNormal_Closure2 x0 = * _1 in C692_ValidNormal_Closure2.C692_ValidNormal_Closure2 ({ (field_00 ( * _1)) with current = _4 ; })) ; }; + _4 <- any uint32; assume { resolve0 _1 }; [#"../692.rs" 16 14 16 39] res <- ([#"../692.rs" 16 14 16 39] ()); - [#"../692.rs" 15 17 15 64] _0 <- ([#"../692.rs" 15 17 15 64] res); + [#"../692.rs" 15 17 15 64] _0 <- res; return _0 } @@ -267,8 +287,8 @@ module C692_ValidNormal_Closure1 goto BB0 } BB0 { - [#"../692.rs" 14 7 14 15] res <- ([#"../692.rs" 14 7 14 15] ([#"../692.rs" 14 7 14 8] field_00 _1) > ([#"../692.rs" 14 11 14 15] [#"../692.rs" 14 11 14 15] (7 : uint32))); - [#"../692.rs" 13 15 13 47] _0 <- ([#"../692.rs" 13 15 13 47] res); + [#"../692.rs" 14 7 14 15] res <- field_00 _1 > ([#"../692.rs" 14 11 14 15] (7 : uint32)); + [#"../692.rs" 13 15 13 47] _0 <- res; return _0 } 
@@ -319,7 +339,8 @@ module C692_ValidNormal = true val incorrect0 [#"../692.rs" 8 0 8 76] (cond : C692_ValidNormal_Closure1.c692_validnormal_closure1) (branch : C692_ValidNormal_Closure2.c692_validnormal_closure2) : () - requires {[#"../692.rs" 5 0 6 87] precondition0 cond () /\ (forall b : bool . precondition1 branch (b) /\ (exists b : bool . forall b0 : bool . postcondition0 cond () b0 -> b0 = b))} + requires {[#"../692.rs" 5 0 6 87] precondition0 cond () /\ (forall b : bool . precondition1 branch (b) /\ (exists b : bool . forall b0 : bool . postcondition0 cond () b0 + -> b0 = b))} requires {[#"../692.rs" 8 57 8 61] inv0 cond} requires {[#"../692.rs" 8 66 8 72] inv1 branch} ensures { [#"../692.rs" 7 10 7 15] false } 
@@ -341,19 +362,19 @@ module C692_ValidNormal goto BB0 } BB0 { - [#"../692.rs" 12 16 12 20] r <- ([#"../692.rs" 12 16 12 20] [#"../692.rs" 12 16 12 20] (0 : uint32)); - [#"../692.rs" 13 15 13 47] cond <- ([#"../692.rs" 13 15 13 47] C692_ValidNormal_Closure1.C692_ValidNormal_Closure1 ([#"../692.rs" 13 15 13 47] n)); + [#"../692.rs" 12 16 12 20] r <- ([#"../692.rs" 12 16 12 20] (0 : uint32)); + [#"../692.rs" 13 15 13 47] cond <- C692_ValidNormal_Closure1.C692_ValidNormal_Closure1 n; [#"../692.rs" 15 17 15 64] _7 <- Borrow.borrow_mut r; [#"../692.rs" 15 17 15 64] r <- ^ _7; - [#"../692.rs" 15 17 15 64] branch <- ([#"../692.rs" 15 17 15 64] C692_ValidNormal_Closure2.C692_ValidNormal_Closure2 _7); + [#"../692.rs" 15 17 15 64] branch <- C692_ValidNormal_Closure2.C692_ValidNormal_Closure2 _7; _7 <- any borrowed uint32; assume { resolve0 cond }; - [#"../692.rs" 17 4 17 27] _8 <- ([#"../692.rs" 17 4 17 27] incorrect0 ([#"../692.rs" 17 14 17 18] cond) ([#"../692.rs" 17 20 17 26] branch)); - [#"../692.rs" 17 20 17 26] branch <- any C692_ValidNormal_Closure2.c692_validnormal_closure2; + [#"../692.rs" 17 4 17 27] _8 <- ([#"../692.rs" 17 4 17 27] incorrect0 cond branch); + branch <- any C692_ValidNormal_Closure2.c692_validnormal_closure2; goto BB1 } BB1 { - [#"../692.rs" 18 4 18 5] _0 <- ([#"../692.rs" 18 4 18 5] r); + [#"../692.rs" 18 4 18 5] _0 <- r; return _0 } diff --git a/creusot/tests/should_fail/bug/695.mlcfg b/creusot/tests/should_fail/bug/695.mlcfg index a63365a0ce..bc33d15a90 100644 --- a/creusot/tests/should_fail/bug/695.mlcfg +++ b/creusot/tests/should_fail/bug/695.mlcfg 
@@ -38,7 +38,10 @@ module C695_InversedIf requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv4 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv3 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv4 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once1 self args res = (exists s : borrowed c . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv3 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv4 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once1 self args res = (exists s : borrowed c . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : c) (_2 : c) val unnest0 (self : c) (_2 : c) : bool ensures { result = unnest0 self _2 } 
@@ -52,13 +55,19 @@ module C695_InversedIf requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : c, b : c, c : c . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : c, b : c, c : c . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : c) : () val unnest_refl0 (self : c) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : c . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : c . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed c) (args : ()) (res : bool) : () val postcondition_mut_unnest0 (self : borrowed c) (args : ()) (res : bool) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -67,7 +76,11 @@ module C695_InversedIf requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv4 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv3 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv4 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv3 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv4 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant6 (self : borrowed c) val invariant6 (self : borrowed c) : bool ensures { result = invariant6 self } 
@@ -115,7 +128,10 @@ module C695_InversedIf requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv4 res} ensures { result = fn_once0 self args res } - axiom fn_once0_spec : forall self : c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv3 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv4 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once1 self args res = (resolve0 self /\ postcondition0 self args res)) + axiom fn_once0_spec : forall self : c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv3 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv4 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once1 self args res = (resolve0 self /\ postcondition0 self args res)) predicate resolve1 (self : borrowed c) = [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve1 (self : borrowed c) : bool 
@@ -128,7 +144,10 @@ module C695_InversedIf requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv4 res} ensures { result = fn_mut0 self args res } - axiom fn_mut0_spec : forall self : borrowed c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv3 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv4 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve1 self /\ postcondition0 ( * self) args res)) + axiom fn_mut0_spec : forall self : borrowed c, args : (), res : bool . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv3 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv4 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve1 self /\ postcondition0 ( * self) args res)) predicate invariant1 (self : b) val invariant1 (self : b) : bool ensures { result = invariant1 self } @@ -180,6 +199,9 @@ module C695_InversedIf var cond : c = cond; var branch : b = branch; var _5 : bool; + var _7 : (); + var _9 : bool; + var _11 : bool; { goto BB0 } @@ -190,7 +212,9 @@ module C695_InversedIf goto BB2 } BB2 { - [#"../695.rs" 7 8 7 14] _5 <- ([#"../695.rs" 7 8 7 14] call0 ([#"../695.rs" 7 8 7 12] cond) ([#"../695.rs" 7 8 7 14] ())); + [#"../695.rs" 7 8 7 14] _7 <- (); + [#"../695.rs" 7 8 7 14] _5 <- ([#"../695.rs" 7 8 7 14] call0 cond _7); + _7 <- any (); goto BB3 } BB3 { 
@@ -202,15 +226,19 @@ module C695_InversedIf BB4 { assert { [@expl:type invariant] inv0 cond }; assume { resolve0 cond }; - [#"../695.rs" 10 8 10 21] _0 <- ([#"../695.rs" 10 8 10 21] call_once0 ([#"../695.rs" 10 8 10 14] branch) ([#"../695.rs" 10 8 10 21] (([#"../695.rs" 10 15 10 20] [#"../695.rs" 10 15 10 20] false)))); - [#"../695.rs" 10 8 10 14] branch <- any b; + [#"../695.rs" 10 8 10 21] _11 <- (([#"../695.rs" 10 15 10 20] false)); + [#"../695.rs" 10 8 10 21] _0 <- ([#"../695.rs" 10 8 10 21] call_once0 branch _11); + branch <- any b; + _11 <- any bool; goto BB7 } BB5 { assert { [@expl:type invariant] inv0 cond }; assume { resolve0 cond }; - [#"../695.rs" 8 8 8 20] _0 <- ([#"../695.rs" 8 8 8 20] call_once0 ([#"../695.rs" 8 8 8 14] branch) ([#"../695.rs" 8 8 8 20] (([#"../695.rs" 8 15 8 19] [#"../695.rs" 8 15 8 19] true)))); - [#"../695.rs" 8 8 8 14] branch <- any b; + [#"../695.rs" 8 8 8 20] _9 <- (([#"../695.rs" 8 15 8 19] true)); + [#"../695.rs" 8 8 8 20] _0 <- ([#"../695.rs" 8 8 8 20] call_once0 branch _9); + branch <- any b; + _9 <- any bool; goto BB6 } BB6 { 
@@ -273,25 +301,25 @@ module C695_Valid_Closure2 goto BB0 } BB0 { - switch ([#"../695.rs" 20 21 20 22] b) + switch (b) | False -> goto BB2 | True -> goto BB1 end } BB1 { - [#"../695.rs" 20 25 20 26] _4 <- ([#"../695.rs" 20 25 20 26] [#"../695.rs" 20 25 20 26] (2 : uint32)); + [#"../695.rs" 20 25 20 26] _4 <- ([#"../695.rs" 20 25 20 26] (2 : uint32)); goto BB3 } BB2 { - [#"../695.rs" 20 36 20 37] _4 <- ([#"../695.rs" 20 36 20 37] [#"../695.rs" 20 36 20 37] (1 : uint32)); + [#"../695.rs" 20 36 20 37] _4 <- ([#"../695.rs" 20 36 20 37] (1 : uint32)); goto BB3 } BB3 { - [#"../695.rs" 20 14 20 39] _1 <- { _1 with current = (let C695_Valid_Closure2.C695_Valid_Closure2 x0 = * _1 in C695_Valid_Closure2.C695_Valid_Closure2 ({ (field_00 ( * _1)) with current = ([#"../695.rs" 20 14 20 39] _4) ; })) ; }; - [#"../695.rs" 20 14 20 39] _4 <- any uint32; + [#"../695.rs" 20 14 20 39] _1 <- { _1 with current = (let C695_Valid_Closure2.C695_Valid_Closure2 x0 = * _1 in C695_Valid_Closure2.C695_Valid_Closure2 ({ (field_00 ( * _1)) with current = _4 ; })) ; }; + _4 <- any uint32; assume { resolve0 _1 }; [#"../695.rs" 20 14 20 39] res <- ([#"../695.rs" 20 14 20 39] ()); - [#"../695.rs" 19 17 19 64] _0 <- ([#"../695.rs" 19 17 19 64] res); + [#"../695.rs" 19 17 19 64] _0 <- res; return _0 } @@ -327,8 +355,8 @@ module C695_Valid_Closure1 goto BB0 } BB0 { - [#"../695.rs" 18 7 18 15] res <- ([#"../695.rs" 18 7 18 15] ([#"../695.rs" 18 7 18 8] field_00 _1) > ([#"../695.rs" 18 11 18 15] [#"../695.rs" 18 11 18 15] (7 : uint32))); - [#"../695.rs" 17 15 17 47] _0 <- ([#"../695.rs" 17 15 17 47] res); + [#"../695.rs" 18 7 18 15] res <- field_00 _1 > ([#"../695.rs" 18 11 18 15] (7 : uint32)); + [#"../695.rs" 17 15 17 47] _0 <- res; return _0 } 
@@ -406,20 +434,20 @@ module C695_Valid goto BB0 } BB0 { - [#"../695.rs" 16 16 16 20] r <- ([#"../695.rs" 16 16 16 20] [#"../695.rs" 16 16 16 20] (0 : uint32)); - [#"../695.rs" 17 15 17 47] cond <- ([#"../695.rs" 17 15 17 47] C695_Valid_Closure1.C695_Valid_Closure1 ([#"../695.rs" 17 15 17 47] n)); + [#"../695.rs" 16 16 16 20] r <- ([#"../695.rs" 16 16 16 20] (0 : uint32)); + [#"../695.rs" 17 15 17 47] cond <- C695_Valid_Closure1.C695_Valid_Closure1 n; [#"../695.rs" 19 17 19 64] _7 <- Borrow.borrow_mut r; [#"../695.rs" 19 17 19 64] r <- ^ _7; - [#"../695.rs" 19 17 19 64] branch <- ([#"../695.rs" 19 17 19 64] C695_Valid_Closure2.C695_Valid_Closure2 _7); + [#"../695.rs" 19 17 19 64] branch <- C695_Valid_Closure2.C695_Valid_Closure2 _7; _7 <- any borrowed uint32; assume { resolve0 cond }; - [#"../695.rs" 21 4 21 29] _8 <- ([#"../695.rs" 21 4 21 29] inversed_if0 ([#"../695.rs" 21 16 21 20] cond) ([#"../695.rs" 21 22 21 28] branch)); - [#"../695.rs" 21 22 21 28] branch <- any C695_Valid_Closure2.c695_valid_closure2; + [#"../695.rs" 21 4 21 29] _8 <- ([#"../695.rs" 21 4 21 29] inversed_if0 cond branch); + branch <- any C695_Valid_Closure2.c695_valid_closure2; goto BB1 } BB1 { assert { [@expl:assertion] [#"../695.rs" 22 20 22 25] false }; - [#"../695.rs" 23 4 23 5] _0 <- ([#"../695.rs" 23 4 23 5] r); + [#"../695.rs" 23 4 23 5] _0 <- r; return _0 } diff --git a/creusot/tests/should_fail/bug/869.mlcfg b/creusot/tests/should_fail/bug/869.mlcfg index 2a9108e7b3..acbbc69fb9 100644 --- a/creusot/tests/should_fail/bug/869.mlcfg +++ b/creusot/tests/should_fail/bug/869.mlcfg 
@@ -1,59 +1,59 @@ module C869_Unsound - use prelude.Ghost + use prelude.Snapshot use prelude.Borrow - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - predicate resolve0 (self : borrowed (Ghost.ghost_ty bool)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self - val resolve0 (self : borrowed (Ghost.ghost_ty bool)) : bool + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + predicate resolve0 (self : borrowed (Snapshot.snap_ty bool)) = + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self + val resolve0 (self : borrowed (Snapshot.snap_ty bool)) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg unsound [#"../869.rs" 4 0 4 16] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); - var x : Ghost.ghost_ty bool; - var xm : borrowed (Ghost.ghost_ty bool); - var _4 : borrowed (Ghost.ghost_ty bool); - var b : borrowed (Ghost.ghost_ty bool); - var _6 : borrowed (Ghost.ghost_ty bool); - var bg : Ghost.ghost_ty (borrowed (Ghost.ghost_ty bool)); - var evil : borrowed (Ghost.ghost_ty bool); - var _12 : borrowed (Ghost.ghost_ty bool); - var _15 : Ghost.ghost_ty bool; + var x : Snapshot.snap_ty bool; + var xm : borrowed (Snapshot.snap_ty bool); + var _4 : borrowed (Snapshot.snap_ty bool); + var b : borrowed (Snapshot.snap_ty bool); + var _6 : borrowed (Snapshot.snap_ty bool); + var bg : Snapshot.snap_ty (borrowed (Snapshot.snap_ty bool)); + var evil : borrowed (Snapshot.snap_ty bool); + var _12 : borrowed (Snapshot.snap_ty bool); + var _15 : Snapshot.snap_ty bool; { goto BB0 } BB0 { - [#"../869.rs" 5 29 5 41] x <- ([#"../869.rs" 5 29 5 41] Ghost.new true); + [#"../869.rs" 5 32 5 50] x <- ([#"../869.rs" 5 32 5 50] Snapshot.new true); goto BB1 } BB1 { - [#"../869.rs" 7 31 7 37] _4 <- Borrow.borrow_mut x; - [#"../869.rs" 7 31 7 37] x <- ^ _4; - [#"../869.rs" 7 31 7 37] xm <- Borrow.borrow_final ( 
* _4) (Borrow.get_id _4); - [#"../869.rs" 7 31 7 37] _4 <- { _4 with current = ( ^ xm) ; }; + [#"../869.rs" 7 34 7 40] _4 <- Borrow.borrow_mut x; + [#"../869.rs" 7 34 7 40] x <- ^ _4; + [#"../869.rs" 7 34 7 40] xm <- Borrow.borrow_final ( * _4) (Borrow.get_id _4); + [#"../869.rs" 7 34 7 40] _4 <- { _4 with current = ( ^ xm) ; }; assume { resolve0 _4 }; - [#"../869.rs" 9 30 9 38] _6 <- Borrow.borrow_mut ( * xm); - [#"../869.rs" 9 30 9 38] xm <- { xm with current = ( ^ _6) ; }; - [#"../869.rs" 9 30 9 38] b <- Borrow.borrow_final ( * _6) (Borrow.get_id _6); - [#"../869.rs" 9 30 9 38] _6 <- { _6 with current = ( ^ b) ; }; + [#"../869.rs" 9 33 9 41] _6 <- Borrow.borrow_mut ( * xm); + [#"../869.rs" 9 33 9 41] xm <- { xm with current = ( ^ _6) ; }; + [#"../869.rs" 9 33 9 41] b <- Borrow.borrow_final ( * _6) (Borrow.get_id _6); + [#"../869.rs" 9 33 9 41] _6 <- { _6 with current = ( ^ b) ; }; assume { resolve0 b }; assume { resolve0 _6 }; - [#"../869.rs" 10 38 10 47] bg <- ([#"../869.rs" 10 38 10 47] Ghost.new b); + [#"../869.rs" 10 44 10 59] bg <- ([#"../869.rs" 10 44 10 59] Snapshot.new b); goto BB2 } BB2 { - assert { [@expl:assertion] [#"../869.rs" 11 20 11 50] Ghost.inner ( * Ghost.inner bg) = true /\ Ghost.inner ( ^ Ghost.inner bg) = true }; - [#"../869.rs" 13 33 13 41] _12 <- Borrow.borrow_final ( * xm) (Borrow.get_id xm); - [#"../869.rs" 13 33 13 41] xm <- { xm with current = ( ^ _12) ; }; - [#"../869.rs" 13 33 13 41] evil <- Borrow.borrow_final ( * _12) (Borrow.get_id _12); - [#"../869.rs" 13 33 13 41] _12 <- { _12 with current = ( ^ evil) ; }; + assert { [@expl:assertion] [#"../869.rs" 11 20 11 50] Snapshot.inner ( * Snapshot.inner bg) = true /\ Snapshot.inner ( ^ Snapshot.inner bg) = true }; + [#"../869.rs" 13 36 13 44] _12 <- Borrow.borrow_final ( * xm) (Borrow.get_id xm); + [#"../869.rs" 13 36 13 44] xm <- { xm with current = ( ^ _12) ; }; + [#"../869.rs" 13 36 13 44] evil <- Borrow.borrow_final ( * _12) (Borrow.get_id _12); + [#"../869.rs" 13 36 13 44] _12 <- { 
_12 with current = ( ^ evil) ; }; assume { resolve0 _12 }; - assert { [@expl:assertion] [#"../869.rs" 17 20 17 53] (evil = Ghost.inner bg) = (Ghost.inner ( ^ evil) = true) }; - [#"../869.rs" 18 12 18 58] _15 <- ([#"../869.rs" 18 12 18 58] Ghost.new (if evil = Ghost.inner bg then + assert { [@expl:assertion] [#"../869.rs" 17 20 17 53] (evil = Snapshot.inner bg) = (Snapshot.inner ( ^ evil) = true) }; + [#"../869.rs" 18 12 18 64] _15 <- ([#"../869.rs" 18 12 18 64] Snapshot.new (if evil = Snapshot.inner bg then false else true @@ -61,12 +61,12 @@ module C869_Unsound goto BB3 } BB3 { - [#"../869.rs" 18 4 18 58] evil <- { evil with current = ([#"../869.rs" 18 4 18 58] _15) ; }; - [#"../869.rs" 18 4 18 58] _15 <- any Ghost.ghost_ty bool; + [#"../869.rs" 18 4 18 64] evil <- { evil with current = _15 ; }; + _15 <- any Snapshot.snap_ty bool; assume { resolve0 evil }; assume { resolve0 xm }; - assert { [@expl:assertion] [#"../869.rs" 19 20 19 37] Ghost.inner ( * evil) = (not Ghost.inner ( ^ evil)) }; - assert { [@expl:assertion] [#"../869.rs" 20 20 20 37] Ghost.inner ( * evil) = (not Ghost.inner ( * evil)) }; + assert { [@expl:assertion] [#"../869.rs" 19 20 19 37] Snapshot.inner ( * evil) = (not Snapshot.inner ( ^ evil)) }; + assert { [@expl:assertion] [#"../869.rs" 20 20 20 37] Snapshot.inner ( * evil) = (not Snapshot.inner ( * evil)) }; [#"../869.rs" 4 17 21 1] _0 <- ([#"../869.rs" 4 17 21 1] ()); return _0 } diff --git a/creusot/tests/should_fail/bug/869.rs b/creusot/tests/should_fail/bug/869.rs index 968f0d43cc..1c03245f58 100644 --- a/creusot/tests/should_fail/bug/869.rs +++ b/creusot/tests/should_fail/bug/869.rs 
@@ -2,20 +2,20 @@ extern crate creusot_contracts; use creusot_contracts::*; pub fn unsound() { - let mut x: Ghost = gh! { true }; + let mut x: Snapshot = snapshot! { true }; // id(xm) = i1 - let xm: &mut Ghost = &mut x; + let xm: &mut Snapshot = &mut x; // Not final: id(b) = i2 - let b: &mut Ghost = &mut *xm; - let bg: Ghost<&mut Ghost> = gh! { b }; + let b: &mut Snapshot = &mut *xm; + let bg: Snapshot<&mut Snapshot> = snapshot! { b }; proof_assert! { ***bg == true && *^*bg == true }; // Final: id(evil) = i1 - let evil: &mut Ghost = &mut *xm; + let evil: &mut Snapshot = &mut *xm; // This proof_assert does not pass ! // Indeed evil != *bg (because the id do not match), which causes the next line to put `true` inside `*evil`. // And thus *^evil == true, disproving the assertion. proof_assert! { (evil == *bg) == (*^evil == true) }; - *evil = gh! { if evil == *bg { false } else { true } }; + *evil = snapshot! { if evil == *bg { false } else { true } }; proof_assert! { **evil == !*^evil }; proof_assert! { **evil == !**evil }; } diff --git a/creusot/tests/should_fail/bug/borrowed_ghost.rs b/creusot/tests/should_fail/bug/borrowed_ghost.rs index 7dee17a169..a76d4866e8 100644 --- a/creusot/tests/should_fail/bug/borrowed_ghost.rs +++ b/creusot/tests/should_fail/bug/borrowed_ghost.rs @@ -2,9 +2,9 @@ extern crate creusot_contracts; use creusot_contracts::*; pub fn use_borrowed() { - let mut x = gh! { true }; - let r = &mut x; // x = ?, r = (gh true, x) - *r = gh! { !x.inner() }; // r = (gh (not (inner x)), x) - // resolve r: x = gh (not (inner x)) + let mut x = snapshot! { true }; + let r = &mut x; // x = ?, r = (snapshot true, x) + *r = snapshot! { !x.inner() }; // r = (snapshot (not (inner x)), x) + // resolve r: x = snapshot (not (inner x)) proof_assert! { x.inner() == !x.inner() } // UNSOUND! } diff --git a/creusot/tests/should_fail/bug/borrowed_ghost.stderr b/creusot/tests/should_fail/bug/borrowed_ghost.stderr index bcd2ec41da..76c6baf1ba 100644 
--- a/creusot/tests/should_fail/bug/borrowed_ghost.stderr +++ b/creusot/tests/should_fail/bug/borrowed_ghost.stderr @@ -1,10 +1,10 @@ -error[creusot]: Use of borrowed variable x +error: Use of borrowed variable x --> borrowed_ghost.rs:7:10 | -7 | *r = gh! { !x.inner() }; // r = (gh (not (inner x)), x) - | ^^^^^^^^^^^^^^^^^^ +7 | *r = snapshot! { !x.inner() }; // r = (snapshot (not (inner x)), x) + | ^^^^^^^^^^^^^^^^^^^^^^^^ | - = note: this error originates in the macro `gh` (in Nightly builds, run with -Z macro-backtrace for more info) + = note: this error originates in the macro `snapshot` (in Nightly builds, run with -Z macro-backtrace for more info) -error: aborting due to previous error +error: aborting due to 1 previous error diff --git a/creusot/tests/should_fail/bug/specialize.mlcfg b/creusot/tests/should_fail/bug/specialize.mlcfg index 1168a6b820..78320ebb89 100644 --- a/creusot/tests/should_fail/bug/specialize.mlcfg +++ b/creusot/tests/should_fail/bug/specialize.mlcfg @@ -17,12 +17,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
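Review bot: The new expected line `+error: Use of borrowed variable x` drops the `[creusot]` error code that the old `error[creusot]:` form carried, and the same loss repeats in every .stderr fixture of this commit (builtin_with_contract, cycle, opaque, result_param, trait_item_types_mismatch). Without a code a Creusot-specific diagnostic is indistinguishable from an ordinary rustc error in editor and CI filters, and nothing in the diff says the drop is deliberate. If the diagnostics are now emitted through rustc's own error API, it is presumably possible to attach an explicit code so the line reads `error[creusot]: Use of borrowed variable x` again; that change belongs in the compiler crate, after which this fixture would be regenerated rather than hand-edited.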
@@ -56,8 +62,8 @@ module Specialize_F goto BB0 } BB0 { - [#"../specialize.rs" 22 4 22 9] _2 <- ([#"../specialize.rs" 22 4 22 9] x0 ([#"../specialize.rs" 22 4 22 5] v)); - [#"../specialize.rs" 22 4 22 5] v <- any Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global); + [#"../specialize.rs" 22 4 22 9] _2 <- ([#"../specialize.rs" 22 4 22 9] x0 v); + v <- any Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global); goto BB1 } BB1 { @@ -99,7 +105,8 @@ module Specialize_G requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -120,8 +127,8 @@ module Specialize_G goto BB0 } BB0 { - [#"../specialize.rs" 28 4 28 9] _2 <- ([#"../specialize.rs" 28 4 28 9] x0 ([#"../specialize.rs" 28 4 28 5] v)); - [#"../specialize.rs" 28 4 28 5] v <- any Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global); + [#"../specialize.rs" 28 4 28 9] _2 <- ([#"../specialize.rs" 28 4 28 9] x0 v); + v <- any Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global); goto BB1 } BB1 { @@ -164,7 +171,8 @@ module Specialize_H requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -185,8 +193,8 @@ module Specialize_H goto BB0 } BB0 { - [#"../specialize.rs" 35 4 35 9] _2 <- ([#"../specialize.rs" 35 4 35 9] x0 ([#"../specialize.rs" 35 4 35 5] v)); - [#"../specialize.rs" 35 4 35 5] v <- any Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global); + [#"../specialize.rs" 35 4 35 9] _2 <- ([#"../specialize.rs" 35 4 35 9] x0 v); + v <- any Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global); goto BB1 } BB1 { 
@@ -228,14 +236,16 @@ module Specialize_Impl0 requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec u (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec u (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec u (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec u (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = invariant0 self } axiom inv0 : forall x : Alloc_Vec_Vec_Type.t_vec u (Alloc_Alloc_Global_Type.t_global) . inv0 x = true - goal x_refn : [#"../specialize.rs" 12 4 12 22] forall self : Alloc_Vec_Vec_Type.t_vec u (Alloc_Alloc_Global_Type.t_global) . inv0 self -> inv0 self + goal x_refn : [#"../specialize.rs" 12 4 12 22] forall self : Alloc_Vec_Vec_Type.t_vec u (Alloc_Alloc_Global_Type.t_global) . inv0 self + -> inv0 self end module Specialize_Impl1 goal x_refn : [#"../specialize.rs" 18 4 18 14] true diff --git a/creusot/tests/should_fail/bug/subregion.mlcfg b/creusot/tests/should_fail/bug/subregion.mlcfg index 5f4eb60b5d..d2c2f0e23d 100644 --- a/creusot/tests/should_fail/bug/subregion.mlcfg 
+++ b/creusot/tests/should_fail/bug/subregion.mlcfg @@ -8,13 +8,14 @@ module Subregion_ListReversalH var _0 : usize; var l : usize = l; var r : usize; + var _7 : bool; var x : usize; var tmp : usize; { goto BB0 } BB0 { - [#"../subregion.rs" 4 16 4 17] r <- ([#"../subregion.rs" 4 16 4 17] [#"../subregion.rs" 4 16 4 17] (0 : usize)); + [#"../subregion.rs" 4 16 4 17] r <- ([#"../subregion.rs" 4 16 4 17] (0 : usize)); goto BB1 } BB1 { @@ -22,20 +23,21 @@ module Subregion_ListReversalH goto BB2 } BB2 { - switch ([#"../subregion.rs" 6 10 6 16] ([#"../subregion.rs" 6 10 6 11] l) <> ([#"../subregion.rs" 6 15 6 16] [#"../subregion.rs" 6 15 6 16] (0 : usize))) + [#"../subregion.rs" 6 10 6 16] _7 <- l <> ([#"../subregion.rs" 6 15 6 16] (0 : usize)); + switch (_7) | False -> goto BB4 | True -> goto BB3 end } BB3 { assert { [@expl:assertion] [#"../subregion.rs" 7 22 7 27] false }; - [#"../subregion.rs" 8 16 8 17] x <- ([#"../subregion.rs" 8 16 8 17] r); - [#"../subregion.rs" 9 18 9 19] tmp <- ([#"../subregion.rs" 9 18 9 19] l); - [#"../subregion.rs" 10 8 10 15] r <- ([#"../subregion.rs" 10 12 10 15] tmp); + [#"../subregion.rs" 8 16 8 17] x <- r; + [#"../subregion.rs" 9 18 9 19] tmp <- l; + [#"../subregion.rs" 10 8 10 15] r <- tmp; goto BB1 } BB4 { - [#"../subregion.rs" 13 11 13 12] _0 <- ([#"../subregion.rs" 13 11 13 12] r); + [#"../subregion.rs" 13 11 13 12] _0 <- r; return _0 } diff --git a/creusot/tests/should_fail/builtin_with_contract.rs b/creusot/tests/should_fail/builtin_with_contract.rs index 13658b1e8a..1490467a70 100644 --- a/creusot/tests/should_fail/builtin_with_contract.rs +++ b/creusot/tests/should_fail/builtin_with_contract.rs @@ -1,7 +1,7 @@ extern crate creusot_contracts; use creusot_contracts::*; -#[ghost] +#[logic] #[ensures(true && false)] #[creusot::builtins = "dummy_function"] fn builtin_with_contract() {} 
diff --git a/creusot/tests/should_fail/builtin_with_contract.stderr b/creusot/tests/should_fail/builtin_with_contract.stderr index 58eef5563c..6f21779170 100644 --- a/creusot/tests/should_fail/builtin_with_contract.stderr +++ b/creusot/tests/should_fail/builtin_with_contract.stderr @@ -6,11 +6,11 @@ warning: function `builtin_with_contract` is never used | = note: `#[warn(dead_code)]` on by default -error[creusot]: cannot specify both `creusot::builtins` and a contract on the same definition +error: cannot specify both `creusot::builtins` and a contract on the same definition --> builtin_with_contract.rs:7:1 | 7 | fn builtin_with_contract() {} | ^^^^^^^^^^^^^^^^^^^^^^^^^^ -error: aborting due to previous error; 1 warning emitted +error: aborting due to 1 previous error; 1 warning emitted diff --git a/creusot/tests/should_fail/cycle.stderr b/creusot/tests/should_fail/cycle.stderr index 9f42165bfa..fe70dfa749 100644 --- a/creusot/tests/should_fail/cycle.stderr +++ b/creusot/tests/should_fail/cycle.stderr @@ -6,11 +6,11 @@ warning: unused import: `creusot_contracts::*` | = note: `#[warn(unused_imports)]` on by default -error[creusot]: encountered a cycle during translation: [{Item(DefId(0:5 ~ cycle[28d6]::f))}, {Item(DefId(0:6 ~ cycle[28d6]::g))}, {Item(DefId(0:5 ~ cycle[28d6]::f))}] +error: encountered a cycle during translation: [{Item(DefId(0:5 ~ cycle[4e30]::f))}, {Item(DefId(0:6 ~ cycle[4e30]::g))}, {Item(DefId(0:5 ~ cycle[4e30]::f))}] --> cycle.rs:4:1 | 4 | pub fn f() { | ^^^^^^^^^^ -error: aborting due to previous error; 1 warning emitted +error: aborting due to 1 previous error; 1 warning emitted diff --git a/creusot/tests/should_fail/final_borrows.mlcfg b/creusot/tests/should_fail/final_borrows.mlcfg index 840ff5d640..207a4125e8 100644 --- a/creusot/tests/should_fail/final_borrows.mlcfg +++ b/creusot/tests/should_fail/final_borrows.mlcfg 
@@ -106,8 +106,8 @@ module FinalBorrows_StoreChangesProphecy goto BB1 } BB1 { - [#"../final_borrows.rs" 14 4 14 8] bor <- { bor with current = ([#"../final_borrows.rs" 14 11 14 12] x) ; }; - [#"../final_borrows.rs" 14 11 14 12] x <- any t; + [#"../final_borrows.rs" 14 4 14 8] bor <- { bor with current = x ; }; + x <- any t; assert { [@expl:type invariant] inv0 ( * bor) }; assume { resolve1 ( * bor) }; assert { [@expl:type invariant] inv1 bor }; @@ -134,7 +134,7 @@ module FinalBorrows_CallChangesProphecy_Inner goto BB0 } BB0 { - [#"../final_borrows.rs" 20 8 20 9] _0 <- ([#"../final_borrows.rs" 20 8 20 9] [#"../final_borrows.rs" 20 8 20 9] (2 : int32)); + [#"../final_borrows.rs" 20 8 20 9] _0 <- ([#"../final_borrows.rs" 20 8 20 9] (2 : int32)); return _0 } @@ -163,12 +163,12 @@ module FinalBorrows_CallChangesProphecy [#"../final_borrows.rs" 22 13 22 22] b1 <- Borrow.borrow_final ( * bor) (Borrow.get_id bor); [#"../final_borrows.rs" 22 13 22 22] bor <- { bor with current = ( ^ b1) ; }; assume { resolve0 b1 }; - [#"../final_borrows.rs" 24 11 24 18] _3 <- ([#"../final_borrows.rs" 24 11 24 18] inner0 ()); + [#"../final_borrows.rs" 24 11 24 18] _3 <- ([#"../final_borrows.rs" 24 11 24 18] inner0 ([#"../final_borrows.rs" 24 11 24 18] ())); goto BB1 } BB1 { - [#"../final_borrows.rs" 24 4 24 18] bor <- { bor with current = ([#"../final_borrows.rs" 24 4 24 18] _3) ; }; - [#"../final_borrows.rs" 24 4 24 18] _3 <- any int32; + [#"../final_borrows.rs" 24 4 24 18] bor <- { bor with current = _3 ; }; + _3 <- any int32; assume { resolve0 bor }; assert { [@expl:assertion] [#"../final_borrows.rs" 25 18 25 27] b1 = bor }; [#"../final_borrows.rs" 18 44 26 1] _0 <- ([#"../final_borrows.rs" 18 44 26 1] ()); 
@@ -322,7 +322,8 @@ module FinalBorrows_Indexing requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv5 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv5 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) function index_logic1 [@inline:trivial] (self : slice t) (ix : int) : t = [#"../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model1 self) ix val index_logic1 [@inline:trivial] (self : slice t) (ix : int) : t 
@@ -339,7 +340,10 @@ module FinalBorrows_Indexing requires {[#"../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv2 self} ensures { result = to_mut_seq0 self } - axiom to_mut_seq0_spec : forall self : borrowed (slice t) . ([#"../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv2 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv3 (to_mut_seq0 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> ^ Seq.get (to_mut_seq0 self) i = index_logic1 ( ^ self) i) && ([#"../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> * Seq.get (to_mut_seq0 self) i = index_logic1 ( * self) i) && ([#"../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model0 self)) + axiom to_mut_seq0_spec : forall self : borrowed (slice t) . ([#"../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv3 (to_mut_seq0 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> ^ Seq.get (to_mut_seq0 self) i = index_logic1 ( ^ self) i) && ([#"../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> * Seq.get (to_mut_seq0 self) i = index_logic1 ( * self) i) && ([#"../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model0 self)) predicate resolve1 (self : borrowed (slice t)) = [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve1 (self : borrowed (slice t)) : bool 
@@ -362,13 +366,15 @@ module FinalBorrows_Indexing var _2 : borrowed t; var _5 : borrowed t; var _6 : usize; + var _7 : usize; var _8 : bool; { goto BB0 } BB0 { - [#"../final_borrows.rs" 38 11 38 12] _6 <- ([#"../final_borrows.rs" 38 11 38 12] [#"../final_borrows.rs" 38 11 38 12] (0 : usize)); - [#"../final_borrows.rs" 38 9 38 13] _8 <- ([#"../final_borrows.rs" 38 9 38 13] _6 < ([#"../final_borrows.rs" 38 9 38 13] Slice.length ( * x))); + [#"../final_borrows.rs" 38 11 38 12] _6 <- ([#"../final_borrows.rs" 38 11 38 12] (0 : usize)); + [#"../final_borrows.rs" 38 9 38 13] _7 <- Slice.length ( * x); + [#"../final_borrows.rs" 38 9 38 13] _8 <- _6 < _7; assert { [@expl:index in bounds] [#"../final_borrows.rs" 38 9 38 13] _8 }; goto BB1 } diff --git a/creusot/tests/should_fail/ghost_mapping.rs b/creusot/tests/should_fail/ghost_mapping.rs index d351972ab3..9fdb87b0d4 100644 --- a/creusot/tests/should_fail/ghost_mapping.rs +++ b/creusot/tests/should_fail/ghost_mapping.rs @@ -1,22 +1,22 @@ extern crate creusot_contracts; use creusot_contracts::{logic::Mapping, *}; -#[logic] +#[logic(prophetic)] fn f(x: &mut i32) -> Mapping<(), i32> { pearlite! { |_| ^x } } -#[ghost] +#[logic] fn g(x: &mut i32) -> Mapping<(), i32> { pearlite! { |_| ^x } } -#[logic] +#[logic(prophetic)] fn h(y: &mut i32) -> bool { pearlite! { forall<_x:Int> ^y == 1i32 } } -#[ghost] +#[logic] fn i(y: &mut i32) -> bool { pearlite! { forall<_x:Int> ^y == 1i32 } } diff --git a/creusot/tests/should_fail/ghost_mapping.stderr b/creusot/tests/should_fail/ghost_mapping.stderr index 7d6ce9aaa4..7ca25d53d6 100644 --- a/creusot/tests/should_fail/ghost_mapping.stderr +++ b/creusot/tests/should_fail/ghost_mapping.stderr @@ -1,4 +1,4 @@ -error[creusot]: called Logic function in Ghost context "creusot_contracts::__stubs::fin" +error: called Logic { prophetic: true } function in Logic { prophetic: false } context "creusot_contracts::__stubs::fin" --> ghost_mapping.rs:11:5 | 11 | pearlite! { |_| ^x } 
@@ -6,7 +6,7 @@ error[creusot]: called Logic function in Ghost context "creusot_contracts::__stu | = note: this error originates in the macro `pearlite` (in Nightly builds, run with -Z macro-backtrace for more info) -error[creusot]: called Logic function in Ghost context "creusot_contracts::__stubs::fin" +error: called Logic { prophetic: true } function in Logic { prophetic: false } context "creusot_contracts::__stubs::fin" --> ghost_mapping.rs:21:5 | 21 | pearlite! { forall<_x:Int> ^y == 1i32 } diff --git a/creusot/tests/should_fail/impure_functions.rs b/creusot/tests/should_fail/impure_functions.rs index 29f4a5ab2a..a5869b7572 100644 --- a/creusot/tests/should_fail/impure_functions.rs +++ b/creusot/tests/should_fail/impure_functions.rs @@ -1,7 +1,7 @@ extern crate creusot_contracts; use creusot_contracts::{logic::*, *}; -#[ghost] +#[logic] fn x(v: &Vec) -> Int { pearlite! { v.len()@ } } diff --git a/creusot/tests/should_fail/impure_functions.stderr b/creusot/tests/should_fail/impure_functions.stderr index 34403eb4d8..c721f9399a 100644 --- a/creusot/tests/should_fail/impure_functions.stderr +++ b/creusot/tests/should_fail/impure_functions.stderr @@ -1,10 +1,10 @@ -error[creusot]: called Program function in Ghost context "std::vec::Vec::::len" +error: called Program function in Logic { prophetic: false } context "std::vec::Vec::::len" --> impure_functions.rs:6:19 | 6 | pearlite! { v.len()@ } | ^^^ -error[creusot]: called Ghost function in Program context "x" +error: called Logic { prophetic: false } function in Program context "x" --> impure_functions.rs:10:13 | 10 | let _ = x(&Vec::<()>::new()); diff --git a/creusot/tests/should_fail/inexhaustive_match.stderr b/creusot/tests/should_fail/inexhaustive_match.stderr index 3bc07f1411..e8100ecbd2 100644 --- a/creusot/tests/should_fail/inexhaustive_match.stderr +++ b/creusot/tests/should_fail/inexhaustive_match.stderr 
@@ -5,12 +5,12 @@ error[E0004]: non-exhaustive patterns: `Option::Some(_)` not covered | ^ pattern `Option::Some(_)` not covered | note: `Option<()>` defined here - --> inexhaustive_match.rs:2:5 + --> inexhaustive_match.rs:1:6 | 1 | enum Option { - | ------ + | ^^^^^^ 2 | Some(T), - | ^^^^ not covered + | ---- not covered = note: the matched value is of type `Option<()>` help: ensure that all possible cases are being handled by adding a match arm with a wildcard pattern or an explicit pattern as shown | @@ -18,6 +18,6 @@ help: ensure that all possible cases are being handled by adding a match arm wit 10~ Option::Some(_) => todo!(), | -error: aborting due to previous error +error: aborting due to 1 previous error For more information about this error, try `rustc --explain E0004`. diff --git a/creusot/tests/should_fail/infinite_size.stderr b/creusot/tests/should_fail/infinite_size.stderr index d364f2e341..c9387c6d49 100644 --- a/creusot/tests/should_fail/infinite_size.stderr +++ b/creusot/tests/should_fail/infinite_size.stderr @@ -12,6 +12,6 @@ help: insert some indirection (e.g., a `Box`, `Rc`, or `&`) to break the cycle 2 ~ struct Tree2(Box); | -error: aborting due to previous error +error: aborting due to 1 previous error For more information about this error, try `rustc --explain E0072`. diff --git a/creusot/tests/should_fail/logic_ghost_impl.stderr b/creusot/tests/should_fail/logic_ghost_impl.stderr deleted file mode 100644 index 6f05bea770..0000000000 --- a/creusot/tests/should_fail/logic_ghost_impl.stderr +++ /dev/null @@ -1,9 +0,0 @@ -Logic != Ghost -error[creusot]: Expected `f` to be a ghost function as specified by the trait declaration - --> logic_ghost_impl.rs:11:5 - | -11 | fn f() { - | ^^^^^^ - -error: aborting due to previous error - 
diff --git a/creusot/tests/should_fail/logic_ghost_impl.rs b/creusot/tests/should_fail/logic_prophetic_impl.rs similarity index 85% rename from creusot/tests/should_fail/logic_ghost_impl.rs rename to creusot/tests/should_fail/logic_prophetic_impl.rs index 40ab38e93c..f71bb2a3d0 100644 --- a/creusot/tests/should_fail/logic_ghost_impl.rs +++ b/creusot/tests/should_fail/logic_prophetic_impl.rs @@ -7,7 +7,7 @@ trait T { } impl T for () { - #[ghost] + #[logic(prophetic)] fn f() { () } diff --git a/creusot/tests/should_fail/logic_prophetic_impl.stderr b/creusot/tests/should_fail/logic_prophetic_impl.stderr new file mode 100644 index 0000000000..402d6fba87 --- /dev/null +++ b/creusot/tests/should_fail/logic_prophetic_impl.stderr @@ -0,0 +1,8 @@ +error: Expected `f` to be a logic function as specified by the trait declaration + --> logic_prophetic_impl.rs:11:5 + | +11 | fn f() { + | ^^^^^^ + +error: aborting due to 1 previous error + diff --git a/creusot/tests/should_fail/non_bool_assertion.stderr b/creusot/tests/should_fail/non_bool_assertion.stderr index a4a3e57609..dd767348d8 100644 --- a/creusot/tests/should_fail/non_bool_assertion.stderr +++ b/creusot/tests/should_fail/non_bool_assertion.stderr @@ -4,7 +4,7 @@ error[E0308]: mismatched types 5 | proof_assert! { 1 }; | ^ expected `bool`, found `Int` -error[creusot]: internal error +error: internal error error: aborting due to 2 previous errors diff --git a/creusot/tests/should_fail/opaque.stderr b/creusot/tests/should_fail/opaque.stderr index bf7c194d19..a8859efbec 100644 --- a/creusot/tests/should_fail/opaque.stderr +++ b/creusot/tests/should_fail/opaque.stderr 
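Review bot: The new message `Expected `f` to be a logic function as specified by the trait declaration` is misleading for this test, because the impl's `f` is already marked `#[logic(prophetic)]` in the .rs hunk above: it is a logic function, just a prophetic one, and the message does not say which property is wrong. Wording it as `Expected `f` to be a non-prophetic logic function as specified by the trait declaration`, or naming both sides (`trait declares a logic function, impl provides a prophetic logic function`), would let the user see the fix at a glance. The trait's own attribute on `f` is outside the hunk, so that it is plain `#[logic]` is inferred from the error text. Dropping the old stray `Logic != Ghost` debug line from the fixture is an improvement; the wording change is compiler-side, so this expected-output file would be regenerated.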
@@ -1,8 +1,8 @@ -error[creusot]: Cannot make `"x::priv_symbol"` transparent in `"x::bad"` as it would call a less-visible item. +error: Cannot make `"x::priv_symbol"` transparent in `"x::bad"` as it would call a less-visible item. --> opaque.rs:17:9 | 17 | priv_symbol() | ^^^^^^^^^^^^^ -error: aborting due to previous error +error: aborting due to 1 previous error diff --git a/creusot/tests/should_fail/result_param.stderr b/creusot/tests/should_fail/result_param.stderr index 823425bfaa..be444a0e04 100644 --- a/creusot/tests/should_fail/result_param.stderr +++ b/creusot/tests/should_fail/result_param.stderr @@ -6,11 +6,11 @@ warning: function `result_arg` is never used | = note: `#[warn(dead_code)]` on by default -error[creusot]: `result` is not allowed as a parameter name +error: `result` is not allowed as a parameter name --> result_param.rs:6:15 | 6 | fn result_arg(result: u32) {} | ^^^^^^ -error: aborting due to previous error; 1 warning emitted +error: aborting due to 1 previous error; 1 warning emitted diff --git a/creusot/tests/should_fail/trait_item_types_mismatch.stderr b/creusot/tests/should_fail/trait_item_types_mismatch.stderr index 9839639a5c..1f37ed9dda 100644 --- a/creusot/tests/should_fail/trait_item_types_mismatch.stderr +++ b/creusot/tests/should_fail/trait_item_types_mismatch.stderr @@ -1,11 +1,10 @@ -error[creusot]: Expected implementation of trait `Trusted` for `()` to be marked as `#[trusted]` +error: Expected implementation of trait `Trusted` for `()` to be marked as `#[trusted]` --> trait_item_types_mismatch.rs:7:1 | 7 | impl Trusted for () {} | ^^^^^^^^^^^^^^^^^^^ -Predicate != Program -error[creusot]: Expected `my_predicate` to be a program function as specified by the trait declaration +error: Expected `my_predicate` to be a predicate as specified by the trait declaration --> trait_item_types_mismatch.rs:17:5 | 17 | fn my_predicate() -> bool { 
diff --git a/creusot/tests/should_fail/traits/17_impl_refinement.mlcfg b/creusot/tests/should_fail/traits/17_impl_refinement.mlcfg index a5c6b6a316..d1733c93df 100644 --- a/creusot/tests/should_fail/traits/17_impl_refinement.mlcfg +++ b/creusot/tests/should_fail/traits/17_impl_refinement.mlcfg @@ -14,7 +14,7 @@ module C17ImplRefinement_Impl0_MyFunction goto BB0 } BB0 { - [#"../17_impl_refinement.rs" 15 8 15 10] _0 <- ([#"../17_impl_refinement.rs" 15 8 15 10] [#"../17_impl_refinement.rs" 15 8 15 10] (20 : usize)); + [#"../17_impl_refinement.rs" 15 8 15 10] _0 <- ([#"../17_impl_refinement.rs" 15 8 15 10] (20 : usize)); return _0 } @@ -23,11 +23,9 @@ module C17ImplRefinement_Impl1_NeedFalse_Impl use prelude.UInt64 use prelude.Int use prelude.UInt64 - let rec ghost function need_false [#"../17_impl_refinement.rs" 29 4 29 25] (y : uint64) : () - requires {[#"../17_impl_refinement.rs" 28 15 28 23] UInt64.to_int y >= 15} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../17_impl_refinement.rs" 27 4 27 12] () + constant y : uint64 + function need_false [#"../17_impl_refinement.rs" 29 4 29 25] (y : uint64) : () + goal vc_need_false : true end module C17ImplRefinement_Impl0 predicate invariant0 (self : ()) = 
@@ -44,11 +42,13 @@ module C17ImplRefinement_Impl0 use prelude.UIntSize use prelude.Int use prelude.Borrow - goal my_function_refn : [#"../17_impl_refinement.rs" 14 4 14 34] forall self : () . inv0 self -> (forall result : usize . UIntSize.to_int result >= 15 -> UIntSize.to_int result >= 10) + goal my_function_refn : [#"../17_impl_refinement.rs" 14 4 14 34] forall self : () . inv0 self + -> (forall result : usize . UIntSize.to_int result >= 15 -> UIntSize.to_int result >= 10) end module C17ImplRefinement_Impl1 use prelude.UInt64 use prelude.UInt64 use prelude.Int - goal need_false_refn : [#"../17_impl_refinement.rs" 29 4 29 25] forall x : uint64 . UInt64.to_int x >= 10 -> UInt64.to_int x >= 15 + goal need_false_refn : [#"../17_impl_refinement.rs" 29 4 29 25] forall x : uint64 . UInt64.to_int x >= 10 + -> UInt64.to_int x >= 15 end diff --git a/creusot/tests/should_fail/traits/17_impl_refinement.rs b/creusot/tests/should_fail/traits/17_impl_refinement.rs index 47720c14e7..e80c05fb31 100644 --- a/creusot/tests/should_fail/traits/17_impl_refinement.rs +++ b/creusot/tests/should_fail/traits/17_impl_refinement.rs @@ -17,14 +17,14 @@ impl Tr for () { } trait ReqFalse { - #[ghost] + #[logic] #[requires(x@ >= 10)] fn need_false(x: u64) -> (); } impl ReqFalse for () { // This should not prove - #[ghost] + #[logic] #[requires(y@ >= 15)] fn need_false(y: u64) {} } diff --git a/creusot/tests/should_fail/unsafe.stderr b/creusot/tests/should_fail/unsafe.stderr index 6d434cf550..a6991069fb 100644 --- a/creusot/tests/should_fail/unsafe.stderr +++ b/creusot/tests/should_fail/unsafe.stderr @@ -6,7 +6,7 @@ warning: unused import: `std::*` | = note: `#[warn(unused_imports)]` on by default -error[E0133]: call to unsafe function is unsafe and requires unsafe function or block +error[E0133]: call to unsafe function `evil` is unsafe and requires unsafe function or block --> unsafe.rs:8:5 | 8 | evil(); 
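Review bot: The `// This should not prove` comment on the `ReqFalse` impl does not say why, and with `#[ghost]` replaced by `#[logic]` the reason is worth stating: the impl requires `y@ >= 15` while the trait only requires `x@ >= 10`, so the impl strengthens the precondition and the refinement obligation (`x@ >= 10` implies `x@ >= 15`, visible as `need_false_refn` in the regenerated mlcfg above) cannot hold. Suggested wording: `// This should not prove: the impl strengthens the trait's precondition (y@ >= 15 vs x@ >= 10), which refinement forbids.` Note that the regenerated translation of the impl function itself now emits `goal vc_need_false : true` with no `requires`, so this test's expected failure rests entirely on the separate refinement goal; that looks intended but is worth confirming.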
@@ -14,6 +14,6 @@ error[E0133]: call to unsafe function is unsafe and requires unsafe function or | = note: consult the function's documentation for information on how to avoid undefined behavior -error: aborting due to previous error; 1 warning emitted +error: aborting due to 1 previous error; 1 warning emitted For more information about this error, try `rustc --explain E0133`. diff --git a/creusot/tests/should_fail/unsupported_binary_operations.stderr b/creusot/tests/should_fail/unsupported_binary_operations.stderr index 96bae836cf..946e52a769 100644 --- a/creusot/tests/should_fail/unsupported_binary_operations.stderr +++ b/creusot/tests/should_fail/unsupported_binary_operations.stderr @@ -18,11 +18,11 @@ warning: function `bit_xor` is never used 11 | fn bit_xor(a: u32, b: u32) -> u32 { | ^^^^^^^ -error[creusot]: bitwise operations are currently unsupported +error: bitwise operations are currently unsupported --> unsupported_binary_operations.rs:4:5 | 4 | a & b | ^^^^^ -error: aborting due to previous error; 3 warnings emitted +error: aborting due to 1 previous error; 3 warnings emitted diff --git a/creusot/tests/should_succeed/100doors.mlcfg b/creusot/tests/should_succeed/100doors.mlcfg index 9f8fcc0d88..630aa7689f 100644 --- a/creusot/tests/should_succeed/100doors.mlcfg +++ b/creusot/tests/should_succeed/100doors.mlcfg @@ -30,12 +30,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
@@ -174,7 +180,8 @@ module C100doors_F requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv3 (shallow_model0 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -207,7 +214,9 @@ module C100doors_F predicate produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces0 self visited o } 
@@ -223,23 +232,31 @@ module C100doors_F requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv11 ab) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv11 bc) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv11 ab) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv11 bc) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : Core_Ops_Range_Range_Type.t_range usize) = [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant0 (self : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = invariant0 self } axiom inv0 : forall x : Core_Ops_Range_Range_Type.t_range usize . 
inv0 x = true - use prelude.Ghost + use prelude.Snapshot predicate resolve3 (self : bool) = - [#"../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true + [#"../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve3 (self : bool) : bool ensures { result = resolve3 self } @@ -252,18 +269,20 @@ module C100doors_F ensures { result = index_logic0 self ix } predicate resolve2 (self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve3 (index_logic0 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve3 (index_logic0 self i) val resolve2 (self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve2 self } predicate resolve1 (self : borrowed bool) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed bool) : bool ensures { result = resolve1 self } use prelude.Slice predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq bool) (fin : Seq.seq bool) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq bool) (fin : Seq.seq bool) : bool ensures { result = resolve_elswhere0 self old' fin } 
@@ -280,7 +299,7 @@ module C100doors_F function shallow_model3 (self : borrowed (Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global))) : Seq.seq bool = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model0 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model0 ( * self) val shallow_model3 (self : borrowed (Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global))) : Seq.seq bool ensures { result = shallow_model3 self } @@ -295,7 +314,7 @@ module C100doors_F ensures { inv10 result } function shallow_model2 (self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global)) : Seq.seq bool = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model0 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model0 self val shallow_model2 (self : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global)) : Seq.seq bool ensures { result = shallow_model2 self } @@ -308,7 +327,7 @@ module C100doors_F use seq.Seq predicate resolve0 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) : bool ensures { result = resolve0 self } @@ -325,10 +344,10 @@ module C100doors_F end } ensures { inv5 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_Range_Type.t_range usize) (res : Core_Ops_Range_Range_Type.t_range usize) = 
@@ -350,7 +369,8 @@ module C100doors_F val from_elem0 (elem : bool) (n : usize) : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global) requires {inv1 elem} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model0 result) = UIntSize.to_int n } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic0 result i = elem } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n + -> index_logic0 result i = elem } ensures { inv2 result } let rec cfg f [#"../100doors.rs" 18 0 18 10] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () 
@@ -358,36 +378,42 @@ module C100doors_F var _0 : (); var door_open : Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global); var iter : Core_Ops_Range_Range_Type.t_range usize; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range usize); - var produced : Ghost.ghost_ty (Seq.seq usize); + var _3 : Core_Ops_Range_Range_Type.t_range usize; + var iter_old : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range usize); + var produced : Snapshot.snap_ty (Seq.seq usize); var _11 : (); var _12 : Core_Option_Option_Type.t_option usize; var _13 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var _14 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var __creusot_proc_iter_elem : usize; - var _17 : Ghost.ghost_ty (Seq.seq usize); + var _17 : Snapshot.snap_ty (Seq.seq usize); var pass : usize; var door : usize; + var _23 : bool; var _26 : bool; + var _28 : usize; var _30 : borrowed bool; var _31 : borrowed (Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global)); + var _32 : usize; { goto BB0 } BB0 { - [#"../../../../creusot-contracts/src/lib.rs" 196 8 196 40] door_open <- ([#"../100doors.rs" 19 35 19 51] from_elem0 ([#"../100doors.rs" 19 40 19 45] [#"../100doors.rs" 19 40 19 45] false) ([#"../100doors.rs" 19 47 19 50] [#"../100doors.rs" 19 47 19 50] (100 : usize))); + [#"../100doors.rs" 19 35 19 51] door_open <- ([#"../100doors.rs" 19 35 19 51] from_elem0 ([#"../100doors.rs" 19 40 19 45] false) ([#"../100doors.rs" 19 47 19 50] (100 : usize))); goto BB1 } BB1 { - [#"../100doors.rs" 20 4 20 41] iter <- ([#"../100doors.rs" 20 4 20 41] into_iter0 ([#"../100doors.rs" 21 16 21 22] Core_Ops_Range_Range_Type.C_Range ([#"../100doors.rs" 21 16 21 17] [#"../100doors.rs" 21 16 21 17] (1 : usize)) ([#"../100doors.rs" 21 19 21 22] [#"../100doors.rs" 21 19 21 22] (101 : usize)))); + [#"../100doors.rs" 21 16 21 22] _3 <- Core_Ops_Range_Range_Type.C_Range ([#"../100doors.rs" 21 16 21 17] (1 : usize)) ([#"../100doors.rs" 21 19 21 22] (101 : usize)); + 
[#"../100doors.rs" 20 4 20 41] iter <- ([#"../100doors.rs" 20 4 20 41] into_iter0 _3); + _3 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB2 } BB2 { - [#"../100doors.rs" 20 4 20 41] iter_old <- ([#"../100doors.rs" 20 4 20 41] Ghost.new iter); + [#"../100doors.rs" 20 4 20 41] iter_old <- ([#"../100doors.rs" 20 4 20 41] Snapshot.new iter); goto BB3 } BB3 { - [#"../100doors.rs" 20 4 20 41] produced <- ([#"../100doors.rs" 20 4 20 41] Ghost.new (Seq.empty )); + [#"../100doors.rs" 20 4 20 41] produced <- ([#"../100doors.rs" 20 4 20 41] Snapshot.new (Seq.empty )); goto BB4 } BB4 { @@ -398,7 +424,7 @@ module C100doors_F } BB6 { invariant { [#"../100doors.rs" 20 4 20 41] inv0 iter }; - invariant { [#"../100doors.rs" 20 4 20 41] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; + invariant { [#"../100doors.rs" 20 4 20 41] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; invariant { [#"../100doors.rs" 20 16 20 39] Seq.length (shallow_model0 door_open) = 100 }; goto BB7 } 
@@ -432,15 +458,15 @@ module C100doors_F absurd } BB12 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _12); - [#"../100doors.rs" 20 4 20 41] _17 <- ([#"../100doors.rs" 20 4 20 41] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _12; + [#"../100doors.rs" 20 4 20 41] _17 <- ([#"../100doors.rs" 20 4 20 41] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB13 } BB13 { - [#"../100doors.rs" 20 4 20 41] produced <- ([#"../100doors.rs" 20 4 20 41] _17); - [#"../100doors.rs" 20 4 20 41] _17 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] pass <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem); - [#"../100doors.rs" 22 30 22 34] door <- ([#"../100doors.rs" 22 30 22 34] pass); + [#"../100doors.rs" 20 4 20 41] produced <- _17; + _17 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] pass <- __creusot_proc_iter_elem; + [#"../100doors.rs" 22 30 22 34] door <- pass; goto BB14 } BB14 { 
@@ -452,26 +478,31 @@ module C100doors_F goto BB16 } BB16 { - switch ([#"../100doors.rs" 25 14 25 25] ([#"../100doors.rs" 25 14 25 18] door) <= ([#"../100doors.rs" 25 22 25 25] [#"../100doors.rs" 25 22 25 25] (100 : usize))) + [#"../100doors.rs" 25 14 25 25] _23 <- door <= ([#"../100doors.rs" 25 22 25 25] (100 : usize)); + switch (_23) | False -> goto BB20 | True -> goto BB17 end } BB17 { - [#"../100doors.rs" 26 44 26 54] _26 <- ([#"../100doors.rs" 26 44 26 54] index0 ([#"../100doors.rs" 26 35 26 44] door_open) ([#"../100doors.rs" 26 45 26 53] ([#"../100doors.rs" 26 45 26 49] door) - ([#"../100doors.rs" 26 52 26 53] [#"../100doors.rs" 26 52 26 53] (1 : usize)))); + [#"../100doors.rs" 26 45 26 53] _28 <- door - ([#"../100doors.rs" 26 52 26 53] (1 : usize)); + [#"../100doors.rs" 26 44 26 54] _26 <- ([#"../100doors.rs" 26 44 26 54] index0 door_open _28); + _28 <- any usize; goto BB18 } BB18 { [#"../100doors.rs" 26 12 26 21] _31 <- Borrow.borrow_mut door_open; [#"../100doors.rs" 26 12 26 21] door_open <- ^ _31; - [#"../100doors.rs" 26 21 26 31] _30 <- ([#"../100doors.rs" 26 21 26 31] index_mut0 _31 ([#"../100doors.rs" 26 22 26 30] ([#"../100doors.rs" 26 22 26 26] door) - ([#"../100doors.rs" 26 29 26 30] [#"../100doors.rs" 26 29 26 30] (1 : usize)))); + [#"../100doors.rs" 26 22 26 30] _32 <- door - ([#"../100doors.rs" 26 29 26 30] (1 : usize)); + [#"../100doors.rs" 26 21 26 31] _30 <- ([#"../100doors.rs" 26 21 26 31] index_mut0 _31 _32); _31 <- any borrowed (Alloc_Vec_Vec_Type.t_vec bool (Alloc_Alloc_Global_Type.t_global)); + _32 <- any usize; goto BB19 } BB19 { - [#"../100doors.rs" 26 12 26 54] _30 <- { _30 with current = ([#"../100doors.rs" 26 12 26 54] not ([#"../100doors.rs" 26 35 26 54] _26)) ; }; + [#"../100doors.rs" 26 12 26 54] _30 <- { _30 with current = (not _26) ; }; assume { resolve1 _30 }; - [#"../100doors.rs" 27 12 27 24] door <- ([#"../100doors.rs" 27 12 27 24] door + ([#"../100doors.rs" 27 20 27 24] pass)); + [#"../100doors.rs" 27 12 27 24] door <- door 
+ pass; [#"../100doors.rs" 25 26 28 9] _11 <- ([#"../100doors.rs" 25 26 28 9] ()); goto BB15 } diff --git a/creusot/tests/should_succeed/100doors/why3session.xml b/creusot/tests/should_succeed/100doors/why3session.xml index 9998709ce0..edc61a9ecf 100644 --- a/creusot/tests/should_succeed/100doors/why3session.xml +++ b/creusot/tests/should_succeed/100doors/why3session.xml @@ -7,7 +7,7 @@ - + diff --git a/creusot/tests/should_succeed/100doors/why3shapes.gz b/creusot/tests/should_succeed/100doors/why3shapes.gz index 7919eb508f..8070c69fdf 100644 Binary files a/creusot/tests/should_succeed/100doors/why3shapes.gz and b/creusot/tests/should_succeed/100doors/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/all_zero.mlcfg b/creusot/tests/should_succeed/all_zero.mlcfg index 2927e1711f..45ffaf003a 100644 --- a/creusot/tests/should_succeed/all_zero.mlcfg +++ b/creusot/tests/should_succeed/all_zero.mlcfg @@ -26,7 +26,7 @@ end module AllZero_AllZero use AllZero_List_Type as AllZero_List_Type use prelude.Borrow - use prelude.Ghost + use prelude.Snapshot predicate resolve2 (self : borrowed (AllZero_List_Type.t_list)) = [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve2 (self : borrowed (AllZero_List_Type.t_list)) : bool @@ -43,7 +43,7 @@ module AllZero_AllZero val resolve0 (self : borrowed uint32) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot use Core_Option_Option_Type as Core_Option_Option_Type use prelude.Int function get0 [#"../all_zero.rs" 21 4 21 40] (self : AllZero_List_Type.t_list) (ix : int) : Core_Option_Option_Type.t_option uint32 
@@ -64,15 +64,16 @@ module AllZero_AllZero val len0 [#"../all_zero.rs" 13 4 13 23] (self : AllZero_List_Type.t_list) : int ensures { result = len0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg all_zero [#"../all_zero.rs" 34 0 34 29] [@cfg:stackify] [@cfg:subregion_analysis] (l : borrowed (AllZero_List_Type.t_list)) : () - ensures { [#"../all_zero.rs" 32 0 32 77] forall i : int . 0 <= i /\ i < len0 ( * l) -> get0 ( ^ l) i = Core_Option_Option_Type.C_Some (0 : uint32) } + ensures { [#"../all_zero.rs" 32 0 32 77] forall i : int . 0 <= i /\ i < len0 ( * l) + -> get0 ( ^ l) i = Core_Option_Option_Type.C_Some (0 : uint32) } ensures { [#"../all_zero.rs" 33 10 33 34] len0 ( * l) = len0 ( ^ l) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var l : borrowed (AllZero_List_Type.t_list) = l; - var old_l : Ghost.ghost_ty (borrowed (AllZero_List_Type.t_list)); + var old_l : Snapshot.snap_ty (borrowed (AllZero_List_Type.t_list)); var loop_l : borrowed (AllZero_List_Type.t_list); var value : borrowed uint32; var next : borrowed (AllZero_List_Type.t_list); 
@@ -81,17 +82,21 @@ module AllZero_AllZero goto BB0 } BB0 { - [#"../all_zero.rs" 36 16 36 25] old_l <- ([#"../all_zero.rs" 36 16 36 25] Ghost.new l); + [#"../all_zero.rs" 36 16 36 31] old_l <- ([#"../all_zero.rs" 36 16 36 31] Snapshot.new l); goto BB1 } BB1 { - [#"../all_zero.rs" 37 21 37 22] loop_l <- ([#"../all_zero.rs" 37 21 37 22] l); - [#"../all_zero.rs" 37 21 37 22] l <- any borrowed (AllZero_List_Type.t_list); + [#"../all_zero.rs" 37 21 37 22] loop_l <- l; + l <- any borrowed (AllZero_List_Type.t_list); goto BB2 } BB2 { - invariant { [#"../all_zero.rs" 39 4 41 88] (forall i : int . 0 <= i /\ i < len0 ( * loop_l) -> get0 ( ^ loop_l) i = Core_Option_Option_Type.C_Some (0 : uint32)) -> (forall i : int . 0 <= i /\ i < len0 ( * Ghost.inner old_l) -> get0 ( ^ Ghost.inner old_l) i = Core_Option_Option_Type.C_Some (0 : uint32)) }; - invariant { [#"../all_zero.rs" 39 4 41 88] len0 ( ^ loop_l) = len0 ( * loop_l) -> len0 ( ^ Ghost.inner old_l) = len0 ( * Ghost.inner old_l) }; + invariant { [#"../all_zero.rs" 39 4 41 88] (forall i : int . 0 <= i /\ i < len0 ( * loop_l) + -> get0 ( ^ loop_l) i = Core_Option_Option_Type.C_Some (0 : uint32)) + -> (forall i : int . 0 <= i /\ i < len0 ( * Snapshot.inner old_l) + -> get0 ( ^ Snapshot.inner old_l) i = Core_Option_Option_Type.C_Some (0 : uint32)) }; + invariant { [#"../all_zero.rs" 39 4 41 88] len0 ( ^ loop_l) = len0 ( * loop_l) + -> len0 ( ^ Snapshot.inner old_l) = len0 ( * Snapshot.inner old_l) }; goto BB3 } BB3 { 
@@ -108,13 +113,13 @@ module AllZero_AllZero [#"../all_zero.rs" 43 19 43 24] loop_l <- { loop_l with current = (let AllZero_List_Type.C_Cons x0 x1 = * loop_l in AllZero_List_Type.C_Cons ( ^ value) x1) ; }; [#"../all_zero.rs" 43 26 43 30] next <- Borrow.borrow_final (AllZero_List_Type.cons_1 ( * loop_l)) (Borrow.inherit_id (Borrow.get_id loop_l) 2); [#"../all_zero.rs" 43 26 43 30] loop_l <- { loop_l with current = (let AllZero_List_Type.C_Cons x0 x1 = * loop_l in AllZero_List_Type.C_Cons x0 ( ^ next)) ; }; - [#"../all_zero.rs" 44 8 44 18] value <- { value with current = ([#"../all_zero.rs" 44 8 44 18] [#"../all_zero.rs" 44 17 44 18] (0 : uint32)) ; }; + [#"../all_zero.rs" 44 8 44 18] value <- { value with current = ([#"../all_zero.rs" 44 17 44 18] (0 : uint32)) ; }; assume { resolve0 value }; [#"../all_zero.rs" 45 17 45 21] _13 <- Borrow.borrow_mut ( * next); [#"../all_zero.rs" 45 17 45 21] next <- { next with current = ( ^ _13) ; }; assume { resolve1 loop_l }; - [#"../all_zero.rs" 45 8 45 21] loop_l <- ([#"../all_zero.rs" 45 8 45 21] _13); - [#"../all_zero.rs" 45 8 45 21] _13 <- any borrowed (AllZero_List_Type.t_list); + [#"../all_zero.rs" 45 8 45 21] loop_l <- _13; + _13 <- any borrowed (AllZero_List_Type.t_list); assume { resolve2 next }; goto BB2 } diff --git a/creusot/tests/should_succeed/all_zero.rs b/creusot/tests/should_succeed/all_zero.rs index 30d2b8b62a..f48895b8ed 100644 --- a/creusot/tests/should_succeed/all_zero.rs +++ b/creusot/tests/should_succeed/all_zero.rs @@ -9,7 +9,7 @@ pub enum List { use List::*; impl List { - #[ghost] + #[logic] fn len(self) -> Int { match self { Cons(_, ls) => 1 + ls.len(), @@ -17,7 +17,7 @@ impl List { } } - #[ghost] + #[logic] fn get(self, ix: Int) -> Option { match self { Cons(x, ls) => match pearlite! { ix == 0 } { @@ -33,7 +33,7 @@ impl List { #[ensures((*l).len() == (^l).len())] pub fn all_zero(l: &mut List) { use List::*; - let old_l = gh! { l }; + let old_l = snapshot! { l }; let mut loop_l = l; #[invariant( 
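Review bot: The function-local `use List::*;` inside `all_zero` duplicates the module-level `use List::*;` visible in the earlier hunk of this file and can be dropped. The new `snapshot! { l }` line is the only semantic change in this hunk and would benefit from a short comment for readers unfamiliar with Creusot, e.g. `// Snapshot of the original borrow so the loop invariant can relate loop_l back to *l / ^l.` The invariant that uses `old_l` starts at `#[invariant(` on the hunk's last line and continues outside it, so the wording should be checked against that invariant.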
diff --git a/creusot/tests/should_succeed/bdd.mlcfg b/creusot/tests/should_succeed/bdd.mlcfg index c6cc4b7452..997ce27f40 100644 --- a/creusot/tests/should_succeed/bdd.mlcfg +++ b/creusot/tests/should_succeed/bdd.mlcfg 
@@ -95,15 +95,21 @@ module Bdd_Hashmap_Impl2_Hash (64 : uint32) val wrapping_add0 (self : uint64) (rhs : uint64) : uint64 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt64.to_int result = EuclideanDivision.mod (UInt64.to_int self + UInt64.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt64.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt64.to_int self + UInt64.to_int rhs >= UInt64.to_int min0 /\ UInt64.to_int self + UInt64.to_int rhs <= UInt64.to_int max0 -> UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt64.to_int self + UInt64.to_int rhs < UInt64.to_int min0 -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs + k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt64.to_int self + UInt64.to_int rhs > UInt64.to_int max0 -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs - k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt64.to_int self + UInt64.to_int rhs >= UInt64.to_int min0 /\ UInt64.to_int self + UInt64.to_int rhs <= UInt64.to_int max0 + -> UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt64.to_int self + UInt64.to_int rhs < UInt64.to_int min0 + -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs + k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt64.to_int self + UInt64.to_int rhs > UInt64.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs - k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } val wrapping_mul0 (self : uint64) (rhs : uint64) : uint64 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt64.to_int result = EuclideanDivision.mod (UInt64.to_int self * UInt64.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt64.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt64.to_int self * UInt64.to_int rhs >= UInt64.to_int min0 /\ UInt64.to_int self * UInt64.to_int rhs <= UInt64.to_int max0 -> UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt64.to_int self * UInt64.to_int rhs < UInt64.to_int min0 -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs + k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt64.to_int self * UInt64.to_int rhs > UInt64.to_int max0 -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs - k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt64.to_int self * UInt64.to_int rhs >= UInt64.to_int min0 /\ UInt64.to_int self * UInt64.to_int rhs <= UInt64.to_int max0 + -> UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt64.to_int self * UInt64.to_int rhs < UInt64.to_int min0 + -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs + k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt64.to_int self * UInt64.to_int rhs > UInt64.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs - k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } function deep_model2 (self : v) : deep_model_ty1 = [#"../../../../creusot-contracts/src/model.rs" 70 8 70 28] deep_model5 self @@ -141,17 +147,17 @@ module Bdd_Hashmap_Impl2_Hash goto BB0 } BB0 { - [#"../bdd.rs" 77 12 77 25] _3 <- ([#"../bdd.rs" 77 12 77 25] hash0 ([#"../bdd.rs" 77 12 77 18] let (a, _) = self in a)); + [#"../bdd.rs" 77 12 77 25] _3 <- ([#"../bdd.rs" 77 12 77 25] hash0 (let (a, _) = self in a)); goto BB1 } BB1 { assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../bdd.rs" 77 39 77 52] _6 <- ([#"../bdd.rs" 77 39 77 52] hash1 ([#"../bdd.rs" 77 39 77 45] let (_, a) = self in a)); + [#"../bdd.rs" 77 39 77 52] _6 <- ([#"../bdd.rs" 77 39 77 52] hash1 (let (_, a) = self in a)); goto BB2 } BB2 { - [#"../bdd.rs" 77 39 77 69] _5 <- ([#"../bdd.rs" 77 39 77 69] wrapping_mul0 _6 ([#"../bdd.rs" 77 66 77 68] [#"../bdd.rs" 77 66 77 68] (17 : uint64))); + [#"../bdd.rs" 77 39 77 69] _5 <- ([#"../bdd.rs" 77 39 77 69] wrapping_mul0 _6 ([#"../bdd.rs" 77 66 77 68] (17 : uint64))); _6 <- any uint64; goto BB3 } @@ -207,7 +213,7 @@ end module Bdd_Node_Type use export Bdd_Bdd_Type end -module Bdd_Impl13_AssertReceiverIsTotalEq +module Bdd_Impl12_AssertReceiverIsTotalEq use Bdd_Node_Type as Bdd_Node_Type use prelude.Borrow let rec cfg assert_receiver_is_total_eq [#"../bdd.rs" 90 9 90 11] [@cfg:stackify] [@cfg:subregion_analysis] (self : Bdd_Node_Type.t_node) : () @@ -254,7 +260,7 @@ module Bdd_Impl7_Eq goto BB0 } BB0 { - [#"../bdd.rs" 203 8 203 21] _0 <- ([#"../bdd.rs" 203 8 203 21] ([#"../bdd.rs" 203 8 203 14] Bdd_Bdd_Type.bdd_1 self) = ([#"../bdd.rs" 203 18 203 21] Bdd_Bdd_Type.bdd_1 o)); + [#"../bdd.rs" 203 8 203 21] _0 <- Bdd_Bdd_Type.bdd_1 self = Bdd_Bdd_Type.bdd_1 o; return _0 } 
@@ -268,7 +274,7 @@ module Bdd_NodeLog_Type | C_If uint64 uint64 uint64 end -module Bdd_Impl14_Eq +module Bdd_Impl13_Eq use Bdd_Bdd_Type as Bdd_Bdd_Type use Bdd_NodeLog_Type as Bdd_NodeLog_Type use Bdd_Node_Type as Bdd_Node_Type @@ -353,7 +359,7 @@ module Bdd_Impl14_Eq goto BB0 } BB0 { - [#"../bdd.rs" 90 13 90 22] _4 <- ([#"../bdd.rs" 90 13 90 22] (([#"../bdd.rs" 90 13 90 22] self), ([#"../bdd.rs" 90 13 90 22] rhs))); + [#"../bdd.rs" 90 13 90 22] _4 <- (self, rhs); switch (let (a, _) = _4 in a) | Bdd_Node_Type.C_False -> goto BB1 | Bdd_Node_Type.C_True -> goto BB4 @@ -371,7 +377,7 @@ module Bdd_Impl14_Eq } BB3 { assume { resolve0 _4 }; - [#"../bdd.rs" 90 13 90 22] _0 <- ([#"../bdd.rs" 90 13 90 22] [#"../bdd.rs" 90 13 90 22] false); + [#"../bdd.rs" 90 13 90 22] _0 <- ([#"../bdd.rs" 90 13 90 22] false); goto BB22 } BB4 { 
@@ -394,23 +400,23 @@ module Bdd_Impl14_Eq } BB8 { assume { resolve0 _4 }; - [#"../bdd.rs" 90 13 90 22] _0 <- ([#"../bdd.rs" 90 13 90 22] [#"../bdd.rs" 90 13 90 22] true); + [#"../bdd.rs" 90 13 90 22] _0 <- ([#"../bdd.rs" 90 13 90 22] true); goto BB22 } BB9 { assume { resolve0 _4 }; - [#"../bdd.rs" 90 13 90 22] _0 <- ([#"../bdd.rs" 90 13 90 22] [#"../bdd.rs" 90 13 90 22] true); + [#"../bdd.rs" 90 13 90 22] _0 <- ([#"../bdd.rs" 90 13 90 22] true); goto BB22 } BB10 { - [#"../bdd.rs" 94 9 94 10] v_1 <- ([#"../bdd.rs" 94 9 94 10] Bdd_Node_Type.if_v (let (a, _) = _4 in a)); - [#"../bdd.rs" 94 17 94 23] childt_1 <- ([#"../bdd.rs" 94 17 94 23] Bdd_Node_Type.if_childt (let (a, _) = _4 in a)); - [#"../bdd.rs" 94 38 94 44] childf_1 <- ([#"../bdd.rs" 94 38 94 44] Bdd_Node_Type.if_childf (let (a, _) = _4 in a)); - [#"../bdd.rs" 94 9 94 10] v_2 <- ([#"../bdd.rs" 94 9 94 10] Bdd_Node_Type.if_v (let (_, a) = _4 in a)); - [#"../bdd.rs" 94 17 94 23] childt_2 <- ([#"../bdd.rs" 94 17 94 23] Bdd_Node_Type.if_childt (let (_, a) = _4 in a)); - [#"../bdd.rs" 94 38 94 44] childf_2 <- ([#"../bdd.rs" 94 38 94 44] Bdd_Node_Type.if_childf (let (_, a) = _4 in a)); + [#"../bdd.rs" 94 9 94 10] v_1 <- Bdd_Node_Type.if_v (let (a, _) = _4 in a); + [#"../bdd.rs" 94 17 94 23] childt_1 <- Bdd_Node_Type.if_childt (let (a, _) = _4 in a); + [#"../bdd.rs" 94 38 94 44] childf_1 <- Bdd_Node_Type.if_childf (let (a, _) = _4 in a); + [#"../bdd.rs" 94 9 94 10] v_2 <- Bdd_Node_Type.if_v (let (_, a) = _4 in a); + [#"../bdd.rs" 94 17 94 23] childt_2 <- Bdd_Node_Type.if_childt (let (_, a) = _4 in a); + [#"../bdd.rs" 94 38 94 44] childf_2 <- Bdd_Node_Type.if_childf (let (_, a) = _4 in a); assume { resolve0 _4 }; - [#"../bdd.rs" 90 13 90 22] _17 <- ([#"../bdd.rs" 90 13 90 22] eq0 ([#"../bdd.rs" 94 38 94 44] childf_1) ([#"../bdd.rs" 94 38 94 44] childf_2)); + [#"../bdd.rs" 90 13 90 22] _17 <- ([#"../bdd.rs" 90 13 90 22] eq0 childf_1 childf_2); goto BB11 } BB11 { 
@@ -420,7 +426,7 @@ module Bdd_Impl14_Eq end } BB12 { - [#"../bdd.rs" 90 13 90 22] _20 <- ([#"../bdd.rs" 90 13 90 22] eq0 ([#"../bdd.rs" 94 17 94 23] childt_1) ([#"../bdd.rs" 94 17 94 23] childt_2)); + [#"../bdd.rs" 90 13 90 22] _20 <- ([#"../bdd.rs" 90 13 90 22] eq0 childt_1 childt_2); goto BB13 } BB13 { @@ -430,7 +436,7 @@ module Bdd_Impl14_Eq end } BB14 { - [#"../bdd.rs" 90 13 90 22] _23 <- ([#"../bdd.rs" 90 13 90 22] eq1 ([#"../bdd.rs" 94 9 94 10] v_1) ([#"../bdd.rs" 94 9 94 10] v_2)); + [#"../bdd.rs" 90 13 90 22] _23 <- ([#"../bdd.rs" 90 13 90 22] eq1 v_1 v_2); goto BB15 } BB15 { @@ -440,7 +446,7 @@ module Bdd_Impl14_Eq end } BB16 { - [#"../bdd.rs" 90 13 90 22] _0 <- ([#"../bdd.rs" 90 13 90 22] [#"../bdd.rs" 90 13 90 22] true); + [#"../bdd.rs" 90 13 90 22] _0 <- ([#"../bdd.rs" 90 13 90 22] true); goto BB21 } BB17 { @@ -453,7 +459,7 @@ module Bdd_Impl14_Eq goto BB20 } BB20 { - [#"../bdd.rs" 90 13 90 22] _0 <- ([#"../bdd.rs" 90 13 90 22] [#"../bdd.rs" 90 13 90 22] false); + [#"../bdd.rs" 90 13 90 22] _0 <- ([#"../bdd.rs" 90 13 90 22] false); goto BB21 } BB21 { @@ -477,12 +483,12 @@ module Bdd_Impl0_Clone goto BB0 } BB0 { - [#"../bdd.rs" 110 8 110 13] _0 <- ([#"../bdd.rs" 110 8 110 13] self); + [#"../bdd.rs" 110 8 110 13] _0 <- self; return _0 } end -module Bdd_Impl15_Clone +module Bdd_Impl14_Clone use prelude.Borrow use Bdd_Bdd_Type as Bdd_Bdd_Type use prelude.UInt64 
@@ -526,11 +532,11 @@ module Bdd_Impl15_Clone goto BB6 } BB3 { - [#"../bdd.rs" 94 9 94 10] v_1 <- ([#"../bdd.rs" 94 9 94 10] Bdd_Node_Type.if_v self); - [#"../bdd.rs" 94 17 94 23] childt_1 <- ([#"../bdd.rs" 94 17 94 23] Bdd_Node_Type.if_childt self); - [#"../bdd.rs" 94 38 94 44] childf_1 <- ([#"../bdd.rs" 94 38 94 44] Bdd_Node_Type.if_childf self); - [#"../bdd.rs" 90 24 90 29] _9 <- ([#"../bdd.rs" 90 24 90 29] v_1); - [#"../bdd.rs" 90 24 90 29] _7 <- ([#"../bdd.rs" 90 24 90 29] clone0 ([#"../bdd.rs" 90 24 90 29] _9)); + [#"../bdd.rs" 94 9 94 10] v_1 <- Bdd_Node_Type.if_v self; + [#"../bdd.rs" 94 17 94 23] childt_1 <- Bdd_Node_Type.if_childt self; + [#"../bdd.rs" 94 38 94 44] childf_1 <- Bdd_Node_Type.if_childf self; + [#"../bdd.rs" 90 24 90 29] _9 <- v_1; + [#"../bdd.rs" 90 24 90 29] _7 <- ([#"../bdd.rs" 90 24 90 29] clone0 _9); goto BB7 } BB4 { 
@@ -538,25 +544,25 @@ module Bdd_Impl15_Clone absurd } BB5 { - [#"../bdd.rs" 91 5 92 9] _0 <- ([#"../bdd.rs" 91 5 92 9] Bdd_Node_Type.C_False); + [#"../bdd.rs" 91 5 92 9] _0 <- Bdd_Node_Type.C_False; goto BB10 } BB6 { - [#"../bdd.rs" 91 5 93 8] _0 <- ([#"../bdd.rs" 91 5 93 8] Bdd_Node_Type.C_True); + [#"../bdd.rs" 91 5 93 8] _0 <- Bdd_Node_Type.C_True; goto BB10 } BB7 { - [#"../bdd.rs" 90 24 90 29] _12 <- ([#"../bdd.rs" 90 24 90 29] childt_1); - [#"../bdd.rs" 90 24 90 29] _10 <- ([#"../bdd.rs" 90 24 90 29] clone1 ([#"../bdd.rs" 90 24 90 29] _12)); + [#"../bdd.rs" 90 24 90 29] _12 <- childt_1; + [#"../bdd.rs" 90 24 90 29] _10 <- ([#"../bdd.rs" 90 24 90 29] clone1 _12); goto BB8 } BB8 { - [#"../bdd.rs" 90 24 90 29] _15 <- ([#"../bdd.rs" 90 24 90 29] childf_1); - [#"../bdd.rs" 90 24 90 29] _13 <- ([#"../bdd.rs" 90 24 90 29] clone1 ([#"../bdd.rs" 90 24 90 29] _15)); + [#"../bdd.rs" 90 24 90 29] _15 <- childf_1; + [#"../bdd.rs" 90 24 90 29] _13 <- ([#"../bdd.rs" 90 24 90 29] clone1 _15); goto BB9 } BB9 { - [#"../bdd.rs" 90 24 90 29] _0 <- ([#"../bdd.rs" 90 24 90 29] Bdd_Node_Type.C_If _7 _10 _13); + [#"../bdd.rs" 90 24 90 29] _0 <- Bdd_Node_Type.C_If _7 _10 _13; _7 <- any uint64; _10 <- any Bdd_Bdd_Type.t_bdd; _13 <- any Bdd_Bdd_Type.t_bdd; @@ -567,7 +573,7 @@ module Bdd_Impl15_Clone } end -module Bdd_Impl19_AssertReceiverIsTotalEq +module Bdd_Impl17_AssertReceiverIsTotalEq use Bdd_Bdd_Type as Bdd_Bdd_Type use prelude.Borrow let rec cfg assert_receiver_is_total_eq [#"../bdd.rs" 104 15 104 17] [@cfg:stackify] [@cfg:subregion_analysis] (self : Bdd_Bdd_Type.t_bdd) : () 
@@ -631,15 +637,21 @@ module Bdd_Impl1_Hash (64 : uint32) val wrapping_add0 (self : uint64) (rhs : uint64) : uint64 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt64.to_int result = EuclideanDivision.mod (UInt64.to_int self + UInt64.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt64.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt64.to_int self + UInt64.to_int rhs >= UInt64.to_int min0 /\ UInt64.to_int self + UInt64.to_int rhs <= UInt64.to_int max0 -> UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt64.to_int self + UInt64.to_int rhs < UInt64.to_int min0 -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs + k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt64.to_int self + UInt64.to_int rhs > UInt64.to_int max0 -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs - k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt64.to_int self + UInt64.to_int rhs >= UInt64.to_int min0 /\ UInt64.to_int self + UInt64.to_int rhs <= UInt64.to_int max0 + -> UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt64.to_int self + UInt64.to_int rhs < UInt64.to_int min0 + -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs + k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt64.to_int self + UInt64.to_int rhs > UInt64.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt64.to_int result = UInt64.to_int self + UInt64.to_int rhs - k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } val wrapping_mul0 (self : uint64) (rhs : uint64) : uint64 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt64.to_int result = EuclideanDivision.mod (UInt64.to_int self * UInt64.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt64.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt64.to_int self * UInt64.to_int rhs >= UInt64.to_int min0 /\ UInt64.to_int self * UInt64.to_int rhs <= UInt64.to_int max0 -> UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt64.to_int self * UInt64.to_int rhs < UInt64.to_int min0 -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs + k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt64.to_int self * UInt64.to_int rhs > UInt64.to_int max0 -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs - k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt64.to_int self * UInt64.to_int rhs >= UInt64.to_int min0 /\ UInt64.to_int self * UInt64.to_int rhs <= UInt64.to_int max0 + -> UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt64.to_int self * UInt64.to_int rhs < UInt64.to_int min0 + -> (exists k : int . k > 0 /\ UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs + k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt64.to_int self * UInt64.to_int rhs > UInt64.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt64.to_int result = UInt64.to_int self * UInt64.to_int rhs - k * (UInt64.to_int max0 - UInt64.to_int min0 + 1)) } let rec cfg hash [#"../bdd.rs" 116 4 116 25] [@cfg:stackify] [@cfg:subregion_analysis] (self : Bdd_Node_Type.t_node) : uint64 ensures { [#"../bdd.rs" 115 14 115 46] UInt64.to_int result = hash_log0 (shallow_model1 self) } @@ -670,10 +682,10 @@ module Bdd_Impl1_Hash goto BB6 } BB3 { - [#"../bdd.rs" 120 17 120 18] v <- ([#"../bdd.rs" 120 17 120 18] Bdd_Node_Type.if_v self); - [#"../bdd.rs" 120 20 120 26] childt <- ([#"../bdd.rs" 120 20 120 26] Bdd_Node_Type.if_childt self); - [#"../bdd.rs" 120 28 120 34] childf <- ([#"../bdd.rs" 120 28 120 34] Bdd_Node_Type.if_childf self); - [#"../bdd.rs" 121 31 121 55] _9 <- ([#"../bdd.rs" 121 31 121 55] wrapping_mul0 ([#"../bdd.rs" 121 31 121 39] Bdd_Bdd_Type.bdd_1 childt) ([#"../bdd.rs" 121 53 121 54] [#"../bdd.rs" 121 53 121 54] (5 : uint64))); + [#"../bdd.rs" 120 17 120 18] v <- Bdd_Node_Type.if_v self; + [#"../bdd.rs" 120 20 120 26] childt <- Bdd_Node_Type.if_childt self; + [#"../bdd.rs" 120 28 120 34] childf <- Bdd_Node_Type.if_childf self; + [#"../bdd.rs" 121 31 121 55] _9 <- ([#"../bdd.rs" 121 31 121 55] wrapping_mul0 (Bdd_Bdd_Type.bdd_1 childt) ([#"../bdd.rs" 121 53 121 54] (5 : uint64))); goto BB7 } BB4 { 
@@ -681,20 +693,20 @@ module Bdd_Impl1_Hash absurd } BB5 { - [#"../bdd.rs" 118 21 118 22] _0 <- ([#"../bdd.rs" 118 21 118 22] [#"../bdd.rs" 118 21 118 22] (1 : uint64)); + [#"../bdd.rs" 118 21 118 22] _0 <- ([#"../bdd.rs" 118 21 118 22] (1 : uint64)); goto BB11 } BB6 { - [#"../bdd.rs" 119 20 119 21] _0 <- ([#"../bdd.rs" 119 20 119 21] [#"../bdd.rs" 119 20 119 21] (2 : uint64)); + [#"../bdd.rs" 119 20 119 21] _0 <- ([#"../bdd.rs" 119 20 119 21] (2 : uint64)); goto BB11 } BB7 { - [#"../bdd.rs" 121 16 121 56] _7 <- ([#"../bdd.rs" 121 16 121 56] wrapping_add0 ([#"../bdd.rs" 121 16 121 17] v) _9); + [#"../bdd.rs" 121 16 121 56] _7 <- ([#"../bdd.rs" 121 16 121 56] wrapping_add0 v _9); _9 <- any uint64; goto BB8 } BB8 { - [#"../bdd.rs" 121 70 121 94] _11 <- ([#"../bdd.rs" 121 70 121 94] wrapping_mul0 ([#"../bdd.rs" 121 70 121 78] Bdd_Bdd_Type.bdd_1 childf) ([#"../bdd.rs" 121 92 121 93] [#"../bdd.rs" 121 92 121 93] (7 : uint64))); + [#"../bdd.rs" 121 70 121 94] _11 <- ([#"../bdd.rs" 121 70 121 94] wrapping_mul0 (Bdd_Bdd_Type.bdd_1 childf) ([#"../bdd.rs" 121 92 121 93] (7 : uint64))); goto BB9 } BB9 { @@ -747,7 +759,7 @@ module Bdd_Impl2_Hash goto BB0 } BB0 { - [#"../bdd.rs" 143 8 143 14] _0 <- ([#"../bdd.rs" 143 8 143 14] Bdd_Bdd_Type.bdd_1 self); + [#"../bdd.rs" 143 8 143 14] _0 <- Bdd_Bdd_Type.bdd_1 self; return _0 } 
@@ -756,15 +768,15 @@ module Bdd_Impl8_Size_Impl use Bdd_Node_Type as Bdd_Node_Type use Bdd_Bdd_Type as Bdd_Bdd_Type use prelude.Int - let rec ghost function size [#"../bdd.rs" 224 4 224 24] (self : Bdd_Bdd_Type.t_bdd) : int - ensures { [#"../bdd.rs" 223 14 223 25] result >= 0 } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../bdd.rs" 226 12 234 13] match self with - | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_True) _ -> 0 - | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_False) _ -> 0 - | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_If _ childt childf) _ -> let ht = size childt in let hf = size childf in 1 + ht + hf - end + constant self : Bdd_Bdd_Type.t_bdd + function size [#"../bdd.rs" 224 4 224 24] (self : Bdd_Bdd_Type.t_bdd) : int + goal vc_size : match self with + | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_True) _ -> [#"../bdd.rs" 223 14 223 25] 0 >= 0 + | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_False) _ -> [#"../bdd.rs" 223 14 223 25] 0 >= 0 + | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_If _ childt childf) _ -> ([#"../bdd.rs" 223 14 223 25] size childt >= 0) + -> (let ht = size childt in ([#"../bdd.rs" 223 14 223 25] size childf >= 0) + -> (let hf = size childf in [#"../bdd.rs" 223 14 223 25] 1 + ht + hf >= 0)) + end end module Bdd_Context_Type use Bdd_Bdd_Type as Bdd_Bdd_Type 
@@ -773,11 +785,11 @@ module Bdd_Context_Type use prelude.Int use Bdd_Node_Type as Bdd_Node_Type use map.Map - use prelude.Ghost + use prelude.Snapshot use Bdd_Bumpalo_Bump_Type as Bdd_Bumpalo_Bump_Type use prelude.Borrow type t_context = - | C_Context (Bdd_Bumpalo_Bump_Type.t_bump) (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Node_Type.t_node) (Bdd_Bdd_Type.t_bdd)) (Ghost.ghost_ty (Map.map uint64 (Bdd_Node_Type.t_node))) (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd)) (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd, Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd)) uint64 + | C_Context (Bdd_Bumpalo_Bump_Type.t_bump) (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Node_Type.t_node) (Bdd_Bdd_Type.t_bdd)) (Snapshot.snap_ty (Map.map uint64 (Bdd_Node_Type.t_node))) (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd)) (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd, Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd)) uint64 let function context_hashcons (self : t_context) : Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Node_Type.t_node) (Bdd_Bdd_Type.t_bdd) @@ -789,7 +801,7 @@ module Bdd_Context_Type match self with | C_Context _ _ _ _ _ a -> a end - let function context_hashcons_ghost (self : t_context) : Ghost.ghost_ty (Map.map uint64 (Bdd_Node_Type.t_node)) + let function context_hashcons_ghost (self : t_context) : Snapshot.snap_ty (Map.map uint64 (Bdd_Node_Type.t_node)) = [@vc:do_not_keep_trace] [@vc:sp] match self with | C_Context _ _ a _ _ _ -> a @@ -897,7 +909,7 @@ module Bdd_Impl10_GrowsIsValidBdd_Impl ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -909,14 +921,14 @@ module Bdd_Impl10_GrowsIsValidBdd_Impl predicate invariant1 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model1 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model4 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model5 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant1 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant1 self } 
@@ -946,14 +958,13 @@ module Bdd_Impl10_GrowsIsValidBdd_Impl val grows0 [#"../bdd.rs" 296 4 296 35] (self : borrowed (Bdd_Context_Type.t_context)) : bool ensures { result = grows0 self } - let rec ghost function grows_is_valid_bdd [#"../bdd.rs" 336 4 336 56] (self : borrowed (Bdd_Context_Type.t_context)) (b : Bdd_Bdd_Type.t_bdd) : () - requires {[#"../bdd.rs" 333 15 333 27] grows0 self} - requires {[#"../bdd.rs" 334 15 334 35] is_valid_bdd0 ( * self) b} - requires {[#"../bdd.rs" 336 35 336 39] inv0 self} - ensures { [#"../bdd.rs" 335 14 335 37] is_valid_bdd0 ( ^ self) b } + constant self : borrowed (Bdd_Context_Type.t_context) + constant b : Bdd_Bdd_Type.t_bdd + function grows_is_valid_bdd [#"../bdd.rs" 336 4 336 56] (self : borrowed (Bdd_Context_Type.t_context)) (b : Bdd_Bdd_Type.t_bdd) : () - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../bdd.rs" 331 4 331 12] () + goal vc_grows_is_valid_bdd : ([#"../bdd.rs" 336 35 336 39] inv0 self) + -> ([#"../bdd.rs" 334 15 334 35] is_valid_bdd0 ( * self) b) + -> ([#"../bdd.rs" 333 15 333 27] grows0 self) -> ([#"../bdd.rs" 335 14 335 37] is_valid_bdd0 ( ^ self) b) end module Bdd_Impl10_GrowsTrans_Impl use Bdd_Bdd_Type as Bdd_Bdd_Type @@ -1041,7 +1052,7 @@ module Bdd_Impl10_GrowsTrans_Impl ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -1053,14 +1064,14 @@ module Bdd_Impl10_GrowsTrans_Impl predicate invariant1 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model1 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model3 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model4 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant1 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant1 self } 
@@ -1090,18 +1101,18 @@ module Bdd_Impl10_GrowsTrans_Impl val grows0 [#"../bdd.rs" 296 4 296 35] (self : borrowed (Bdd_Context_Type.t_context)) : bool ensures { result = grows0 self } - let rec ghost function grows_trans [#"../bdd.rs" 345 4 345 62] (self : borrowed (Bdd_Context_Type.t_context)) (o : borrowed (Bdd_Context_Type.t_context)) (oo : borrowed (Bdd_Context_Type.t_context)) : () - requires {[#"../bdd.rs" 340 15 340 27] grows0 self} - requires {[#"../bdd.rs" 341 15 341 24] grows0 o} - requires {[#"../bdd.rs" 342 15 342 26] ^ self = * o} - requires {[#"../bdd.rs" 343 15 343 43] * self = * oo /\ ^ self = ^ oo} - requires {[#"../bdd.rs" 345 28 345 32] inv0 self} - requires {[#"../bdd.rs" 345 34 345 35] inv0 o} - requires {[#"../bdd.rs" 345 48 345 50] inv0 oo} - ensures { [#"../bdd.rs" 344 14 344 24] grows0 oo } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../bdd.rs" 338 4 338 12] () + constant self : borrowed (Bdd_Context_Type.t_context) + constant o : borrowed (Bdd_Context_Type.t_context) + constant oo : borrowed (Bdd_Context_Type.t_context) + function grows_trans [#"../bdd.rs" 345 4 345 62] (self : borrowed (Bdd_Context_Type.t_context)) (o : borrowed (Bdd_Context_Type.t_context)) (oo : borrowed (Bdd_Context_Type.t_context)) : () + + goal vc_grows_trans : ([#"../bdd.rs" 345 48 345 50] inv0 oo) + -> ([#"../bdd.rs" 345 34 345 35] inv0 o) + -> ([#"../bdd.rs" 345 28 345 32] inv0 self) + -> ([#"../bdd.rs" 343 15 343 43] * self = * oo /\ ^ self = ^ oo) + -> ([#"../bdd.rs" 342 15 342 26] ^ self = * o) + -> ([#"../bdd.rs" 341 15 341 24] grows0 o) + -> ([#"../bdd.rs" 340 15 340 27] grows0 self) -> ([#"../bdd.rs" 344 14 344 24] grows0 oo) end module Bdd_Impl10_SetIrreleventVar_Impl use Bdd_Bdd_Type as Bdd_Bdd_Type 
@@ -1189,7 +1200,7 @@ module Bdd_Impl10_SetIrreleventVar_Impl ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -1201,14 +1212,14 @@ module Bdd_Impl10_SetIrreleventVar_Impl predicate invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model1 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model5 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model6 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant0 self } 
@@ -1221,17 +1232,22 @@ module Bdd_Impl10_SetIrreleventVar_Impl | Bdd_Context_Type.C_Context alloc hashcons hashcons_ghost not_memo and_memo cnt -> true end) use map.Map - let rec ghost function set_irrelevent_var [#"../bdd.rs" 351 4 351 87] (self : Bdd_Context_Type.t_context) (a : Bdd_Bdd_Type.t_bdd) (x : uint64) (v : Map.map uint64 bool) (b : bool) : () - requires {[#"../bdd.rs" 348 15 348 35] is_valid_bdd0 self a} - requires {[#"../bdd.rs" 349 15 349 32] UInt64.to_int x < leastvar0 a} - requires {[#"../bdd.rs" 351 26 351 30] inv0 self} - ensures { [#"../bdd.rs" 350 14 350 50] interp0 a v = interp0 a (Map.set v x b) } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../bdd.rs" 353 12 359 13] match a with - | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_If _ childt childf) _ -> let _ = set_irrelevent_var self childt x v b in let _ = set_irrelevent_var self childf x v b in () - | _ -> () - end + constant self : Bdd_Context_Type.t_context + constant a : Bdd_Bdd_Type.t_bdd + constant x : uint64 + constant v : Map.map uint64 bool + constant b : bool + function set_irrelevent_var [#"../bdd.rs" 351 4 351 87] (self : Bdd_Context_Type.t_context) (a : Bdd_Bdd_Type.t_bdd) (x : uint64) (v : Map.map uint64 bool) (b : bool) : () + + goal vc_set_irrelevent_var : ([#"../bdd.rs" 351 26 351 30] inv0 self) + -> ([#"../bdd.rs" 349 15 349 32] UInt64.to_int x < leastvar0 a) + -> ([#"../bdd.rs" 348 15 348 35] is_valid_bdd0 self a) + -> match a with + | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_If _ childt childf) _ -> (([#"../bdd.rs" 351 26 351 30] inv0 self) && ([#"../bdd.rs" 349 15 349 32] UInt64.to_int x < leastvar0 childt) && ([#"../bdd.rs" 348 15 348 35] is_valid_bdd0 self childt)) /\ (([#"../bdd.rs" 350 14 350 50] interp0 childt v = interp0 childt (Map.set v x b)) + -> (let _ = set_irrelevent_var self childt x v b in (([#"../bdd.rs" 351 26 351 30] inv0 self) && ([#"../bdd.rs" 349 15 349 32] UInt64.to_int x < leastvar0 childf) && ([#"../bdd.rs" 348 15 348 35] is_valid_bdd0 self childf)) /\ 
(([#"../bdd.rs" 350 14 350 50] interp0 childf v = interp0 childf (Map.set v x b)) + -> (let _ = set_irrelevent_var self childf x v b in [#"../bdd.rs" 350 14 350 50] interp0 a v = interp0 a (Map.set v x b))))) + | _ -> [#"../bdd.rs" 350 14 350 50] interp0 a v = interp0 a (Map.set v x b) + end end module Bdd_Impl10_DiscrValuation_Impl use Bdd_Bdd_Type as Bdd_Bdd_Type @@ -1319,7 +1335,7 @@ module Bdd_Impl10_DiscrValuation_Impl ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -1331,14 +1347,14 @@ module Bdd_Impl10_DiscrValuation_Impl predicate invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model0 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model1 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model1 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model5 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model6 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant0 self } 
@@ -1365,7 +1381,10 @@ module Bdd_Impl10_DiscrValuation_Impl requires {[#"../bdd.rs" 351 26 351 30] inv0 self} ensures { result = set_irrelevent_var0 self a x v b } - axiom set_irrelevent_var0_spec : forall self : Bdd_Context_Type.t_context, a : Bdd_Bdd_Type.t_bdd, x : uint64, v : Map.map uint64 bool, b : bool . ([#"../bdd.rs" 348 15 348 35] is_valid_bdd0 self a) -> ([#"../bdd.rs" 349 15 349 32] UInt64.to_int x < leastvar0 a) -> ([#"../bdd.rs" 351 26 351 30] inv0 self) -> ([#"../bdd.rs" 350 14 350 50] interp0 a v = interp0 a (Map.set v x b)) + axiom set_irrelevent_var0_spec : forall self : Bdd_Context_Type.t_context, a : Bdd_Bdd_Type.t_bdd, x : uint64, v : Map.map uint64 bool, b : bool . ([#"../bdd.rs" 348 15 348 35] is_valid_bdd0 self a) + -> ([#"../bdd.rs" 349 15 349 32] UInt64.to_int x < leastvar0 a) + -> ([#"../bdd.rs" 351 26 351 30] inv0 self) + -> ([#"../bdd.rs" 350 14 350 50] interp0 a v = interp0 a (Map.set v x b)) function size0 [#"../bdd.rs" 224 4 224 24] (self : Bdd_Bdd_Type.t_bdd) : int = [#"../bdd.rs" 226 12 234 13] match self with | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_True) _ -> 0 
@@ -1376,48 +1395,49 @@ module Bdd_Impl10_DiscrValuation_Impl ensures { result = size0 self } axiom size0_spec : forall self : Bdd_Bdd_Type.t_bdd . [#"../bdd.rs" 223 14 223 25] size0 self >= 0 - let rec ghost function discr_valuation [#"../bdd.rs" 370 4 370 82] (self : Bdd_Context_Type.t_context) (a : Bdd_Bdd_Type.t_bdd) (b : Bdd_Bdd_Type.t_bdd) : Map.map uint64 bool - requires {[#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self a} - requires {[#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self b} - requires {[#"../bdd.rs" 366 15 366 21] a <> b} - requires {[#"../bdd.rs" 370 23 370 27] inv0 self} - ensures { [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result } - variant {[#"../bdd.rs" 368 14 368 33] size0 a + size0 b} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../bdd.rs" 372 12 372 36] let _ = () in if let x1 = leastvar0 b in let x0 = leastvar0 a in pure {x0 < x1} then - match a with - | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_If v childt childf) _ -> if pure {childf <> b} then - let a' = discr_valuation self childf b in Map.set a' v false - else - let a' = discr_valuation self childt b in Map.set a' v true - - | _ -> Const.const true + constant self : Bdd_Context_Type.t_context + constant a : Bdd_Bdd_Type.t_bdd + constant b : Bdd_Bdd_Type.t_bdd + function discr_valuation [#"../bdd.rs" 370 4 370 82] (self : Bdd_Context_Type.t_context) (a : Bdd_Bdd_Type.t_bdd) (b : Bdd_Bdd_Type.t_bdd) : Map.map uint64 bool + + goal vc_discr_valuation : ([#"../bdd.rs" 370 23 370 27] inv0 self) + -> ([#"../bdd.rs" 366 15 366 21] a <> b) + -> ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self b) + -> ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self a) + -> (let _ = set_irrelevent_var0 in match leastvar0 a < leastvar0 b with + | True -> match a with + | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_If v childt childf) _ -> match childf <> b with + | True -> ((([#"../bdd.rs" 370 23 370 27] inv0 self) && ([#"../bdd.rs" 366 15 366 21] childf <> b) && ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 
self b) && ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self childf)) /\ 0 <= ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b) /\ ([#"../bdd.rs" 368 14 368 33] size0 childf + size0 b) < ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b)) /\ (([#"../bdd.rs" 367 14 367 50] interp0 childf (discr_valuation self childf b) <> interp0 b (discr_valuation self childf b)) + -> (let result = Map.set (discr_valuation self childf b) v false in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result)) + | False -> ((([#"../bdd.rs" 370 23 370 27] inv0 self) && ([#"../bdd.rs" 366 15 366 21] childt <> b) && ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self b) && ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self childt)) /\ 0 <= ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b) /\ ([#"../bdd.rs" 368 14 368 33] size0 childt + size0 b) < ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b)) /\ (([#"../bdd.rs" 367 14 367 50] interp0 childt (discr_valuation self childt b) <> interp0 b (discr_valuation self childt b)) + -> (let result = Map.set (discr_valuation self childt b) v true in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result)) end - else - if let x1 = leastvar0 b in let x0 = leastvar0 a in pure {x0 > x1} then - match b with - | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_If v childt childf) _ -> if pure {childf <> a} then - let a' = discr_valuation self a childf in Map.set a' v false - else - let a' = discr_valuation self a childt in Map.set a' v true - - | _ -> Const.const true + | _ -> let result = Const.const true in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result + end + | False -> match leastvar0 a > leastvar0 b with + | True -> match b with + | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_If v childt childf) _ -> match childf <> a with + | True -> ((([#"../bdd.rs" 370 23 370 27] inv0 self) && ([#"../bdd.rs" 366 15 366 21] a <> childf) && ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self childf) && ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self a)) /\ 0 
<= ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b) /\ ([#"../bdd.rs" 368 14 368 33] size0 a + size0 childf) < ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b)) /\ (([#"../bdd.rs" 367 14 367 50] interp0 a (discr_valuation self a childf) <> interp0 childf (discr_valuation self a childf)) + -> (let result = Map.set (discr_valuation self a childf) v false in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result)) + | False -> ((([#"../bdd.rs" 370 23 370 27] inv0 self) && ([#"../bdd.rs" 366 15 366 21] a <> childt) && ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self childt) && ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self a)) /\ 0 <= ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b) /\ ([#"../bdd.rs" 368 14 368 33] size0 a + size0 childt) < ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b)) /\ (([#"../bdd.rs" 367 14 367 50] interp0 a (discr_valuation self a childt) <> interp0 childt (discr_valuation self a childt)) + -> (let result = Map.set (discr_valuation self a childt) v true in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result)) end - else - match a with - | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_If v childta childfa) _ -> match b with - | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_If _ childtb childfb) _ -> if pure {childfa <> childfb} then - let a' = discr_valuation self childfa childfb in Map.set a' v false - else - let a' = discr_valuation self childta childtb in Map.set a' v true - - | _ -> Const.const true + | _ -> let result = Const.const true in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result + end + | False -> match a with + | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_If v childta childfa) _ -> match b with + | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_If _ childtb childfb) _ -> match childfa <> childfb with + | True -> ((([#"../bdd.rs" 370 23 370 27] inv0 self) && ([#"../bdd.rs" 366 15 366 21] childfa <> childfb) && ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self childfb) && ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self 
childfa)) /\ 0 <= ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b) /\ ([#"../bdd.rs" 368 14 368 33] size0 childfa + size0 childfb) < ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b)) /\ (([#"../bdd.rs" 367 14 367 50] interp0 childfa (discr_valuation self childfa childfb) <> interp0 childfb (discr_valuation self childfa childfb)) + -> (let result = Map.set (discr_valuation self childfa childfb) v false in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result)) + | False -> ((([#"../bdd.rs" 370 23 370 27] inv0 self) && ([#"../bdd.rs" 366 15 366 21] childta <> childtb) && ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self childtb) && ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self childta)) /\ 0 <= ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b) /\ ([#"../bdd.rs" 368 14 368 33] size0 childta + size0 childtb) < ([#"../bdd.rs" 368 14 368 33] size0 a + size0 b)) /\ (([#"../bdd.rs" 367 14 367 50] interp0 childta (discr_valuation self childta childtb) <> interp0 childtb (discr_valuation self childta childtb)) + -> (let result = Map.set (discr_valuation self childta childtb) v true in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result)) end - | _ -> Const.const true + | _ -> let result = Const.const true in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result end - - + | _ -> let result = Const.const true in [#"../bdd.rs" 367 14 367 50] interp0 a result <> interp0 b result + end + end + end) end module Bdd_Impl10_BddCanonical_Impl use Bdd_Bdd_Type as Bdd_Bdd_Type @@ -1505,7 +1525,7 @@ module Bdd_Impl10_BddCanonical_Impl ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -1517,14 +1537,14 @@ module Bdd_Impl10_BddCanonical_Impl predicate invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model0 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model1 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model1 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model5 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model6 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant0 self } 
@@ -1551,7 +1571,10 @@ module Bdd_Impl10_BddCanonical_Impl requires {[#"../bdd.rs" 351 26 351 30] inv0 self} ensures { result = set_irrelevent_var0 self a x v b } - axiom set_irrelevent_var0_spec : forall self : Bdd_Context_Type.t_context, a : Bdd_Bdd_Type.t_bdd, x : uint64, v : Map.map uint64 bool, b : bool . ([#"../bdd.rs" 348 15 348 35] is_valid_bdd0 self a) -> ([#"../bdd.rs" 349 15 349 32] UInt64.to_int x < leastvar0 a) -> ([#"../bdd.rs" 351 26 351 30] inv0 self) -> ([#"../bdd.rs" 350 14 350 50] interp0 a v = interp0 a (Map.set v x b)) + axiom set_irrelevent_var0_spec : forall self : Bdd_Context_Type.t_context, a : Bdd_Bdd_Type.t_bdd, x : uint64, v : Map.map uint64 bool, b : bool . ([#"../bdd.rs" 348 15 348 35] is_valid_bdd0 self a) + -> ([#"../bdd.rs" 349 15 349 32] UInt64.to_int x < leastvar0 a) + -> ([#"../bdd.rs" 351 26 351 30] inv0 self) + -> ([#"../bdd.rs" 350 14 350 50] interp0 a v = interp0 a (Map.set v x b)) function size0 [#"../bdd.rs" 224 4 224 24] (self : Bdd_Bdd_Type.t_bdd) : int = [#"../bdd.rs" 226 12 234 13] match self with | Bdd_Bdd_Type.C_Bdd (Bdd_Node_Type.C_True) _ -> 0 
@@ -1604,16 +1627,21 @@ module Bdd_Impl10_BddCanonical_Impl requires {[#"../bdd.rs" 370 23 370 27] inv0 self} ensures { result = discr_valuation0 self a b } - axiom discr_valuation0_spec : forall self : Bdd_Context_Type.t_context, a : Bdd_Bdd_Type.t_bdd, b : Bdd_Bdd_Type.t_bdd . ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self a) -> ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self b) -> ([#"../bdd.rs" 366 15 366 21] a <> b) -> ([#"../bdd.rs" 370 23 370 27] inv0 self) -> ([#"../bdd.rs" 367 14 367 50] interp0 a (discr_valuation0 self a b) <> interp0 b (discr_valuation0 self a b)) - let rec ghost function bdd_canonical [#"../bdd.rs" 418 4 418 62] (self : Bdd_Context_Type.t_context) (a : Bdd_Bdd_Type.t_bdd) (b : Bdd_Bdd_Type.t_bdd) : () - requires {[#"../bdd.rs" 413 15 413 35] is_valid_bdd0 self a} - requires {[#"../bdd.rs" 414 15 414 35] is_valid_bdd0 self b} - requires {[#"../bdd.rs" 415 4 415 56] forall v : Map.map uint64 bool . interp0 a v = interp0 b v} - requires {[#"../bdd.rs" 418 25 418 29] inv0 self} - ensures { [#"../bdd.rs" 416 14 416 20] a = b } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../bdd.rs" 419 8 419 29] let _ = () in () + axiom discr_valuation0_spec : forall self : Bdd_Context_Type.t_context, a : Bdd_Bdd_Type.t_bdd, b : Bdd_Bdd_Type.t_bdd . ([#"../bdd.rs" 364 15 364 35] is_valid_bdd0 self a) + -> ([#"../bdd.rs" 365 15 365 35] is_valid_bdd0 self b) + -> ([#"../bdd.rs" 366 15 366 21] a <> b) + -> ([#"../bdd.rs" 370 23 370 27] inv0 self) + -> ([#"../bdd.rs" 367 14 367 50] interp0 a (discr_valuation0 self a b) <> interp0 b (discr_valuation0 self a b)) + constant self : Bdd_Context_Type.t_context + constant a : Bdd_Bdd_Type.t_bdd + constant b : Bdd_Bdd_Type.t_bdd + function bdd_canonical [#"../bdd.rs" 418 4 418 62] (self : Bdd_Context_Type.t_context) (a : Bdd_Bdd_Type.t_bdd) (b : Bdd_Bdd_Type.t_bdd) : () + + goal vc_bdd_canonical : ([#"../bdd.rs" 418 25 418 29] inv0 self) + -> ([#"../bdd.rs" 415 4 415 56] forall v : Map.map uint64 bool . 
interp0 a v = interp0 b v) + -> ([#"../bdd.rs" 414 15 414 35] is_valid_bdd0 self b) + -> ([#"../bdd.rs" 413 15 413 35] is_valid_bdd0 self a) + -> (let _ = discr_valuation0 in [#"../bdd.rs" 416 14 416 20] a = b) end module Bdd_Impl11_New use Bdd_Bdd_Type as Bdd_Bdd_Type @@ -1701,7 +1729,7 @@ module Bdd_Impl11_New ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -1713,14 +1741,14 @@ module Bdd_Impl11_New predicate invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model0 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model3 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model3 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model1 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model2 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant0 self } @@ -1733,7 +1761,7 @@ module Bdd_Impl11_New | Bdd_Context_Type.C_Context alloc hashcons hashcons_ghost not_memo and_memo cnt -> true end) use Bdd_Bumpalo_Bump_Type as Bdd_Bumpalo_Bump_Type - use prelude.Ghost + use prelude.Snapshot use map.Const val new3 [#"../bdd.rs" 69 8 69 28] (_1 : ()) : Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd, Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd) ensures { [#"../bdd.rs" 67 18 67 47] shallow_model2 result = Const.const (Core_Option_Option_Type.C_None) } 
@@ -1742,14 +1770,14 @@ module Bdd_Impl11_New val new2 [#"../bdd.rs" 69 8 69 28] (_1 : ()) : Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd) ensures { [#"../bdd.rs" 67 18 67 47] shallow_model1 result = Const.const (Core_Option_Option_Type.C_None) } - use prelude.Ghost + use prelude.Snapshot use map.Const use map.Const val new0 [#"../bdd.rs" 69 8 69 28] (_1 : ()) : Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Node_Type.t_node) (Bdd_Bdd_Type.t_bdd) ensures { [#"../bdd.rs" 67 18 67 47] shallow_model0 result = Const.const (Core_Option_Option_Type.C_None) } let constant promoted0 [#"../bdd.rs" 424 4 424 52] : Bdd_Node_Type.t_node = [@vc:do_not_keep_trace] [@vc:sp] - let _1 = [#"../bdd.rs" 425 17 425 21] Bdd_Node_Type.C_True in let _0 = [#"../bdd.rs" 425 16 425 21] _1 in _0 + let _1 = Bdd_Node_Type.C_True in let _0 = _1 in _0 let rec cfg new [#"../bdd.rs" 424 4 424 52] [@cfg:stackify] [@cfg:subregion_analysis] (alloc : Bdd_Bumpalo_Bump_Type.t_bump) : Bdd_Context_Type.t_context ensures { [#"../bdd.rs" 424 48 424 52] inv0 result } @@ -1758,7 +1786,7 @@ module Bdd_Impl11_New var alloc : Bdd_Bumpalo_Bump_Type.t_bump = alloc; var t : Bdd_Node_Type.t_node; var _5 : Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Node_Type.t_node) (Bdd_Bdd_Type.t_bdd); - var _6 : Ghost.ghost_ty (Map.map uint64 (Bdd_Node_Type.t_node)); + var _6 : Snapshot.snap_ty (Map.map uint64 (Bdd_Node_Type.t_node)); var _8 : Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd); var _9 : Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd, Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd); var _10 : Bdd_Node_Type.t_node; 
@@ -1766,27 +1794,27 @@ module Bdd_Impl11_New goto BB0 } BB0 { - [#"../bdd.rs" 425 16 425 21] _10 <- ([#"../bdd.rs" 425 16 425 21] [#"../bdd.rs" 425 16 425 21] promoted0); - [#"../bdd.rs" 425 16 425 21] t <- ([#"../bdd.rs" 425 16 425 21] _10); - [#"../bdd.rs" 428 22 428 47] _5 <- ([#"../bdd.rs" 428 22 428 47] new0 ()); + [#"../bdd.rs" 425 16 425 21] _10 <- ([#"../bdd.rs" 425 16 425 21] promoted0); + [#"../bdd.rs" 425 16 425 21] t <- _10; + [#"../bdd.rs" 428 22 428 47] _5 <- ([#"../bdd.rs" 428 22 428 47] new0 ([#"../bdd.rs" 428 22 428 47] ())); goto BB1 } BB1 { - [#"../bdd.rs" 429 28 429 51] _6 <- ([#"../bdd.rs" 429 28 429 51] Ghost.new (Const.const t)); + [#"../bdd.rs" 429 28 429 57] _6 <- ([#"../bdd.rs" 429 28 429 57] Snapshot.new (Const.const t)); goto BB2 } BB2 { - [#"../bdd.rs" 430 22 430 47] _8 <- ([#"../bdd.rs" 430 22 430 47] new2 ()); + [#"../bdd.rs" 430 22 430 47] _8 <- ([#"../bdd.rs" 430 22 430 47] new2 ([#"../bdd.rs" 430 22 430 47] ())); goto BB3 } BB3 { - [#"../bdd.rs" 431 22 431 47] _9 <- ([#"../bdd.rs" 431 22 431 47] new3 ()); + [#"../bdd.rs" 431 22 431 47] _9 <- ([#"../bdd.rs" 431 22 431 47] new3 ([#"../bdd.rs" 431 22 431 47] ())); goto BB4 } BB4 { - [#"../bdd.rs" 426 8 433 9] _0 <- ([#"../bdd.rs" 426 8 433 9] Bdd_Context_Type.C_Context ([#"../bdd.rs" 427 12 427 17] alloc) _5 _6 _8 _9 ([#"../bdd.rs" 432 17 432 18] [#"../bdd.rs" 432 17 432 18] (0 : uint64))); + [#"../bdd.rs" 426 8 433 9] _0 <- Bdd_Context_Type.C_Context alloc _5 _6 _8 _9 ([#"../bdd.rs" 432 17 432 18] (0 : uint64)); _5 <- any Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Node_Type.t_node) (Bdd_Bdd_Type.t_bdd); - _6 <- any Ghost.ghost_ty (Map.map uint64 (Bdd_Node_Type.t_node)); + _6 <- any Snapshot.snap_ty (Map.map uint64 (Bdd_Node_Type.t_node)); _8 <- any Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd); _9 <- any Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd, Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd); return _0 
@@ -1879,7 +1907,7 @@ module Bdd_Impl11_Hashcons ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -1891,14 +1919,14 @@ module Bdd_Impl11_Hashcons predicate invariant7 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model3 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model0 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model0 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model7 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model8 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant7 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant7 self } @@ -1988,8 +2016,8 @@ module Bdd_Impl11_Hashcons val grows0 [#"../bdd.rs" 296 4 296 35] (self : borrowed (Bdd_Context_Type.t_context)) : bool ensures { result = grows0 self } - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot use map.Map function shallow_model4 (self : borrowed (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Node_Type.t_node) (Bdd_Bdd_Type.t_bdd))) : Map.map (Bdd_NodeLog_Type.t_nodelog) (Core_Option_Option_Type.t_option (Bdd_Bdd_Type.t_bdd)) 
@@ -2001,7 +2029,8 @@ module Bdd_Impl11_Hashcons val add0 [#"../bdd.rs" 54 8 54 45] (self : borrowed (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Node_Type.t_node) (Bdd_Bdd_Type.t_bdd))) (key : Bdd_Node_Type.t_node) (val' : Bdd_Bdd_Type.t_bdd) : () requires {[#"../bdd.rs" 54 30 54 33] inv3 key} requires {[#"../bdd.rs" 54 38 54 41] inv5 val'} - ensures { [#"../bdd.rs" 52 8 52 128] forall i : Bdd_NodeLog_Type.t_nodelog . inv6 i -> Map.get (shallow_model3 ( ^ self)) i = (if i = deep_model1 key then + ensures { [#"../bdd.rs" 52 8 52 128] forall i : Bdd_NodeLog_Type.t_nodelog . inv6 i + -> Map.get (shallow_model3 ( ^ self)) i = (if i = deep_model1 key then Core_Option_Option_Type.C_Some val' else Map.get (shallow_model4 self) i @@ -2061,13 +2090,15 @@ module Bdd_Impl11_Hashcons var _19 : borrowed (Bdd_Node_Type.t_node); var _23 : (); var _24 : borrowed (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Node_Type.t_node) (Bdd_Bdd_Type.t_bdd)); - var _27 : Ghost.ghost_ty (Map.map uint64 (Bdd_Node_Type.t_node)); + var _27 : Snapshot.snap_ty (Map.map uint64 (Bdd_Node_Type.t_node)); + var _30 : bool; + var _32 : uint64; { goto BB0 } BB0 { - [#"../bdd.rs" 441 44 441 46] _11 <- ([#"../bdd.rs" 441 44 441 46] n); - [#"../bdd.rs" 441 26 441 47] _8 <- ([#"../bdd.rs" 441 26 441 47] get0 ([#"../bdd.rs" 441 26 441 39] Bdd_Context_Type.context_hashcons ( * self)) ([#"../bdd.rs" 441 44 441 46] _11)); + [#"../bdd.rs" 441 44 441 46] _11 <- n; + [#"../bdd.rs" 441 26 441 47] _8 <- ([#"../bdd.rs" 441 26 441 47] get0 (Bdd_Context_Type.context_hashcons ( * self)) _11); goto BB1 } BB1 { 
@@ -2080,34 +2111,37 @@ module Bdd_Impl11_Hashcons goto BB3 } BB3 { - [#"../bdd.rs" 441 21 441 22] r <- ([#"../bdd.rs" 441 21 441 22] Core_Option_Option_Type.some_0 _8); + [#"../bdd.rs" 441 21 441 22] r <- Core_Option_Option_Type.some_0 _8; assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; assert { [@expl:assertion] [#"../bdd.rs" 442 28 442 38] shallow_model0 (Bdd_Bdd_Type.bdd_0 r) = shallow_model1 n }; - [#"../bdd.rs" 443 19 443 20] _0 <- ([#"../bdd.rs" 443 19 443 20] r); + [#"../bdd.rs" 443 19 443 20] _0 <- r; goto BB12 } BB4 { - [#"../bdd.rs" 445 20 445 39] _19 <- ([#"../bdd.rs" 445 20 445 39] alloc0 ([#"../bdd.rs" 445 20 445 30] Bdd_Context_Type.context_alloc ( * self)) ([#"../bdd.rs" 445 37 445 38] n)); + [#"../bdd.rs" 445 20 445 39] _19 <- ([#"../bdd.rs" 445 20 445 39] alloc0 (Bdd_Context_Type.context_alloc ( * self)) n); goto BB5 } BB5 { - [#"../bdd.rs" 445 16 445 50] r1 <- ([#"../bdd.rs" 445 16 445 50] Bdd_Bdd_Type.C_Bdd ([#"../bdd.rs" 445 20 445 39] * _19) ([#"../bdd.rs" 445 41 445 49] Bdd_Context_Type.context_cnt ( * self))); + [#"../bdd.rs" 445 16 445 50] r1 <- Bdd_Bdd_Type.C_Bdd ( * _19) (Bdd_Context_Type.context_cnt ( * self)); assume { resolve1 _19 }; [#"../bdd.rs" 446 8 446 21] _24 <- Borrow.borrow_final (Bdd_Context_Type.context_hashcons ( * self)) (Borrow.inherit_id (Borrow.get_id self) 2); [#"../bdd.rs" 446 8 446 21] self <- { self with current = (let Bdd_Context_Type.C_Context x0 x1 x2 x3 x4 x5 = * self in Bdd_Context_Type.C_Context x0 ( ^ _24) x2 x3 x4 x5) ; }; - [#"../bdd.rs" 446 8 446 31] _23 <- ([#"../bdd.rs" 446 8 446 31] add0 _24 ([#"../bdd.rs" 446 26 446 27] n) ([#"../bdd.rs" 446 29 446 30] r1)); + [#"../bdd.rs" 446 8 446 31] _23 <- ([#"../bdd.rs" 446 8 446 31] add0 _24 n r1); _24 <- any borrowed (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Node_Type.t_node) (Bdd_Bdd_Type.t_bdd)); goto BB6 } BB6 { - [#"../bdd.rs" 447 30 447 71] _27 <- ([#"../bdd.rs" 447 30 447 71] Ghost.new (Map.set (Ghost.inner 
(Bdd_Context_Type.context_hashcons_ghost ( * self))) (Bdd_Bdd_Type.bdd_1 r1) (Bdd_Bdd_Type.bdd_0 r1))); + [#"../bdd.rs" 447 30 447 77] _27 <- ([#"../bdd.rs" 447 30 447 77] Snapshot.new (Map.set (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost ( * self))) (Bdd_Bdd_Type.bdd_1 r1) (Bdd_Bdd_Type.bdd_0 r1))); goto BB7 } BB7 { - [#"../bdd.rs" 447 8 447 71] self <- { self with current = (let Bdd_Context_Type.C_Context x0 x1 x2 x3 x4 x5 = * self in Bdd_Context_Type.C_Context x0 x1 ([#"../bdd.rs" 447 8 447 71] _27) x3 x4 x5) ; }; - [#"../bdd.rs" 447 8 447 71] _27 <- any Ghost.ghost_ty (Map.map uint64 (Bdd_Node_Type.t_node)); - switch ([#"../bdd.rs" 448 11 448 34] ([#"../bdd.rs" 448 11 448 19] Bdd_Context_Type.context_cnt ( * self)) > ([#"../bdd.rs" 448 22 448 34] ([#"../bdd.rs" 448 22 448 30] [#"../bdd.rs" 448 22 448 30] (18446744073709551615 : uint64)) - ([#"../bdd.rs" 448 33 448 34] [#"../bdd.rs" 448 33 448 34] (1 : uint64)))) + [#"../bdd.rs" 447 8 447 77] self <- { self with current = (let Bdd_Context_Type.C_Context x0 x1 x2 x3 x4 x5 = * self in Bdd_Context_Type.C_Context x0 x1 _27 x3 x4 x5) ; }; + _27 <- any Snapshot.snap_ty (Map.map uint64 (Bdd_Node_Type.t_node)); + [#"../bdd.rs" 448 22 448 34] _32 <- ([#"../bdd.rs" 448 22 448 30] (18446744073709551615 : uint64)) - ([#"../bdd.rs" 448 33 448 34] (1 : uint64)); + [#"../bdd.rs" 448 11 448 34] _30 <- Bdd_Context_Type.context_cnt ( * self) > _32; + _32 <- any uint64; + switch (_30) | False -> goto BB11 | True -> goto BB8 end 
@@ -2119,14 +2153,14 @@ module Bdd_Impl11_Hashcons goto BB10 } BB10 { - [#"../bdd.rs" 451 16 451 35] self <- { self with current = (let Bdd_Context_Type.C_Context x0 x1 x2 x3 x4 x5 = * self in Bdd_Context_Type.C_Context x0 x1 x2 x3 x4 ([#"../bdd.rs" 451 27 451 35] Bdd_Context_Type.context_cnt ( * self))) ; }; + [#"../bdd.rs" 451 16 451 35] self <- { self with current = (let Bdd_Context_Type.C_Context x0 x1 x2 x3 x4 x5 = * self in Bdd_Context_Type.C_Context x0 x1 x2 x3 x4 (Bdd_Context_Type.context_cnt ( * self))) ; }; goto BB9 } BB11 { - [#"../bdd.rs" 454 8 454 21] self <- { self with current = (let Bdd_Context_Type.C_Context x0 x1 x2 x3 x4 x5 = * self in Bdd_Context_Type.C_Context x0 x1 x2 x3 x4 ([#"../bdd.rs" 454 8 454 21] Bdd_Context_Type.context_cnt ( * self) + ([#"../bdd.rs" 454 20 454 21] [#"../bdd.rs" 454 20 454 21] (1 : uint64)))) ; }; + [#"../bdd.rs" 454 8 454 21] self <- { self with current = (let Bdd_Context_Type.C_Context x0 x1 x2 x3 x4 x5 = * self in Bdd_Context_Type.C_Context x0 x1 x2 x3 x4 (Bdd_Context_Type.context_cnt ( * self) + ([#"../bdd.rs" 454 20 454 21] (1 : uint64)))) ; }; assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../bdd.rs" 455 8 455 9] _0 <- ([#"../bdd.rs" 455 8 455 9] r1); + [#"../bdd.rs" 455 8 455 9] _0 <- r1; goto BB12 } BB12 { @@ -2234,7 +2268,7 @@ module Bdd_Impl11_Node ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -2246,14 +2280,14 @@ module Bdd_Impl11_Node predicate invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model2 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model3 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model3 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model7 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model8 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant0 self } @@ -2321,11 +2355,12 @@ module Bdd_Impl11_Node var childf : Bdd_Bdd_Type.t_bdd = childf; var _13 : bool; var _17 : borrowed (Bdd_Context_Type.t_context); + var _18 : Bdd_Node_Type.t_node; { goto BB0 } BB0 { - [#"../bdd.rs" 466 11 466 27] _13 <- ([#"../bdd.rs" 466 11 466 27] eq0 ([#"../bdd.rs" 466 11 466 17] childt) ([#"../bdd.rs" 466 21 466 27] childf)); + [#"../bdd.rs" 466 11 466 27] _13 <- ([#"../bdd.rs" 466 11 466 27] eq0 childt childf); goto BB1 } BB1 { 
@@ -2337,15 +2372,17 @@ module Bdd_Impl11_Node BB2 { assert { [@expl:type invariant] inv1 self }; assume { resolve0 self }; - [#"../bdd.rs" 467 19 467 25] _0 <- ([#"../bdd.rs" 467 19 467 25] childt); + [#"../bdd.rs" 467 19 467 25] _0 <- childt; goto BB5 } BB3 { [#"../bdd.rs" 469 8 469 12] _17 <- Borrow.borrow_final ( * self) (Borrow.get_id self); [#"../bdd.rs" 469 8 469 12] self <- { self with current = ( ^ _17) ; }; assume { inv0 ( ^ _17) }; - [#"../bdd.rs" 469 8 469 50] _0 <- ([#"../bdd.rs" 469 8 469 50] hashcons0 _17 ([#"../bdd.rs" 469 22 469 49] Bdd_Node_Type.C_If ([#"../bdd.rs" 469 30 469 31] x) ([#"../bdd.rs" 469 33 469 39] childt) ([#"../bdd.rs" 469 41 469 47] childf))); + [#"../bdd.rs" 469 22 469 49] _18 <- Bdd_Node_Type.C_If x childt childf; + [#"../bdd.rs" 469 8 469 50] _0 <- ([#"../bdd.rs" 469 8 469 50] hashcons0 _17 _18); _17 <- any borrowed (Bdd_Context_Type.t_context); + _18 <- any Bdd_Node_Type.t_node; goto BB4 } BB4 { @@ -2458,7 +2495,7 @@ module Bdd_Impl11_True ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -2470,14 +2507,14 @@ module Bdd_Impl11_True predicate invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model1 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model5 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model6 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant0 self } @@ -2516,6 +2553,7 @@ module Bdd_Impl11_True var _0 : Bdd_Bdd_Type.t_bdd; var self : borrowed (Bdd_Context_Type.t_context) = self; var _6 : borrowed (Bdd_Context_Type.t_context); + var _7 : Bdd_Node_Type.t_node; { goto BB0 } 
@@ -2523,8 +2561,10 @@ module Bdd_Impl11_True [#"../bdd.rs" 477 8 477 12] _6 <- Borrow.borrow_final ( * self) (Borrow.get_id self); [#"../bdd.rs" 477 8 477 12] self <- { self with current = ( ^ _6) ; }; assume { inv0 ( ^ _6) }; - [#"../bdd.rs" 477 8 477 27] _0 <- ([#"../bdd.rs" 477 8 477 27] hashcons0 _6 ([#"../bdd.rs" 477 22 477 26] Bdd_Node_Type.C_True)); + [#"../bdd.rs" 477 22 477 26] _7 <- Bdd_Node_Type.C_True; + [#"../bdd.rs" 477 8 477 27] _0 <- ([#"../bdd.rs" 477 8 477 27] hashcons0 _6 _7); _6 <- any borrowed (Bdd_Context_Type.t_context); + _7 <- any Bdd_Node_Type.t_node; goto BB1 } BB1 { @@ -2634,7 +2674,7 @@ module Bdd_Impl11_False ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -2646,14 +2686,14 @@ module Bdd_Impl11_False predicate invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model1 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model5 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model6 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant0 self } @@ -2692,6 +2732,7 @@ module Bdd_Impl11_False var _0 : Bdd_Bdd_Type.t_bdd; var self : borrowed (Bdd_Context_Type.t_context) = self; var _6 : borrowed (Bdd_Context_Type.t_context); + var _7 : Bdd_Node_Type.t_node; { goto BB0 } 
@@ -2699,8 +2740,10 @@ module Bdd_Impl11_False [#"../bdd.rs" 485 8 485 12] _6 <- Borrow.borrow_final ( * self) (Borrow.get_id self); [#"../bdd.rs" 485 8 485 12] self <- { self with current = ( ^ _6) ; }; assume { inv0 ( ^ _6) }; - [#"../bdd.rs" 485 8 485 28] _0 <- ([#"../bdd.rs" 485 8 485 28] hashcons0 _6 ([#"../bdd.rs" 485 22 485 27] Bdd_Node_Type.C_False)); + [#"../bdd.rs" 485 22 485 27] _7 <- Bdd_Node_Type.C_False; + [#"../bdd.rs" 485 8 485 28] _0 <- ([#"../bdd.rs" 485 8 485 28] hashcons0 _6 _7); _6 <- any borrowed (Bdd_Context_Type.t_context); + _7 <- any Bdd_Node_Type.t_node; goto BB1 } BB1 { @@ -2810,7 +2853,7 @@ module Bdd_Impl11_V ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -2822,14 +2865,14 @@ module Bdd_Impl11_V predicate invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model1 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model2 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model5 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model6 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant0 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant0 self } @@ -2916,7 +2959,7 @@ module Bdd_Impl11_V [#"../bdd.rs" 494 8 494 12] _10 <- Borrow.borrow_final ( * self) (Borrow.get_id self); [#"../bdd.rs" 494 8 494 12] self <- { self with current = ( ^ _10) ; }; assume { inv0 ( ^ _10) }; - [#"../bdd.rs" 494 8 494 26] _0 <- ([#"../bdd.rs" 494 8 494 26] node0 _10 ([#"../bdd.rs" 494 18 494 19] x) ([#"../bdd.rs" 494 21 494 22] t) ([#"../bdd.rs" 494 24 494 25] f)); + [#"../bdd.rs" 494 8 494 26] _0 <- ([#"../bdd.rs" 494 8 494 26] node0 _10 x t f); _10 <- any borrowed (Bdd_Context_Type.t_context); goto BB3 } 
@@ -3053,7 +3096,7 @@ module Bdd_Impl11_Not ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -3065,14 +3108,14 @@ module Bdd_Impl11_Not predicate invariant1 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model4 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model5 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model5 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model2 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model8 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant1 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant1 self } 
@@ -3127,7 +3170,8 @@ module Bdd_Impl11_Not val add0 [#"../bdd.rs" 54 8 54 45] (self : borrowed (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd))) (key : Bdd_Bdd_Type.t_bdd) (val' : Bdd_Bdd_Type.t_bdd) : () requires {[#"../bdd.rs" 54 30 54 33] inv4 key} requires {[#"../bdd.rs" 54 38 54 41] inv4 val'} - ensures { [#"../bdd.rs" 52 8 52 128] forall i : uint64 . inv5 i -> Map.get (shallow_model2 ( ^ self)) i = (if i = deep_model1 key then + ensures { [#"../bdd.rs" 52 8 52 128] forall i : uint64 . inv5 i + -> Map.get (shallow_model2 ( ^ self)) i = (if i = deep_model1 key then Core_Option_Option_Type.C_Some val' else Map.get (shallow_model3 self) i 
@@ -3219,56 +3263,56 @@ module Bdd_Impl11_Not goto BB0 } BB0 { - [#"../bdd.rs" 504 43 504 45] _13 <- ([#"../bdd.rs" 504 43 504 45] x); - [#"../bdd.rs" 504 25 504 46] _10 <- ([#"../bdd.rs" 504 25 504 46] get0 ([#"../bdd.rs" 504 25 504 38] Bdd_Context_Type.context_not_memo ( * self)) ([#"../bdd.rs" 504 43 504 45] _13)); + [#"../bdd.rs" 504 43 504 45] _13 <- x; + [#"../bdd.rs" 504 25 504 46] _10 <- ([#"../bdd.rs" 504 25 504 46] get0 (Bdd_Context_Type.context_not_memo ( * self)) _13); goto BB1 } BB1 { switch (_10) | Core_Option_Option_Type.C_Some _ -> goto BB2 - | _ -> goto BB5 + | _ -> goto BB4 end } BB2 { goto BB3 } BB3 { - [#"../bdd.rs" 504 20 504 21] r <- ([#"../bdd.rs" 504 20 504 21] Core_Option_Option_Type.some_0 _10); - [#"../bdd.rs" 505 19 505 21] _0 <- ([#"../bdd.rs" 505 19 505 21] r); + [#"../bdd.rs" 504 20 504 21] r <- Core_Option_Option_Type.some_0 _10; + [#"../bdd.rs" 505 19 505 21] _0 <- r; assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; goto BB18 } BB4 { - assert { [@expl:type invariant] inv0 self }; - assume { resolve0 self }; - assert { [#"../bdd.rs" 504 47 506 9] false }; - absurd - } - BB5 { switch (Bdd_Bdd_Type.bdd_0 x) - | Bdd_Node_Type.C_False -> goto BB6 - | Bdd_Node_Type.C_True -> goto BB7 - | Bdd_Node_Type.C_If _ _ _ -> goto BB8 + | Bdd_Node_Type.C_False -> goto BB5 + | Bdd_Node_Type.C_True -> goto BB6 + | Bdd_Node_Type.C_If _ _ _ -> goto BB7 end } - BB6 { + BB5 { goto BB11 } - BB7 { + BB6 { goto BB9 } - BB8 { - [#"../bdd.rs" 510 17 510 18] v <- ([#"../bdd.rs" 510 17 510 18] Bdd_Node_Type.if_v (Bdd_Bdd_Type.bdd_0 x)); - [#"../bdd.rs" 510 20 510 26] childt <- ([#"../bdd.rs" 510 20 510 26] Bdd_Node_Type.if_childt (Bdd_Bdd_Type.bdd_0 x)); - [#"../bdd.rs" 510 28 510 34] childf <- ([#"../bdd.rs" 510 28 510 34] Bdd_Node_Type.if_childf (Bdd_Bdd_Type.bdd_0 x)); + BB7 { + [#"../bdd.rs" 510 17 510 18] v <- Bdd_Node_Type.if_v (Bdd_Bdd_Type.bdd_0 x); + [#"../bdd.rs" 510 20 510 26] childt <- Bdd_Node_Type.if_childt (Bdd_Bdd_Type.bdd_0 
x); + [#"../bdd.rs" 510 28 510 34] childf <- Bdd_Node_Type.if_childf (Bdd_Bdd_Type.bdd_0 x); [#"../bdd.rs" 511 29 511 33] _25 <- Borrow.borrow_mut ( * self); [#"../bdd.rs" 511 29 511 33] self <- { self with current = ( ^ _25) ; }; assume { inv1 ( ^ _25) }; - [#"../bdd.rs" 511 29 511 45] childt1 <- ([#"../bdd.rs" 511 29 511 45] not' _25 ([#"../bdd.rs" 511 38 511 44] childt)); + [#"../bdd.rs" 511 29 511 45] childt1 <- ([#"../bdd.rs" 511 29 511 45] not' _25 childt); _25 <- any borrowed (Bdd_Context_Type.t_context); goto BB13 } + BB8 { + assert { [@expl:type invariant] inv0 self }; + assume { resolve0 self }; + assert { [#"../bdd.rs" 507 22 507 26] false }; + absurd + } BB9 { [#"../bdd.rs" 508 20 508 24] _19 <- Borrow.borrow_mut ( * self); [#"../bdd.rs" 508 20 508 24] self <- { self with current = ( ^ _19) ; }; @@ -3295,7 +3339,7 @@ module Bdd_Impl11_Not [#"../bdd.rs" 512 29 512 33] _28 <- Borrow.borrow_mut ( * self); [#"../bdd.rs" 512 29 512 33] self <- { self with current = ( ^ _28) ; }; assume { inv1 ( ^ _28) }; - [#"../bdd.rs" 512 29 512 45] childf1 <- ([#"../bdd.rs" 512 29 512 45] not' _28 ([#"../bdd.rs" 512 38 512 44] childf)); + [#"../bdd.rs" 512 29 512 45] childf1 <- ([#"../bdd.rs" 512 29 512 45] not' _28 childf); _28 <- any borrowed (Bdd_Context_Type.t_context); goto BB14 } @@ -3303,7 +3347,7 @@ module Bdd_Impl11_Not [#"../bdd.rs" 513 16 513 20] _30 <- Borrow.borrow_mut ( * self); [#"../bdd.rs" 513 16 513 20] self <- { self with current = ( ^ _30) ; }; assume { inv1 ( ^ _30) }; - [#"../bdd.rs" 513 16 513 44] r1 <- ([#"../bdd.rs" 513 16 513 44] node0 _30 ([#"../bdd.rs" 513 26 513 27] v) ([#"../bdd.rs" 513 29 513 35] childt1) ([#"../bdd.rs" 513 37 513 43] childf1)); + [#"../bdd.rs" 513 16 513 44] r1 <- ([#"../bdd.rs" 513 16 513 44] node0 _30 v childt1 childf1); _30 <- any borrowed (Bdd_Context_Type.t_context); goto BB15 } 
@@ -3313,14 +3357,14 @@ module Bdd_Impl11_Not BB16 { [#"../bdd.rs" 516 8 516 21] _35 <- Borrow.borrow_final (Bdd_Context_Type.context_not_memo ( * self)) (Borrow.inherit_id (Borrow.get_id self) 4); [#"../bdd.rs" 516 8 516 21] self <- { self with current = (let Bdd_Context_Type.C_Context x0 x1 x2 x3 x4 x5 = * self in Bdd_Context_Type.C_Context x0 x1 x2 ( ^ _35) x4 x5) ; }; - [#"../bdd.rs" 516 8 516 31] _34 <- ([#"../bdd.rs" 516 8 516 31] add0 _35 ([#"../bdd.rs" 516 26 516 27] x) ([#"../bdd.rs" 516 29 516 30] r1)); + [#"../bdd.rs" 516 8 516 31] _34 <- ([#"../bdd.rs" 516 8 516 31] add0 _35 x r1); _35 <- any borrowed (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd)); goto BB17 } BB17 { assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../bdd.rs" 517 8 517 9] _0 <- ([#"../bdd.rs" 517 8 517 9] r1); + [#"../bdd.rs" 517 8 517 9] _0 <- r1; goto BB18 } BB18 { @@ -3508,7 +3552,7 @@ module Bdd_Impl11_And ensures { result = is_valid_bdd0 self b } use map.Map - use prelude.Ghost + use prelude.Snapshot predicate is_valid_node0 [#"../bdd.rs" 316 4 316 51] (self : Bdd_Context_Type.t_context) (n : Bdd_Node_Type.t_node) = [#"../bdd.rs" 318 12 327 13] match n with | Bdd_Node_Type.C_True -> true 
@@ -3520,14 +3564,14 @@ module Bdd_Impl11_And predicate invariant1 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) = [#"../bdd.rs" 264 12 288 19] (forall n : Bdd_NodeLog_Type.t_nodelog . match Map.get (shallow_model4 (Bdd_Context_Type.context_hashcons self)) n with - | Core_Option_Option_Type.C_Some b -> shallow_model5 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b + | Core_Option_Option_Type.C_Some b -> shallow_model5 (Bdd_Bdd_Type.bdd_0 b) = n /\ is_valid_node0 self (Bdd_Bdd_Type.bdd_0 b) /\ Bdd_Bdd_Type.bdd_1 b < Bdd_Context_Type.context_cnt self /\ Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (Bdd_Bdd_Type.bdd_1 b) = Bdd_Bdd_Type.bdd_0 b | Core_Option_Option_Type.C_None -> true end) /\ (forall bm : uint64 . match Map.get (shallow_model8 (Bdd_Context_Type.context_not_memo self)) bm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n + | Core_Option_Option_Type.C_Some n -> let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) bm) bm in is_valid_bdd0 self n /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (not interp0 b v)) /\ leastvar0 b <= leastvar0 n end) /\ (forall abm : (uint64, uint64) . 
match Map.get (shallow_model2 (Bdd_Context_Type.context_and_memo self)) abm with | Core_Option_Option_Type.C_None -> true - | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Ghost.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) + | Core_Option_Option_Type.C_Some n -> let a = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (a, _) = abm in a)) (let (a, _) = abm in a) in let b = Bdd_Bdd_Type.C_Bdd (Map.get (Snapshot.inner (Bdd_Context_Type.context_hashcons_ghost self)) (let (_, a) = abm in a)) (let (_, a) = abm in a) in is_valid_bdd0 self n /\ is_valid_bdd0 self a /\ is_valid_bdd0 self b /\ (forall v : Map.map uint64 bool . interp0 n v = (interp0 a v /\ interp0 b v)) /\ (leastvar0 a <= leastvar0 n \/ leastvar0 b <= leastvar0 n) end) val invariant1 [#"../bdd.rs" 262 4 262 30] (self : Bdd_Context_Type.t_context) : bool ensures { result = invariant1 self } 
@@ -3587,7 +3631,8 @@ module Bdd_Impl11_And val add0 [#"../bdd.rs" 54 8 54 45] (self : borrowed (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd, Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd))) (key : (Bdd_Bdd_Type.t_bdd, Bdd_Bdd_Type.t_bdd)) (val' : Bdd_Bdd_Type.t_bdd) : () requires {[#"../bdd.rs" 54 30 54 33] inv4 key} requires {[#"../bdd.rs" 54 38 54 41] inv5 val'} - ensures { [#"../bdd.rs" 52 8 52 128] forall i : (uint64, uint64) . inv6 i -> Map.get (shallow_model2 ( ^ self)) i = (if i = deep_model2 key then + ensures { [#"../bdd.rs" 52 8 52 128] forall i : (uint64, uint64) . inv6 i + -> Map.get (shallow_model2 ( ^ self)) i = (if i = deep_model2 key then Core_Option_Option_Type.C_Some val' else Map.get (shallow_model3 self) i @@ -3608,7 +3653,7 @@ module Bdd_Impl11_And ensures { [#"../bdd.rs" 464 14 464 37] UInt64.to_int x <= leastvar0 result } function cmp_log0 (self : int) (o : int) : Core_Cmp_Ordering_Type.t_ordering = - [#"../../../../creusot-contracts/src/logic/ord.rs" 137 12 146 17] if self < o then + [#"../../../../creusot-contracts/src/logic/ord.rs" 140 16 146 17] if self < o then Core_Cmp_Ordering_Type.C_Less else if self = o then Core_Cmp_Ordering_Type.C_Equal else Core_Cmp_Ordering_Type.C_Greater 
@@ -3725,101 +3770,105 @@ module Bdd_Impl11_And var _74 : borrowed (Bdd_Context_Type.t_context); var _78 : (); var _79 : borrowed (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd, Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd)); + var _80 : (Bdd_Bdd_Type.t_bdd, Bdd_Bdd_Type.t_bdd); { goto BB0 } BB0 { - [#"../bdd.rs" 528 44 528 50] _16 <- ([#"../bdd.rs" 528 44 528 50] (([#"../bdd.rs" 528 45 528 46] a), ([#"../bdd.rs" 528 48 528 49] b))); - [#"../bdd.rs" 528 43 528 50] _15 <- ([#"../bdd.rs" 528 43 528 50] _16); - [#"../bdd.rs" 528 25 528 51] _12 <- ([#"../bdd.rs" 528 25 528 51] get0 ([#"../bdd.rs" 528 25 528 38] Bdd_Context_Type.context_and_memo ( * self)) ([#"../bdd.rs" 528 43 528 50] _15)); + [#"../bdd.rs" 528 44 528 50] _16 <- (a, b); + [#"../bdd.rs" 528 43 528 50] _15 <- _16; + [#"../bdd.rs" 528 25 528 51] _12 <- ([#"../bdd.rs" 528 25 528 51] get0 (Bdd_Context_Type.context_and_memo ( * self)) _15); goto BB1 } BB1 { assume { resolve0 _16 }; switch (_12) | Core_Option_Option_Type.C_Some _ -> goto BB2 - | _ -> goto BB5 + | _ -> goto BB4 end } BB2 { goto BB3 } BB3 { - [#"../bdd.rs" 528 20 528 21] r <- ([#"../bdd.rs" 528 20 528 21] Core_Option_Option_Type.some_0 _12); - [#"../bdd.rs" 529 19 529 21] _0 <- ([#"../bdd.rs" 529 19 529 21] r); + [#"../bdd.rs" 528 20 528 21] r <- Core_Option_Option_Type.some_0 _12; + [#"../bdd.rs" 529 19 529 21] _0 <- r; assert { [@expl:type invariant] inv0 self }; assume { resolve1 self }; - goto BB35 + goto BB36 } BB4 { - assert { [#"../bdd.rs" 528 52 530 9] false }; - absurd - } - BB5 { - [#"../bdd.rs" 531 22 531 34] _23 <- ([#"../bdd.rs" 531 22 531 34] (([#"../bdd.rs" 531 23 531 27] Bdd_Bdd_Type.bdd_0 a), ([#"../bdd.rs" 531 29 531 33] Bdd_Bdd_Type.bdd_0 b))); + [#"../bdd.rs" 531 22 531 34] _23 <- (Bdd_Bdd_Type.bdd_0 a, Bdd_Bdd_Type.bdd_0 b); switch (let (a, _) = _23 in a) - | Bdd_Node_Type.C_True -> goto BB7 - | _ -> goto BB6 + | Bdd_Node_Type.C_True -> goto BB6 + | _ -> goto BB5 end } - BB6 { + BB5 { switch (let (_, a) = _23 in a) 
- | Bdd_Node_Type.C_True -> goto BB9 - | _ -> goto BB8 + | Bdd_Node_Type.C_True -> goto BB8 + | _ -> goto BB7 end } - BB7 { + BB6 { goto BB15 } - BB8 { + BB7 { switch (let (a, _) = _23 in a) - | Bdd_Node_Type.C_False -> goto BB10 - | _ -> goto BB11 + | Bdd_Node_Type.C_False -> goto BB9 + | _ -> goto BB10 end } - BB9 { + BB8 { goto BB16 } - BB10 { + BB9 { goto BB17 } - BB11 { + BB10 { switch (let (_, a) = _23 in a) - | Bdd_Node_Type.C_False -> goto BB12 + | Bdd_Node_Type.C_False -> goto BB11 | Bdd_Node_Type.C_If _ _ _ -> goto BB13 - | _ -> goto BB38 + | _ -> goto BB12 end } - BB12 { + BB11 { goto BB17 } + BB12 { + assert { [@expl:type invariant] inv0 self }; + assume { resolve1 self }; + assume { resolve2 _23 }; + assert { [#"../bdd.rs" 531 22 531 34] false }; + absurd + } BB13 { switch (let (a, _) = _23 in a) | Bdd_Node_Type.C_If _ _ _ -> goto BB14 - | _ -> goto BB39 + | _ -> goto BB12 end } BB14 { - [#"../bdd.rs" 537 24 537 26] vb <- ([#"../bdd.rs" 537 24 537 26] Bdd_Node_Type.if_v (let (_, a) = _23 in a)); - [#"../bdd.rs" 537 36 537 43] childtb <- ([#"../bdd.rs" 537 36 537 43] Bdd_Node_Type.if_childt (let (_, a) = _23 in a)); - [#"../bdd.rs" 537 53 537 60] childfb <- ([#"../bdd.rs" 537 53 537 60] Bdd_Node_Type.if_childf (let (_, a) = _23 in a)); - [#"../bdd.rs" 536 24 536 26] va <- ([#"../bdd.rs" 536 24 536 26] Bdd_Node_Type.if_v (let (a, _) = _23 in a)); - [#"../bdd.rs" 536 36 536 43] childta <- ([#"../bdd.rs" 536 36 536 43] Bdd_Node_Type.if_childt (let (a, _) = _23 in a)); - [#"../bdd.rs" 536 53 536 60] childfa <- ([#"../bdd.rs" 536 53 536 60] Bdd_Node_Type.if_childf (let (a, _) = _23 in a)); + [#"../bdd.rs" 537 24 537 26] vb <- Bdd_Node_Type.if_v (let (_, a) = _23 in a); + [#"../bdd.rs" 537 36 537 43] childtb <- Bdd_Node_Type.if_childt (let (_, a) = _23 in a); + [#"../bdd.rs" 537 53 537 60] childfb <- Bdd_Node_Type.if_childf (let (_, a) = _23 in a); + [#"../bdd.rs" 536 24 536 26] va <- Bdd_Node_Type.if_v (let (a, _) = _23 in a); + [#"../bdd.rs" 536 36 536 43] 
childta <- Bdd_Node_Type.if_childt (let (a, _) = _23 in a); + [#"../bdd.rs" 536 53 536 60] childfa <- Bdd_Node_Type.if_childf (let (a, _) = _23 in a); assume { resolve2 _23 }; - [#"../bdd.rs" 540 29 540 32] _45 <- ([#"../bdd.rs" 540 29 540 32] vb); - [#"../bdd.rs" 540 22 540 33] _42 <- ([#"../bdd.rs" 540 22 540 33] cmp0 ([#"../bdd.rs" 540 22 540 24] va) ([#"../bdd.rs" 540 29 540 32] _45)); + [#"../bdd.rs" 540 29 540 32] _45 <- vb; + [#"../bdd.rs" 540 22 540 33] _42 <- ([#"../bdd.rs" 540 22 540 33] cmp0 va _45); goto BB19 } BB15 { assume { resolve2 _23 }; - [#"../bdd.rs" 532 25 532 26] r1 <- ([#"../bdd.rs" 532 25 532 26] b); - goto BB33 + [#"../bdd.rs" 532 25 532 26] r1 <- b; + goto BB34 } BB16 { assume { resolve2 _23 }; - [#"../bdd.rs" 533 25 533 26] r1 <- ([#"../bdd.rs" 533 25 533 26] a); - goto BB33 + [#"../bdd.rs" 533 25 533 26] r1 <- a; + goto BB34 } BB17 { assume { resolve2 _23 }; @@ -3831,7 +3880,7 @@ module Bdd_Impl11_And goto BB18 } BB18 { - goto BB33 + goto BB34 } BB19 { switch (_42) 
@@ -3841,132 +3890,129 @@ module Bdd_Impl11_And end } BB20 { - goto BB26 + goto BB27 } BB21 { - [#"../bdd.rs" 552 24 552 30] v <- ([#"../bdd.rs" 552 28 552 30] va); + [#"../bdd.rs" 552 24 552 30] v <- va; [#"../bdd.rs" 553 33 553 37] _67 <- Borrow.borrow_mut ( * self); [#"../bdd.rs" 553 33 553 37] self <- { self with current = ( ^ _67) ; }; assume { inv1 ( ^ _67) }; - [#"../bdd.rs" 553 33 553 59] _66 <- ([#"../bdd.rs" 553 33 553 59] and _67 ([#"../bdd.rs" 553 42 553 49] childta) ([#"../bdd.rs" 553 51 553 58] childtb)); + [#"../bdd.rs" 553 33 553 59] _66 <- ([#"../bdd.rs" 553 33 553 59] and _67 childta childtb); _67 <- any borrowed (Bdd_Context_Type.t_context); - goto BB29 + goto BB30 } BB22 { - goto BB23 + goto BB24 } BB23 { - [#"../bdd.rs" 542 24 542 30] v <- ([#"../bdd.rs" 542 28 542 30] vb); + assert { [@expl:type invariant] inv0 self }; + assume { resolve1 self }; + assert { [#"../bdd.rs" 540 22 540 33] false }; + absurd + } + BB24 { + [#"../bdd.rs" 542 24 542 30] v <- vb; [#"../bdd.rs" 543 33 543 37] _49 <- Borrow.borrow_mut ( * self); [#"../bdd.rs" 543 33 543 37] self <- { self with current = ( ^ _49) ; }; assume { inv1 ( ^ _49) }; - [#"../bdd.rs" 543 33 543 53] _48 <- ([#"../bdd.rs" 543 33 543 53] and _49 ([#"../bdd.rs" 543 42 543 43] a) ([#"../bdd.rs" 543 45 543 52] childtb)); + [#"../bdd.rs" 543 33 543 53] _48 <- ([#"../bdd.rs" 543 33 543 53] and _49 a childtb); _49 <- any borrowed (Bdd_Context_Type.t_context); - goto BB24 + goto BB25 } - BB24 { - [#"../bdd.rs" 543 24 543 53] childt <- ([#"../bdd.rs" 543 24 543 53] _48); - [#"../bdd.rs" 543 24 543 53] _48 <- any Bdd_Bdd_Type.t_bdd; + BB25 { + [#"../bdd.rs" 543 24 543 53] childt <- _48; + _48 <- any Bdd_Bdd_Type.t_bdd; [#"../bdd.rs" 544 33 544 37] _53 <- Borrow.borrow_mut ( * self); [#"../bdd.rs" 544 33 544 37] self <- { self with current = ( ^ _53) ; }; assume { inv1 ( ^ _53) }; - [#"../bdd.rs" 544 33 544 53] _52 <- ([#"../bdd.rs" 544 33 544 53] and _53 ([#"../bdd.rs" 544 42 544 43] a) ([#"../bdd.rs" 544 
45 544 52] childfb)); + [#"../bdd.rs" 544 33 544 53] _52 <- ([#"../bdd.rs" 544 33 544 53] and _53 a childfb); _53 <- any borrowed (Bdd_Context_Type.t_context); - goto BB25 + goto BB26 } - BB25 { - [#"../bdd.rs" 544 24 544 53] childf <- ([#"../bdd.rs" 544 24 544 53] _52); - [#"../bdd.rs" 544 24 544 53] _52 <- any Bdd_Bdd_Type.t_bdd; + BB26 { + [#"../bdd.rs" 544 24 544 53] childf <- _52; + _52 <- any Bdd_Bdd_Type.t_bdd; [#"../bdd.rs" 541 31 545 21] _41 <- ([#"../bdd.rs" 541 31 545 21] ()); - goto BB31 + goto BB32 } - BB26 { - [#"../bdd.rs" 547 24 547 30] v <- ([#"../bdd.rs" 547 28 547 30] va); + BB27 { + [#"../bdd.rs" 547 24 547 30] v <- va; [#"../bdd.rs" 548 33 548 37] _58 <- Borrow.borrow_mut ( * self); [#"../bdd.rs" 548 33 548 37] self <- { self with current = ( ^ _58) ; }; assume { inv1 ( ^ _58) }; - [#"../bdd.rs" 548 33 548 53] _57 <- ([#"../bdd.rs" 548 33 548 53] and _58 ([#"../bdd.rs" 548 42 548 49] childta) ([#"../bdd.rs" 548 51 548 52] b)); + [#"../bdd.rs" 548 33 548 53] _57 <- ([#"../bdd.rs" 548 33 548 53] and _58 childta b); _58 <- any borrowed (Bdd_Context_Type.t_context); - goto BB27 + goto BB28 } - BB27 { - [#"../bdd.rs" 548 24 548 53] childt <- ([#"../bdd.rs" 548 24 548 53] _57); - [#"../bdd.rs" 548 24 548 53] _57 <- any Bdd_Bdd_Type.t_bdd; + BB28 { + [#"../bdd.rs" 548 24 548 53] childt <- _57; + _57 <- any Bdd_Bdd_Type.t_bdd; [#"../bdd.rs" 549 33 549 37] _62 <- Borrow.borrow_mut ( * self); [#"../bdd.rs" 549 33 549 37] self <- { self with current = ( ^ _62) ; }; assume { inv1 ( ^ _62) }; - [#"../bdd.rs" 549 33 549 53] _61 <- ([#"../bdd.rs" 549 33 549 53] and _62 ([#"../bdd.rs" 549 42 549 49] childfa) ([#"../bdd.rs" 549 51 549 52] b)); + [#"../bdd.rs" 549 33 549 53] _61 <- ([#"../bdd.rs" 549 33 549 53] and _62 childfa b); _62 <- any borrowed (Bdd_Context_Type.t_context); - goto BB28 + goto BB29 } - BB28 { - [#"../bdd.rs" 549 24 549 53] childf <- ([#"../bdd.rs" 549 24 549 53] _61); - [#"../bdd.rs" 549 24 549 53] _61 <- any Bdd_Bdd_Type.t_bdd; + BB29 { + 
[#"../bdd.rs" 549 24 549 53] childf <- _61; + _61 <- any Bdd_Bdd_Type.t_bdd; [#"../bdd.rs" 546 28 550 21] _41 <- ([#"../bdd.rs" 546 28 550 21] ()); - goto BB31 + goto BB32 } - BB29 { - [#"../bdd.rs" 553 24 553 59] childt <- ([#"../bdd.rs" 553 24 553 59] _66); - [#"../bdd.rs" 553 24 553 59] _66 <- any Bdd_Bdd_Type.t_bdd; + BB30 { + [#"../bdd.rs" 553 24 553 59] childt <- _66; + _66 <- any Bdd_Bdd_Type.t_bdd; [#"../bdd.rs" 554 33 554 37] _71 <- Borrow.borrow_mut ( * self); [#"../bdd.rs" 554 33 554 37] self <- { self with current = ( ^ _71) ; }; assume { inv1 ( ^ _71) }; - [#"../bdd.rs" 554 33 554 59] _70 <- ([#"../bdd.rs" 554 33 554 59] and _71 ([#"../bdd.rs" 554 42 554 49] childfa) ([#"../bdd.rs" 554 51 554 58] childfb)); + [#"../bdd.rs" 554 33 554 59] _70 <- ([#"../bdd.rs" 554 33 554 59] and _71 childfa childfb); _71 <- any borrowed (Bdd_Context_Type.t_context); - goto BB30 - } - BB30 { - [#"../bdd.rs" 554 24 554 59] childf <- ([#"../bdd.rs" 554 24 554 59] _70); - [#"../bdd.rs" 554 24 554 59] _70 <- any Bdd_Bdd_Type.t_bdd; - [#"../bdd.rs" 551 29 555 21] _41 <- ([#"../bdd.rs" 551 29 555 21] ()); goto BB31 } BB31 { + [#"../bdd.rs" 554 24 554 59] childf <- _70; + _70 <- any Bdd_Bdd_Type.t_bdd; + [#"../bdd.rs" 551 29 555 21] _41 <- ([#"../bdd.rs" 551 29 555 21] ()); + goto BB32 + } + BB32 { [#"../bdd.rs" 557 16 557 20] _74 <- Borrow.borrow_mut ( * self); [#"../bdd.rs" 557 16 557 20] self <- { self with current = ( ^ _74) ; }; assume { inv1 ( ^ _74) }; - [#"../bdd.rs" 557 16 557 44] r1 <- ([#"../bdd.rs" 557 16 557 44] node0 _74 ([#"../bdd.rs" 557 26 557 27] v) ([#"../bdd.rs" 557 29 557 35] childt) ([#"../bdd.rs" 557 37 557 43] childf)); + [#"../bdd.rs" 557 16 557 44] r1 <- ([#"../bdd.rs" 557 16 557 44] node0 _74 v childt childf); _74 <- any borrowed (Bdd_Context_Type.t_context); - goto BB32 - } - BB32 { goto BB33 } BB33 { + goto BB34 + } + BB34 { [#"../bdd.rs" 560 8 560 21] _79 <- Borrow.borrow_final (Bdd_Context_Type.context_and_memo ( * self)) (Borrow.inherit_id 
(Borrow.get_id self) 5); [#"../bdd.rs" 560 8 560 21] self <- { self with current = (let Bdd_Context_Type.C_Context x0 x1 x2 x3 x4 x5 = * self in Bdd_Context_Type.C_Context x0 x1 x2 x3 ( ^ _79) x5) ; }; - [#"../bdd.rs" 560 8 560 36] _78 <- ([#"../bdd.rs" 560 8 560 36] add0 _79 ([#"../bdd.rs" 560 26 560 32] (([#"../bdd.rs" 560 27 560 28] a), ([#"../bdd.rs" 560 30 560 31] b))) ([#"../bdd.rs" 560 34 560 35] r1)); + [#"../bdd.rs" 560 26 560 32] _80 <- (a, b); + [#"../bdd.rs" 560 8 560 36] _78 <- ([#"../bdd.rs" 560 8 560 36] add0 _79 _80 r1); _79 <- any borrowed (Bdd_Hashmap_MyHashMap_Type.t_myhashmap (Bdd_Bdd_Type.t_bdd, Bdd_Bdd_Type.t_bdd) (Bdd_Bdd_Type.t_bdd)); - goto BB34 + _80 <- any (Bdd_Bdd_Type.t_bdd, Bdd_Bdd_Type.t_bdd); + goto BB35 } - BB34 { + BB35 { assert { [@expl:type invariant] inv0 self }; assume { resolve1 self }; - [#"../bdd.rs" 561 8 561 9] _0 <- ([#"../bdd.rs" 561 8 561 9] r1); - goto BB35 + [#"../bdd.rs" 561 8 561 9] _0 <- r1; + goto BB36 } - BB35 { + BB36 { return _0 } - BB37 { - goto BB21 - } BB38 { - assume { resolve2 _23 }; - assert { [@expl:type invariant] inv0 self }; - assume { resolve1 self }; - goto BB4 + goto BB20 } BB39 { - assume { resolve2 _23 }; - assert { [@expl:type invariant] inv0 self }; - assume { resolve1 self }; - goto BB4 + goto BB20 } BB40 { - assert { [@expl:type invariant] inv0 self }; - assume { resolve1 self }; - goto BB4 + goto BB21 } end 
@@ -4031,7 +4077,9 @@ module Bdd_Hashmap_Impl2 val deep_model0 (self : (u, v)) : (deep_model_ty0, deep_model_ty1) ensures { result = deep_model0 self } - goal hash_refn : [#"../bdd.rs" 76 8 76 29] forall self : (u, v) . inv0 self -> inv0 self /\ (forall result : uint64 . UInt64.to_int result = hash_log0 (deep_model0 self) -> UInt64.to_int result = hash_log0 (deep_model0 self)) + goal hash_refn : [#"../bdd.rs" 76 8 76 29] forall self : (u, v) . inv0 self + -> inv0 self /\ (forall result : uint64 . UInt64.to_int result = hash_log0 (deep_model0 self) + -> UInt64.to_int result = hash_log0 (deep_model0 self)) end module Bdd_Impl1 use Bdd_Node_Type as Bdd_Node_Type @@ -4086,7 +4134,9 @@ module Bdd_Impl1 val shallow_model1 (self : Bdd_Node_Type.t_node) : Bdd_NodeLog_Type.t_nodelog ensures { result = shallow_model1 self } - goal hash_refn : [#"../bdd.rs" 116 4 116 25] forall self : Bdd_Node_Type.t_node . inv0 self -> (forall result : uint64 . UInt64.to_int result = hash_log0 (shallow_model1 self) -> UInt64.to_int result = hash_log0 (deep_model0 self)) + goal hash_refn : [#"../bdd.rs" 116 4 116 25] forall self : Bdd_Node_Type.t_node . inv0 self + -> (forall result : uint64 . UInt64.to_int result = hash_log0 (shallow_model1 self) + -> UInt64.to_int result = hash_log0 (deep_model0 self)) end module Bdd_Impl2 use Bdd_Bdd_Type as Bdd_Bdd_Type 
@@ -4129,21 +4179,17 @@ module Bdd_Impl2 val shallow_model1 (self : Bdd_Bdd_Type.t_bdd) : uint64 ensures { result = shallow_model1 self } - goal hash_refn : [#"../bdd.rs" 142 4 142 25] forall self : Bdd_Bdd_Type.t_bdd . inv0 self -> (forall result : uint64 . UInt64.to_int result = hash_log0 (shallow_model1 self) -> UInt64.to_int result = hash_log0 (deep_model0 self)) + goal hash_refn : [#"../bdd.rs" 142 4 142 25] forall self : Bdd_Bdd_Type.t_bdd . inv0 self + -> (forall result : uint64 . UInt64.to_int result = hash_log0 (shallow_model1 self) + -> UInt64.to_int result = hash_log0 (deep_model0 self)) end module Bdd_Impl12 - -end -module Bdd_Impl18 - -end -module Bdd_Impl13 goal assert_receiver_is_total_eq_refn : [#"../bdd.rs" 90 9 90 11] true end -module Bdd_Impl19 +module Bdd_Impl17 goal assert_receiver_is_total_eq_refn : [#"../bdd.rs" 104 15 104 17] true end -module Bdd_Impl14 +module Bdd_Impl13 use Bdd_Node_Type as Bdd_Node_Type predicate invariant0 (self : Bdd_Node_Type.t_node) = [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true @@ -4172,7 +4218,9 @@ module Bdd_Impl14 val deep_model0 (self : Bdd_Node_Type.t_node) : Bdd_NodeLog_Type.t_nodelog ensures { result = deep_model0 self } - goal eq_refn : [#"../bdd.rs" 90 13 90 22] forall self : Bdd_Node_Type.t_node . forall other : Bdd_Node_Type.t_node . inv0 other /\ inv0 self -> (forall result : bool . result = (deep_model0 self = deep_model0 other) -> result = (deep_model0 self = deep_model0 other)) + goal eq_refn : [#"../bdd.rs" 90 13 90 22] forall self : Bdd_Node_Type.t_node . forall other : Bdd_Node_Type.t_node . inv0 other /\ inv0 self + -> (forall result : bool . result = (deep_model0 self = deep_model0 other) + -> result = (deep_model0 self = deep_model0 other)) end module Bdd_Impl7 use Bdd_Bdd_Type as Bdd_Bdd_Type 
@@ -4209,9 +4257,11 @@ module Bdd_Impl7 val shallow_model0 (self : Bdd_Bdd_Type.t_bdd) : uint64 ensures { result = shallow_model0 self } - goal eq_refn : [#"../bdd.rs" 202 4 202 34] forall self : Bdd_Bdd_Type.t_bdd . forall other : Bdd_Bdd_Type.t_bdd . inv0 other /\ inv0 self -> (forall result : bool . result = (shallow_model0 self = shallow_model0 other) -> result = (deep_model0 self = deep_model0 other)) + goal eq_refn : [#"../bdd.rs" 202 4 202 34] forall self : Bdd_Bdd_Type.t_bdd . forall other : Bdd_Bdd_Type.t_bdd . inv0 other /\ inv0 self + -> (forall result : bool . result = (shallow_model0 self = shallow_model0 other) + -> result = (deep_model0 self = deep_model0 other)) end -module Bdd_Impl15 +module Bdd_Impl14 use Bdd_Node_Type as Bdd_Node_Type predicate invariant1 (self : Bdd_Node_Type.t_node) = [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true @@ -4234,7 +4284,8 @@ module Bdd_Impl15 axiom inv0 : forall x : Bdd_Node_Type.t_node . inv0 x = true use prelude.Borrow - goal clone'_refn : [#"../bdd.rs" 90 24 90 29] forall self : Bdd_Node_Type.t_node . inv0 self -> (forall result : Bdd_Node_Type.t_node . result = self -> inv1 result /\ result = self) + goal clone'_refn : [#"../bdd.rs" 90 24 90 29] forall self : Bdd_Node_Type.t_node . inv0 self + -> (forall result : Bdd_Node_Type.t_node . result = self -> inv1 result /\ result = self) end module Bdd_Impl0 use Bdd_Bdd_Type as Bdd_Bdd_Type 
@@ -4259,12 +4310,13 @@ module Bdd_Impl0 axiom inv0 : forall x : Bdd_Bdd_Type.t_bdd . inv0 x = true use prelude.Borrow - goal clone'_refn : [#"../bdd.rs" 109 4 109 27] forall self : Bdd_Bdd_Type.t_bdd . inv0 self -> (forall result : Bdd_Bdd_Type.t_bdd . result = self -> inv1 result /\ result = self) + goal clone'_refn : [#"../bdd.rs" 109 4 109 27] forall self : Bdd_Bdd_Type.t_bdd . inv0 self + -> (forall result : Bdd_Bdd_Type.t_bdd . result = self -> inv1 result /\ result = self) end -module Bdd_Impl16 +module Bdd_Impl15 end -module Bdd_Impl17 +module Bdd_Impl16 end module Bdd_Impl3 diff --git a/creusot/tests/should_succeed/bdd.rs b/creusot/tests/should_succeed/bdd.rs index ba902cbec0..1c973686af 100644 --- a/creusot/tests/should_succeed/bdd.rs +++ b/creusot/tests/should_succeed/bdd.rs @@ -30,7 +30,7 @@ mod hashmap { #[ensures(result@ == Self::hash_log(self.deep_model()))] fn hash(&self) -> u64; - #[ghost] + #[logic] fn hash_log(_: Self::DeepModelTy) -> Int; } @@ -40,7 +40,7 @@ mod hashmap { impl ShallowModel for MyHashMap { type ShallowModelTy = Mapping>; - #[ghost] + #[logic] #[open(self)] #[trusted] fn shallow_model(self) -> Self::ShallowModelTy { @@ -78,7 +78,7 @@ mod hashmap { } #[open(self)] - #[ghost] + #[logic] fn hash_log(x: Self::DeepModelTy) -> Int { pearlite! { (U::hash_log(x.0) + V::hash_log(x.1) * 17) % (u64::MAX@ + 1) } } @@ -124,7 +124,7 @@ impl<'arena> hashmap::Hash for Node<'arena> { } #[open(self)] - #[ghost] + #[logic] fn hash_log(x: Self::DeepModelTy) -> Int { pearlite! { match x { @@ -144,7 +144,7 @@ impl<'arena> hashmap::Hash for Bdd<'arena> { } #[open(self)] - #[ghost] + #[logic] fn hash_log(x: Self::DeepModelTy) -> Int { pearlite! { x@ } } @@ -154,7 +154,7 @@ impl<'arena> DeepModel for Node<'arena> { type DeepModelTy = NodeLog; #[open(self)] - #[ghost] + #[logic] fn deep_model(self) -> Self::DeepModelTy { pearlite! { match self { 
@@ -171,7 +171,7 @@ impl<'arena> ShallowModel for Node<'arena> { type ShallowModelTy = NodeLog; #[open(self)] - #[ghost] + #[logic] fn shallow_model(self) -> Self::ShallowModelTy { pearlite! { self.deep_model() } } @@ -181,7 +181,7 @@ impl<'arena> DeepModel for Bdd<'arena> { type DeepModelTy = u64; #[open(self)] - #[ghost] + #[logic] fn deep_model(self) -> Self::DeepModelTy { pearlite! { self.1 } } @@ -191,7 +191,7 @@ impl<'arena> ShallowModel for Bdd<'arena> { type ShallowModelTy = u64; #[open(self)] - #[ghost] + #[logic] fn shallow_model(self) -> Self::ShallowModelTy { pearlite! { self.deep_model() } } @@ -205,7 +205,7 @@ impl<'arena> PartialEq for Bdd<'arena> { } impl<'arena> Bdd<'arena> { - #[ghost] + #[logic] fn interp(self, vars: Mapping) -> bool { pearlite! { match self { @@ -219,7 +219,7 @@ impl<'arena> Bdd<'arena> { } } - #[ghost] + #[logic] #[ensures(result >= 0)] fn size(self) -> Int { pearlite! { @@ -235,7 +235,7 @@ impl<'arena> Bdd<'arena> { } } - #[ghost] + #[logic] fn leastvar(self) -> Int { pearlite! { match self { @@ -250,7 +250,7 @@ impl<'arena> Bdd<'arena> { pub struct Context<'arena> { alloc: &'arena bumpalo::Bump, hashcons: hashmap::MyHashMap, Bdd<'arena>>, - hashcons_ghost: Ghost>>, + hashcons_ghost: Snapshot>>, not_memo: hashmap::MyHashMap, Bdd<'arena>>, and_memo: hashmap::MyHashMap<(Bdd<'arena>, Bdd<'arena>), Bdd<'arena>>, cnt: u64, @@ -292,7 +292,7 @@ impl<'arena> Invariant for Context<'arena> { impl<'arena> Context<'arena> { #[open(self)] - #[predicate] + #[predicate(prophetic)] pub fn grows(&mut self) -> bool { pearlite! { self.cnt@ <= (^self).cnt@ && @@ -328,14 +328,14 @@ impl<'arena> Context<'arena> { } } - #[ghost] + #[logic] #[open(self)] #[requires(self.grows())] #[requires(self.is_valid_bdd(b))] #[ensures((^self).is_valid_bdd(b))] pub fn grows_is_valid_bdd(&mut self, b: Bdd<'arena>) {} - #[ghost] + #[logic] #[open(self)] #[requires(self.grows())] #[requires(o.grows())] 
@@ -344,7 +344,7 @@ impl<'arena> Context<'arena> { #[ensures(oo.grows())] pub fn grows_trans(&mut self, o: &mut Self, oo: &mut Self) {} - #[ghost] + #[logic] #[requires(self.is_valid_bdd(a))] #[requires(x@ < a.leastvar())] #[ensures(a.interp(v) == a.interp(v.set(x, b)))] @@ -360,7 +360,7 @@ impl<'arena> Context<'arena> { } } - #[ghost] + #[logic] #[requires(self.is_valid_bdd(a))] #[requires(self.is_valid_bdd(b))] #[requires(a != b)] @@ -408,7 +408,7 @@ impl<'arena> Context<'arena> { } } - #[ghost] + #[logic] #[open(self)] #[requires(self.is_valid_bdd(a))] #[requires(self.is_valid_bdd(b))] @@ -426,7 +426,7 @@ impl<'arena> Context<'arena> { Context { alloc, hashcons: hashmap::MyHashMap::new(), - hashcons_ghost: gh! { Mapping::cst(t) }, + hashcons_ghost: snapshot! { Mapping::cst(t) }, not_memo: hashmap::MyHashMap::new(), and_memo: hashmap::MyHashMap::new(), cnt: 0, @@ -444,7 +444,7 @@ impl<'arena> Context<'arena> { } let r = Bdd(self.alloc.alloc(n), self.cnt); self.hashcons.add(n, r); - self.hashcons_ghost = gh! { self.hashcons_ghost.set(r.1, r.0) }; + self.hashcons_ghost = snapshot! { self.hashcons_ghost.set(r.1, r.0) }; if self.cnt > u64::MAX - 1 { loop { // prevent self from being resolved diff --git a/creusot/tests/should_succeed/bdd/why3session.xml b/creusot/tests/should_succeed/bdd/why3session.xml index 7e2b51fade..23f722c495 100644 --- a/creusot/tests/should_succeed/bdd/why3session.xml +++ b/creusot/tests/should_succeed/bdd/why3session.xml @@ -17,9 +17,9 @@ - + - + @@ -27,9 +27,9 @@ - + - + 
@@ -43,158 +43,201 @@ - - + + - + - - + + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + - + - - + + + + + + + + - - + + - - + + - - + + - - + + - - + + - - + + - + + + + + + + + + + + + + + + + + + + - - + + - - + + - - + + + + + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + - - + + @@ -247,7 +290,7 @@ - + @@ -262,52 +305,52 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -318,7 +361,7 @@ - + @@ -327,18 +370,18 @@ - + - + - + - + @@ -347,28 +390,28 @@ - + - + - + - + - + - + - + @@ -380,7 +423,7 @@ - + @@ -552,55 +595,27 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - + - + - + - + - + - + - + - + @@ -609,19 +624,19 @@ - + - + - + - + - + - + @@ -632,35 +647,63 @@ - + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + - - + + - + - + - + - + - - + + - + - - + + @@ -668,20 +711,20 @@ - + - + - + - - + + - - + + - - + + @@ -689,17 +732,17 @@ - + - + - - + + - + - - + + @@ -709,46 +752,46 @@ + + + - + - - - - + - + - - + + - - + + - + - + - - + + - + - + - - + + @@ -770,19 +813,19 @@ - + - + - + - + - + - + @@ -790,9 +833,9 @@ - + - + diff --git a/creusot/tests/should_succeed/bdd/why3shapes.gz b/creusot/tests/should_succeed/bdd/why3shapes.gz index 8a9e864eaa..744decffaf 100644 Binary files a/creusot/tests/should_succeed/bdd/why3shapes.gz and b/creusot/tests/should_succeed/bdd/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/binary_search.mlcfg b/creusot/tests/should_succeed/binary_search.mlcfg index cda5fce41f..44aa71e564 100644 --- a/creusot/tests/should_succeed/binary_search.mlcfg +++ b/creusot/tests/should_succeed/binary_search.mlcfg 
@@ -28,15 +28,14 @@ module BinarySearch_Impl0_LenLogic_Impl axiom inv0 : forall x : BinarySearch_List_Type.t_list t . inv0 x = true use prelude.Int - let rec ghost function len_logic [#"../binary_search.rs" 22 4 22 29] (self : BinarySearch_List_Type.t_list t) : int - requires {[#"../binary_search.rs" 22 17 22 21] inv0 self} - ensures { [#"../binary_search.rs" 21 14 21 25] result >= 0 } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../binary_search.rs" 23 8 26 9] match self with - | BinarySearch_List_Type.C_Cons _ ls -> 1 + len_logic ls - | BinarySearch_List_Type.C_Nil -> 0 - end + constant self : BinarySearch_List_Type.t_list t + function len_logic [#"../binary_search.rs" 22 4 22 29] (self : BinarySearch_List_Type.t_list t) : int + goal vc_len_logic : ([#"../binary_search.rs" 22 17 22 21] inv0 self) + -> match self with + | BinarySearch_List_Type.C_Cons _ ls -> ([#"../binary_search.rs" 22 17 22 21] inv0 ls) /\ (([#"../binary_search.rs" 21 14 21 25] len_logic ls >= 0) + -> ([#"../binary_search.rs" 21 14 21 25] 1 + len_logic ls >= 0)) + | BinarySearch_List_Type.C_Nil -> [#"../binary_search.rs" 21 14 21 25] 0 >= 0 + end end module Core_Option_Option_Type type t_option 't = @@ -114,7 +113,8 @@ module BinarySearch_Impl0_Index requires {[#"../binary_search.rs" 22 17 22 21] inv3 self} ensures { result = len_logic0 self } - axiom len_logic0_spec : forall self : BinarySearch_List_Type.t_list t . ([#"../binary_search.rs" 22 17 22 21] inv3 self) -> ([#"../binary_search.rs" 21 14 21 25] len_logic0 self >= 0) + axiom len_logic0_spec : forall self : BinarySearch_List_Type.t_list t . ([#"../binary_search.rs" 22 17 22 21] inv3 self) + -> ([#"../binary_search.rs" 21 14 21 25] len_logic0 self >= 0) use prelude.UIntSize predicate resolve0 (self : BinarySearch_List_Type.t_list t) val resolve0 (self : BinarySearch_List_Type.t_list t) : bool 
@@ -134,13 +134,14 @@ module BinarySearch_Impl0_Index var l : BinarySearch_List_Type.t_list t; var t : t; var ls : BinarySearch_List_Type.t_list t; + var _14 : bool; var _17 : BinarySearch_List_Type.t_list t; { goto BB0 } BB0 { - [#"../binary_search.rs" 46 22 46 24] orig_ix <- ([#"../binary_search.rs" 46 22 46 24] ix); - [#"../binary_search.rs" 47 20 47 24] l <- ([#"../binary_search.rs" 47 20 47 24] self); + [#"../binary_search.rs" 46 22 46 24] orig_ix <- ix; + [#"../binary_search.rs" 47 20 47 24] l <- self; assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; goto BB1 @@ -160,11 +161,12 @@ module BinarySearch_Impl0_Index goto BB4 } BB4 { - [#"../binary_search.rs" 51 23 51 24] t <- ([#"../binary_search.rs" 51 23 51 24] BinarySearch_List_Type.cons_0 l); - [#"../binary_search.rs" 51 26 51 28] ls <- ([#"../binary_search.rs" 51 26 51 28] BinarySearch_List_Type.cons_1 l); + [#"../binary_search.rs" 51 23 51 24] t <- BinarySearch_List_Type.cons_0 l; + [#"../binary_search.rs" 51 26 51 28] ls <- BinarySearch_List_Type.cons_1 l; assert { [@expl:type invariant] inv0 l }; assume { resolve0 l }; - switch ([#"../binary_search.rs" 52 15 52 21] ([#"../binary_search.rs" 52 15 52 17] ix) > ([#"../binary_search.rs" 52 20 52 21] [#"../binary_search.rs" 52 20 52 21] (0 : usize))) + [#"../binary_search.rs" 52 15 52 21] _14 <- ix > ([#"../binary_search.rs" 52 20 52 21] (0 : usize)); + switch (_14) | False -> goto BB6 | True -> goto BB5 end 
@@ -172,19 +174,19 @@ module BinarySearch_Impl0_Index BB5 { assert { [@expl:type invariant] inv2 t }; assume { resolve2 t }; - [#"../binary_search.rs" 53 20 53 24] _17 <- ([#"../binary_search.rs" 53 20 53 24] ls); + [#"../binary_search.rs" 53 20 53 24] _17 <- ls; assert { [@expl:type invariant] inv1 ls }; assume { resolve1 ls }; assert { [@expl:type invariant] inv1 _17 }; assume { resolve1 _17 }; - [#"../binary_search.rs" 53 16 53 24] l <- ([#"../binary_search.rs" 53 20 53 24] _17); - [#"../binary_search.rs" 54 16 54 23] ix <- ([#"../binary_search.rs" 54 16 54 23] ix - ([#"../binary_search.rs" 54 22 54 23] [#"../binary_search.rs" 54 22 54 23] (1 : usize))); + [#"../binary_search.rs" 53 16 53 24] l <- _17; + [#"../binary_search.rs" 54 16 54 23] ix <- ix - ([#"../binary_search.rs" 54 22 54 23] (1 : usize)); goto BB1 } BB6 { assert { [@expl:type invariant] inv1 ls }; assume { resolve1 ls }; - [#"../binary_search.rs" 56 23 56 24] _0 <- ([#"../binary_search.rs" 56 23 56 24] t); + [#"../binary_search.rs" 56 23 56 24] _0 <- t; assert { [@expl:type invariant] inv2 t }; assume { resolve2 t }; return _0 @@ -242,7 +244,8 @@ module BinarySearch_Impl0_Len requires {[#"../binary_search.rs" 22 17 22 21] inv2 self} ensures { result = len_logic0 self } - axiom len_logic0_spec : forall self : BinarySearch_List_Type.t_list t . ([#"../binary_search.rs" 22 17 22 21] inv2 self) -> ([#"../binary_search.rs" 21 14 21 25] len_logic0 self >= 0) + axiom len_logic0_spec : forall self : BinarySearch_List_Type.t_list t . ([#"../binary_search.rs" 22 17 22 21] inv2 self) + -> ([#"../binary_search.rs" 21 14 21 25] len_logic0 self >= 0) use prelude.UIntSize predicate resolve0 (self : BinarySearch_List_Type.t_list t) val resolve0 (self : BinarySearch_List_Type.t_list t) : bool 
@@ -265,8 +268,8 @@ module BinarySearch_Impl0_Len goto BB0 } BB0 { - [#"../binary_search.rs" 67 29 67 30] len <- ([#"../binary_search.rs" 67 29 67 30] [#"../binary_search.rs" 67 29 67 30] (0 : usize)); - [#"../binary_search.rs" 68 20 68 24] l <- ([#"../binary_search.rs" 68 20 68 24] self); + [#"../binary_search.rs" 67 29 67 30] len <- ([#"../binary_search.rs" 67 29 67 30] (0 : usize)); + [#"../binary_search.rs" 68 20 68 24] l <- self; assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; goto BB1 @@ -285,19 +288,19 @@ module BinarySearch_Impl0_Len goto BB4 } BB4 { - [#"../binary_search.rs" 70 26 70 28] ls <- ([#"../binary_search.rs" 70 26 70 28] BinarySearch_List_Type.cons_1 l); + [#"../binary_search.rs" 70 26 70 28] ls <- BinarySearch_List_Type.cons_1 l; assert { [@expl:type invariant] inv0 l }; assume { resolve0 l }; - [#"../binary_search.rs" 71 12 71 20] len <- ([#"../binary_search.rs" 71 12 71 20] len + ([#"../binary_search.rs" 71 19 71 20] [#"../binary_search.rs" 71 19 71 20] (1 : usize))); + [#"../binary_search.rs" 71 12 71 20] len <- len + ([#"../binary_search.rs" 71 19 71 20] (1 : usize)); assert { [@expl:type invariant] inv1 ls }; assume { resolve1 ls }; - [#"../binary_search.rs" 72 12 72 18] l <- ([#"../binary_search.rs" 72 16 72 18] ls); + [#"../binary_search.rs" 72 12 72 18] l <- ls; goto BB1 } BB5 { assert { [@expl:type invariant] inv0 l }; assume { resolve0 l }; - [#"../binary_search.rs" 74 8 74 11] _0 <- ([#"../binary_search.rs" 74 8 74 11] len); + [#"../binary_search.rs" 74 8 74 11] _0 <- len; return _0 } 
@@ -354,7 +357,8 @@ module BinarySearch_BinarySearch ensures { result = get0 self ix } predicate is_sorted0 [#"../binary_search.rs" 88 4 88 30] (self : BinarySearch_List_Type.t_list uint32) = - [#"../binary_search.rs" 90 12 97 13] forall x2 : int . forall x1 : int . x1 <= x2 -> match (get0 self x1, get0 self x2) with + [#"../binary_search.rs" 90 12 97 13] forall x2 : int . forall x1 : int . x1 <= x2 + -> match (get0 self x1, get0 self x2) with | (Core_Option_Option_Type.C_Some v1, Core_Option_Option_Type.C_Some v2) -> v1 <= v2 | (Core_Option_Option_Type.C_None, Core_Option_Option_Type.C_None) -> true | _ -> false @@ -374,7 +378,8 @@ module BinarySearch_BinarySearch requires {[#"../binary_search.rs" 22 17 22 21] inv1 self} ensures { result = len_logic0 self } - axiom len_logic0_spec : forall self : BinarySearch_List_Type.t_list uint32 . ([#"../binary_search.rs" 22 17 22 21] inv1 self) -> ([#"../binary_search.rs" 21 14 21 25] len_logic0 self >= 0) + axiom len_logic0_spec : forall self : BinarySearch_List_Type.t_list uint32 . ([#"../binary_search.rs" 22 17 22 21] inv1 self) + -> ([#"../binary_search.rs" 21 14 21 25] len_logic0 self >= 0) use prelude.UIntSize val index0 [#"../binary_search.rs" 45 4 45 40] (self : BinarySearch_List_Type.t_list uint32) (ix : usize) : uint32 requires {[#"../binary_search.rs" 43 15 43 37] UIntSize.to_int ix < len_logic0 self} 
@@ -401,119 +406,140 @@ module BinarySearch_BinarySearch let rec cfg binary_search [#"../binary_search.rs" 109 0 109 72] [@cfg:stackify] [@cfg:subregion_analysis] (arr : BinarySearch_List_Type.t_list uint32) (elem : uint32) : Core_Result_Result_Type.t_result usize usize requires {[#"../binary_search.rs" 102 11 102 39] len_logic0 arr <= 1000000} requires {[#"../binary_search.rs" 103 11 103 26] is_sorted0 arr} - ensures { [#"../binary_search.rs" 104 0 104 73] forall x : usize . result = Core_Result_Result_Type.C_Ok x -> get0 arr (UIntSize.to_int x) = Core_Option_Option_Type.C_Some elem } - ensures { [#"../binary_search.rs" 105 0 106 78] forall x : usize . result = Core_Result_Result_Type.C_Err x -> (forall i : usize . 0 <= UIntSize.to_int i /\ UIntSize.to_int i < UIntSize.to_int x -> get_default0 arr (UIntSize.to_int i) (0 : uint32) <= elem) } - ensures { [#"../binary_search.rs" 107 0 108 90] forall x : usize . result = Core_Result_Result_Type.C_Err x -> (forall i : usize . UIntSize.to_int x < UIntSize.to_int i /\ UIntSize.to_int i < len_logic0 arr -> elem < get_default0 arr (UIntSize.to_int i) (0 : uint32)) } + ensures { [#"../binary_search.rs" 104 0 104 73] forall x : usize . result = Core_Result_Result_Type.C_Ok x + -> get0 arr (UIntSize.to_int x) = Core_Option_Option_Type.C_Some elem } + ensures { [#"../binary_search.rs" 105 0 106 78] forall x : usize . result = Core_Result_Result_Type.C_Err x + -> (forall i : usize . 0 <= UIntSize.to_int i /\ UIntSize.to_int i < UIntSize.to_int x + -> get_default0 arr (UIntSize.to_int i) (0 : uint32) <= elem) } + ensures { [#"../binary_search.rs" 107 0 108 90] forall x : usize . result = Core_Result_Result_Type.C_Err x + -> (forall i : usize . 
UIntSize.to_int x < UIntSize.to_int i /\ UIntSize.to_int i < len_logic0 arr + -> elem < get_default0 arr (UIntSize.to_int i) (0 : uint32)) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : Core_Result_Result_Type.t_result usize usize; var arr : BinarySearch_List_Type.t_list uint32 = arr; var elem : uint32 = elem; + var _9 : bool; var _10 : usize; var size : usize; var base : usize; + var _21 : bool; var half : usize; var _25 : bool; var mid : usize; var _29 : usize; + var _30 : bool; var _32 : uint32; var cmp : uint32; var _41 : uint32; + var _44 : bool; + var _48 : bool; + var _51 : usize; { goto BB0 } BB0 { - [#"../binary_search.rs" 110 7 110 16] _10 <- ([#"../binary_search.rs" 110 7 110 16] len0 ([#"../binary_search.rs" 110 7 110 10] arr)); + [#"../binary_search.rs" 110 7 110 16] _10 <- ([#"../binary_search.rs" 110 7 110 16] len0 arr); goto BB1 } BB1 { - switch ([#"../binary_search.rs" 110 7 110 21] _10 = ([#"../binary_search.rs" 110 20 110 21] [#"../binary_search.rs" 110 20 110 21] (0 : usize))) + [#"../binary_search.rs" 110 7 110 21] _9 <- _10 = ([#"../binary_search.rs" 110 20 110 21] (0 : usize)); + _10 <- any usize; + switch (_9) | False -> goto BB3 | True -> goto BB2 end } BB2 { - [#"../binary_search.rs" 111 15 111 21] _0 <- ([#"../binary_search.rs" 111 15 111 21] Core_Result_Result_Type.C_Err ([#"../binary_search.rs" 111 19 111 20] [#"../binary_search.rs" 111 19 111 20] (0 : usize))); + [#"../binary_search.rs" 111 15 111 21] _0 <- Core_Result_Result_Type.C_Err ([#"../binary_search.rs" 111 19 111 20] (0 : usize)); goto BB21 } BB3 { - [#"../binary_search.rs" 113 19 113 28] size <- ([#"../binary_search.rs" 113 19 113 28] len0 ([#"../binary_search.rs" 113 19 113 22] arr)); + [#"../binary_search.rs" 113 19 113 28] size <- ([#"../binary_search.rs" 113 19 113 28] len0 arr); goto BB4 } BB4 { - [#"../binary_search.rs" 114 19 114 20] base <- ([#"../binary_search.rs" 114 19 114 20] [#"../binary_search.rs" 114 19 114 20] (0 : usize)); + [#"../binary_search.rs" 114 19 114 
20] base <- ([#"../binary_search.rs" 114 19 114 20] (0 : usize)); goto BB5 } BB5 { invariant { [#"../binary_search.rs" 116 16 116 63] 0 < UIntSize.to_int size /\ UIntSize.to_int size + UIntSize.to_int base <= len_logic0 arr }; - invariant { [#"../binary_search.rs" 116 4 116 65] forall i : usize . i < base -> get_default0 arr (UIntSize.to_int i) (0 : uint32) <= elem }; - invariant { [#"../binary_search.rs" 116 4 116 65] forall i : usize . UIntSize.to_int base + UIntSize.to_int size < UIntSize.to_int i /\ UIntSize.to_int i < len_logic0 arr -> elem < get_default0 arr (UIntSize.to_int i) (0 : uint32) }; + invariant { [#"../binary_search.rs" 116 4 116 65] forall i : usize . i < base + -> get_default0 arr (UIntSize.to_int i) (0 : uint32) <= elem }; + invariant { [#"../binary_search.rs" 116 4 116 65] forall i : usize . UIntSize.to_int base + UIntSize.to_int size < UIntSize.to_int i /\ UIntSize.to_int i < len_logic0 arr + -> elem < get_default0 arr (UIntSize.to_int i) (0 : uint32) }; goto BB6 } BB6 { - switch ([#"../binary_search.rs" 119 10 119 18] ([#"../binary_search.rs" 119 10 119 14] size) > ([#"../binary_search.rs" 119 17 119 18] [#"../binary_search.rs" 119 17 119 18] (1 : usize))) + [#"../binary_search.rs" 119 10 119 18] _21 <- size > ([#"../binary_search.rs" 119 17 119 18] (1 : usize)); + switch (_21) | False -> goto BB13 | True -> goto BB7 end } BB7 { - [#"../binary_search.rs" 120 19 120 27] _25 <- ([#"../binary_search.rs" 120 19 120 27] ([#"../binary_search.rs" 120 26 120 27] [#"../binary_search.rs" 120 26 120 27] (2 : usize)) = ([#"../binary_search.rs" 120 19 120 27] [#"../binary_search.rs" 120 19 120 27] (0 : usize))); + [#"../binary_search.rs" 120 19 120 27] _25 <- ([#"../binary_search.rs" 120 26 120 27] (2 : usize)) = ([#"../binary_search.rs" 120 19 120 27] (0 : usize)); assert { [@expl:division by zero] [#"../binary_search.rs" 120 19 120 27] not _25 }; goto BB8 } BB8 { - [#"../binary_search.rs" 120 19 120 27] half <- ([#"../binary_search.rs" 120 19 120 27] 
([#"../binary_search.rs" 120 19 120 23] size) / ([#"../binary_search.rs" 120 26 120 27] [#"../binary_search.rs" 120 26 120 27] (2 : usize))); - [#"../binary_search.rs" 121 18 121 29] mid <- ([#"../binary_search.rs" 121 18 121 29] ([#"../binary_search.rs" 121 18 121 22] base) + ([#"../binary_search.rs" 121 25 121 29] half)); - [#"../binary_search.rs" 123 19 123 33] _32 <- ([#"../binary_search.rs" 123 19 123 33] index0 ([#"../binary_search.rs" 123 19 123 22] arr) ([#"../binary_search.rs" 123 29 123 32] mid)); + [#"../binary_search.rs" 120 19 120 27] half <- size / ([#"../binary_search.rs" 120 26 120 27] (2 : usize)); + [#"../binary_search.rs" 121 18 121 29] mid <- base + half; + [#"../binary_search.rs" 123 19 123 33] _32 <- ([#"../binary_search.rs" 123 19 123 33] index0 arr mid); goto BB9 } BB9 { - switch ([#"../binary_search.rs" 123 18 123 40] ([#"../binary_search.rs" 123 18 123 33] _32) > ([#"../binary_search.rs" 123 36 123 40] elem)) + [#"../binary_search.rs" 123 18 123 40] _30 <- _32 > elem; + switch (_30) | False -> goto BB11 | True -> goto BB10 end } BB10 { - [#"../binary_search.rs" 123 43 123 47] _29 <- ([#"../binary_search.rs" 123 43 123 47] base); + [#"../binary_search.rs" 123 43 123 47] _29 <- base; goto BB12 } BB11 { - [#"../binary_search.rs" 123 57 123 60] _29 <- ([#"../binary_search.rs" 123 57 123 60] mid); + [#"../binary_search.rs" 123 57 123 60] _29 <- mid; goto BB12 } BB12 { - [#"../binary_search.rs" 123 8 123 62] base <- ([#"../binary_search.rs" 123 8 123 62] _29); - [#"../binary_search.rs" 123 8 123 62] _29 <- any usize; - [#"../binary_search.rs" 124 8 124 20] size <- ([#"../binary_search.rs" 124 8 124 20] size - ([#"../binary_search.rs" 124 16 124 20] half)); + [#"../binary_search.rs" 123 8 123 62] base <- _29; + _29 <- any usize; + [#"../binary_search.rs" 124 8 124 20] size <- size - half; goto BB5 } BB13 { - [#"../binary_search.rs" 127 15 127 30] _41 <- ([#"../binary_search.rs" 127 15 127 30] index0 ([#"../binary_search.rs" 127 15 127 18] arr) 
([#"../binary_search.rs" 127 25 127 29] base)); + [#"../binary_search.rs" 127 15 127 30] _41 <- ([#"../binary_search.rs" 127 15 127 30] index0 arr base); goto BB14 } BB14 { - [#"../binary_search.rs" 127 14 127 30] cmp <- ([#"../binary_search.rs" 127 14 127 30] _41); - switch ([#"../binary_search.rs" 128 7 128 18] ([#"../binary_search.rs" 128 7 128 10] cmp) = ([#"../binary_search.rs" 128 14 128 18] elem)) + [#"../binary_search.rs" 127 14 127 30] cmp <- _41; + [#"../binary_search.rs" 128 7 128 18] _44 <- cmp = elem; + switch (_44) | False -> goto BB16 | True -> goto BB15 end } BB15 { - [#"../binary_search.rs" 129 8 129 16] _0 <- ([#"../binary_search.rs" 129 8 129 16] Core_Result_Result_Type.C_Ok ([#"../binary_search.rs" 129 11 129 15] base)); + [#"../binary_search.rs" 129 8 129 16] _0 <- Core_Result_Result_Type.C_Ok base; goto BB20 } BB16 { - switch ([#"../binary_search.rs" 130 14 130 24] ([#"../binary_search.rs" 130 14 130 17] cmp) < ([#"../binary_search.rs" 130 20 130 24] elem)) + [#"../binary_search.rs" 130 14 130 24] _48 <- cmp < elem; + switch (_48) | False -> goto BB18 | True -> goto BB17 end } BB17 { - [#"../binary_search.rs" 131 8 131 21] _0 <- ([#"../binary_search.rs" 131 8 131 21] Core_Result_Result_Type.C_Err ([#"../binary_search.rs" 131 12 131 20] ([#"../binary_search.rs" 131 12 131 16] base) + ([#"../binary_search.rs" 131 19 131 20] [#"../binary_search.rs" 131 19 131 20] (1 : usize)))); + [#"../binary_search.rs" 131 12 131 20] _51 <- base + ([#"../binary_search.rs" 131 19 131 20] (1 : usize)); + [#"../binary_search.rs" 131 8 131 21] _0 <- Core_Result_Result_Type.C_Err _51; + _51 <- any usize; goto BB19 } BB18 { - [#"../binary_search.rs" 133 8 133 17] _0 <- ([#"../binary_search.rs" 133 8 133 17] Core_Result_Result_Type.C_Err ([#"../binary_search.rs" 133 12 133 16] base)); + [#"../binary_search.rs" 133 8 133 17] _0 <- Core_Result_Result_Type.C_Err base; goto BB19 } BB19 { 
diff --git a/creusot/tests/should_succeed/binary_search.rs b/creusot/tests/should_succeed/binary_search.rs
index 16a58f13c4..3bbf583b76 100644
--- a/creusot/tests/should_succeed/binary_search.rs
+++ b/creusot/tests/should_succeed/binary_search.rs
@@ -17,7 +17,7 @@ pub enum List {
use List::*;
impl List {
- #[ghost]
+ #[logic]
#[ensures(result >= 0)]
fn len_logic(self) -> Int {
match self {
@@ -26,7 +26,7 @@ impl List {
}
}
- #[ghost]
+ #[logic]
fn get(self, ix: Int) -> Option {
match self {
Cons(t, ls) => {
@@ -74,7 +74,7 @@ impl List {
len
}
- #[ghost]
+ #[logic]
fn get_default(self, ix: Int, def: T) -> T {
match self.get(ix) {
Some(v) => v,
diff --git a/creusot/tests/should_succeed/binary_search/why3session.xml b/creusot/tests/should_succeed/binary_search/why3session.xml
index 61fddab936..f72f0b0ff8 100644
--- a/creusot/tests/should_succeed/binary_search/why3session.xml
+++ b/creusot/tests/should_succeed/binary_search/why3session.xml
@@ -6,13 +6,13 @@ - - + + - +
@@ -30,67 +30,67 @@ - + - + - + - + - + - - + + - - + + - + - - + + - - + + - - + + - - + + - + - - + + - + - + - + - + - + - + - +
diff --git a/creusot/tests/should_succeed/binary_search/why3shapes.gz b/creusot/tests/should_succeed/binary_search/why3shapes.gz
index 43f2d834d4..789108b7ca 100644
Binary files a/creusot/tests/should_succeed/binary_search/why3shapes.gz and b/creusot/tests/should_succeed/binary_search/why3shapes.gz differ
diff --git a/creusot/tests/should_succeed/bug/02_derive.mlcfg b/creusot/tests/should_succeed/bug/02_derive.mlcfg
index f810252f63..a1c2553229 100644
--- a/creusot/tests/should_succeed/bug/02_derive.mlcfg
+++ b/creusot/tests/should_succeed/bug/02_derive.mlcfg
@@ -15,7 +15,7 @@ module C02Derive_Impl0_Clone goto BB0 } BB0 { - [#"../02_derive.rs" 3 9 3 14] _0 <- ([#"../02_derive.rs" 3 9 3 14] C02Derive_Lit_Type.C_Lit); + [#"../02_derive.rs" 3 9 3 14] _0 <- C02Derive_Lit_Type.C_Lit; return _0 }
@@ -43,5 +43,6 @@ module C02Derive_Impl0 axiom inv0 : forall x : C02Derive_Lit_Type.t_lit . inv0 x = true use prelude.Borrow - goal clone'_refn : [#"../02_derive.rs" 3 9 3 14] forall self : C02Derive_Lit_Type.t_lit . inv0 self -> (forall result : C02Derive_Lit_Type.t_lit . inv1 result /\ result = self) + goal clone'_refn : [#"../02_derive.rs" 3 9 3 14] forall self : C02Derive_Lit_Type.t_lit . inv0 self + -> (forall result : C02Derive_Lit_Type.t_lit . inv1 result /\ result = self) end diff --git a/creusot/tests/should_succeed/bug/168.mlcfg b/creusot/tests/should_succeed/bug/168.mlcfg index 90ce3d79d0..44d49dffa9 100644 --- a/creusot/tests/should_succeed/bug/168.mlcfg +++ b/creusot/tests/should_succeed/bug/168.mlcfg @@ -9,7 +9,7 @@ module C168_MaxInt goto BB0 } BB0 { - [#"../168.rs" 4 4 4 14] _0 <- ([#"../168.rs" 4 4 4 14] [#"../168.rs" 4 4 4 14] (18446744073709551615 : usize)); + [#"../168.rs" 4 4 4 14] _0 <- ([#"../168.rs" 4 4 4 14] (18446744073709551615 : usize)); return _0 } diff --git a/creusot/tests/should_succeed/bug/173.mlcfg b/creusot/tests/should_succeed/bug/173.mlcfg index d7c037e886..ddd9bd8528 100644 --- a/creusot/tests/should_succeed/bug/173.mlcfg +++ b/creusot/tests/should_succeed/bug/173.mlcfg @@ -12,9 +12,9 @@ module C173_Test233 goto BB0 } BB0 { - [#"../173.rs" 20 12 20 14] x <- ([#"../173.rs" 20 12 20 14] [#"../173.rs" 20 12 20 14] (17 : int32)); + [#"../173.rs" 20 12 20 14] x <- ([#"../173.rs" 20 12 20 14] (17 : int32)); assert { [@expl:assertion] [#"../173.rs" 21 19 21 27] Int32.to_int x = 17 }; - [#"../173.rs" 22 12 22 14] x1 <- ([#"../173.rs" 22 12 22 14] [#"../173.rs" 22 12 22 14] (42 : int32)); + [#"../173.rs" 22 12 22 14] x1 <- ([#"../173.rs" 22 12 22 14] (42 : int32)); assert { [@expl:assertion] [#"../173.rs" 23 19 23 27] Int32.to_int x1 = 42 }; [#"../173.rs" 19 18 24 1] _0 <- ([#"../173.rs" 19 18 24 1] ()); return _0 
diff --git a/creusot/tests/should_succeed/bug/181_ident.rs b/creusot/tests/should_succeed/bug/181_ident.rs
index 202233d6b1..d601a86ee1 100644
--- a/creusot/tests/should_succeed/bug/181_ident.rs
+++ b/creusot/tests/should_succeed/bug/181_ident.rs
@@ -3,7 +3,7 @@ extern crate creusot_contracts;
use creusot_contracts::{logic::Int, *};
// Bug #181
-#[ghost]
+#[logic]
#[open]
pub fn max_int(a: Int, b: Int) -> Int {
if a < b {
diff --git a/creusot/tests/should_succeed/bug/206.mlcfg b/creusot/tests/should_succeed/bug/206.mlcfg
index c8536c1bde..982aa2ab45 100644
--- a/creusot/tests/should_succeed/bug/206.mlcfg
+++ b/creusot/tests/should_succeed/bug/206.mlcfg
@@ -17,12 +17,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type
@@ -81,7 +87,8 @@ module C206_U2_Impl requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool @@ -89,11 +96,9 @@ module C206_U2_Impl axiom inv0 : forall x : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . inv0 x = true use C206_A_Type as C206_A_Type - let rec ghost function u2 [#"../206.rs" 9 0 9 11] (a : C206_A_Type.t_a) : () - ensures { [#"../206.rs" 8 10 8 22] shallow_model0 (C206_A_Type.a_0 a) = shallow_model0 (C206_A_Type.a_0 a) } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../206.rs" 7 0 7 8] () + constant a : C206_A_Type.t_a + function u2 [#"../206.rs" 9 0 9 11] (a : C206_A_Type.t_a) : () + goal vc_u2 : [#"../206.rs" 8 10 8 22] shallow_model0 (C206_A_Type.a_0 a) = shallow_model0 (C206_A_Type.a_0 a) end module C206_Ex use prelude.UIntSize 
@@ -124,7 +129,8 @@ module C206_Ex requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool
diff --git a/creusot/tests/should_succeed/bug/206.rs b/creusot/tests/should_succeed/bug/206.rs
index d8b329f840..1e14851c50 100644
--- a/creusot/tests/should_succeed/bug/206.rs
+++ b/creusot/tests/should_succeed/bug/206.rs
@@ -4,11 +4,11 @@ use creusot_contracts::*;
pub struct A(Vec);
-#[ghost]
+#[logic]
#[ensures(a.0@ == a.0@)]
fn u2(a: A) {}
-#[ghost]
+#[logic]
#[open(self)]
pub fn u(a: A) {
pearlite! {
diff --git a/creusot/tests/should_succeed/bug/206/why3session.xml b/creusot/tests/should_succeed/bug/206/why3session.xml
index 9350a8b70b..b407b3d775 100644
--- a/creusot/tests/should_succeed/bug/206/why3session.xml
+++ b/creusot/tests/should_succeed/bug/206/why3session.xml
@@ -6,7 +6,7 @@ - +
diff --git a/creusot/tests/should_succeed/bug/206/why3shapes.gz b/creusot/tests/should_succeed/bug/206/why3shapes.gz
index 18c61d460e..374517f9ef 100644
Binary files a/creusot/tests/should_succeed/bug/206/why3shapes.gz and b/creusot/tests/should_succeed/bug/206/why3shapes.gz differ
diff --git a/creusot/tests/should_succeed/bug/217.mlcfg b/creusot/tests/should_succeed/bug/217.mlcfg
index e146410542..bea29c6175 100644
--- a/creusot/tests/should_succeed/bug/217.mlcfg
+++ b/creusot/tests/should_succeed/bug/217.mlcfg
@@ -10,9 +10,11 @@ module C217_Ex_Impl ensures { result = tail0 self } use prelude.Int - let rec ghost function ex [#"../217.rs" 11 0 11 37] (c : Seq.seq int) (a : int) : int - variant {[#"../217.rs" 10 10 10 17] Seq.length c} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../217.rs" 9 0 9 8] if pure {Seq.length c = 0} then 0 else let a' = tail0 c in ex a' a + constant c : Seq.seq int + constant a : int + function ex [#"../217.rs" 11 0 11 37] (c : Seq.seq int) (a : int) : int + goal vc_ex : match Seq.length c = 0 with + | True -> true + | False -> 0 <= ([#"../217.rs" 10 10 10 17] Seq.length c) /\ ([#"../217.rs" 10 10 10 17] Seq.length (tail0 c)) < ([#"../217.rs" 10 10 10 17] Seq.length c) + end end
diff --git a/creusot/tests/should_succeed/bug/217.rs b/creusot/tests/should_succeed/bug/217.rs
index d9474e02ed..d27344e6f6 100644
--- a/creusot/tests/should_succeed/bug/217.rs
+++ b/creusot/tests/should_succeed/bug/217.rs
@@ -6,7 +6,7 @@ use creusot_contracts::{
};
#[open]
-#[ghost]
+#[logic]
#[variant(c.len())]
pub fn ex(c: Seq, a: Int) -> Int {
if c.len() == 0 {
diff --git a/creusot/tests/should_succeed/bug/217/why3session.xml b/creusot/tests/should_succeed/bug/217/why3session.xml
index 626a388c9d..1cdddd223a 100644
--- a/creusot/tests/should_succeed/bug/217/why3session.xml
+++ b/creusot/tests/should_succeed/bug/217/why3session.xml
@@ -1,13 +1,13 @@ +"https://www.why3.org/why3session.dtd"> - - + +
diff --git a/creusot/tests/should_succeed/bug/217/why3shapes.gz b/creusot/tests/should_succeed/bug/217/why3shapes.gz index 8e03a3911c..05ecd033d9 100644 Binary files a/creusot/tests/should_succeed/bug/217/why3shapes.gz and b/creusot/tests/should_succeed/bug/217/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/bug/235.mlcfg b/creusot/tests/should_succeed/bug/235.mlcfg index 54e66782fd..bd9523302e 100644 --- a/creusot/tests/should_succeed/bug/235.mlcfg +++ b/creusot/tests/should_succeed/bug/235.mlcfg @@ -15,7 +15,7 @@ module C235_F goto BB2 } BB2 { - switch ([#"../235.rs" 8 10 8 14] [#"../235.rs" 8 10 8 14] true) + switch ([#"../235.rs" 8 10 8 14] true) | False -> goto BB4 | True -> goto BB3 end diff --git a/creusot/tests/should_succeed/bug/256.mlcfg b/creusot/tests/should_succeed/bug/256.mlcfg index 31ead196f2..f4369f9877 100644 --- a/creusot/tests/should_succeed/bug/256.mlcfg +++ b/creusot/tests/should_succeed/bug/256.mlcfg @@ -11,7 +11,7 @@ module C256_U8Safe goto BB0 } BB0 { - [#"../256.rs" 4 12 4 17] _2 <- ([#"../256.rs" 4 12 4 17] ([#"../256.rs" 4 12 4 13] u) + ([#"../256.rs" 4 16 4 17] [#"../256.rs" 4 16 4 17] (0 : uint8))); + [#"../256.rs" 4 12 4 17] _2 <- u + ([#"../256.rs" 4 16 4 17] (0 : uint8)); [#"../256.rs" 3 22 5 1] _0 <- ([#"../256.rs" 3 22 5 1] ()); return _0 } @@ -35,12 +35,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
diff --git a/creusot/tests/should_succeed/bug/265.rs b/creusot/tests/should_succeed/bug/265.rs
index 3fa3b918b8..3800d4948e 100644
--- a/creusot/tests/should_succeed/bug/265.rs
+++ b/creusot/tests/should_succeed/bug/265.rs
@@ -2,13 +2,13 @@ extern crate creusot_contracts;
use creusot_contracts::*;
#[open]
-#[ghost]
+#[logic]
pub fn bool_to_bool(b: bool) -> bool {
b
}
#[open]
-#[ghost]
+#[logic]
pub fn ex() {
pearlite! { bool_to_bool(!true) };
}
diff --git a/creusot/tests/should_succeed/bug/269.rs b/creusot/tests/should_succeed/bug/269.rs
index d52bf783c1..bb8730c780 100644
--- a/creusot/tests/should_succeed/bug/269.rs
+++ b/creusot/tests/should_succeed/bug/269.rs
@@ -3,5 +3,5 @@ extern crate creusot_contracts;
use creusot_contracts::*;
#[open]
-#[ghost]
+#[logic]
pub fn my_lemma() {}
diff --git a/creusot/tests/should_succeed/bug/271.mlcfg b/creusot/tests/should_succeed/bug/271.mlcfg
index ad30030cf4..1834729226 100644
--- a/creusot/tests/should_succeed/bug/271.mlcfg
+++ b/creusot/tests/should_succeed/bug/271.mlcfg
@@ -10,7 +10,7 @@ module C271_Ex goto BB0 } BB0 { - [#"../271.rs" 6 12 6 13] a <- ([#"../271.rs" 6 12 6 13] [#"../271.rs" 6 12 6 13] (0 : int32)); + [#"../271.rs" 6 12 6 13] a <- ([#"../271.rs" 6 12 6 13] (0 : int32)); goto BB2 } BB1 {
@@ -37,7 +37,7 @@ module C271_Ex2 goto BB0 } BB0 { - [#"../271.rs" 14 12 14 13] a <- ([#"../271.rs" 14 12 14 13] [#"../271.rs" 14 12 14 13] (0 : int32)); + [#"../271.rs" 14 12 14 13] a <- ([#"../271.rs" 14 12 14 13] (0 : int32)); switch (a = 0) | True -> goto BB1 | False -> switch (a = 1)
@@ -89,7 +89,7 @@ module C271_Ex3 goto BB0 } BB0 { - [#"../271.rs" 23 12 23 13] a <- ([#"../271.rs" 23 12 23 13] [#"../271.rs" 23 12 23 13] (0 : int32)); + [#"../271.rs" 23 12 23 13] a <- ([#"../271.rs" 23 12 23 13] (0 : int32)); switch (a = 0) | True -> goto BB1 | False -> switch (a = 1)
diff --git a/creusot/tests/should_succeed/bug/273.mlcfg b/creusot/tests/should_succeed/bug/273.mlcfg
index 7c4be7eafa..b536928236 100644
--- a/creusot/tests/should_succeed/bug/273.mlcfg +++ b/creusot/tests/should_succeed/bug/273.mlcfg @@ -21,7 +21,7 @@ module C273_Ex goto BB0 } BB0 { - [#"../273.rs" 5 21 5 31] _1 <- ([#"../273.rs" 5 21 5 31] Core_Option_Option_Type.C_Some ([#"../273.rs" 5 26 5 30] [#"../273.rs" 5 26 5 30] true)); + [#"../273.rs" 5 21 5 31] _1 <- Core_Option_Option_Type.C_Some ([#"../273.rs" 5 26 5 30] true); switch (_1) | Core_Option_Option_Type.C_Some _ -> goto BB1 | _ -> goto BB3 @@ -31,7 +31,7 @@ module C273_Ex goto BB2 } BB2 { - [#"../273.rs" 5 16 5 17] b <- ([#"../273.rs" 5 16 5 17] Core_Option_Option_Type.some_0 _1); + [#"../273.rs" 5 16 5 17] b <- Core_Option_Option_Type.some_0 _1; assert { [@expl:assertion] [#"../273.rs" 6 22 6 23] b }; [#"../273.rs" 5 32 7 5] _0 <- ([#"../273.rs" 5 32 7 5] ()); goto BB4 diff --git a/creusot/tests/should_succeed/bug/387.mlcfg b/creusot/tests/should_succeed/bug/387.mlcfg index 97d8c50a50..8033a5e1b7 100644 --- a/creusot/tests/should_succeed/bug/387.mlcfg +++ b/creusot/tests/should_succeed/bug/387.mlcfg 
@@ -88,8 +88,10 @@ module C387_Impl0_Height ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 53 26 53 66] deep_model0 result >= deep_model0 self } ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 54 26 54 63] deep_model0 result >= deep_model0 other } ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 7 0 62 1] result = self \/ result = other } - ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 56 16 56 79] deep_model0 self <= deep_model0 other -> result = other } - ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 57 16 57 81] deep_model0 other < deep_model0 self -> result = self } + ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 56 16 56 79] deep_model0 self <= deep_model0 other + -> result = other } + ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 57 16 57 81] deep_model0 other < deep_model0 self + -> result = self } ensures { inv0 result } use C387_Node_Type as C387_Node_Type @@ -117,8 +119,8 @@ module C387_Impl0_Height goto BB4 } BB2 { - [#"../387.rs" 19 22 19 23] n <- ([#"../387.rs" 19 22 19 23] Core_Option_Option_Type.some_0 (C387_Tree_Type.tree_0 self)); - [#"../387.rs" 19 29 19 44] _5 <- ([#"../387.rs" 19 29 19 44] height ([#"../387.rs" 19 29 19 35] C387_Node_Type.node_left n)); + [#"../387.rs" 19 22 19 23] n <- Core_Option_Option_Type.some_0 (C387_Tree_Type.tree_0 self); + [#"../387.rs" 19 29 19 44] _5 <- ([#"../387.rs" 19 29 19 44] height (C387_Node_Type.node_left n)); goto BB5 } BB3 { 
@@ -126,11 +128,11 @@ module C387_Impl0_Height absurd } BB4 { - [#"../387.rs" 18 26 18 27] _0 <- ([#"../387.rs" 18 26 18 27] [#"../387.rs" 18 26 18 27] (0 : uint64)); + [#"../387.rs" 18 26 18 27] _0 <- ([#"../387.rs" 18 26 18 27] (0 : uint64)); goto BB8 } BB5 { - [#"../387.rs" 19 49 19 65] _7 <- ([#"../387.rs" 19 49 19 65] height ([#"../387.rs" 19 49 19 56] C387_Node_Type.node_right n)); + [#"../387.rs" 19 49 19 65] _7 <- ([#"../387.rs" 19 49 19 65] height (C387_Node_Type.node_right n)); goto BB6 } BB6 { @@ -140,7 +142,7 @@ module C387_Impl0_Height goto BB7 } BB7 { - [#"../387.rs" 19 29 19 70] _0 <- ([#"../387.rs" 19 29 19 70] _4 + ([#"../387.rs" 19 69 19 70] [#"../387.rs" 19 69 19 70] (1 : uint64))); + [#"../387.rs" 19 29 19 70] _0 <- _4 + ([#"../387.rs" 19 69 19 70] (1 : uint64)); _4 <- any uint64; goto BB8 } diff --git a/creusot/tests/should_succeed/bug/395.mlcfg b/creusot/tests/should_succeed/bug/395.mlcfg index 256f6a0f9e..829d2fba43 100644 --- a/creusot/tests/should_succeed/bug/395.mlcfg +++ b/creusot/tests/should_succeed/bug/395.mlcfg 
@@ -7,29 +7,42 @@ module C395_SignedDivision var _0 : (); var x : int32; var y : int32; + var _4 : bool; + var _5 : int32; var _6 : int32; var _7 : int32; var _8 : bool; + var _9 : bool; + var _10 : bool; var _11 : bool; { goto BB0 } BB0 { - [#"../395.rs" 4 12 4 14] x <- ([#"../395.rs" 4 12 4 14] [#"../395.rs" 4 12 4 14] (10 : int32)); - [#"../395.rs" 5 12 5 13] y <- ([#"../395.rs" 5 12 5 13] [#"../395.rs" 5 12 5 13] (1 : int32)); - [#"../395.rs" 7 12 7 13] _6 <- ([#"../395.rs" 7 12 7 13] x); - [#"../395.rs" 7 16 7 17] _7 <- ([#"../395.rs" 7 16 7 17] y); - [#"../395.rs" 7 12 7 17] _8 <- ([#"../395.rs" 7 12 7 17] _7 = ([#"../395.rs" 7 12 7 17] [#"../395.rs" 7 12 7 17] (0 : int32))); + [#"../395.rs" 4 12 4 14] x <- ([#"../395.rs" 4 12 4 14] (10 : int32)); + [#"../395.rs" 5 12 5 13] y <- ([#"../395.rs" 5 12 5 13] (1 : int32)); + [#"../395.rs" 7 12 7 13] _6 <- x; + [#"../395.rs" 7 16 7 17] _7 <- y; + [#"../395.rs" 7 12 7 17] _8 <- _7 = ([#"../395.rs" 7 12 7 17] (0 : int32)); assert { [@expl:division by zero] [#"../395.rs" 7 12 7 17] not _8 }; goto BB1 } BB1 { - [#"../395.rs" 7 12 7 17] _11 <- ([#"../395.rs" 7 12 7 17] ([#"../395.rs" 7 12 7 17] _7 = ([#"../395.rs" 7 12 7 17] [#"../395.rs" 7 12 7 17] (-1 : int32))) && ([#"../395.rs" 7 12 7 17] _6 = ([#"../395.rs" 7 12 7 17] [#"../395.rs" 7 12 7 17] (-2147483648 : int32)))); + [#"../395.rs" 7 12 7 17] _9 <- _7 = ([#"../395.rs" 7 12 7 17] (-1 : int32)); + [#"../395.rs" 7 12 7 17] _10 <- _6 = ([#"../395.rs" 7 12 7 17] (-2147483648 : int32)); + [#"../395.rs" 7 12 7 17] _11 <- _9 && _10; + _9 <- any bool; + _10 <- any bool; assert { [@expl:Div overflow] [#"../395.rs" 7 12 7 17] not _11 }; goto BB2 } BB2 { - switch ([#"../395.rs" 7 12 7 23] ([#"../395.rs" 7 12 7 17] _6 / _7) = ([#"../395.rs" 7 21 7 23] [#"../395.rs" 7 21 7 23] (10 : int32))) + [#"../395.rs" 7 12 7 17] _5 <- _6 / _7; + _6 <- any int32; + _7 <- any int32; + [#"../395.rs" 7 12 7 23] _4 <- _5 = ([#"../395.rs" 7 21 7 23] (10 : int32)); + _5 <- any int32; + switch 
(_4) | False -> goto BB4 | True -> goto BB3 end diff --git a/creusot/tests/should_succeed/bug/395/why3session.xml b/creusot/tests/should_succeed/bug/395/why3session.xml index a3a1bf3a69..3c77f7b5e8 100644 --- a/creusot/tests/should_succeed/bug/395/why3session.xml +++ b/creusot/tests/should_succeed/bug/395/why3session.xml @@ -7,7 +7,7 @@ - + diff --git a/creusot/tests/should_succeed/bug/395/why3shapes.gz b/creusot/tests/should_succeed/bug/395/why3shapes.gz index 145d22c4ce..f153c50072 100644 Binary files a/creusot/tests/should_succeed/bug/395/why3shapes.gz and b/creusot/tests/should_succeed/bug/395/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/bug/463.mlcfg b/creusot/tests/should_succeed/bug/463.mlcfg index bcfbe448ed..872ee88137 100644 --- a/creusot/tests/should_succeed/bug/463.mlcfg +++ b/creusot/tests/should_succeed/bug/463.mlcfg @@ -26,9 +26,9 @@ module C463_Test_Closure0 goto BB0 } BB0 { - [#"../463.rs" 7 19 7 24] res1 <- ([#"../463.rs" 7 19 7 24] ([#"../463.rs" 7 19 7 20] x) + ([#"../463.rs" 7 23 7 24] [#"../463.rs" 7 23 7 24] (1 : usize))); - [#"../463.rs" 5 8 5 30] res <- ([#"../463.rs" 5 8 5 30] res1); - [#"../463.rs" 6 8 6 37] _0 <- ([#"../463.rs" 6 8 6 37] res); + [#"../463.rs" 7 19 7 24] res1 <- x + ([#"../463.rs" 7 23 7 24] (1 : usize)); + [#"../463.rs" 5 8 5 30] res <- res1; + [#"../463.rs" 6 8 6 37] _0 <- res; return _0 } 
@@ -51,12 +51,15 @@ module C463_Test var _0 : (); var c : C463_Test_Closure0.c463_test_closure0; var y : usize; + var _4 : usize; { goto BB0 } BB0 { - [#"../463.rs" 6 8 6 37] c <- ([#"../463.rs" 6 8 6 37] C463_Test_Closure0.C463_Test_Closure0); - [#"../463.rs" 9 12 9 16] y <- ([#"../463.rs" 9 12 9 16] let (a) = [#"../463.rs" 9 12 9 16] (([#"../463.rs" 9 14 9 15] [#"../463.rs" 9 14 9 15] (2 : usize))) in closure00 ([#"../463.rs" 9 12 9 13] c) a); + [#"../463.rs" 6 8 6 37] c <- C463_Test_Closure0.C463_Test_Closure0; + [#"../463.rs" 9 12 9 16] _4 <- (([#"../463.rs" 9 14 9 15] (2 : usize))); + [#"../463.rs" 9 12 9 16] y <- ([#"../463.rs" 9 12 9 16] let (a) = _4 in closure00 c a); + _4 <- any usize; goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/bug/463/why3session.xml b/creusot/tests/should_succeed/bug/463/why3session.xml index 1af2d5d592..949c7766d3 100644 --- a/creusot/tests/should_succeed/bug/463/why3session.xml +++ b/creusot/tests/should_succeed/bug/463/why3session.xml @@ -12,7 +12,7 @@ - + diff --git a/creusot/tests/should_succeed/bug/463/why3shapes.gz b/creusot/tests/should_succeed/bug/463/why3shapes.gz index 544b969f2a..d1ca6a8262 100644 Binary files a/creusot/tests/should_succeed/bug/463/why3shapes.gz and b/creusot/tests/should_succeed/bug/463/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/bug/464.mlcfg b/creusot/tests/should_succeed/bug/464.mlcfg index 012385300c..05e57fe6c4 100644 --- a/creusot/tests/should_succeed/bug/464.mlcfg +++ b/creusot/tests/should_succeed/bug/464.mlcfg 
@@ -17,11 +17,11 @@ module C464_Impl1_Invariant_Impl val invariant0 [#"../464.rs" 23 4 23 30] (self : C464_AssocStruct_Type.t_assocstruct) : bool ensures { result = invariant0 self } - let rec ghost predicate invariant' [#"../464.rs" 34 4 34 50] (self : C464_Struct_Type.t_struct) (assoc : C464_AssocStruct_Type.t_assocstruct) - ensures { [#"../464.rs" 33 4 33 44] result -> invariant0 assoc } + constant self : C464_Struct_Type.t_struct + constant assoc : C464_AssocStruct_Type.t_assocstruct + predicate invariant' [#"../464.rs" 34 4 34 50] (self : C464_Struct_Type.t_struct) (assoc : C464_AssocStruct_Type.t_assocstruct) - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../464.rs" 35 8 35 12] true + goal vc_invariant' : [#"../464.rs" 33 4 33 44] true -> invariant0 assoc end module C464_Impl0 @@ -54,5 +54,6 @@ module C464_Impl1 val invariant0 [#"../464.rs" 23 4 23 30] (self : C464_AssocStruct_Type.t_assocstruct) : bool ensures { result = invariant0 self } - goal invariant'_refn : [#"../464.rs" 34 4 34 50] forall self : C464_Struct_Type.t_struct . forall assoc : C464_AssocStruct_Type.t_assocstruct . inv0 assoc /\ inv1 self -> (forall result : bool . result -> invariant0 assoc -> result -> invariant0 assoc) + goal invariant'_refn : [#"../464.rs" 34 4 34 50] forall self : C464_Struct_Type.t_struct . forall assoc : C464_AssocStruct_Type.t_assocstruct . inv0 assoc /\ inv1 self + -> (forall result : bool . result -> invariant0 assoc -> result -> invariant0 assoc) end diff --git a/creusot/tests/should_succeed/bug/486.mlcfg b/creusot/tests/should_succeed/bug/486.mlcfg index 70a5ebf5ee..d195ef24eb 100644 --- a/creusot/tests/should_succeed/bug/486.mlcfg +++ b/creusot/tests/should_succeed/bug/486.mlcfg 
@@ -25,7 +25,7 @@ module C486_Test goto BB0 } BB0 { - [#"../486.rs" 8 4 8 12] x <- (let C486_HasMutRef_Type.C_HasMutRef x0 = x in C486_HasMutRef_Type.C_HasMutRef ({ (C486_HasMutRef_Type.hasmutref_0 x) with current = ([#"../486.rs" 8 4 8 12] [#"../486.rs" 8 11 8 12] (5 : uint32)) ; })); + [#"../486.rs" 8 4 8 12] x <- (let C486_HasMutRef_Type.C_HasMutRef x0 = x in C486_HasMutRef_Type.C_HasMutRef ({ (C486_HasMutRef_Type.hasmutref_0 x) with current = ([#"../486.rs" 8 11 8 12] (5 : uint32)) ; })); [#"../486.rs" 8 4 8 12] _0 <- ([#"../486.rs" 8 4 8 12] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/510.mlcfg b/creusot/tests/should_succeed/bug/510.mlcfg index 4cfd6a83af..8ae4f2c100 100644 --- a/creusot/tests/should_succeed/bug/510.mlcfg +++ b/creusot/tests/should_succeed/bug/510.mlcfg @@ -12,7 +12,7 @@ module C510_TestBool goto BB0 } BB0 { - [#"../510.rs" 4 16 4 25] _bing <- ([#"../510.rs" 4 16 4 25] UInt8.of_int (Bool.to_int ([#"../510.rs" 4 16 4 19] inp))); + [#"../510.rs" 4 16 4 25] _bing <- UInt8.of_int (Bool.to_int inp); [#"../510.rs" 3 28 5 1] _0 <- ([#"../510.rs" 3 28 5 1] ()); return _0 } @@ -30,7 +30,7 @@ module C510_TestChar goto BB0 } BB0 { - [#"../510.rs" 8 4 8 14] _1 <- ([#"../510.rs" 8 4 8 14] Char.chr (UInt8.to_int ([#"../510.rs" 8 4 8 6] [#"../510.rs" 8 4 8 6] (22 : uint8)))); + [#"../510.rs" 8 4 8 14] _1 <- Char.chr (UInt8.to_int ([#"../510.rs" 8 4 8 6] (22 : uint8))); [#"../510.rs" 7 19 9 1] _0 <- ([#"../510.rs" 7 19 9 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/511.mlcfg b/creusot/tests/should_succeed/bug/511.mlcfg index 155900a2db..9d28ef5414 100644 --- a/creusot/tests/should_succeed/bug/511.mlcfg +++ b/creusot/tests/should_succeed/bug/511.mlcfg 
@@ -12,7 +12,7 @@ module C511_TestU8 goto BB0 } BB0 { - [#"../511.rs" 4 16 4 28] _bing <- ([#"../511.rs" 4 16 4 28] UIntSize.of_int (UInt8.to_int ([#"../511.rs" 4 16 4 19] inp))); + [#"../511.rs" 4 16 4 28] _bing <- UIntSize.of_int (UInt8.to_int inp); [#"../511.rs" 3 24 5 1] _0 <- ([#"../511.rs" 3 24 5 1] ()); return _0 } @@ -31,7 +31,7 @@ module C511_TestU16 goto BB0 } BB0 { - [#"../511.rs" 8 16 8 28] _bing <- ([#"../511.rs" 8 16 8 28] UIntSize.of_int (UInt16.to_int ([#"../511.rs" 8 16 8 19] inp))); + [#"../511.rs" 8 16 8 28] _bing <- UIntSize.of_int (UInt16.to_int inp); [#"../511.rs" 7 26 9 1] _0 <- ([#"../511.rs" 7 26 9 1] ()); return _0 } @@ -50,7 +50,7 @@ module C511_TestU128 goto BB0 } BB0 { - [#"../511.rs" 12 16 12 28] _bing <- ([#"../511.rs" 12 16 12 28] UIntSize.of_int (UInt128.to_int ([#"../511.rs" 12 16 12 19] inp))); + [#"../511.rs" 12 16 12 28] _bing <- UIntSize.of_int (UInt128.to_int inp); [#"../511.rs" 11 28 13 1] _0 <- ([#"../511.rs" 11 28 13 1] ()); return _0 } @@ -69,7 +69,7 @@ module C511_TestI8 goto BB0 } BB0 { - [#"../511.rs" 16 16 16 28] _bing <- ([#"../511.rs" 16 16 16 28] UIntSize.of_int (Int8.to_int ([#"../511.rs" 16 16 16 19] inp))); + [#"../511.rs" 16 16 16 28] _bing <- UIntSize.of_int (Int8.to_int inp); [#"../511.rs" 15 24 17 1] _0 <- ([#"../511.rs" 15 24 17 1] ()); return _0 } @@ -88,7 +88,7 @@ module C511_TestI16 goto BB0 } BB0 { - [#"../511.rs" 20 16 20 28] _bing <- ([#"../511.rs" 20 16 20 28] UIntSize.of_int (Int16.to_int ([#"../511.rs" 20 16 20 19] inp))); + [#"../511.rs" 20 16 20 28] _bing <- UIntSize.of_int (Int16.to_int inp); [#"../511.rs" 19 26 21 1] _0 <- ([#"../511.rs" 19 26 21 1] ()); return _0 } 
@@ -107,7 +107,7 @@ module C511_TestI128 goto BB0 } BB0 { - [#"../511.rs" 24 16 24 28] _bing <- ([#"../511.rs" 24 16 24 28] UIntSize.of_int (Int128.to_int ([#"../511.rs" 24 16 24 19] inp))); + [#"../511.rs" 24 16 24 28] _bing <- UIntSize.of_int (Int128.to_int inp); [#"../511.rs" 23 28 25 1] _0 <- ([#"../511.rs" 23 28 25 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/528.mlcfg b/creusot/tests/should_succeed/bug/528.mlcfg index b28df86ddb..9e4e516f9e 100644 --- a/creusot/tests/should_succeed/bug/528.mlcfg +++ b/creusot/tests/should_succeed/bug/528.mlcfg @@ -10,7 +10,7 @@ module C528_Neq goto BB0 } BB0 { - [#"../528.rs" 4 4 4 10] _0 <- ([#"../528.rs" 4 4 4 10] Bool.neqb ([#"../528.rs" 4 4 4 5] a) ([#"../528.rs" 4 9 4 10] b)); + [#"../528.rs" 4 4 4 10] _0 <- Bool.neqb a b; return _0 } diff --git a/creusot/tests/should_succeed/bug/552.mlcfg b/creusot/tests/should_succeed/bug/552.mlcfg index 1e2ce9a0be..c51757fa87 100644 --- a/creusot/tests/should_succeed/bug/552.mlcfg +++ b/creusot/tests/should_succeed/bug/552.mlcfg @@ -27,7 +27,7 @@ module C552_Impl1_Transition goto BB0 } BB0 { - [#"../552.rs" 32 8 32 18] _0 <- ([#"../552.rs" 32 8 32 18] C552_Transition_Type.C_Transition); + [#"../552.rs" 32 8 32 18] _0 <- C552_Transition_Type.C_Transition; return _0 } @@ -61,12 +61,12 @@ module C552_Impl0_Step goto BB0 } BB0 { - [#"../552.rs" 24 8 24 25] _4 <- ([#"../552.rs" 24 8 24 25] transition0 ([#"../552.rs" 24 8 24 12] * self)); + [#"../552.rs" 24 8 24 25] _4 <- ([#"../552.rs" 24 8 24 25] transition0 ( * self)); goto BB1 } BB1 { assume { resolve0 self }; - [#"../552.rs" 25 8 25 13] _0 <- ([#"../552.rs" 25 8 25 13] [#"../552.rs" 25 8 25 13] false); + [#"../552.rs" 25 8 25 13] _0 <- ([#"../552.rs" 25 8 25 13] false); return _0 } 
@@ -89,5 +89,6 @@ module C552_Impl0 val invariants0 [#"../552.rs" 18 4 18 31] (self : C552_Machine_Type.t_machine) : bool ensures { result = invariants0 self } - goal step_refn : [#"../552.rs" 23 4 23 30] forall self : borrowed (C552_Machine_Type.t_machine) . inv0 self /\ invariants0 ( * self) -> invariants0 ( * self) /\ (forall result : bool . invariants0 ( ^ self) -> invariants0 ( ^ self)) + goal step_refn : [#"../552.rs" 23 4 23 30] forall self : borrowed (C552_Machine_Type.t_machine) . inv0 self /\ invariants0 ( * self) + -> invariants0 ( * self) /\ (forall result : bool . invariants0 ( ^ self) -> invariants0 ( ^ self)) end diff --git a/creusot/tests/should_succeed/bug/564.mlcfg b/creusot/tests/should_succeed/bug/564.mlcfg index 0f035c076a..d0b95f1f51 100644 --- a/creusot/tests/should_succeed/bug/564.mlcfg +++ b/creusot/tests/should_succeed/bug/564.mlcfg @@ -7,11 +7,9 @@ module C564_EmitsPureEq_Impl val invariants0 [#"../564.rs" 23 0 23 23] (_1 : ()) : bool ensures { result = invariants0 _1 } - let rec ghost function emits_pure_eq [#"../564.rs" 7 0 7 30] (_1 : ()) : bool - requires {[#"../564.rs" 6 11 6 23] invariants0 ()} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../564.rs" 9 8 9 30] let x0 = pure {(1 : int32) = (1 : int32)} in pure {x0 = true} + constant _1 : () + function emits_pure_eq [#"../564.rs" 7 0 7 30] (_1 : ()) : bool + goal vc_emits_pure_eq : true end module C564_EmitsPureImplies_Impl use prelude.Int32 @@ -21,9 +19,7 @@ module C564_EmitsPureImplies_Impl val invariants0 [#"../564.rs" 23 0 23 23] (_1 : ()) : bool ensures { result = invariants0 _1 } - let rec ghost function emits_pure_implies [#"../564.rs" 16 0 16 35] (_1 : ()) : bool - requires {[#"../564.rs" 15 11 15 23] invariants0 ()} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../564.rs" 17 4 19 5] pure {true} + constant _1 : () + function emits_pure_implies [#"../564.rs" 16 0 16 35] (_1 : ()) : bool + goal vc_emits_pure_implies : true end 
diff --git a/creusot/tests/should_succeed/bug/564.rs b/creusot/tests/should_succeed/bug/564.rs index a35c8dd2db..96a649271e 100644 --- a/creusot/tests/should_succeed/bug/564.rs +++ b/creusot/tests/should_succeed/bug/564.rs @@ -1,7 +1,7 @@ extern crate creusot_contracts; use creusot_contracts::*; -#[ghost] +#[logic] #[open] #[requires(invariants())] pub fn emits_pure_eq() -> bool { @@ -10,7 +10,7 @@ pub fn emits_pure_eq() -> bool { } } -#[ghost] +#[logic] #[open] #[requires(invariants())] pub fn emits_pure_implies() -> bool { @@ -19,7 +19,7 @@ pub fn emits_pure_implies() -> bool { } } -#[ghost] +#[logic] fn invariants() -> bool { true } diff --git a/creusot/tests/should_succeed/bug/570.mlcfg b/creusot/tests/should_succeed/bug/570.mlcfg index 39b486da65..c6943b9349 100644 --- a/creusot/tests/should_succeed/bug/570.mlcfg +++ b/creusot/tests/should_succeed/bug/570.mlcfg @@ -50,7 +50,7 @@ module C570_TestAssign goto BB0 } BB0 { - [#"../570.rs" 17 4 17 14] s <- (let C570_S2_Type.C_S2 x0 = s in C570_S2_Type.C_S2 (let C570_S1_Type.C_S1 x0 = C570_S2_Type.s2_s1 s in C570_S1_Type.C_S1 ([#"../570.rs" 17 4 17 14] [#"../570.rs" 17 13 17 14] (2 : int32)))); + [#"../570.rs" 17 4 17 14] s <- (let C570_S2_Type.C_S2 x0 = s in C570_S2_Type.C_S2 (let C570_S1_Type.C_S1 x0 = C570_S2_Type.s2_s1 s in C570_S1_Type.C_S1 ([#"../570.rs" 17 13 17 14] (2 : int32)))); [#"../570.rs" 16 30 18 1] _0 <- ([#"../570.rs" 16 30 18 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/570.rs b/creusot/tests/should_succeed/bug/570.rs index b05fdfb543..80a9793173 100644 --- a/creusot/tests/should_succeed/bug/570.rs +++ b/creusot/tests/should_succeed/bug/570.rs @@ -18,7 +18,7 @@ pub fn test_assign(mut s: S2) { } #[open] -#[ghost] +#[logic] pub fn test_logic(s: S2) { s.s1.f; } diff --git a/creusot/tests/should_succeed/bug/594.mlcfg b/creusot/tests/should_succeed/bug/594.mlcfg index 1c50f7ceb1..a3618a437e 100644 --- a/creusot/tests/should_succeed/bug/594.mlcfg 
+++ b/creusot/tests/should_succeed/bug/594.mlcfg @@ -23,9 +23,9 @@ module C594_TestProgram goto BB0 } BB0 { - [#"../594.rs" 11 21 11 22] x <- ([#"../594.rs" 11 21 11 22] let (a, _) = _1 in a); + [#"../594.rs" 11 21 11 22] x <- (let (a, _) = _1 in a); assume { resolve0 _1 }; - [#"../594.rs" 12 4 12 5] _0 <- ([#"../594.rs" 12 4 12 5] x); + [#"../594.rs" 12 4 12 5] _0 <- x; return _0 } @@ -66,11 +66,11 @@ module C594_TestClosure_Closure0 goto BB0 } BB0 { - [#"../594.rs" 17 10 17 12] _a <- ([#"../594.rs" 17 10 17 12] let (a, _) = _3 in a); - [#"../594.rs" 17 14 17 15] b <- ([#"../594.rs" 17 14 17 15] let (_, a) = _3 in a); + [#"../594.rs" 17 10 17 12] _a <- (let (a, _) = _3 in a); + [#"../594.rs" 17 14 17 15] b <- (let (_, a) = _3 in a); assume { resolve0 _3 }; - [#"../594.rs" 17 18 17 19] res <- ([#"../594.rs" 17 18 17 19] b); - [#"../594.rs" 16 14 16 37] _0 <- ([#"../594.rs" 16 14 16 37] res); + [#"../594.rs" 17 18 17 19] res <- b; + [#"../594.rs" 16 14 16 37] _0 <- res; return _0 } @@ -111,11 +111,11 @@ module C594_TestClosure_Closure1 goto BB0 } BB0 { - [#"../594.rs" 19 6 19 8] _a <- ([#"../594.rs" 19 6 19 8] let (a, _) = _2 in a); - [#"../594.rs" 19 10 19 11] b <- ([#"../594.rs" 19 10 19 11] let (_, a) = _2 in a); + [#"../594.rs" 19 6 19 8] _a <- (let (a, _) = _2 in a); + [#"../594.rs" 19 10 19 11] b <- (let (_, a) = _2 in a); assume { resolve0 _2 }; - [#"../594.rs" 19 14 19 15] res <- ([#"../594.rs" 19 14 19 15] b); - [#"../594.rs" 18 14 18 37] _0 <- ([#"../594.rs" 18 14 18 37] res); + [#"../594.rs" 19 14 19 15] res <- b; + [#"../594.rs" 18 14 18 37] _0 <- res; return _0 } 
@@ -153,19 +153,31 @@ module C594_TestClosure var cl1 : C594_TestClosure_Closure0.c594_testclosure_closure0; var cl2 : C594_TestClosure_Closure1.c594_testclosure_closure1; var _a : int32; + var _5 : (int32, (int32, int32)); + var _6 : (int32, int32); var _b : int32; + var _9 : (int32, int32); + var _10 : (int32, int32); { goto BB0 } BB0 { - [#"../594.rs" 16 14 16 37] cl1 <- ([#"../594.rs" 16 14 16 37] C594_TestClosure_Closure0.C594_TestClosure_Closure0); - [#"../594.rs" 18 14 18 37] cl2 <- ([#"../594.rs" 18 14 18 37] C594_TestClosure_Closure1.C594_TestClosure_Closure1); - [#"../594.rs" 20 13 20 29] _a <- ([#"../594.rs" 20 13 20 29] let (a, b) = [#"../594.rs" 20 13 20 29] (([#"../594.rs" 20 19 20 20] [#"../594.rs" 20 19 20 20] (4 : int32)), ([#"../594.rs" 20 22 20 28] (([#"../594.rs" 20 23 20 24] [#"../594.rs" 20 23 20 24] (0 : int32)), ([#"../594.rs" 20 26 20 27] [#"../594.rs" 20 26 20 27] (3 : int32))))) in closure00 ([#"../594.rs" 20 13 20 18] cl1) a b); + [#"../594.rs" 16 14 16 37] cl1 <- C594_TestClosure_Closure0.C594_TestClosure_Closure0; + [#"../594.rs" 18 14 18 37] cl2 <- C594_TestClosure_Closure1.C594_TestClosure_Closure1; + [#"../594.rs" 20 22 20 28] _6 <- (([#"../594.rs" 20 23 20 24] (0 : int32)), ([#"../594.rs" 20 26 20 27] (3 : int32))); + [#"../594.rs" 20 13 20 29] _5 <- (([#"../594.rs" 20 19 20 20] (4 : int32)), _6); + _6 <- any (int32, int32); + [#"../594.rs" 20 13 20 29] _a <- ([#"../594.rs" 20 13 20 29] let (a, b) = _5 in closure00 cl1 a b); + _5 <- any (int32, (int32, int32)); goto BB1 } BB1 { assume { resolve0 cl1 }; - [#"../594.rs" 21 13 21 26] _b <- ([#"../594.rs" 21 13 21 26] let (a) = [#"../594.rs" 21 13 21 26] (([#"../594.rs" 21 19 21 25] (([#"../594.rs" 21 20 21 21] [#"../594.rs" 21 20 21 21] (0 : int32)), ([#"../594.rs" 21 23 21 24] [#"../594.rs" 21 23 21 24] (4 : int32))))) in closure10 ([#"../594.rs" 21 13 21 18] cl2) a); + [#"../594.rs" 21 19 21 25] _10 <- (([#"../594.rs" 21 20 21 21] (0 : int32)), ([#"../594.rs" 21 23 21 24] (4 : 
int32))); + [#"../594.rs" 21 13 21 26] _9 <- (_10); + _10 <- any (int32, int32); + [#"../594.rs" 21 13 21 26] _b <- ([#"../594.rs" 21 13 21 26] let (a) = _9 in closure10 cl2 a); + _9 <- any (int32, int32); goto BB2 } BB2 { @@ -207,9 +219,9 @@ module C594_Impl0_TestMethod goto BB0 } BB0 { - [#"../594.rs" 33 30 33 31] x <- ([#"../594.rs" 33 30 33 31] let (a, _) = _2 in a); + [#"../594.rs" 33 30 33 31] x <- (let (a, _) = _2 in a); assume { resolve0 _2 }; - [#"../594.rs" 34 8 34 9] _0 <- ([#"../594.rs" 34 8 34 9] x); + [#"../594.rs" 34 8 34 9] _0 <- x; return _0 } diff --git a/creusot/tests/should_succeed/bug/594.rs b/creusot/tests/should_succeed/bug/594.rs index 3596bd72ae..4f4e2f532b 100644 --- a/creusot/tests/should_succeed/bug/594.rs +++ b/creusot/tests/should_succeed/bug/594.rs @@ -2,7 +2,7 @@ extern crate creusot_contracts; use creusot_contracts::*; #[open] -#[ghost] +#[logic] pub fn test_logic((x, _): (u32, u32)) -> u32 { x } @@ -21,7 +21,7 @@ pub fn test_closure() { let _b = (cl2)((0, 4)); } -pub struct T(u32); +pub struct T(pub u32); // #[ensures(result == x)] // pub fn test_struct_pat(T(x): T) { diff --git a/creusot/tests/should_succeed/bug/653.mlcfg b/creusot/tests/should_succeed/bug/653.mlcfg index 51cc10c951..1ee383f716 100644 --- a/creusot/tests/should_succeed/bug/653.mlcfg +++ b/creusot/tests/should_succeed/bug/653.mlcfg @@ -13,7 +13,7 @@ module C653_Omg goto BB0 } BB0 { - [#"../653.rs" 7 4 7 5] _0 <- ([#"../653.rs" 7 4 7 5] n); + [#"../653.rs" 7 4 7 5] _0 <- n; return _0 } diff --git a/creusot/tests/should_succeed/bug/682.mlcfg b/creusot/tests/should_succeed/bug/682.mlcfg index acbc439fbd..3ecb688f84 100644 --- a/creusot/tests/should_succeed/bug/682.mlcfg +++ b/creusot/tests/should_succeed/bug/682.mlcfg 
@@ -21,7 +21,7 @@ module C682_AddSome goto BB0 } BB0 { - [#"../682.rs" 7 4 7 11] a <- { a with current = ([#"../682.rs" 7 4 7 11] * a + ([#"../682.rs" 7 10 7 11] [#"../682.rs" 7 10 7 11] (1 : uint64))) ; }; + [#"../682.rs" 7 4 7 11] a <- { a with current = ( * a + ([#"../682.rs" 7 10 7 11] (1 : uint64))) ; }; assume { resolve0 a }; [#"../682.rs" 6 25 8 1] _0 <- ([#"../682.rs" 6 25 8 1] ()); return _0 @@ -30,8 +30,8 @@ module C682_AddSome end module C682_Foo use prelude.UInt64 - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot use prelude.Borrow predicate resolve0 (self : borrowed uint64) = [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self @@ -45,7 +45,7 @@ module C682_Foo requires {[#"../682.rs" 4 11 4 32] * a <= div max0 (2 : uint64)} ensures { [#"../682.rs" 5 10 5 17] ^ a > * a } - use prelude.Ghost + use prelude.Snapshot let rec cfg foo [#"../682.rs" 12 0 12 23] [@cfg:stackify] [@cfg:subregion_analysis] (a : borrowed uint64) : () requires {[#"../682.rs" 10 11 10 21] * a = (3 : uint64)} ensures { [#"../682.rs" 11 10 11 17] ^ a > * a } @@ -53,14 +53,14 @@ module C682_Foo = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var a : borrowed uint64 = a; - var a_p : Ghost.ghost_ty uint64; + var a_p : Snapshot.snap_ty uint64; var _6 : (); var _7 : borrowed uint64; { goto BB0 } BB0 { - [#"../682.rs" 13 26 13 33] a_p <- ([#"../682.rs" 13 26 13 33] Ghost.new ( * a)); + [#"../682.rs" 13 29 13 42] a_p <- ([#"../682.rs" 13 29 13 42] Snapshot.new ( * a)); goto BB1 } BB1 { @@ -72,7 +72,7 @@ module C682_Foo } BB2 { assume { resolve0 a }; - assert { [@expl:assertion] [#"../682.rs" 15 18 15 27] * a > Ghost.inner a_p }; + assert { [@expl:assertion] [#"../682.rs" 15 18 15 27] * a > Snapshot.inner a_p }; [#"../682.rs" 12 24 16 1] _0 <- ([#"../682.rs" 12 24 16 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/bug/682.rs b/creusot/tests/should_succeed/bug/682.rs index 869462f7e8..e26d997f37 100644 
--- a/creusot/tests/should_succeed/bug/682.rs +++ b/creusot/tests/should_succeed/bug/682.rs @@ -10,7 +10,7 @@ fn add_some(a: &mut u64) { #[requires(*a == 3u64)] #[ensures(^a > *a)] pub fn foo(a: &mut u64) { - let a_p: Ghost = gh!(*a); + let a_p: Snapshot = snapshot!(*a); add_some(a); proof_assert!(*a > *a_p); } diff --git a/creusot/tests/should_succeed/bug/691.mlcfg b/creusot/tests/should_succeed/bug/691.mlcfg index 72883934cf..17b1695524 100644 --- a/creusot/tests/should_succeed/bug/691.mlcfg +++ b/creusot/tests/should_succeed/bug/691.mlcfg @@ -42,8 +42,8 @@ module C691_Example_Closure0 goto BB0 } BB0 { - [#"../691.rs" 11 7 11 9] res <- ([#"../691.rs" 11 7 11 9] ()); - [#"../691.rs" 10 12 10 39] _0 <- ([#"../691.rs" 10 12 10 39] res); + [#"../691.rs" 11 7 11 9] res <- (); + [#"../691.rs" 10 12 10 39] _0 <- res; return _0 } @@ -65,8 +65,8 @@ module C691_Example goto BB0 } BB0 { - [#"../691.rs" 9 12 9 29] c <- ([#"../691.rs" 9 12 9 29] C691_Foo_Type.C_Foo ([#"../691.rs" 9 23 9 27] [#"../691.rs" 9 23 9 27] (2 : uint32))); - [#"../691.rs" 10 12 10 39] _2 <- ([#"../691.rs" 10 12 10 39] C691_Example_Closure0.C691_Example_Closure0 ([#"../691.rs" 10 12 10 39] c)); + [#"../691.rs" 9 12 9 29] c <- C691_Foo_Type.C_Foo ([#"../691.rs" 9 23 9 27] (2 : uint32)); + [#"../691.rs" 10 12 10 39] _2 <- C691_Example_Closure0.C691_Example_Closure0 c; assume { resolve0 _2 }; [#"../691.rs" 8 17 12 1] _0 <- ([#"../691.rs" 8 17 12 1] ()); return _0 diff --git a/creusot/tests/should_succeed/bug/693.mlcfg b/creusot/tests/should_succeed/bug/693.mlcfg index 406efe6074..f7448bd02b 100644 --- a/creusot/tests/should_succeed/bug/693.mlcfg +++ b/creusot/tests/should_succeed/bug/693.mlcfg @@ -57,7 +57,7 @@ module C693_G goto BB0 } BB0 { - [#"../693.rs" 6 4 6 8] _0 <- ([#"../693.rs" 6 4 6 8] f0 ([#"../693.rs" 6 6 6 7] [#"../693.rs" 6 6 6 7] (0 : int32))); + [#"../693.rs" 6 4 6 8] _0 <- ([#"../693.rs" 6 4 6 8] f0 ([#"../693.rs" 6 6 6 7] (0 : int32))); goto BB1 } BB1 { 
diff --git a/creusot/tests/should_succeed/bug/768.rs b/creusot/tests/should_succeed/bug/768.rs index 0baf4161d3..175c6947f2 100644 --- a/creusot/tests/should_succeed/bug/768.rs +++ b/creusot/tests/should_succeed/bug/768.rs @@ -8,7 +8,7 @@ pub struct A { impl A { #[open] - #[ghost] + #[logic] pub fn with_l(self, l: usize) -> Self { A { l, ..self } } diff --git a/creusot/tests/should_succeed/bug/797.rs b/creusot/tests/should_succeed/bug/797.rs index a65c40c744..df3951ecb4 100644 --- a/creusot/tests/should_succeed/bug/797.rs +++ b/creusot/tests/should_succeed/bug/797.rs @@ -2,7 +2,7 @@ extern crate creusot_contracts; use creusot_contracts::{logic::Mapping, *}; #[open] -#[ghost] +#[logic] pub fn make_mapping() -> Mapping<(Int, Int), bool> { |(x, y)| x + y == 0 } diff --git a/creusot/tests/should_succeed/bug/874.mlcfg b/creusot/tests/should_succeed/bug/874.mlcfg index e863d52d40..8ce0e46c61 100644 --- a/creusot/tests/should_succeed/bug/874.mlcfg +++ b/creusot/tests/should_succeed/bug/874.mlcfg @@ -17,12 +17,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
@@ -51,7 +57,7 @@ module Alloc_Vec_IntoIter_IntoIter_Type use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type type t_intoiter 't 'a = - | C_IntoIter (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) usize (Core_Mem_ManuallyDrop_ManuallyDrop_Type.t_manuallydrop 'a) opaque_ptr opaque_ptr + | C_IntoIter (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) usize (Core_Mem_ManuallyDrop_ManuallyDrop_Type.t_manuallydrop 'a) (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) opaque_ptr end module Alloc_Boxed_Box_Type 
@@ -111,7 +117,14 @@ module C874_CanExtend requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv5 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global), ab : Seq.seq int32, b : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global), bc : Seq.seq int32, c : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 248 15 248 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 249 15 249 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 22 251 23] inv5 a) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 31 251 33] inv3 ab) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 43 251 44] inv5 b) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 52 251 54] inv3 bc) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv5 c) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 250 14 250 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global), ab : Seq.seq int32, b : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global), bc : Seq.seq int32, c : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global) . 
([#"../../../../../creusot-contracts/src/std/vec.rs" 248 15 248 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 249 15 249 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 22 251 23] inv5 a) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 31 251 33] inv3 ab) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 43 251 44] inv5 b) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 52 251 54] inv3 bc) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv5 c) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 250 14 250 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global)) : () @@ -121,7 +134,8 @@ module C874_CanExtend requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv5 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 243 14 243 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 243 14 243 45] produces0 self (Seq.empty ) self) predicate invariant5 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant5 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -173,7 +187,8 @@ module C874_CanExtend requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant1 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv3 (shallow_model0 self) val invariant1 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool @@ -192,7 +207,7 @@ module C874_CanExtend axiom inv0 : forall x : slice int32 . inv0 x = true use seq.Seq predicate resolve1 (self : int32) = - [#"../../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true + [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve1 (self : int32) : bool ensures { result = resolve1 self } 
@@ -205,28 +220,29 @@ module C874_CanExtend ensures { result = index_logic0 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve1 (index_logic0 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve1 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } function shallow_model2 (self : borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global))) : Seq.seq int32 = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model0 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model0 ( * self) val shallow_model2 (self : borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global))) : Seq.seq int32 ensures { result = shallow_model2 self } function shallow_model6 (self : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global))) : Seq.seq int32 = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model5 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model5 ( * self) val shallow_model6 (self : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global))) : Seq.seq int32 ensures { result = shallow_model6 self } predicate resolve2 (self : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter int32 
(Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve2 self } @@ -261,7 +277,8 @@ module C874_CanExtend requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : slice int32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv3 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model4 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : slice int32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv3 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model4 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) function shallow_model1 (self : slice int32) : Seq.seq int32 = [#"../../../../../creusot-contracts/src/std/boxed.rs" 20 8 20 31] shallow_model4 self val shallow_model1 (self : slice int32) : Seq.seq int32 
@@ -276,50 +293,59 @@ module C874_CanExtend = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var v : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global); + var _4 : array int32; var w : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global); + var _8 : array int32; var _9 : (); var _10 : borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); var z : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global); + var _15 : array int32; { goto BB0 } BB0 { + [#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] _4 <- (let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = ([#"../874.rs" 5 21 5 22] (1 : int32))}; assume {Seq.get (__arr_temp.elts) 1 = ([#"../874.rs" 5 24 5 25] (2 : int32))}; assume {Seq.get (__arr_temp.elts) 2 = ([#"../874.rs" 5 27 5 28] (3 : int32))}; assume {Slice.length __arr_temp = 3}; __arr_temp); goto BB1 } BB1 { goto BB2 } BB2 { - [#"../../../../../creusot-contracts/src/lib.rs" 199 8 199 58] v <- ([#"../874.rs" 5 16 5 29] into_vec0 ([#"../../../../../creusot-contracts/src/lib.rs" 199 47 199 56] let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = ([#"../874.rs" 5 21 5 22] [#"../874.rs" 5 21 5 22] (1 : int32))}; assume {Seq.get (__arr_temp.elts) 1 = ([#"../874.rs" 5 24 5 25] [#"../874.rs" 5 24 5 25] (2 : int32))}; assume {Seq.get (__arr_temp.elts) 2 = ([#"../874.rs" 5 27 5 28] [#"../874.rs" 5 27 5 28] (3 : int32))}; assume {Slice.length __arr_temp = 3}; __arr_temp)); + [#"../874.rs" 5 16 5 29] v <- ([#"../874.rs" 5 16 5 29] into_vec0 _4); + _4 <- any array int32; goto BB3 } BB3 { + [#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] _8 <- (let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = ([#"../874.rs" 6 17 6 18] (4 : int32))}; assume {Seq.get (__arr_temp.elts) 1 = ([#"../874.rs" 6 20 6 21] (5 : int32))}; assume {Seq.get (__arr_temp.elts) 2 = ([#"../874.rs" 6 23 6 24] (6 : int32))}; assume {Slice.length 
__arr_temp = 3}; __arr_temp); goto BB4 } BB4 { goto BB5 } BB5 { - [#"../../../../../creusot-contracts/src/lib.rs" 199 8 199 58] w <- ([#"../874.rs" 6 12 6 25] into_vec0 ([#"../../../../../creusot-contracts/src/lib.rs" 199 47 199 56] let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = ([#"../874.rs" 6 17 6 18] [#"../874.rs" 6 17 6 18] (4 : int32))}; assume {Seq.get (__arr_temp.elts) 1 = ([#"../874.rs" 6 20 6 21] [#"../874.rs" 6 20 6 21] (5 : int32))}; assume {Seq.get (__arr_temp.elts) 2 = ([#"../874.rs" 6 23 6 24] [#"../874.rs" 6 23 6 24] (6 : int32))}; assume {Slice.length __arr_temp = 3}; __arr_temp)); + [#"../874.rs" 6 12 6 25] w <- ([#"../874.rs" 6 12 6 25] into_vec0 _8); + _8 <- any array int32; goto BB6 } BB6 { [#"../874.rs" 7 4 7 5] _10 <- Borrow.borrow_mut v; [#"../874.rs" 7 4 7 5] v <- ^ _10; - [#"../874.rs" 7 4 7 15] _9 <- ([#"../874.rs" 7 4 7 15] extend0 _10 ([#"../874.rs" 7 13 7 14] w)); + [#"../874.rs" 7 4 7 15] _9 <- ([#"../874.rs" 7 4 7 15] extend0 _10 w); _10 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); - [#"../874.rs" 7 13 7 14] w <- any Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global); + w <- any Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global); goto BB7 } BB7 { assume { resolve0 v }; + [#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] _15 <- (let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = ([#"../874.rs" 9 17 9 18] (1 : int32))}; assume {Seq.get (__arr_temp.elts) 1 = ([#"../874.rs" 9 20 9 21] (2 : int32))}; assume {Seq.get (__arr_temp.elts) 2 = ([#"../874.rs" 9 23 9 24] (3 : int32))}; assume {Seq.get (__arr_temp.elts) 3 = ([#"../874.rs" 9 26 9 27] (4 : int32))}; assume {Seq.get (__arr_temp.elts) 4 = ([#"../874.rs" 9 29 9 30] (5 : int32))}; assume {Seq.get (__arr_temp.elts) 5 = ([#"../874.rs" 9 32 9 33] (6 : int32))}; assume {Slice.length __arr_temp = 6}; __arr_temp); goto BB8 } BB8 { goto BB9 } BB9 { - 
[#"../../../../../creusot-contracts/src/lib.rs" 199 8 199 58] z <- ([#"../874.rs" 9 12 9 34] into_vec0 ([#"../../../../../creusot-contracts/src/lib.rs" 199 47 199 56] let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = ([#"../874.rs" 9 17 9 18] [#"../874.rs" 9 17 9 18] (1 : int32))}; assume {Seq.get (__arr_temp.elts) 1 = ([#"../874.rs" 9 20 9 21] [#"../874.rs" 9 20 9 21] (2 : int32))}; assume {Seq.get (__arr_temp.elts) 2 = ([#"../874.rs" 9 23 9 24] [#"../874.rs" 9 23 9 24] (3 : int32))}; assume {Seq.get (__arr_temp.elts) 3 = ([#"../874.rs" 9 26 9 27] [#"../874.rs" 9 26 9 27] (4 : int32))}; assume {Seq.get (__arr_temp.elts) 4 = ([#"../874.rs" 9 29 9 30] [#"../874.rs" 9 29 9 30] (5 : int32))}; assume {Seq.get (__arr_temp.elts) 5 = ([#"../874.rs" 9 32 9 33] [#"../874.rs" 9 32 9 33] (6 : int32))}; assume {Slice.length __arr_temp = 6}; __arr_temp)); + [#"../874.rs" 9 12 9 34] z <- ([#"../874.rs" 9 12 9 34] into_vec0 _15); + _15 <- any array int32; goto BB10 } BB10 { diff --git a/creusot/tests/should_succeed/bug/874/why3session.xml b/creusot/tests/should_succeed/bug/874/why3session.xml index a4efaab4aa..03e58888cf 100644 --- a/creusot/tests/should_succeed/bug/874/why3session.xml +++ b/creusot/tests/should_succeed/bug/874/why3session.xml @@ -7,7 +7,7 @@ - + diff --git a/creusot/tests/should_succeed/bug/874/why3shapes.gz b/creusot/tests/should_succeed/bug/874/why3shapes.gz index 73aae1d83a..53f6d90f05 100644 Binary files a/creusot/tests/should_succeed/bug/874/why3shapes.gz and b/creusot/tests/should_succeed/bug/874/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/bug/949.mlcfg b/creusot/tests/should_succeed/bug/949.mlcfg new file mode 100644 index 0000000000..1ed0429b90 --- /dev/null +++ b/creusot/tests/should_succeed/bug/949.mlcfg 
@@ -0,0 +1,300 @@ + +module CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_ghostptrtoken 't +end +module CreusotContracts_Logic_Fmap_FMap_Type + type t_fmap 'k 'v +end +module Core_Option_Option_Type + type t_option 't = + | C_None + | C_Some 't + +end +module Core_Ptr_NonNull_NonNull_Type + use prelude.Opaque + type t_nonnull 't = + | C_NonNull opaque_ptr + +end +module Core_Marker_PhantomData_Type + type t_phantomdata 't = + | C_PhantomData + +end +module Core_Ptr_Unique_Unique_Type + use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type + use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type + type t_unique 't = + | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) + +end +module Alloc_Boxed_Box_Type + use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type + type t_box 't 'a = + | C_Box (Core_Ptr_Unique_Unique_Type.t_unique 't) 'a + +end +module Alloc_Alloc_Global_Type + type t_global = + | C_Global + +end +module C949_Main + use prelude.Int32 + use Core_Option_Option_Type as Core_Option_Option_Type + predicate invariant6 (self : Core_Option_Option_Type.t_option int32) = + [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true + val invariant6 (self : Core_Option_Option_Type.t_option int32) : bool + ensures { result = invariant6 self } + + predicate inv6 (_x : Core_Option_Option_Type.t_option int32) + val inv6 (_x : Core_Option_Option_Type.t_option int32) : bool + ensures { result = inv6 _x } + + axiom inv6 : forall x : Core_Option_Option_Type.t_option int32 . inv6 x = true + predicate invariant5 (self : int32) = + [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true + val invariant5 (self : int32) : bool + ensures { result = invariant5 self } + + predicate inv5 (_x : int32) + val inv5 (_x : int32) : bool + ensures { result = inv5 _x } + + axiom inv5 : forall x : int32 . 
inv5 x = true + use prelude.Opaque + use map.Map + predicate invariant4 (self : Map.map opaque_ptr (Core_Option_Option_Type.t_option int32)) = + [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true + val invariant4 (self : Map.map opaque_ptr (Core_Option_Option_Type.t_option int32)) : bool + ensures { result = invariant4 self } + + predicate inv4 (_x : Map.map opaque_ptr (Core_Option_Option_Type.t_option int32)) + val inv4 (_x : Map.map opaque_ptr (Core_Option_Option_Type.t_option int32)) : bool + ensures { result = inv4 _x } + + axiom inv4 : forall x : Map.map opaque_ptr (Core_Option_Option_Type.t_option int32) . inv4 x = true + predicate invariant3 (self : int32) = + [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true + val invariant3 (self : int32) : bool + ensures { result = invariant3 self } + + predicate inv3 (_x : int32) + val inv3 (_x : int32) : bool + ensures { result = inv3 _x } + + axiom inv3 : forall x : int32 . inv3 x = true + predicate invariant2 (self : opaque_ptr) = + [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true + val invariant2 (self : opaque_ptr) : bool + ensures { result = invariant2 self } + + predicate inv2 (_x : opaque_ptr) + val inv2 (_x : opaque_ptr) : bool + ensures { result = inv2 _x } + + axiom inv2 : forall x : opaque_ptr . 
inv2 x = true + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + predicate invariant1 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) = + [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true + val invariant1 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) : bool + ensures { result = invariant1 self } + + predicate inv1 (_x : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) + val inv1 (_x : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) : bool + ensures { result = inv1 _x } + + axiom inv1 : forall x : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 . inv1 x = true + predicate invariant0 (self : int32) = + [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true + val invariant0 (self : int32) : bool + ensures { result = invariant0 self } + + predicate inv0 (_x : int32) + val inv0 (_x : int32) : bool + ensures { result = inv0 _x } + + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + axiom inv0 : forall x : int32 . 
inv0 x = true + predicate resolve1 (self : int32) = + [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true + val resolve1 (self : int32) : bool + ensures { result = resolve1 self } + + predicate resolve0 (self : int32) = + [#"../../../../../creusot-contracts/src/resolve.rs" 34 8 34 31] resolve1 self + val resolve0 (self : int32) : bool + ensures { result = resolve0 self } + + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + use prelude.Int + use map.Map + function mk0 (_m : Map.map opaque_ptr (Core_Option_Option_Type.t_option int32)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + + val mk0 (_m : Map.map opaque_ptr (Core_Option_Option_Type.t_option int32)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + ensures { result = mk0 _m } + + function view0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) : Map.map opaque_ptr (Core_Option_Option_Type.t_option int32) + + val view0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) : Map.map opaque_ptr (Core_Option_Option_Type.t_option int32) + requires {[#"../../../../../creusot-contracts/src/logic/fmap.rs" 28 16 28 20] inv1 self} + ensures { result = view0 self } + + axiom view0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 . 
([#"../../../../../creusot-contracts/src/logic/fmap.rs" 28 16 28 20] inv1 self) + -> ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 28 4 28 35] inv4 (view0 self)) && ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 27 14 27 38] mk0 (view0 self) = self) + function get0 [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : Core_Option_Option_Type.t_option int32 + + = + [#"../../../../../creusot-contracts/src/logic/fmap.rs" 55 8 55 26] Map.get (view0 self) k + val get0 [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : Core_Option_Option_Type.t_option int32 + ensures { result = get0 self k } + + function contains0 [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : bool + + = + [#"../../../../../creusot-contracts/src/logic/fmap.rs" 79 8 79 27] get0 self k <> Core_Option_Option_Type.C_None + val contains0 [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : bool + ensures { result = contains0 self k } + + function len0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) : int + val len0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) : int + requires {[#"../../../../../creusot-contracts/src/logic/fmap.rs" 13 15 13 19] inv1 self} + ensures { result = len0 self } + + axiom len0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 . 
([#"../../../../../creusot-contracts/src/logic/fmap.rs" 13 15 13 19] inv1 self) + -> ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len0 self >= 0) + use map.Map + function remove0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + + val remove0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + requires {[#"../../../../../creusot-contracts/src/logic/fmap.rs" 47 18 47 22] inv1 self} + requires {[#"../../../../../creusot-contracts/src/logic/fmap.rs" 47 24 47 25] inv2 k} + ensures { result = remove0 self k } + + axiom remove0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32, k : opaque_ptr . ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 47 18 47 22] inv1 self) + -> ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 47 24 47 25] inv2 k) + -> ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 47 4 47 37] inv1 (remove0 self k)) && ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 46 14 46 84] len0 (remove0 self k) = (if contains0 self k then + len0 self - 1 + else + len0 self + )) && ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 45 14 45 55] view0 (remove0 self k) = Map.set (view0 self) k (Core_Option_Option_Type.C_None)) + function unreachable0 (_1 : ()) : int32 + val unreachable0 (_1 : ()) : int32 + requires {[#"../../../../../creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { result = unreachable0 _1 } + + axiom unreachable0_spec : forall _1 : () . 
([#"../../../../../creusot-contracts/src/util.rs" 24 11 24 16] false) + -> ([#"../../../../../creusot-contracts/src/util.rs" 27 0 27 28] inv0 (unreachable0 _1)) && ([#"../../../../../creusot-contracts/src/util.rs" 25 10 25 15] false) + function unwrap0 (op : Core_Option_Option_Type.t_option int32) : int32 + val unwrap0 (op : Core_Option_Option_Type.t_option int32) : int32 + requires {[#"../../../../../creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../../creusot-contracts/src/util.rs" 35 17 35 19] inv6 op} + ensures { result = unwrap0 op } + + axiom unwrap0_spec : forall op : Core_Option_Option_Type.t_option int32 . ([#"../../../../../creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) + -> ([#"../../../../../creusot-contracts/src/util.rs" 35 17 35 19] inv6 op) + -> ([#"../../../../../creusot-contracts/src/util.rs" 35 0 35 36] inv0 (unwrap0 op)) && ([#"../../../../../creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap0 op) = op) + function lookup_unsized0 [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : int32 + + = + [#"../../../../../creusot-contracts/src/logic/fmap.rs" 62 8 62 27] unwrap0 (get0 self k) + val lookup_unsized0 [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : int32 + ensures { result = lookup_unsized0 self k } + + function shallow_model0 (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + + val shallow_model0 (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + ensures { result = shallow_model0 self } + + use prelude.Borrow + val ptr_to_box0 (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32)) (ptr : 
opaque_ptr) : int32 + requires {[#"../../../../../creusot-contracts/src/ghost_ptr.rs" 96 4 96 39] contains0 (shallow_model0 ( * self)) ptr} + ensures { [#"../../../../../creusot-contracts/src/ghost_ptr.rs" 97 14 97 54] result = lookup_unsized0 (shallow_model0 ( * self)) ptr } + ensures { [#"../../../../../creusot-contracts/src/ghost_ptr.rs" 98 14 98 46] shallow_model0 ( ^ self) = remove0 (shallow_model0 ( * self)) ptr } + ensures { [#"../../../../../creusot-contracts/src/ghost_ptr.rs" 99 4 99 57] inv0 result } + + function make_sized0 (self : int32) : int32 + val make_sized0 (self : int32) : int32 + requires {[#"../../../../../creusot-contracts/src/util.rs" 16 19 16 23] inv5 self} + ensures { result = make_sized0 self } + + axiom make_sized0_spec : forall self : int32 . ([#"../../../../../creusot-contracts/src/util.rs" 16 19 16 23] inv5 self) + -> ([#"../../../../../creusot-contracts/src/util.rs" 16 4 16 40] inv0 (make_sized0 self)) && ([#"../../../../../creusot-contracts/src/util.rs" 15 14 15 30] make_sized0 self = self) + function insert0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) (v : int32) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + + val insert0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) (v : int32) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + requires {[#"../../../../../creusot-contracts/src/logic/fmap.rs" 38 18 38 22] inv1 self} + requires {[#"../../../../../creusot-contracts/src/logic/fmap.rs" 38 24 38 25] inv2 k} + requires {[#"../../../../../creusot-contracts/src/logic/fmap.rs" 38 30 38 31] inv3 v} + ensures { result = insert0 self k v } + + axiom insert0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32, k : opaque_ptr, v : int32 . 
([#"../../../../../creusot-contracts/src/logic/fmap.rs" 38 18 38 22] inv1 self) + -> ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 38 24 38 25] inv2 k) + -> ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 38 30 38 31] inv3 v) + -> ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 38 4 38 43] inv1 (insert0 self k v)) && ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not contains0 self k + -> len0 (insert0 self k v) = len0 self + 1) && ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 36 4 36 63] contains0 self k + -> len0 (insert0 self k v) = len0 self) && ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 35 14 35 71] view0 (insert0 self k v) = Map.set (view0 self) k (Core_Option_Option_Type.C_Some (make_sized0 v))) + val ptr_from_box0 (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32)) (val' : int32) : opaque_ptr + requires {[#"../../../../../creusot-contracts/src/ghost_ptr.rs" 71 35 71 38] inv0 val'} + ensures { [#"../../../../../creusot-contracts/src/ghost_ptr.rs" 67 4 67 42] not contains0 (shallow_model0 ( * self)) result } + ensures { [#"../../../../../creusot-contracts/src/ghost_ptr.rs" 70 14 70 55] shallow_model0 ( ^ self) = insert0 (shallow_model0 ( * self)) result val' } + + use map.Const + function empty0 (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + val empty0 (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + ensures { result = empty0 _1 } + + axiom empty0_spec : forall _1 : () . 
([#"../../../../../creusot-contracts/src/logic/fmap.rs" 87 4 87 26] inv1 (empty0 _1)) && ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 86 14 86 49] view0 (empty0 _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../../creusot-contracts/src/logic/fmap.rs" 85 14 85 31] len0 (empty0 _1) = 0) + val new0 (_1 : ()) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32 + ensures { [#"../../../../../creusot-contracts/src/ghost_ptr.rs" 41 14 41 38] shallow_model0 result = empty0 () } + + let rec cfg main [#"../949.rs" 4 0 4 13] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var tok : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32; + var b : int32; + var p : opaque_ptr; + var _4 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32); + var r : int32; + var _7 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32); + { + goto BB0 + } + BB0 { + [#"../949.rs" 5 18 5 38] tok <- ([#"../949.rs" 5 18 5 38] new0 ([#"../949.rs" 5 18 5 38] ())); + goto BB1 + } + BB1 { + [#"../949.rs" 6 12 6 23] b <- ([#"../949.rs" 6 21 6 22] (1 : int32)); + goto BB2 + } + BB2 { + [#"../949.rs" 7 12 7 15] _4 <- Borrow.borrow_mut tok; + [#"../949.rs" 7 12 7 15] tok <- ^ _4; + [#"../949.rs" 7 12 7 31] p <- ([#"../949.rs" 7 12 7 31] ptr_from_box0 _4 b); + _4 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32); + b <- any int32; + goto BB3 + } + BB3 { + [#"../949.rs" 8 16 8 19] _7 <- Borrow.borrow_mut tok; + [#"../949.rs" 8 16 8 19] tok <- ^ _7; + [#"../949.rs" 8 16 8 33] r <- ([#"../949.rs" 8 16 8 33] ptr_to_box0 _7 p); + _7 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32); + goto BB4 + } + BB4 { + [#"../949.rs" 9 4 9 11] r <- r + ([#"../949.rs" 9 10 9 11] (5 : int32)); + assume { resolve0 r }; + [#"../949.rs" 4 14 10 1] _0 <- ([#"../949.rs" 4 14 10 1] ()); + goto 
BB5 + } + BB5 { + goto BB6 + } + BB6 { + return _0 + } + +end diff --git a/creusot/tests/should_succeed/bug/949.rs b/creusot/tests/should_succeed/bug/949.rs new file mode 100644 index 0000000000..2022939229 --- /dev/null +++ b/creusot/tests/should_succeed/bug/949.rs @@ -0,0 +1,10 @@ +extern crate creusot_contracts; +use creusot_contracts::ghost_ptr::GhostPtrToken; + +pub fn main() { + let mut tok = GhostPtrToken::new(); + let b = Box::new(1); + let p = tok.ptr_from_box(b); + let mut r = tok.ptr_to_box(p); + *r += 5; +} diff --git a/creusot/tests/should_succeed/bug/eq_panic.mlcfg b/creusot/tests/should_succeed/bug/eq_panic.mlcfg index 3378ac7eef..ee14181ae0 100644 --- a/creusot/tests/should_succeed/bug/eq_panic.mlcfg +++ b/creusot/tests/should_succeed/bug/eq_panic.mlcfg @@ -56,7 +56,7 @@ module EqPanic_Omg goto BB0 } BB0 { - [#"../eq_panic.rs" 7 4 7 10] _0 <- ([#"../eq_panic.rs" 7 4 7 10] eq0 ([#"../eq_panic.rs" 7 4 7 5] x) ([#"../eq_panic.rs" 7 9 7 10] y)); + [#"../eq_panic.rs" 7 4 7 10] _0 <- ([#"../eq_panic.rs" 7 4 7 10] eq0 x y); goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/bug/final_borrows.mlcfg b/creusot/tests/should_succeed/bug/final_borrows.mlcfg index c8f9b6ae6c..a27bd3f903 100644 --- a/creusot/tests/should_succeed/bug/final_borrows.mlcfg +++ b/creusot/tests/should_succeed/bug/final_borrows.mlcfg @@ -96,7 +96,7 @@ module FinalBorrows_Select goto BB0 } BB0 { - switch ([#"../final_borrows.rs" 11 7 11 8] b) + switch (b) | False -> goto BB2 | True -> goto BB1 end @@ -569,7 +569,7 @@ module FinalBorrows_Set7 goto BB0 } BB0 { - [#"../final_borrows.rs" 49 4 49 10] r <- { r with current = ([#"../final_borrows.rs" 49 4 49 10] [#"../final_borrows.rs" 49 9 49 10] (7 : int32)) ; }; + [#"../final_borrows.rs" 49 4 49 10] r <- { r with current = ([#"../final_borrows.rs" 49 9 49 10] (7 : int32)) ; }; assume { resolve0 r }; [#"../final_borrows.rs" 48 22 50 1] _0 <- ([#"../final_borrows.rs" 48 22 50 1] ()); return _0 
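Review bot: The new test `949.rs` carries no comment saying which regression it guards — the filename is only an issue number, and the body is a bare `GhostPtrToken` round trip (`ptr_from_box` then `ptr_to_box`) with no explicit check, so a reader cannot tell whether the point is the token-membership precondition of `ptr_to_box`, the `Box` deref in `*r += 5`, or something else. I would open the file with a one-line header such as `// Regression test for issue 949: <one-sentence description of the failure this used to trigger>` (placeholder for the author to fill in). Since the final value of `*r` is never checked, the translated obligations visible in the accompanying `.mlcfg` only exercise the `contains0 (shallow_model0 ( * self)) ptr` precondition of `ptr_to_box`; if the value round trip is part of what was broken, a `proof_assert!`-style check on `*r` after the increment would pin it. Whether that is intended depends on the original issue, which I cannot see from the diff.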
@@ -604,7 +604,7 @@ module FinalBorrows_NotFinalBorrowWorks goto BB0 } BB0 { - [#"../final_borrows.rs" 54 16 54 20] x <- ([#"../final_borrows.rs" 54 16 54 20] [#"../final_borrows.rs" 54 16 54 20] (1 : int32)); + [#"../final_borrows.rs" 54 16 54 20] x <- ([#"../final_borrows.rs" 54 16 54 20] (1 : int32)); [#"../final_borrows.rs" 55 12 55 18] r <- Borrow.borrow_mut x; [#"../final_borrows.rs" 55 12 55 18] x <- ^ r; [#"../final_borrows.rs" 56 13 56 20] r1 <- Borrow.borrow_final ( * r) (Borrow.get_id r); @@ -617,10 +617,10 @@ module FinalBorrows_NotFinalBorrowWorks } BB1 { assume { resolve0 r1 }; - [#"../final_borrows.rs" 58 12 58 14] y <- ([#"../final_borrows.rs" 58 12 58 14] * r); - [#"../final_borrows.rs" 59 4 59 10] r <- { r with current = ([#"../final_borrows.rs" 59 4 59 10] [#"../final_borrows.rs" 59 9 59 10] (2 : int32)) ; }; + [#"../final_borrows.rs" 58 12 58 14] y <- * r; + [#"../final_borrows.rs" 59 4 59 10] r <- { r with current = ([#"../final_borrows.rs" 59 9 59 10] (2 : int32)) ; }; assume { resolve0 r }; - [#"../final_borrows.rs" 60 11 60 16] _0 <- ([#"../final_borrows.rs" 60 11 60 16] ([#"../final_borrows.rs" 60 11 60 12] x) + ([#"../final_borrows.rs" 60 15 60 16] y)); + [#"../final_borrows.rs" 60 11 60 16] _0 <- x + y; return _0 } 
@@ -653,14 +653,14 @@ module FinalBorrows_Branching goto BB0 } BB0 { - [#"../final_borrows.rs" 65 16 65 17] x <- ([#"../final_borrows.rs" 65 16 65 17] [#"../final_borrows.rs" 65 16 65 17] (3 : int32)); + [#"../final_borrows.rs" 65 16 65 17] x <- ([#"../final_borrows.rs" 65 16 65 17] (3 : int32)); [#"../final_borrows.rs" 67 17 67 23] r1 <- Borrow.borrow_mut x; [#"../final_borrows.rs" 67 17 67 23] x <- ^ r1; [#"../final_borrows.rs" 69 13 69 21] r2 <- Borrow.borrow_mut ( * r1); [#"../final_borrows.rs" 69 13 69 21] r1 <- { r1 with current = ( ^ r2) ; }; assume { resolve0 r2 }; - [#"../final_borrows.rs" 70 4 70 11] y <- ([#"../final_borrows.rs" 70 8 70 11] * r2); - switch ([#"../final_borrows.rs" 71 7 71 8] b) + [#"../final_borrows.rs" 70 4 70 11] y <- * r2; + switch (b) | False -> goto BB2 | True -> goto BB1 end @@ -671,11 +671,11 @@ module FinalBorrows_Branching [#"../final_borrows.rs" 73 13 73 19] y <- ^ _11; [#"../final_borrows.rs" 73 13 73 19] _10 <- Borrow.borrow_final ( * _11) (Borrow.get_id _11); [#"../final_borrows.rs" 73 13 73 19] _11 <- { _11 with current = ( ^ _10) ; }; - [#"../final_borrows.rs" 73 8 73 19] r1 <- ([#"../final_borrows.rs" 73 8 73 19] _10); - [#"../final_borrows.rs" 73 8 73 19] _10 <- any borrowed int32; + [#"../final_borrows.rs" 73 8 73 19] r1 <- _10; + _10 <- any borrowed int32; assume { resolve0 _11 }; assume { resolve0 r1 }; - [#"../final_borrows.rs" 74 8 74 15] y <- ([#"../final_borrows.rs" 74 12 74 15] * r1); + [#"../final_borrows.rs" 74 8 74 15] y <- * r1; [#"../final_borrows.rs" 71 9 75 5] _8 <- ([#"../final_borrows.rs" 71 9 75 5] ()); goto BB3 } 
@@ -683,13 +683,13 @@ module FinalBorrows_Branching [#"../final_borrows.rs" 77 17 77 25] r21 <- Borrow.borrow_final ( * r1) (Borrow.get_id r1); [#"../final_borrows.rs" 77 17 77 25] r1 <- { r1 with current = ( ^ r21) ; }; assume { resolve0 r21 }; - [#"../final_borrows.rs" 78 8 78 15] y <- ([#"../final_borrows.rs" 78 12 78 15] * r21); + [#"../final_borrows.rs" 78 8 78 15] y <- * r21; assume { resolve0 r1 }; [#"../final_borrows.rs" 75 11 79 5] _8 <- ([#"../final_borrows.rs" 75 11 79 5] ()); goto BB3 } BB3 { - [#"../final_borrows.rs" 80 4 80 5] _0 <- ([#"../final_borrows.rs" 80 4 80 5] y); + [#"../final_borrows.rs" 80 4 80 5] _0 <- y; return _0 } @@ -842,8 +842,8 @@ module FinalBorrows_BoxDeref goto BB1 } BB1 { - [#"../final_borrows.rs" 95 4 95 6] _0 <- ([#"../final_borrows.rs" 95 4 95 6] x); - [#"../final_borrows.rs" 95 4 95 6] x <- any t; + [#"../final_borrows.rs" 95 4 95 6] _0 <- x; + x <- any t; assert { [@expl:type invariant] inv0 x }; assume { resolve0 x }; goto BB2 @@ -997,7 +997,7 @@ module FinalBorrows_BoxReborrowIndirect assume { inv0 ( ^ borrow) }; assert { [@expl:type invariant] inv1 _4 }; assume { resolve0 _4 }; - [#"../final_borrows.rs" 109 4 109 11] _0 <- ([#"../final_borrows.rs" 109 4 109 11] * borrow); + [#"../final_borrows.rs" 109 4 109 11] _0 <- * borrow; assert { [@expl:type invariant] inv1 borrow }; assume { resolve0 borrow }; assert { [@expl:type invariant] inv2 x }; @@ -1039,7 +1039,7 @@ module FinalBorrows_BoxReborrowInStruct [#"../final_borrows.rs" 115 27 115 37] borrow <- Borrow.borrow_final ( * _5) (Borrow.get_id _5); [#"../final_borrows.rs" 115 27 115 37] _5 <- { _5 with current = ( ^ borrow) ; }; assume { resolve0 _5 }; - [#"../final_borrows.rs" 116 4 116 11] _0 <- ([#"../final_borrows.rs" 116 4 116 11] * borrow); + [#"../final_borrows.rs" 116 4 116 11] _0 <- * borrow; assume { resolve0 borrow }; assume { resolve1 x }; return _0 
@@ -1169,7 +1169,7 @@ module FinalBorrows_BorrowInBoxTuple1 [#"../final_borrows.rs" 127 27 127 39] borrow <- Borrow.borrow_final ( * _5) (Borrow.get_id _5); [#"../final_borrows.rs" 127 27 127 39] _5 <- { _5 with current = ( ^ borrow) ; }; assume { resolve0 _5 }; - [#"../final_borrows.rs" 128 4 128 11] _0 <- ([#"../final_borrows.rs" 128 4 128 11] * borrow); + [#"../final_borrows.rs" 128 4 128 11] _0 <- * borrow; assume { resolve0 borrow }; assume { resolve1 x }; goto BB2 @@ -1225,7 +1225,7 @@ module FinalBorrows_BorrowInBoxTuple2 [#"../final_borrows.rs" 134 27 134 39] borrow <- Borrow.borrow_final ( * _5) (Borrow.get_id _5); [#"../final_borrows.rs" 134 27 134 39] _5 <- { _5 with current = ( ^ borrow) ; }; assume { resolve0 _5 }; - [#"../final_borrows.rs" 135 4 135 11] _0 <- ([#"../final_borrows.rs" 135 4 135 11] * borrow); + [#"../final_borrows.rs" 135 4 135 11] _0 <- * borrow; assume { resolve0 borrow }; assume { resolve1 x }; goto BB2 @@ -1291,7 +1291,7 @@ module FinalBorrows_SharedBorrowNoGen assume { inv0 ( ^ b1) }; assert { [@expl:type invariant] inv1 b1 }; assume { resolve0 b1 }; - [#"../final_borrows.rs" 151 18 151 22] _shared <- ([#"../final_borrows.rs" 151 18 151 22] bor); + [#"../final_borrows.rs" 151 18 151 22] _shared <- bor; assert { [@expl:type invariant] inv2 _shared }; assume { resolve1 _shared }; assert { [@expl:type invariant] inv1 bor }; @@ -1453,6 +1453,7 @@ module FinalBorrows_ShallowBorrowNoGen var _r : borrowed (Core_Option_Option_Type.t_option int32); var inner : int32; var inner1 : int32; + var _8 : bool; { goto BB0 } 
@@ -1473,9 +1474,10 @@ module FinalBorrows_ShallowBorrowNoGen goto BB3 } BB3 { - [#"../final_borrows.rs" 174 13 174 22] inner <- ([#"../final_borrows.rs" 174 13 174 22] Core_Option_Option_Type.some_0 ( * x)); - [#"../final_borrows.rs" 174 13 174 22] inner1 <- ([#"../final_borrows.rs" 174 13 174 22] inner); - switch ([#"../final_borrows.rs" 174 27 174 38] ([#"../final_borrows.rs" 174 27 174 33] inner1) = ([#"../final_borrows.rs" 174 37 174 38] [#"../final_borrows.rs" 174 37 174 38] (2 : int32))) + [#"../final_borrows.rs" 174 13 174 22] inner <- Core_Option_Option_Type.some_0 ( * x); + [#"../final_borrows.rs" 174 13 174 22] inner1 <- inner; + [#"../final_borrows.rs" 174 27 174 38] _8 <- inner1 = ([#"../final_borrows.rs" 174 37 174 38] (2 : int32)); + switch (_8) | False -> goto BB5 | True -> goto BB4 end diff --git a/creusot/tests/should_succeed/bug/final_borrows/why3session.xml b/creusot/tests/should_succeed/bug/final_borrows/why3session.xml index b2d906e4a1..2f919458e1 100644 --- a/creusot/tests/should_succeed/bug/final_borrows/why3session.xml +++ b/creusot/tests/should_succeed/bug/final_borrows/why3session.xml @@ -109,7 +109,7 @@ - + diff --git a/creusot/tests/should_succeed/bug/final_borrows/why3shapes.gz b/creusot/tests/should_succeed/bug/final_borrows/why3shapes.gz index fc47d67e62..b9593b54d1 100644 Binary files a/creusot/tests/should_succeed/bug/final_borrows/why3shapes.gz and b/creusot/tests/should_succeed/bug/final_borrows/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/bug/pure_neq.mlcfg b/creusot/tests/should_succeed/bug/pure_neq.mlcfg index d879bbbd44..e2fe9beecb 100644 --- a/creusot/tests/should_succeed/bug/pure_neq.mlcfg +++ b/creusot/tests/should_succeed/bug/pure_neq.mlcfg 
@@ -9,9 +9,9 @@ module PureNeq_F_Impl use prelude.Int use prelude.Int use Core_Option_Option_Type as Core_Option_Option_Type - let rec ghost function f [#"../pure_neq.rs" 7 0 7 48] (x : Core_Option_Option_Type.t_option int) (y : Core_Option_Option_Type.t_option int) : bool - ensures { [#"../pure_neq.rs" 6 10 6 29] result = (not x = y) } + constant x : Core_Option_Option_Type.t_option int + constant y : Core_Option_Option_Type.t_option int + function f [#"../pure_neq.rs" 7 0 7 48] (x : Core_Option_Option_Type.t_option int) (y : Core_Option_Option_Type.t_option int) : bool - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../pure_neq.rs" 8 16 8 22] pure {x <> y} + goal vc_f : [#"../pure_neq.rs" 6 10 6 29] (x <> y) = (not x = y) end diff --git a/creusot/tests/should_succeed/bug/pure_neq.rs b/creusot/tests/should_succeed/bug/pure_neq.rs index 09e55673a2..feff180fa1 100644 --- a/creusot/tests/should_succeed/bug/pure_neq.rs +++ b/creusot/tests/should_succeed/bug/pure_neq.rs @@ -2,7 +2,7 @@ extern crate creusot_contracts; use creusot_contracts::{logic::Int, *}; #[open] -#[ghost] +#[logic] #[ensures(result == !(x == y))] pub fn f(x: Option, y: Option) -> bool { pearlite! { x != y } diff --git a/creusot/tests/should_succeed/bug/pure_neq/why3session.xml b/creusot/tests/should_succeed/bug/pure_neq/why3session.xml index 58a8feb931..462f47b14d 100644 --- a/creusot/tests/should_succeed/bug/pure_neq/why3session.xml +++ b/creusot/tests/should_succeed/bug/pure_neq/why3session.xml @@ -1,12 +1,12 @@ +"https://www.why3.org/why3session.dtd"> - + diff --git a/creusot/tests/should_succeed/bug/pure_neq/why3shapes.gz b/creusot/tests/should_succeed/bug/pure_neq/why3shapes.gz index fdf5d8e08b..082fa224ab 100644 Binary files a/creusot/tests/should_succeed/bug/pure_neq/why3shapes.gz and b/creusot/tests/should_succeed/bug/pure_neq/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/bug/two_phase.mlcfg b/creusot/tests/should_succeed/bug/two_phase.mlcfg index 7ed8114225..b795f5b7a2 100644 
--- a/creusot/tests/should_succeed/bug/two_phase.mlcfg +++ b/creusot/tests/should_succeed/bug/two_phase.mlcfg @@ -17,12 +17,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
@@ -67,7 +73,8 @@ module TwoPhase_Test requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv4 (shallow_model3 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool @@ -155,7 +162,7 @@ module TwoPhase_Test BB0 { [#"../two_phase.rs" 7 4 7 5] _4 <- Borrow.borrow_final ( * v) (Borrow.get_id v); [#"../two_phase.rs" 7 4 7 5] v <- { v with current = ( ^ _4) ; }; - [#"../two_phase.rs" 7 11 7 18] _5 <- ([#"../two_phase.rs" 7 11 7 18] len0 ([#"../two_phase.rs" 7 11 7 12] * _4)); + [#"../two_phase.rs" 7 11 7 18] _5 <- ([#"../two_phase.rs" 7 11 7 18] len0 ( * _4)); goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/bug/two_phase/why3session.xml b/creusot/tests/should_succeed/bug/two_phase/why3session.xml index 2c8674f0a4..c539ff1337 100644 --- a/creusot/tests/should_succeed/bug/two_phase/why3session.xml +++ b/creusot/tests/should_succeed/bug/two_phase/why3session.xml 
@@ -7,7 +7,7 @@ - + diff --git a/creusot/tests/should_succeed/bug/two_phase/why3shapes.gz b/creusot/tests/should_succeed/bug/two_phase/why3shapes.gz index de6062b9b9..7958141099 100644 Binary files a/creusot/tests/should_succeed/bug/two_phase/why3shapes.gz and b/creusot/tests/should_succeed/bug/two_phase/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/cell/01.mlcfg b/creusot/tests/should_succeed/cell/01.mlcfg index f9ccf2ef96..ca534c658f 100644 --- a/creusot/tests/should_succeed/cell/01.mlcfg +++ b/creusot/tests/should_succeed/cell/01.mlcfg @@ -74,23 +74,28 @@ module C01_AddsTwo var _0 : (); var c : C01_Cell_Type.t_cell uint32 (C01_Even_Type.t_even) = c; var v : uint32; + var _4 : bool; var _6 : (); + var _8 : uint32; var _10 : (); { goto BB0 } BB0 { - [#"../01.rs" 41 12 41 19] v <- ([#"../01.rs" 41 12 41 19] get0 ([#"../01.rs" 41 12 41 13] c)); + [#"../01.rs" 41 12 41 19] v <- ([#"../01.rs" 41 12 41 19] get0 c); goto BB1 } BB1 { - switch ([#"../01.rs" 43 7 43 17] ([#"../01.rs" 43 7 43 8] v) < ([#"../01.rs" 43 11 43 17] [#"../01.rs" 43 11 43 17] (100000 : uint32))) + [#"../01.rs" 43 7 43 17] _4 <- v < ([#"../01.rs" 43 11 43 17] (100000 : uint32)); + switch (_4) | False -> goto BB4 | True -> goto BB2 end } BB2 { - [#"../01.rs" 44 8 44 20] _6 <- ([#"../01.rs" 44 8 44 20] set0 ([#"../01.rs" 44 8 44 9] c) ([#"../01.rs" 44 14 44 19] ([#"../01.rs" 44 14 44 15] v) + ([#"../01.rs" 44 18 44 19] [#"../01.rs" 44 18 44 19] (2 : uint32)))); + [#"../01.rs" 44 14 44 19] _8 <- v + ([#"../01.rs" 44 18 44 19] (2 : uint32)); + [#"../01.rs" 44 8 44 20] _6 <- ([#"../01.rs" 44 8 44 20] set0 c _8); + _8 <- any uint32; goto BB3 } BB3 { @@ -98,7 +103,7 @@ module C01_AddsTwo goto BB6 } BB4 { - [#"../01.rs" 46 8 46 16] _10 <- ([#"../01.rs" 46 8 46 16] set0 ([#"../01.rs" 46 8 46 9] c) ([#"../01.rs" 46 14 46 15] [#"../01.rs" 46 14 46 15] (0 : uint32))); + [#"../01.rs" 46 8 46 16] _10 <- ([#"../01.rs" 46 8 46 16] set0 c ([#"../01.rs" 46 14 46 15] (0 : uint32))); goto BB5 } BB5 { 
diff --git a/creusot/tests/should_succeed/cell/01/why3session.xml b/creusot/tests/should_succeed/cell/01/why3session.xml index c1273f0f5c..450c0bb113 100644 --- a/creusot/tests/should_succeed/cell/01/why3session.xml +++ b/creusot/tests/should_succeed/cell/01/why3session.xml @@ -7,7 +7,7 @@ - + diff --git a/creusot/tests/should_succeed/cell/01/why3shapes.gz b/creusot/tests/should_succeed/cell/01/why3shapes.gz index 5695af0330..f9b6d4914e 100644 Binary files a/creusot/tests/should_succeed/cell/01/why3shapes.gz and b/creusot/tests/should_succeed/cell/01/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/cell/02.mlcfg b/creusot/tests/should_succeed/cell/02.mlcfg index c9e4986344..0307cbd1e5 100644 --- a/creusot/tests/should_succeed/cell/02.mlcfg +++ b/creusot/tests/should_succeed/cell/02.mlcfg @@ -22,11 +22,15 @@ module C02_Cell_Type end module C02_Fib_Impl use prelude.Int - let rec ghost function fib [#"../02.rs" 32 0 32 25] (i : int) : int - variant {[#"../02.rs" 31 10 31 11] i} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../02.rs" 29 0 29 8] if pure {i <= 0} then 0 else if pure {i = 1} then 1 else fib (i - 1) + fib (i - 2) + constant i : int + function fib [#"../02.rs" 32 0 32 25] (i : int) : int + goal vc_fib : match i <= 0 with + | True -> true + | False -> match i = 1 with + | True -> true + | False -> (0 <= ([#"../02.rs" 31 10 31 11] i) /\ ([#"../02.rs" 31 10 31 11] i - 1) < ([#"../02.rs" 31 10 31 11] i)) /\ 0 <= ([#"../02.rs" 31 10 31 11] i) /\ ([#"../02.rs" 31 10 31 11] i - 2) < ([#"../02.rs" 31 10 31 11] i) + end + end end module C02_LemmaFibBound_Impl use int.Power 
@@ -40,17 +44,18 @@ module C02_LemmaFibBound_Impl val fib0 [#"../02.rs" 32 0 32 25] (i : int) : int ensures { result = fib0 i } - let rec ghost function lemma_fib_bound [#"../02.rs" 47 0 47 30] (i : int) : () - requires {[#"../02.rs" 44 11 44 17] 0 <= i} - ensures { [#"../02.rs" 45 10 45 28] fib0 i <= Power.power 2 i } - variant {[#"../02.rs" 46 10 46 11] i} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../02.rs" 43 0 43 8] if pure {i = 0} then - () - else - if pure {i = 1} then () else let _ = lemma_fib_bound (i - 2) in lemma_fib_bound (i - 1) - + constant i : int + function lemma_fib_bound [#"../02.rs" 47 0 47 30] (i : int) : () + goal vc_lemma_fib_bound : ([#"../02.rs" 44 11 44 17] 0 <= i) + -> match i = 0 with + | True -> [#"../02.rs" 45 10 45 28] fib0 i <= Power.power 2 i + | False -> match i = 1 with + | True -> [#"../02.rs" 45 10 45 28] fib0 i <= Power.power 2 i + | False -> (([#"../02.rs" 44 11 44 17] 0 <= i - 2) /\ 0 <= ([#"../02.rs" 46 10 46 11] i) /\ ([#"../02.rs" 46 10 46 11] i - 2) < ([#"../02.rs" 46 10 46 11] i)) /\ (([#"../02.rs" 45 10 45 28] fib0 (i - 2) <= Power.power 2 (i - 2)) + -> (let _ = lemma_fib_bound (i - 2) in (([#"../02.rs" 44 11 44 17] 0 <= i - 1) /\ 0 <= ([#"../02.rs" 46 10 46 11] i) /\ ([#"../02.rs" 46 10 46 11] i - 1) < ([#"../02.rs" 46 10 46 11] i)) /\ (([#"../02.rs" 45 10 45 28] fib0 (i - 1) <= Power.power 2 (i - 1)) + -> ([#"../02.rs" 45 10 45 28] fib0 i <= Power.power 2 i)))) + end + end end module C02_Fib_Type use prelude.UIntSize 
@@ -92,12 +97,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type @@ -149,7 +160,8 @@ module C02_FibMemo requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec (C02_Cell_Type.t_cell (Core_Option_Option_Type.t_option usize) (C02_Fib_Type.t_fib)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec (C02_Cell_Type.t_cell (Core_Option_Option_Type.t_option usize) (C02_Fib_Type.t_fib)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant4 (self : Alloc_Vec_Vec_Type.t_vec (C02_Cell_Type.t_cell (Core_Option_Option_Type.t_option usize) (C02_Fib_Type.t_fib)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -224,7 +236,7 @@ module C02_FibMemo val fib_cell0 [#"../02.rs" 84 0 84 32] (v : Alloc_Vec_Vec_Type.t_vec (C02_Cell_Type.t_cell (Core_Option_Option_Type.t_option usize) (C02_Fib_Type.t_fib)) (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = fib_cell0 v } - use prelude.Ghost + use prelude.Snapshot function fib0 [#"../02.rs" 32 0 32 25] (i : int) : int axiom fib0_def : forall i : int . fib0 i = ([#"../02.rs" 29 0 29 8] if i <= 0 then 0 @@ -247,7 +259,7 @@ module C02_FibMemo requires {[#"../02.rs" 24 16 24 20] inv2 self} requires {[#"../02.rs" 24 22 24 23] inv4 v} - use prelude.Ghost + use prelude.Snapshot use int.Power function lemma_fib_bound0 [#"../02.rs" 47 0 47 30] (i : int) : () axiom lemma_fib_bound0_def : forall i : int . lemma_fib_bound0 i = ([#"../02.rs" 43 0 43 8] if i = 0 then @@ -259,8 +271,9 @@ module C02_FibMemo requires {[#"../02.rs" 44 11 44 17] 0 <= i} ensures { result = lemma_fib_bound0 i } - axiom lemma_fib_bound0_spec : forall i : int . ([#"../02.rs" 44 11 44 17] 0 <= i) -> ([#"../02.rs" 45 10 45 28] fib0 i <= Power.power 2 i) - use prelude.Ghost + axiom lemma_fib_bound0_spec : forall i : int . ([#"../02.rs" 44 11 44 17] 0 <= i) + -> ([#"../02.rs" 45 10 45 28] fib0 i <= Power.power 2 i) + use prelude.Snapshot function lemma_max_int0 [#"../02.rs" 62 0 62 22] (_1 : ()) : () = [#"../02.rs" 60 0 60 8] () val lemma_max_int0 [#"../02.rs" 62 0 62 22] (_1 : ()) : () 
@@ -308,21 +321,26 @@ module C02_FibMemo var _9 : C02_Cell_Type.t_cell (Core_Option_Option_Type.t_option usize) (C02_Fib_Type.t_fib); var v : usize; var fib_i : usize; - var _19 : Ghost.ghost_ty (); - var _21 : Ghost.ghost_ty (); + var _15 : bool; + var _17 : bool; + var _19 : Snapshot.snap_ty (); + var _21 : Snapshot.snap_ty (); var _23 : usize; + var _25 : usize; var _27 : usize; + var _29 : usize; var _33 : (); var _35 : C02_Cell_Type.t_cell (Core_Option_Option_Type.t_option usize) (C02_Fib_Type.t_fib); + var _38 : Core_Option_Option_Type.t_option usize; { goto BB0 } BB0 { - [#"../02.rs" 96 13 96 16] _9 <- ([#"../02.rs" 96 13 96 16] index0 ([#"../02.rs" 96 10 96 13] mem) ([#"../02.rs" 96 14 96 15] i)); + [#"../02.rs" 96 13 96 16] _9 <- ([#"../02.rs" 96 13 96 16] index0 mem i); goto BB1 } BB1 { - [#"../02.rs" 96 10 96 22] _7 <- ([#"../02.rs" 96 10 96 22] get0 ([#"../02.rs" 96 10 96 16] _9)); + [#"../02.rs" 96 10 96 22] _7 <- ([#"../02.rs" 96 10 96 22] get0 _9); goto BB2 } BB2 { @@ -332,7 +350,8 @@ module C02_FibMemo end } BB3 { - switch ([#"../02.rs" 99 27 99 33] ([#"../02.rs" 99 27 99 28] i) = ([#"../02.rs" 99 32 99 33] [#"../02.rs" 99 32 99 33] (0 : usize))) + [#"../02.rs" 99 27 99 33] _15 <- i = ([#"../02.rs" 99 32 99 33] (0 : usize)); + switch (_15) | False -> goto BB8 | True -> goto BB7 end 
@@ -345,42 +364,47 @@ module C02_FibMemo absurd } BB6 { - [#"../02.rs" 97 13 97 14] v <- ([#"../02.rs" 97 13 97 14] Core_Option_Option_Type.some_0 _7); - [#"../02.rs" 97 19 97 20] _0 <- ([#"../02.rs" 97 19 97 20] v); + [#"../02.rs" 97 13 97 14] v <- Core_Option_Option_Type.some_0 _7; + [#"../02.rs" 97 19 97 20] _0 <- v; goto BB19 } BB7 { - [#"../02.rs" 100 16 100 17] fib_i <- ([#"../02.rs" 100 16 100 17] [#"../02.rs" 100 16 100 17] (0 : usize)); + [#"../02.rs" 100 16 100 17] fib_i <- ([#"../02.rs" 100 16 100 17] (0 : usize)); goto BB16 } BB8 { - switch ([#"../02.rs" 101 22 101 28] ([#"../02.rs" 101 22 101 23] i) = ([#"../02.rs" 101 27 101 28] [#"../02.rs" 101 27 101 28] (1 : usize))) + [#"../02.rs" 101 22 101 28] _17 <- i = ([#"../02.rs" 101 27 101 28] (1 : usize)); + switch (_17) | False -> goto BB10 | True -> goto BB9 end } BB9 { - [#"../02.rs" 102 16 102 17] fib_i <- ([#"../02.rs" 102 16 102 17] [#"../02.rs" 102 16 102 17] (1 : usize)); + [#"../02.rs" 102 16 102 17] fib_i <- ([#"../02.rs" 102 16 102 17] (1 : usize)); goto BB15 } BB10 { - [#"../02.rs" 104 16 104 37] _19 <- ([#"../02.rs" 104 16 104 37] Ghost.new ()); + [#"../02.rs" 104 16 104 43] _19 <- ([#"../02.rs" 104 16 104 43] Snapshot.new ()); goto BB11 } BB11 { - [#"../02.rs" 105 16 105 39] _21 <- ([#"../02.rs" 105 16 105 39] Ghost.new ()); + [#"../02.rs" 105 16 105 45] _21 <- ([#"../02.rs" 105 16 105 45] Snapshot.new ()); goto BB12 } BB12 { - [#"../02.rs" 106 16 106 36] _23 <- ([#"../02.rs" 106 16 106 36] fib_memo ([#"../02.rs" 106 25 106 28] mem) ([#"../02.rs" 106 30 106 35] ([#"../02.rs" 106 30 106 31] i) - ([#"../02.rs" 106 34 106 35] [#"../02.rs" 106 34 106 35] (1 : usize)))); + [#"../02.rs" 106 30 106 35] _25 <- i - ([#"../02.rs" 106 34 106 35] (1 : usize)); + [#"../02.rs" 106 16 106 36] _23 <- ([#"../02.rs" 106 16 106 36] fib_memo mem _25); + _25 <- any usize; goto BB13 } BB13 { - [#"../02.rs" 106 39 106 59] _27 <- ([#"../02.rs" 106 39 106 59] fib_memo ([#"../02.rs" 106 48 106 51] mem) ([#"../02.rs" 
106 53 106 58] ([#"../02.rs" 106 53 106 54] i) - ([#"../02.rs" 106 57 106 58] [#"../02.rs" 106 57 106 58] (2 : usize)))); + [#"../02.rs" 106 53 106 58] _29 <- i - ([#"../02.rs" 106 57 106 58] (2 : usize)); + [#"../02.rs" 106 39 106 59] _27 <- ([#"../02.rs" 106 39 106 59] fib_memo mem _29); + _29 <- any usize; goto BB14 } BB14 { - [#"../02.rs" 106 16 106 59] fib_i <- ([#"../02.rs" 106 16 106 59] _23 + _27); + [#"../02.rs" 106 16 106 59] fib_i <- _23 + _27; _23 <- any usize; _27 <- any usize; goto BB15 @@ -390,15 +414,17 @@ module C02_FibMemo } BB16 { assert { [@expl:assertion] [#"../02.rs" 108 28 108 45] UIntSize.to_int fib_i = fib0 (UIntSize.to_int i) }; - [#"../02.rs" 109 15 109 18] _35 <- ([#"../02.rs" 109 15 109 18] index0 ([#"../02.rs" 109 12 109 15] mem) ([#"../02.rs" 109 16 109 17] i)); + [#"../02.rs" 109 15 109 18] _35 <- ([#"../02.rs" 109 15 109 18] index0 mem i); goto BB17 } BB17 { - [#"../02.rs" 109 12 109 35] _33 <- ([#"../02.rs" 109 12 109 35] set0 ([#"../02.rs" 109 12 109 18] _35) ([#"../02.rs" 109 23 109 34] Core_Option_Option_Type.C_Some ([#"../02.rs" 109 28 109 33] fib_i))); + [#"../02.rs" 109 23 109 34] _38 <- Core_Option_Option_Type.C_Some fib_i; + [#"../02.rs" 109 12 109 35] _33 <- ([#"../02.rs" 109 12 109 35] set0 _35 _38); + _38 <- any Core_Option_Option_Type.t_option usize; goto BB18 } BB18 { - [#"../02.rs" 110 12 110 17] _0 <- ([#"../02.rs" 110 12 110 17] fib_i); + [#"../02.rs" 110 12 110 17] _0 <- fib_i; goto BB19 } BB19 { diff --git a/creusot/tests/should_succeed/cell/02.rs b/creusot/tests/should_succeed/cell/02.rs index 97186b6576..5bb5e2a2e9 100644 --- a/creusot/tests/should_succeed/cell/02.rs +++ b/creusot/tests/should_succeed/cell/02.rs @@ -26,7 +26,7 @@ impl> Cell { } } -#[ghost] +#[logic] #[open] #[variant(i)] pub fn fib(i: Int) -> Int { @@ -40,7 +40,7 @@ pub fn fib(i: Int) -> Int { } #[open] -#[ghost] +#[logic] #[requires(0 <= i)] #[ensures(fib(i) <= 2.pow(i))] #[variant(i)] 
@@ -57,7 +57,7 @@ pub fn lemma_fib_bound(i: Int) { #[trusted] #[open] -#[ghost] +#[logic] #[ensures(2.pow(63) < 0xffff_ffff_ffff_ffffusize@)] pub fn lemma_max_int() {} @@ -101,8 +101,8 @@ pub fn fib_memo(mem: &FibCache, i: usize) -> usize { } else if i == 1 { 1 } else { - gh! { lemma_max_int }; - gh! { lemma_fib_bound }; + snapshot! { lemma_max_int }; + snapshot! { lemma_fib_bound }; fib_memo(mem, i - 1) + fib_memo(mem, i - 2) }; proof_assert! { fib_i@ == fib(i@)}; diff --git a/creusot/tests/should_succeed/cell/02/why3session.xml b/creusot/tests/should_succeed/cell/02/why3session.xml index c3d695a13c..d74c9b57c2 100644 --- a/creusot/tests/should_succeed/cell/02/why3session.xml +++ b/creusot/tests/should_succeed/cell/02/why3session.xml @@ -8,82 +8,76 @@ - - + + - - + + - - + - + - - + + - + - + - + - + - + - + - + - + - + - - - - - - - - - + - - - - - + + + + + + + + @@ -92,28 +86,29 @@ - + + - + - - + + - + - - + + - - + + - + diff --git a/creusot/tests/should_succeed/cell/02/why3shapes.gz b/creusot/tests/should_succeed/cell/02/why3shapes.gz index 8c9f7ec2e6..00882d9e3b 100644 Binary files a/creusot/tests/should_succeed/cell/02/why3shapes.gz and b/creusot/tests/should_succeed/cell/02/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/checked_ops.mlcfg b/creusot/tests/should_succeed/checked_ops.mlcfg index 9668eb767c..784f3028bd 100644 --- a/creusot/tests/should_succeed/checked_ops.mlcfg +++ b/creusot/tests/should_succeed/checked_ops.mlcfg 
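Review bot: The `#[trusted]` `lemma_max_int` in the `@@ -57` hunk has no comment explaining why its postcondition `2.pow(63) < 0xffff_ffff_ffff_ffffusize@` is accepted without proof; as a `#[logic]` function that `ensures` becomes an axiom that `fib_memo` pulls in via `snapshot! { lemma_max_int }`, so a wrong or later-edited literal would silently weaken the proof instead of failing it. The inequality is true by inspection (2^63 < 2^64 - 1), but nothing in the file records that this was checked by hand. I would add directly above `#[trusted]`: `// trusted: stated as an axiom (presumably because the provers do not evaluate 2.pow(63) directly); 2^63 < 2^64 - 1 holds by inspection — re-check before editing the bound.` If the current prover setup can actually discharge it, dropping `#[trusted]` would be the stronger fix.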
@@ -68,21 +68,30 @@ module CheckedOps_TestU8AddExample use prelude.UInt8 val overflowing_add0 (self : uint8) (rhs : uint8) : (uint8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] UInt8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (UInt8.to_int self + UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0) } val saturating_add0 (self : uint8) (rhs : uint8) : uint8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 -> UInt8.to_int result = UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 + -> UInt8.to_int result = UInt8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int max0 } val wrapping_add0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self + UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 
141 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option uint8) : bool 
@@ -97,27 +106,37 @@ module CheckedOps_TestU8AddExample val checked_add0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = UInt8.to_int self + UInt8.to_int rhs } let rec cfg test_u8_add_example [#"../checked_ops.rs" 5 0 5 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); + var _2 : bool; var _3 : uint8; var _4 : Core_Option_Option_Type.t_option uint8; var _7 : bool; var _9 : Core_Option_Option_Type.t_option uint8; + var _12 : bool; var _13 : uint8; + var _16 : bool; var _17 : uint8; + var _20 : bool; var _21 : uint8; + var _24 : bool; var _25 : uint8; var res : (uint8, bool); + var _29 : bool; + var _31 : bool; var res1 : (uint8, bool); + var _36 : bool; + var _38 : bool; { goto BB0 } BB0 { - [#"../checked_ops.rs" 6 12 6 31] _4 <- ([#"../checked_ops.rs" 6 12 6 31] checked_add0 ([#"../checked_ops.rs" 6 12 6 15] [#"../checked_ops.rs" 6 12 6 15] (5 : uint8)) ([#"../checked_ops.rs" 6 28 6 30] [#"../checked_ops.rs" 6 28 6 30] (10 : uint8))); + [#"../checked_ops.rs" 6 12 6 31] _4 <- ([#"../checked_ops.rs" 6 12 6 31] checked_add0 ([#"../checked_ops.rs" 6 12 6 15] (5 : uint8)) ([#"../checked_ops.rs" 6 28 6 30] (10 : uint8))); goto BB1 } BB1 { 
@@ -126,13 +145,15 @@ module CheckedOps_TestU8AddExample goto BB2 } BB2 { - switch ([#"../checked_ops.rs" 6 12 6 46] _3 = ([#"../checked_ops.rs" 6 44 6 46] [#"../checked_ops.rs" 6 44 6 46] (15 : uint8))) + [#"../checked_ops.rs" 6 12 6 46] _2 <- _3 = ([#"../checked_ops.rs" 6 44 6 46] (15 : uint8)); + _3 <- any uint8; + switch (_2) | False -> goto BB4 | True -> goto BB3 end } BB3 { - [#"../checked_ops.rs" 7 12 7 33] _9 <- ([#"../checked_ops.rs" 7 12 7 33] checked_add0 ([#"../checked_ops.rs" 7 12 7 17] [#"../checked_ops.rs" 7 12 7 17] (250 : uint8)) ([#"../checked_ops.rs" 7 30 7 32] [#"../checked_ops.rs" 7 30 7 32] (10 : uint8))); + [#"../checked_ops.rs" 7 12 7 33] _9 <- ([#"../checked_ops.rs" 7 12 7 33] checked_add0 ([#"../checked_ops.rs" 7 12 7 17] (250 : uint8)) ([#"../checked_ops.rs" 7 30 7 32] (10 : uint8))); goto BB5 } BB4 { @@ -140,7 +161,7 @@ module CheckedOps_TestU8AddExample absurd } BB5 { - [#"../checked_ops.rs" 7 12 7 43] _7 <- ([#"../checked_ops.rs" 7 12 7 43] is_none0 ([#"../checked_ops.rs" 7 12 7 33] _9)); + [#"../checked_ops.rs" 7 12 7 43] _7 <- ([#"../checked_ops.rs" 7 12 7 43] is_none0 _9); goto BB6 } BB6 { @@ -150,7 +171,7 @@ module CheckedOps_TestU8AddExample end } BB7 { - [#"../checked_ops.rs" 9 12 9 32] _13 <- ([#"../checked_ops.rs" 9 12 9 32] wrapping_add0 ([#"../checked_ops.rs" 9 12 9 15] [#"../checked_ops.rs" 9 12 9 15] (5 : uint8)) ([#"../checked_ops.rs" 9 29 9 31] [#"../checked_ops.rs" 9 29 9 31] (10 : uint8))); + [#"../checked_ops.rs" 9 12 9 32] _13 <- ([#"../checked_ops.rs" 9 12 9 32] wrapping_add0 ([#"../checked_ops.rs" 9 12 9 15] (5 : uint8)) ([#"../checked_ops.rs" 9 29 9 31] (10 : uint8))); goto BB9 } BB8 { 
@@ -158,13 +179,15 @@ module CheckedOps_TestU8AddExample absurd } BB9 { - switch ([#"../checked_ops.rs" 9 12 9 38] _13 = ([#"../checked_ops.rs" 9 36 9 38] [#"../checked_ops.rs" 9 36 9 38] (15 : uint8))) + [#"../checked_ops.rs" 9 12 9 38] _12 <- _13 = ([#"../checked_ops.rs" 9 36 9 38] (15 : uint8)); + _13 <- any uint8; + switch (_12) | False -> goto BB11 | True -> goto BB10 end } BB10 { - [#"../checked_ops.rs" 10 12 10 34] _17 <- ([#"../checked_ops.rs" 10 12 10 34] wrapping_add0 ([#"../checked_ops.rs" 10 12 10 17] [#"../checked_ops.rs" 10 12 10 17] (250 : uint8)) ([#"../checked_ops.rs" 10 31 10 33] [#"../checked_ops.rs" 10 31 10 33] (10 : uint8))); + [#"../checked_ops.rs" 10 12 10 34] _17 <- ([#"../checked_ops.rs" 10 12 10 34] wrapping_add0 ([#"../checked_ops.rs" 10 12 10 17] (250 : uint8)) ([#"../checked_ops.rs" 10 31 10 33] (10 : uint8))); goto BB12 } BB11 { @@ -172,13 +195,15 @@ module CheckedOps_TestU8AddExample absurd } BB12 { - switch ([#"../checked_ops.rs" 10 12 10 39] _17 = ([#"../checked_ops.rs" 10 38 10 39] [#"../checked_ops.rs" 10 38 10 39] (4 : uint8))) + [#"../checked_ops.rs" 10 12 10 39] _16 <- _17 = ([#"../checked_ops.rs" 10 38 10 39] (4 : uint8)); + _17 <- any uint8; + switch (_16) | False -> goto BB14 | True -> goto BB13 end } BB13 { - [#"../checked_ops.rs" 12 12 12 34] _21 <- ([#"../checked_ops.rs" 12 12 12 34] saturating_add0 ([#"../checked_ops.rs" 12 12 12 15] [#"../checked_ops.rs" 12 12 12 15] (5 : uint8)) ([#"../checked_ops.rs" 12 31 12 33] [#"../checked_ops.rs" 12 31 12 33] (10 : uint8))); + [#"../checked_ops.rs" 12 12 12 34] _21 <- ([#"../checked_ops.rs" 12 12 12 34] saturating_add0 ([#"../checked_ops.rs" 12 12 12 15] (5 : uint8)) ([#"../checked_ops.rs" 12 31 12 33] (10 : uint8))); goto BB15 } BB14 { 
@@ -186,13 +211,15 @@ module CheckedOps_TestU8AddExample absurd } BB15 { - switch ([#"../checked_ops.rs" 12 12 12 40] _21 = ([#"../checked_ops.rs" 12 38 12 40] [#"../checked_ops.rs" 12 38 12 40] (15 : uint8))) + [#"../checked_ops.rs" 12 12 12 40] _20 <- _21 = ([#"../checked_ops.rs" 12 38 12 40] (15 : uint8)); + _21 <- any uint8; + switch (_20) | False -> goto BB17 | True -> goto BB16 end } BB16 { - [#"../checked_ops.rs" 13 12 13 36] _25 <- ([#"../checked_ops.rs" 13 12 13 36] saturating_add0 ([#"../checked_ops.rs" 13 12 13 17] [#"../checked_ops.rs" 13 12 13 17] (250 : uint8)) ([#"../checked_ops.rs" 13 33 13 35] [#"../checked_ops.rs" 13 33 13 35] (10 : uint8))); + [#"../checked_ops.rs" 13 12 13 36] _25 <- ([#"../checked_ops.rs" 13 12 13 36] saturating_add0 ([#"../checked_ops.rs" 13 12 13 17] (250 : uint8)) ([#"../checked_ops.rs" 13 33 13 35] (10 : uint8))); goto BB18 } BB17 { @@ -200,13 +227,15 @@ module CheckedOps_TestU8AddExample absurd } BB18 { - switch ([#"../checked_ops.rs" 13 12 13 43] _25 = ([#"../checked_ops.rs" 13 40 13 43] [#"../checked_ops.rs" 13 40 13 43] (255 : uint8))) + [#"../checked_ops.rs" 13 12 13 43] _24 <- _25 = ([#"../checked_ops.rs" 13 40 13 43] (255 : uint8)); + _25 <- any uint8; + switch (_24) | False -> goto BB20 | True -> goto BB19 end } BB19 { - [#"../checked_ops.rs" 15 14 15 37] res <- ([#"../checked_ops.rs" 15 14 15 37] overflowing_add0 ([#"../checked_ops.rs" 15 14 15 17] [#"../checked_ops.rs" 15 14 15 17] (5 : uint8)) ([#"../checked_ops.rs" 15 34 15 36] [#"../checked_ops.rs" 15 34 15 36] (10 : uint8))); + [#"../checked_ops.rs" 15 14 15 37] res <- ([#"../checked_ops.rs" 15 14 15 37] overflowing_add0 ([#"../checked_ops.rs" 15 14 15 17] (5 : uint8)) ([#"../checked_ops.rs" 15 34 15 36] (10 : uint8))); goto BB21 } BB20 { 
@@ -214,20 +243,22 @@ module CheckedOps_TestU8AddExample absurd } BB21 { - switch ([#"../checked_ops.rs" 16 12 16 23] ([#"../checked_ops.rs" 16 12 16 17] let (a, _) = res in a) = ([#"../checked_ops.rs" 16 21 16 23] [#"../checked_ops.rs" 16 21 16 23] (15 : uint8))) + [#"../checked_ops.rs" 16 12 16 23] _29 <- (let (a, _) = res in a) = ([#"../checked_ops.rs" 16 21 16 23] (15 : uint8)); + switch (_29) | False -> goto BB25 | True -> goto BB22 end } BB22 { assume { resolve0 res }; - switch ([#"../checked_ops.rs" 16 27 16 41] Bool.eqb ([#"../checked_ops.rs" 16 27 16 32] let (_, a) = res in a) ([#"../checked_ops.rs" 16 36 16 41] [#"../checked_ops.rs" 16 36 16 41] false)) + [#"../checked_ops.rs" 16 27 16 41] _31 <- Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 16 36 16 41] false); + switch (_31) | False -> goto BB24 | True -> goto BB23 end } BB23 { - [#"../checked_ops.rs" 17 14 17 39] res1 <- ([#"../checked_ops.rs" 17 14 17 39] overflowing_add0 ([#"../checked_ops.rs" 17 14 17 19] [#"../checked_ops.rs" 17 14 17 19] (250 : uint8)) ([#"../checked_ops.rs" 17 36 17 38] [#"../checked_ops.rs" 17 36 17 38] (10 : uint8))); + [#"../checked_ops.rs" 17 14 17 39] res1 <- ([#"../checked_ops.rs" 17 14 17 39] overflowing_add0 ([#"../checked_ops.rs" 17 14 17 19] (250 : uint8)) ([#"../checked_ops.rs" 17 36 17 38] (10 : uint8))); goto BB27 } BB24 { 
@@ -242,14 +273,16 @@ module CheckedOps_TestU8AddExample absurd } BB27 { - switch ([#"../checked_ops.rs" 18 12 18 22] ([#"../checked_ops.rs" 18 12 18 17] let (a, _) = res1 in a) = ([#"../checked_ops.rs" 18 21 18 22] [#"../checked_ops.rs" 18 21 18 22] (4 : uint8))) + [#"../checked_ops.rs" 18 12 18 22] _36 <- (let (a, _) = res1 in a) = ([#"../checked_ops.rs" 18 21 18 22] (4 : uint8)); + switch (_36) | False -> goto BB31 | True -> goto BB28 end } BB28 { assume { resolve0 res1 }; - switch ([#"../checked_ops.rs" 18 26 18 39] Bool.eqb ([#"../checked_ops.rs" 18 26 18 31] let (_, a) = res1 in a) ([#"../checked_ops.rs" 18 35 18 39] [#"../checked_ops.rs" 18 35 18 39] true)) + [#"../checked_ops.rs" 18 26 18 39] _38 <- Bool.eqb (let (_, a) = res1 in a) ([#"../checked_ops.rs" 18 35 18 39] true); + switch (_38) | False -> goto BB30 | True -> goto BB29 end 
@@ -314,21 +347,30 @@ module CheckedOps_TestU8AddOverflow (8 : uint32) val overflowing_add0 (self : uint8) (rhs : uint8) : (uint8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] UInt8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (UInt8.to_int self + UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0) } val saturating_add0 (self : uint8) (rhs : uint8) : uint8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 -> UInt8.to_int result = UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 + -> UInt8.to_int result = UInt8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int max0 } val wrapping_add0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self + UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 
141 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option uint8) : bool 
@@ -337,7 +379,8 @@ module CheckedOps_TestU8AddOverflow val checked_add0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = UInt8.to_int self + UInt8.to_int rhs } let rec cfg test_u8_add_overflow [#"../checked_ops.rs" 23 0 23 34] [@cfg:stackify] [@cfg:subregion_analysis] (a : uint8) : () requires {[#"../checked_ops.rs" 22 11 22 18] UInt8.to_int a <> 0} @@ -347,18 +390,24 @@ module CheckedOps_TestU8AddOverflow var a : uint8 = a; var _4 : bool; var _6 : Core_Option_Option_Type.t_option uint8; + var _10 : bool; var _11 : uint8; + var _13 : uint8; + var _17 : bool; var _18 : uint8; var res : (uint8, bool); + var _24 : bool; + var _26 : uint8; + var _28 : bool; { goto BB0 } BB0 { - [#"../checked_ops.rs" 24 12 24 32] _6 <- ([#"../checked_ops.rs" 24 12 24 32] checked_add0 ([#"../checked_ops.rs" 24 12 24 17] [#"../checked_ops.rs" 24 12 24 17] (255 : uint8)) ([#"../checked_ops.rs" 24 30 24 31] a)); + [#"../checked_ops.rs" 24 12 24 32] _6 <- ([#"../checked_ops.rs" 24 12 24 32] checked_add0 ([#"../checked_ops.rs" 24 12 24 17] (255 : uint8)) a); goto BB1 } BB1 { - [#"../checked_ops.rs" 24 12 24 42] _4 <- ([#"../checked_ops.rs" 24 12 24 42] is_none0 ([#"../checked_ops.rs" 24 12 24 32] _6)); + [#"../checked_ops.rs" 24 12 24 42] _4 <- ([#"../checked_ops.rs" 24 12 24 42] is_none0 _6); goto BB2 } BB2 { 
@@ -368,7 +417,7 @@ module CheckedOps_TestU8AddOverflow end } BB3 { - [#"../checked_ops.rs" 25 12 25 33] _11 <- ([#"../checked_ops.rs" 25 12 25 33] wrapping_add0 ([#"../checked_ops.rs" 25 12 25 17] [#"../checked_ops.rs" 25 12 25 17] (255 : uint8)) ([#"../checked_ops.rs" 25 31 25 32] a)); + [#"../checked_ops.rs" 25 12 25 33] _11 <- ([#"../checked_ops.rs" 25 12 25 33] wrapping_add0 ([#"../checked_ops.rs" 25 12 25 17] (255 : uint8)) a); goto BB5 } BB4 { @@ -376,13 +425,17 @@ module CheckedOps_TestU8AddOverflow absurd } BB5 { - switch ([#"../checked_ops.rs" 25 12 25 42] _11 = ([#"../checked_ops.rs" 25 37 25 42] ([#"../checked_ops.rs" 25 37 25 38] a) - ([#"../checked_ops.rs" 25 41 25 42] [#"../checked_ops.rs" 25 41 25 42] (1 : uint8)))) + [#"../checked_ops.rs" 25 37 25 42] _13 <- a - ([#"../checked_ops.rs" 25 41 25 42] (1 : uint8)); + [#"../checked_ops.rs" 25 12 25 42] _10 <- _11 = _13; + _11 <- any uint8; + _13 <- any uint8; + switch (_10) | False -> goto BB7 | True -> goto BB6 end } BB6 { - [#"../checked_ops.rs" 26 12 26 35] _18 <- ([#"../checked_ops.rs" 26 12 26 35] saturating_add0 ([#"../checked_ops.rs" 26 12 26 17] [#"../checked_ops.rs" 26 12 26 17] (255 : uint8)) ([#"../checked_ops.rs" 26 33 26 34] a)); + [#"../checked_ops.rs" 26 12 26 35] _18 <- ([#"../checked_ops.rs" 26 12 26 35] saturating_add0 ([#"../checked_ops.rs" 26 12 26 17] (255 : uint8)) a); goto BB8 } BB7 { 
@@ -390,13 +443,15 @@ module CheckedOps_TestU8AddOverflow absurd } BB8 { - switch ([#"../checked_ops.rs" 26 12 26 42] _18 = ([#"../checked_ops.rs" 26 39 26 42] [#"../checked_ops.rs" 26 39 26 42] (255 : uint8))) + [#"../checked_ops.rs" 26 12 26 42] _17 <- _18 = ([#"../checked_ops.rs" 26 39 26 42] (255 : uint8)); + _18 <- any uint8; + switch (_17) | False -> goto BB10 | True -> goto BB9 end } BB9 { - [#"../checked_ops.rs" 27 14 27 38] res <- ([#"../checked_ops.rs" 27 14 27 38] overflowing_add0 ([#"../checked_ops.rs" 27 14 27 19] [#"../checked_ops.rs" 27 14 27 19] (255 : uint8)) ([#"../checked_ops.rs" 27 36 27 37] a)); + [#"../checked_ops.rs" 27 14 27 38] res <- ([#"../checked_ops.rs" 27 14 27 38] overflowing_add0 ([#"../checked_ops.rs" 27 14 27 19] (255 : uint8)) a); goto BB11 } BB10 { @@ -404,14 +459,18 @@ module CheckedOps_TestU8AddOverflow absurd } BB11 { - switch ([#"../checked_ops.rs" 28 12 28 26] ([#"../checked_ops.rs" 28 12 28 17] let (a, _) = res in a) = ([#"../checked_ops.rs" 28 21 28 26] ([#"../checked_ops.rs" 28 21 28 22] a) - ([#"../checked_ops.rs" 28 25 28 26] [#"../checked_ops.rs" 28 25 28 26] (1 : uint8)))) + [#"../checked_ops.rs" 28 21 28 26] _26 <- a - ([#"../checked_ops.rs" 28 25 28 26] (1 : uint8)); + [#"../checked_ops.rs" 28 12 28 26] _24 <- (let (a, _) = res in a) = _26; + _26 <- any uint8; + switch (_24) | False -> goto BB15 | True -> goto BB12 end } BB12 { assume { resolve0 res }; - switch ([#"../checked_ops.rs" 28 30 28 43] Bool.eqb ([#"../checked_ops.rs" 28 30 28 35] let (_, a) = res in a) ([#"../checked_ops.rs" 28 39 28 43] [#"../checked_ops.rs" 28 39 28 43] true)) + [#"../checked_ops.rs" 28 30 28 43] _28 <- Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 28 39 28 43] true); + switch (_28) | False -> goto BB14 | True -> goto BB13 end 
@@ -449,9 +508,12 @@ module CheckedOps_TestU8WrappingAdd (8 : uint32) val wrapping_add0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self + UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } let rec cfg test_u8_wrapping_add [#"../checked_ops.rs" 34 0 34 47] [@cfg:stackify] [@cfg:subregion_analysis] (a : uint8) (b : uint8) : uint8 ensures { [#"../checked_ops.rs" 33 10 33 56] UInt8.to_int result = UInt8.to_int a + UInt8.to_int b \/ UInt8.to_int result = UInt8.to_int a + UInt8.to_int b - 256 } @@ -464,7 +526,7 @@ module CheckedOps_TestU8WrappingAdd goto BB0 } BB0 { - [#"../checked_ops.rs" 35 4 35 21] _0 <- ([#"../checked_ops.rs" 35 4 35 21] wrapping_add0 ([#"../checked_ops.rs" 35 4 35 5] a) ([#"../checked_ops.rs" 35 19 35 20] b)); + [#"../checked_ops.rs" 35 4 35 21] _0 <- ([#"../checked_ops.rs" 35 4 35 21] wrapping_add0 a b); goto BB1 } BB1 { @@ -499,7 +561,8 @@ module CheckedOps_TestU8OverflowingAdd use prelude.UInt8 val checked_add0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = UInt8.to_int self + UInt8.to_int rhs } use prelude.UInt32 use int.EuclideanDivision 
@@ -509,9 +572,12 @@ module CheckedOps_TestU8OverflowingAdd (8 : uint32) val wrapping_add0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self + UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int result = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } predicate resolve2 (self : bool) = [#"../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true 
@@ -530,9 +596,12 @@ module CheckedOps_TestU8OverflowingAdd val overflowing_add0 (self : uint8) (rhs : uint8) : (uint8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] UInt8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (UInt8.to_int self + UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self + UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self + UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self + UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (UInt8.to_int self + UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self + UInt8.to_int rhs > UInt8.to_int max0) } let rec cfg test_u8_overflowing_add [#"../checked_ops.rs" 39 0 39 44] [@cfg:stackify] [@cfg:subregion_analysis] (a : uint8) (b : uint8) : () @@ -541,8 +610,10 @@ module CheckedOps_TestU8OverflowingAdd var _0 : (); var a : uint8 = a; var b : uint8 = b; + var _4 : bool; var _6 : (uint8, bool); var _9 : uint8; + var _14 : bool; var _16 : (uint8, bool); var _19 : bool; var _21 : Core_Option_Option_Type.t_option uint8; 
@@ -550,22 +621,24 @@ module CheckedOps_TestU8OverflowingAdd goto BB0 } BB0 { - [#"../checked_ops.rs" 40 12 40 32] _6 <- ([#"../checked_ops.rs" 40 12 40 32] overflowing_add0 ([#"../checked_ops.rs" 40 12 40 13] a) ([#"../checked_ops.rs" 40 30 40 31] b)); + [#"../checked_ops.rs" 40 12 40 32] _6 <- ([#"../checked_ops.rs" 40 12 40 32] overflowing_add0 a b); goto BB1 } BB1 { assume { resolve0 _6 }; - [#"../checked_ops.rs" 40 38 40 55] _9 <- ([#"../checked_ops.rs" 40 38 40 55] wrapping_add0 ([#"../checked_ops.rs" 40 38 40 39] a) ([#"../checked_ops.rs" 40 53 40 54] b)); + [#"../checked_ops.rs" 40 38 40 55] _9 <- ([#"../checked_ops.rs" 40 38 40 55] wrapping_add0 a b); goto BB2 } BB2 { - switch ([#"../checked_ops.rs" 40 12 40 55] ([#"../checked_ops.rs" 40 12 40 34] let (a, _) = _6 in a) = _9) + [#"../checked_ops.rs" 40 12 40 55] _4 <- (let (a, _) = _6 in a) = _9; + _9 <- any uint8; + switch (_4) | False -> goto BB4 | True -> goto BB3 end } BB3 { - [#"../checked_ops.rs" 41 12 41 32] _16 <- ([#"../checked_ops.rs" 41 12 41 32] overflowing_add0 ([#"../checked_ops.rs" 41 12 41 13] a) ([#"../checked_ops.rs" 41 30 41 31] b)); + [#"../checked_ops.rs" 41 12 41 32] _16 <- ([#"../checked_ops.rs" 41 12 41 32] overflowing_add0 a b); goto BB5 } BB4 { 
@@ -574,15 +647,17 @@ module CheckedOps_TestU8OverflowingAdd } BB5 { assume { resolve0 _16 }; - [#"../checked_ops.rs" 41 38 41 54] _21 <- ([#"../checked_ops.rs" 41 38 41 54] checked_add0 ([#"../checked_ops.rs" 41 38 41 39] a) ([#"../checked_ops.rs" 41 52 41 53] b)); + [#"../checked_ops.rs" 41 38 41 54] _21 <- ([#"../checked_ops.rs" 41 38 41 54] checked_add0 a b); goto BB6 } BB6 { - [#"../checked_ops.rs" 41 38 41 64] _19 <- ([#"../checked_ops.rs" 41 38 41 64] is_none0 ([#"../checked_ops.rs" 41 38 41 54] _21)); + [#"../checked_ops.rs" 41 38 41 64] _19 <- ([#"../checked_ops.rs" 41 38 41 64] is_none0 _21); goto BB7 } BB7 { - switch ([#"../checked_ops.rs" 41 12 41 64] Bool.eqb ([#"../checked_ops.rs" 41 12 41 34] let (_, a) = _16 in a) _19) + [#"../checked_ops.rs" 41 12 41 64] _14 <- Bool.eqb (let (_, a) = _16 in a) _19; + _19 <- any bool; + switch (_14) | False -> goto BB9 | True -> goto BB8 end 
@@ -660,21 +735,30 @@ module CheckedOps_TestU8SubExample use prelude.UInt8 val overflowing_sub0 (self : uint8) (rhs : uint8) : (uint8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] UInt8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (UInt8.to_int self - UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0) } val saturating_sub0 (self : uint8) (rhs : uint8) : uint8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 -> UInt8.to_int result = UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 + -> UInt8.to_int result = UInt8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int max0 } val wrapping_sub0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self - UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 
141 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } val unwrap0 (self : Core_Option_Option_Type.t_option uint8) : uint8 requires {[#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self <> Core_Option_Option_Type.C_None} 
@@ -689,7 +773,8 @@ module CheckedOps_TestU8SubExample val checked_sub0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = UInt8.to_int self - UInt8.to_int rhs } let rec cfg test_u8_sub_example [#"../checked_ops.rs" 45 0 45 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () 
@@ -697,23 +782,32 @@ module CheckedOps_TestU8SubExample var _0 : (); var _2 : bool; var _4 : Core_Option_Option_Type.t_option uint8; + var _7 : bool; var _8 : uint8; var _9 : Core_Option_Option_Type.t_option uint8; + var _12 : bool; var _13 : uint8; + var _16 : bool; var _17 : uint8; + var _20 : bool; var _21 : uint8; + var _24 : bool; var _25 : uint8; var res : (uint8, bool); + var _29 : bool; + var _31 : bool; var res1 : (uint8, bool); + var _36 : bool; + var _38 : bool; { goto BB0 } BB0 { - [#"../checked_ops.rs" 46 12 46 31] _4 <- ([#"../checked_ops.rs" 46 12 46 31] checked_sub0 ([#"../checked_ops.rs" 46 12 46 15] [#"../checked_ops.rs" 46 12 46 15] (5 : uint8)) ([#"../checked_ops.rs" 46 28 46 30] [#"../checked_ops.rs" 46 28 46 30] (10 : uint8))); + [#"../checked_ops.rs" 46 12 46 31] _4 <- ([#"../checked_ops.rs" 46 12 46 31] checked_sub0 ([#"../checked_ops.rs" 46 12 46 15] (5 : uint8)) ([#"../checked_ops.rs" 46 28 46 30] (10 : uint8))); goto BB1 } BB1 { - [#"../checked_ops.rs" 46 12 46 41] _2 <- ([#"../checked_ops.rs" 46 12 46 41] is_none0 ([#"../checked_ops.rs" 46 12 46 31] _4)); + [#"../checked_ops.rs" 46 12 46 41] _2 <- ([#"../checked_ops.rs" 46 12 46 41] is_none0 _4); goto BB2 } BB2 { @@ -723,7 +817,7 @@ module CheckedOps_TestU8SubExample end } BB3 { - [#"../checked_ops.rs" 47 12 47 33] _9 <- ([#"../checked_ops.rs" 47 12 47 33] checked_sub0 ([#"../checked_ops.rs" 47 12 47 17] [#"../checked_ops.rs" 47 12 47 17] (250 : uint8)) ([#"../checked_ops.rs" 47 30 47 32] [#"../checked_ops.rs" 47 30 47 32] (10 : uint8))); + [#"../checked_ops.rs" 47 12 47 33] _9 <- ([#"../checked_ops.rs" 47 12 47 33] checked_sub0 ([#"../checked_ops.rs" 47 12 47 17] (250 : uint8)) ([#"../checked_ops.rs" 47 30 47 32] (10 : uint8))); goto BB5 } BB4 { 
@@ -736,13 +830,15 @@ module CheckedOps_TestU8SubExample goto BB6 } BB6 { - switch ([#"../checked_ops.rs" 47 12 47 49] _8 = ([#"../checked_ops.rs" 47 46 47 49] [#"../checked_ops.rs" 47 46 47 49] (240 : uint8))) + [#"../checked_ops.rs" 47 12 47 49] _7 <- _8 = ([#"../checked_ops.rs" 47 46 47 49] (240 : uint8)); + _8 <- any uint8; + switch (_7) | False -> goto BB8 | True -> goto BB7 end } BB7 { - [#"../checked_ops.rs" 49 12 49 32] _13 <- ([#"../checked_ops.rs" 49 12 49 32] wrapping_sub0 ([#"../checked_ops.rs" 49 12 49 15] [#"../checked_ops.rs" 49 12 49 15] (5 : uint8)) ([#"../checked_ops.rs" 49 29 49 31] [#"../checked_ops.rs" 49 29 49 31] (10 : uint8))); + [#"../checked_ops.rs" 49 12 49 32] _13 <- ([#"../checked_ops.rs" 49 12 49 32] wrapping_sub0 ([#"../checked_ops.rs" 49 12 49 15] (5 : uint8)) ([#"../checked_ops.rs" 49 29 49 31] (10 : uint8))); goto BB9 } BB8 { @@ -750,13 +846,15 @@ module CheckedOps_TestU8SubExample absurd } BB9 { - switch ([#"../checked_ops.rs" 49 12 49 39] _13 = ([#"../checked_ops.rs" 49 36 49 39] [#"../checked_ops.rs" 49 36 49 39] (251 : uint8))) + [#"../checked_ops.rs" 49 12 49 39] _12 <- _13 = ([#"../checked_ops.rs" 49 36 49 39] (251 : uint8)); + _13 <- any uint8; + switch (_12) | False -> goto BB11 | True -> goto BB10 end } BB10 { - [#"../checked_ops.rs" 50 12 50 34] _17 <- ([#"../checked_ops.rs" 50 12 50 34] wrapping_sub0 ([#"../checked_ops.rs" 50 12 50 17] [#"../checked_ops.rs" 50 12 50 17] (250 : uint8)) ([#"../checked_ops.rs" 50 31 50 33] [#"../checked_ops.rs" 50 31 50 33] (10 : uint8))); + [#"../checked_ops.rs" 50 12 50 34] _17 <- ([#"../checked_ops.rs" 50 12 50 34] wrapping_sub0 ([#"../checked_ops.rs" 50 12 50 17] (250 : uint8)) ([#"../checked_ops.rs" 50 31 50 33] (10 : uint8))); goto BB12 } BB11 { 
@@ -764,13 +862,15 @@ module CheckedOps_TestU8SubExample absurd } BB12 { - switch ([#"../checked_ops.rs" 50 12 50 41] _17 = ([#"../checked_ops.rs" 50 38 50 41] [#"../checked_ops.rs" 50 38 50 41] (240 : uint8))) + [#"../checked_ops.rs" 50 12 50 41] _16 <- _17 = ([#"../checked_ops.rs" 50 38 50 41] (240 : uint8)); + _17 <- any uint8; + switch (_16) | False -> goto BB14 | True -> goto BB13 end } BB13 { - [#"../checked_ops.rs" 52 12 52 34] _21 <- ([#"../checked_ops.rs" 52 12 52 34] saturating_sub0 ([#"../checked_ops.rs" 52 12 52 15] [#"../checked_ops.rs" 52 12 52 15] (5 : uint8)) ([#"../checked_ops.rs" 52 31 52 33] [#"../checked_ops.rs" 52 31 52 33] (10 : uint8))); + [#"../checked_ops.rs" 52 12 52 34] _21 <- ([#"../checked_ops.rs" 52 12 52 34] saturating_sub0 ([#"../checked_ops.rs" 52 12 52 15] (5 : uint8)) ([#"../checked_ops.rs" 52 31 52 33] (10 : uint8))); goto BB15 } BB14 { @@ -778,13 +878,15 @@ module CheckedOps_TestU8SubExample absurd } BB15 { - switch ([#"../checked_ops.rs" 52 12 52 39] _21 = ([#"../checked_ops.rs" 52 38 52 39] [#"../checked_ops.rs" 52 38 52 39] (0 : uint8))) + [#"../checked_ops.rs" 52 12 52 39] _20 <- _21 = ([#"../checked_ops.rs" 52 38 52 39] (0 : uint8)); + _21 <- any uint8; + switch (_20) | False -> goto BB17 | True -> goto BB16 end } BB16 { - [#"../checked_ops.rs" 53 12 53 36] _25 <- ([#"../checked_ops.rs" 53 12 53 36] saturating_sub0 ([#"../checked_ops.rs" 53 12 53 17] [#"../checked_ops.rs" 53 12 53 17] (250 : uint8)) ([#"../checked_ops.rs" 53 33 53 35] [#"../checked_ops.rs" 53 33 53 35] (10 : uint8))); + [#"../checked_ops.rs" 53 12 53 36] _25 <- ([#"../checked_ops.rs" 53 12 53 36] saturating_sub0 ([#"../checked_ops.rs" 53 12 53 17] (250 : uint8)) ([#"../checked_ops.rs" 53 33 53 35] (10 : uint8))); goto BB18 } BB17 { 
@@ -792,13 +894,15 @@ module CheckedOps_TestU8SubExample absurd } BB18 { - switch ([#"../checked_ops.rs" 53 12 53 43] _25 = ([#"../checked_ops.rs" 53 40 53 43] [#"../checked_ops.rs" 53 40 53 43] (240 : uint8))) + [#"../checked_ops.rs" 53 12 53 43] _24 <- _25 = ([#"../checked_ops.rs" 53 40 53 43] (240 : uint8)); + _25 <- any uint8; + switch (_24) | False -> goto BB20 | True -> goto BB19 end } BB19 { - [#"../checked_ops.rs" 55 14 55 37] res <- ([#"../checked_ops.rs" 55 14 55 37] overflowing_sub0 ([#"../checked_ops.rs" 55 14 55 17] [#"../checked_ops.rs" 55 14 55 17] (5 : uint8)) ([#"../checked_ops.rs" 55 34 55 36] [#"../checked_ops.rs" 55 34 55 36] (10 : uint8))); + [#"../checked_ops.rs" 55 14 55 37] res <- ([#"../checked_ops.rs" 55 14 55 37] overflowing_sub0 ([#"../checked_ops.rs" 55 14 55 17] (5 : uint8)) ([#"../checked_ops.rs" 55 34 55 36] (10 : uint8))); goto BB21 } BB20 { 
@@ -806,20 +910,22 @@ module CheckedOps_TestU8SubExample absurd } BB21 { - switch ([#"../checked_ops.rs" 56 12 56 24] ([#"../checked_ops.rs" 56 12 56 17] let (a, _) = res in a) = ([#"../checked_ops.rs" 56 21 56 24] [#"../checked_ops.rs" 56 21 56 24] (251 : uint8))) + [#"../checked_ops.rs" 56 12 56 24] _29 <- (let (a, _) = res in a) = ([#"../checked_ops.rs" 56 21 56 24] (251 : uint8)); + switch (_29) | False -> goto BB25 | True -> goto BB22 end } BB22 { assume { resolve0 res }; - switch ([#"../checked_ops.rs" 56 28 56 41] Bool.eqb ([#"../checked_ops.rs" 56 28 56 33] let (_, a) = res in a) ([#"../checked_ops.rs" 56 37 56 41] [#"../checked_ops.rs" 56 37 56 41] true)) + [#"../checked_ops.rs" 56 28 56 41] _31 <- Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 56 37 56 41] true); + switch (_31) | False -> goto BB24 | True -> goto BB23 end } BB23 { - [#"../checked_ops.rs" 57 14 57 39] res1 <- ([#"../checked_ops.rs" 57 14 57 39] overflowing_sub0 ([#"../checked_ops.rs" 57 14 57 19] [#"../checked_ops.rs" 57 14 57 19] (250 : uint8)) ([#"../checked_ops.rs" 57 36 57 38] [#"../checked_ops.rs" 57 36 57 38] (10 : uint8))); + [#"../checked_ops.rs" 57 14 57 39] res1 <- ([#"../checked_ops.rs" 57 14 57 39] overflowing_sub0 ([#"../checked_ops.rs" 57 14 57 19] (250 : uint8)) ([#"../checked_ops.rs" 57 36 57 38] (10 : uint8))); goto BB27 } BB24 { 
@@ -834,14 +940,16 @@ module CheckedOps_TestU8SubExample absurd } BB27 { - switch ([#"../checked_ops.rs" 58 12 58 24] ([#"../checked_ops.rs" 58 12 58 17] let (a, _) = res1 in a) = ([#"../checked_ops.rs" 58 21 58 24] [#"../checked_ops.rs" 58 21 58 24] (240 : uint8))) + [#"../checked_ops.rs" 58 12 58 24] _36 <- (let (a, _) = res1 in a) = ([#"../checked_ops.rs" 58 21 58 24] (240 : uint8)); + switch (_36) | False -> goto BB31 | True -> goto BB28 end } BB28 { assume { resolve0 res1 }; - switch ([#"../checked_ops.rs" 58 28 58 42] Bool.eqb ([#"../checked_ops.rs" 58 28 58 33] let (_, a) = res1 in a) ([#"../checked_ops.rs" 58 37 58 42] [#"../checked_ops.rs" 58 37 58 42] false)) + [#"../checked_ops.rs" 58 28 58 42] _38 <- Bool.eqb (let (_, a) = res1 in a) ([#"../checked_ops.rs" 58 37 58 42] false); + switch (_38) | False -> goto BB30 | True -> goto BB29 end 
@@ -906,21 +1014,30 @@ module CheckedOps_TestU8SubOverflow (8 : uint32) val overflowing_sub0 (self : uint8) (rhs : uint8) : (uint8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] UInt8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (UInt8.to_int self - UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0) } val saturating_sub0 (self : uint8) (rhs : uint8) : uint8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 -> UInt8.to_int result = UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 + -> UInt8.to_int result = UInt8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int max0 } val wrapping_sub0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self - UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 
141 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option uint8) : bool 
@@ -929,7 +1046,8 @@ module CheckedOps_TestU8SubOverflow val checked_sub0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = UInt8.to_int self - UInt8.to_int rhs } let rec cfg test_u8_sub_overflow [#"../checked_ops.rs" 63 0 63 34] [@cfg:stackify] [@cfg:subregion_analysis] (a : uint8) : () requires {[#"../checked_ops.rs" 62 11 62 18] UInt8.to_int a <> 0} @@ -939,18 +1057,26 @@ module CheckedOps_TestU8SubOverflow var a : uint8 = a; var _4 : bool; var _6 : Core_Option_Option_Type.t_option uint8; + var _10 : bool; var _11 : uint8; + var _13 : uint8; + var _14 : uint8; + var _18 : bool; var _19 : uint8; var res : (uint8, bool); + var _25 : bool; + var _27 : uint8; + var _28 : uint8; + var _30 : bool; { goto BB0 } BB0 { - [#"../checked_ops.rs" 64 12 64 30] _6 <- ([#"../checked_ops.rs" 64 12 64 30] checked_sub0 ([#"../checked_ops.rs" 64 12 64 15] [#"../checked_ops.rs" 64 12 64 15] (0 : uint8)) ([#"../checked_ops.rs" 64 28 64 29] a)); + [#"../checked_ops.rs" 64 12 64 30] _6 <- ([#"../checked_ops.rs" 64 12 64 30] checked_sub0 ([#"../checked_ops.rs" 64 12 64 15] (0 : uint8)) a); goto BB1 } BB1 { - [#"../checked_ops.rs" 64 12 64 40] _4 <- ([#"../checked_ops.rs" 64 12 64 40] is_none0 ([#"../checked_ops.rs" 64 12 64 30] _6)); + [#"../checked_ops.rs" 64 12 64 40] _4 <- ([#"../checked_ops.rs" 64 12 64 40] is_none0 _6); goto BB2 } BB2 { 
@@ -960,7 +1086,7 @@ module CheckedOps_TestU8SubOverflow end } BB3 { - [#"../checked_ops.rs" 65 12 65 31] _11 <- ([#"../checked_ops.rs" 65 12 65 31] wrapping_sub0 ([#"../checked_ops.rs" 65 12 65 15] [#"../checked_ops.rs" 65 12 65 15] (0 : uint8)) ([#"../checked_ops.rs" 65 29 65 30] a)); + [#"../checked_ops.rs" 65 12 65 31] _11 <- ([#"../checked_ops.rs" 65 12 65 31] wrapping_sub0 ([#"../checked_ops.rs" 65 12 65 15] (0 : uint8)) a); goto BB5 } BB4 { @@ -968,13 +1094,19 @@ module CheckedOps_TestU8SubOverflow absurd } BB5 { - switch ([#"../checked_ops.rs" 65 12 65 46] _11 = ([#"../checked_ops.rs" 65 35 65 46] ([#"../checked_ops.rs" 65 35 65 42] ([#"../checked_ops.rs" 65 35 65 38] [#"../checked_ops.rs" 65 35 65 38] (255 : uint8)) - ([#"../checked_ops.rs" 65 41 65 42] a)) + ([#"../checked_ops.rs" 65 45 65 46] [#"../checked_ops.rs" 65 45 65 46] (1 : uint8)))) + [#"../checked_ops.rs" 65 35 65 42] _14 <- ([#"../checked_ops.rs" 65 35 65 38] (255 : uint8)) - a; + [#"../checked_ops.rs" 65 35 65 46] _13 <- _14 + ([#"../checked_ops.rs" 65 45 65 46] (1 : uint8)); + _14 <- any uint8; + [#"../checked_ops.rs" 65 12 65 46] _10 <- _11 = _13; + _11 <- any uint8; + _13 <- any uint8; + switch (_10) | False -> goto BB7 | True -> goto BB6 end } BB6 { - [#"../checked_ops.rs" 66 12 66 33] _19 <- ([#"../checked_ops.rs" 66 12 66 33] saturating_sub0 ([#"../checked_ops.rs" 66 12 66 15] [#"../checked_ops.rs" 66 12 66 15] (0 : uint8)) ([#"../checked_ops.rs" 66 31 66 32] a)); + [#"../checked_ops.rs" 66 12 66 33] _19 <- ([#"../checked_ops.rs" 66 12 66 33] saturating_sub0 ([#"../checked_ops.rs" 66 12 66 15] (0 : uint8)) a); goto BB8 } BB7 { 
@@ -982,13 +1114,15 @@ module CheckedOps_TestU8SubOverflow absurd } BB8 { - switch ([#"../checked_ops.rs" 66 12 66 38] _19 = ([#"../checked_ops.rs" 66 37 66 38] [#"../checked_ops.rs" 66 37 66 38] (0 : uint8))) + [#"../checked_ops.rs" 66 12 66 38] _18 <- _19 = ([#"../checked_ops.rs" 66 37 66 38] (0 : uint8)); + _19 <- any uint8; + switch (_18) | False -> goto BB10 | True -> goto BB9 end } BB9 { - [#"../checked_ops.rs" 67 14 67 36] res <- ([#"../checked_ops.rs" 67 14 67 36] overflowing_sub0 ([#"../checked_ops.rs" 67 14 67 17] [#"../checked_ops.rs" 67 14 67 17] (0 : uint8)) ([#"../checked_ops.rs" 67 34 67 35] a)); + [#"../checked_ops.rs" 67 14 67 36] res <- ([#"../checked_ops.rs" 67 14 67 36] overflowing_sub0 ([#"../checked_ops.rs" 67 14 67 17] (0 : uint8)) a); goto BB11 } BB10 { 
@@ -996,14 +1130,20 @@ module CheckedOps_TestU8SubOverflow absurd } BB11 { - switch ([#"../checked_ops.rs" 68 12 68 32] ([#"../checked_ops.rs" 68 12 68 17] let (a, _) = res in a) = ([#"../checked_ops.rs" 68 21 68 32] ([#"../checked_ops.rs" 68 21 68 28] ([#"../checked_ops.rs" 68 21 68 24] [#"../checked_ops.rs" 68 21 68 24] (255 : uint8)) - ([#"../checked_ops.rs" 68 27 68 28] a)) + ([#"../checked_ops.rs" 68 31 68 32] [#"../checked_ops.rs" 68 31 68 32] (1 : uint8)))) + [#"../checked_ops.rs" 68 21 68 28] _28 <- ([#"../checked_ops.rs" 68 21 68 24] (255 : uint8)) - a; + [#"../checked_ops.rs" 68 21 68 32] _27 <- _28 + ([#"../checked_ops.rs" 68 31 68 32] (1 : uint8)); + _28 <- any uint8; + [#"../checked_ops.rs" 68 12 68 32] _25 <- (let (a, _) = res in a) = _27; + _27 <- any uint8; + switch (_25) | False -> goto BB15 | True -> goto BB12 end } BB12 { assume { resolve0 res }; - switch ([#"../checked_ops.rs" 68 36 68 49] Bool.eqb ([#"../checked_ops.rs" 68 36 68 41] let (_, a) = res in a) ([#"../checked_ops.rs" 68 45 68 49] [#"../checked_ops.rs" 68 45 68 49] true)) + [#"../checked_ops.rs" 68 36 68 49] _30 <- Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 68 45 68 49] true); + switch (_30) | False -> goto BB14 | True -> goto BB13 end 
@@ -1041,9 +1181,12 @@ module CheckedOps_TestU8WrappingSub (8 : uint32) val wrapping_sub0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self - UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } let rec cfg test_u8_wrapping_sub [#"../checked_ops.rs" 74 0 74 47] [@cfg:stackify] [@cfg:subregion_analysis] (a : uint8) (b : uint8) : uint8 ensures { [#"../checked_ops.rs" 73 10 73 56] UInt8.to_int result = UInt8.to_int a - UInt8.to_int b \/ UInt8.to_int result = UInt8.to_int a - UInt8.to_int b + 256 } @@ -1056,7 +1199,7 @@ module CheckedOps_TestU8WrappingSub goto BB0 } BB0 { - [#"../checked_ops.rs" 75 4 75 21] _0 <- ([#"../checked_ops.rs" 75 4 75 21] wrapping_sub0 ([#"../checked_ops.rs" 75 4 75 5] a) ([#"../checked_ops.rs" 75 19 75 20] b)); + [#"../checked_ops.rs" 75 4 75 21] _0 <- ([#"../checked_ops.rs" 75 4 75 21] wrapping_sub0 a b); goto BB1 } BB1 { @@ -1091,7 +1234,8 @@ module CheckedOps_TestU8OverflowingSub use prelude.UInt8 val checked_sub0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = UInt8.to_int self - UInt8.to_int rhs } use prelude.UInt32 use int.EuclideanDivision 
@@ -1101,9 +1245,12 @@ module CheckedOps_TestU8OverflowingSub (8 : uint32) val wrapping_sub0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self - UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int result = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } predicate resolve2 (self : bool) = [#"../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true 
@@ -1122,9 +1269,12 @@ module CheckedOps_TestU8OverflowingSub val overflowing_sub0 (self : uint8) (rhs : uint8) : (uint8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] UInt8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (UInt8.to_int self - UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self - UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self - UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self - UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (UInt8.to_int self - UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self - UInt8.to_int rhs > UInt8.to_int max0) } let rec cfg test_u8_overflowing_sub [#"../checked_ops.rs" 79 0 79 44] [@cfg:stackify] [@cfg:subregion_analysis] (a : uint8) (b : uint8) : () @@ -1133,8 +1283,10 @@ module CheckedOps_TestU8OverflowingSub var _0 : (); var a : uint8 = a; var b : uint8 = b; + var _4 : bool; var _6 : (uint8, bool); var _9 : uint8; + var _14 : bool; var _16 : (uint8, bool); var _19 : bool; var _21 : Core_Option_Option_Type.t_option uint8; 
@@ -1142,22 +1294,24 @@ module CheckedOps_TestU8OverflowingSub goto BB0 } BB0 { - [#"../checked_ops.rs" 80 12 80 32] _6 <- ([#"../checked_ops.rs" 80 12 80 32] overflowing_sub0 ([#"../checked_ops.rs" 80 12 80 13] a) ([#"../checked_ops.rs" 80 30 80 31] b)); + [#"../checked_ops.rs" 80 12 80 32] _6 <- ([#"../checked_ops.rs" 80 12 80 32] overflowing_sub0 a b); goto BB1 } BB1 { assume { resolve0 _6 }; - [#"../checked_ops.rs" 80 38 80 55] _9 <- ([#"../checked_ops.rs" 80 38 80 55] wrapping_sub0 ([#"../checked_ops.rs" 80 38 80 39] a) ([#"../checked_ops.rs" 80 53 80 54] b)); + [#"../checked_ops.rs" 80 38 80 55] _9 <- ([#"../checked_ops.rs" 80 38 80 55] wrapping_sub0 a b); goto BB2 } BB2 { - switch ([#"../checked_ops.rs" 80 12 80 55] ([#"../checked_ops.rs" 80 12 80 34] let (a, _) = _6 in a) = _9) + [#"../checked_ops.rs" 80 12 80 55] _4 <- (let (a, _) = _6 in a) = _9; + _9 <- any uint8; + switch (_4) | False -> goto BB4 | True -> goto BB3 end } BB3 { - [#"../checked_ops.rs" 81 12 81 32] _16 <- ([#"../checked_ops.rs" 81 12 81 32] overflowing_sub0 ([#"../checked_ops.rs" 81 12 81 13] a) ([#"../checked_ops.rs" 81 30 81 31] b)); + [#"../checked_ops.rs" 81 12 81 32] _16 <- ([#"../checked_ops.rs" 81 12 81 32] overflowing_sub0 a b); goto BB5 } BB4 { 
@@ -1166,15 +1320,17 @@ module CheckedOps_TestU8OverflowingSub } BB5 { assume { resolve0 _16 }; - [#"../checked_ops.rs" 81 38 81 54] _21 <- ([#"../checked_ops.rs" 81 38 81 54] checked_sub0 ([#"../checked_ops.rs" 81 38 81 39] a) ([#"../checked_ops.rs" 81 52 81 53] b)); + [#"../checked_ops.rs" 81 38 81 54] _21 <- ([#"../checked_ops.rs" 81 38 81 54] checked_sub0 a b); goto BB6 } BB6 { - [#"../checked_ops.rs" 81 38 81 64] _19 <- ([#"../checked_ops.rs" 81 38 81 64] is_none0 ([#"../checked_ops.rs" 81 38 81 54] _21)); + [#"../checked_ops.rs" 81 38 81 64] _19 <- ([#"../checked_ops.rs" 81 38 81 64] is_none0 _21); goto BB7 } BB7 { - switch ([#"../checked_ops.rs" 81 12 81 64] Bool.eqb ([#"../checked_ops.rs" 81 12 81 34] let (_, a) = _16 in a) _19) + [#"../checked_ops.rs" 81 12 81 64] _14 <- Bool.eqb (let (_, a) = _16 in a) _19; + _19 <- any bool; + switch (_14) | False -> goto BB9 | True -> goto BB8 end 
@@ -1252,21 +1408,30 @@ module CheckedOps_TestU8MulExample use prelude.UInt8 val overflowing_mul0 (self : uint8) (rhs : uint8) : (uint8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] UInt8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (UInt8.to_int self * UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0) } val saturating_mul0 (self : uint8) (rhs : uint8) : uint8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 -> UInt8.to_int result = UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 + -> UInt8.to_int result = UInt8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int max0 } val wrapping_mul0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self * UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 
141 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option uint8) : bool 
@@ -1281,27 +1446,37 @@ module CheckedOps_TestU8MulExample val checked_mul0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = UInt8.to_int self * UInt8.to_int rhs } let rec cfg test_u8_mul_example [#"../checked_ops.rs" 85 0 85 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); + var _2 : bool; var _3 : uint8; var _4 : Core_Option_Option_Type.t_option uint8; var _7 : bool; var _9 : Core_Option_Option_Type.t_option uint8; + var _12 : bool; var _13 : uint8; + var _16 : bool; var _17 : uint8; + var _20 : bool; var _21 : uint8; + var _24 : bool; var _25 : uint8; var res : (uint8, bool); + var _29 : bool; + var _31 : bool; var res1 : (uint8, bool); + var _36 : bool; + var _38 : bool; { goto BB0 } BB0 { - [#"../checked_ops.rs" 86 12 86 31] _4 <- ([#"../checked_ops.rs" 86 12 86 31] checked_mul0 ([#"../checked_ops.rs" 86 12 86 15] [#"../checked_ops.rs" 86 12 86 15] (5 : uint8)) ([#"../checked_ops.rs" 86 28 86 30] [#"../checked_ops.rs" 86 28 86 30] (10 : uint8))); + [#"../checked_ops.rs" 86 12 86 31] _4 <- ([#"../checked_ops.rs" 86 12 86 31] checked_mul0 ([#"../checked_ops.rs" 86 12 86 15] (5 : uint8)) ([#"../checked_ops.rs" 86 28 86 30] (10 : uint8))); goto BB1 } BB1 { 
@@ -1310,13 +1485,15 @@ module CheckedOps_TestU8MulExample goto BB2 } BB2 { - switch ([#"../checked_ops.rs" 86 12 86 46] _3 = ([#"../checked_ops.rs" 86 44 86 46] [#"../checked_ops.rs" 86 44 86 46] (50 : uint8))) + [#"../checked_ops.rs" 86 12 86 46] _2 <- _3 = ([#"../checked_ops.rs" 86 44 86 46] (50 : uint8)); + _3 <- any uint8; + switch (_2) | False -> goto BB4 | True -> goto BB3 end } BB3 { - [#"../checked_ops.rs" 87 12 87 32] _9 <- ([#"../checked_ops.rs" 87 12 87 32] checked_mul0 ([#"../checked_ops.rs" 87 12 87 16] [#"../checked_ops.rs" 87 12 87 16] (50 : uint8)) ([#"../checked_ops.rs" 87 29 87 31] [#"../checked_ops.rs" 87 29 87 31] (10 : uint8))); + [#"../checked_ops.rs" 87 12 87 32] _9 <- ([#"../checked_ops.rs" 87 12 87 32] checked_mul0 ([#"../checked_ops.rs" 87 12 87 16] (50 : uint8)) ([#"../checked_ops.rs" 87 29 87 31] (10 : uint8))); goto BB5 } BB4 { @@ -1324,7 +1501,7 @@ module CheckedOps_TestU8MulExample absurd } BB5 { - [#"../checked_ops.rs" 87 12 87 42] _7 <- ([#"../checked_ops.rs" 87 12 87 42] is_none0 ([#"../checked_ops.rs" 87 12 87 32] _9)); + [#"../checked_ops.rs" 87 12 87 42] _7 <- ([#"../checked_ops.rs" 87 12 87 42] is_none0 _9); goto BB6 } BB6 { @@ -1334,7 +1511,7 @@ module CheckedOps_TestU8MulExample end } BB7 { - [#"../checked_ops.rs" 89 12 89 32] _13 <- ([#"../checked_ops.rs" 89 12 89 32] wrapping_mul0 ([#"../checked_ops.rs" 89 12 89 15] [#"../checked_ops.rs" 89 12 89 15] (5 : uint8)) ([#"../checked_ops.rs" 89 29 89 31] [#"../checked_ops.rs" 89 29 89 31] (10 : uint8))); + [#"../checked_ops.rs" 89 12 89 32] _13 <- ([#"../checked_ops.rs" 89 12 89 32] wrapping_mul0 ([#"../checked_ops.rs" 89 12 89 15] (5 : uint8)) ([#"../checked_ops.rs" 89 29 89 31] (10 : uint8))); goto BB9 } BB8 { 
@@ -1342,13 +1519,15 @@ module CheckedOps_TestU8MulExample absurd } BB9 { - switch ([#"../checked_ops.rs" 89 12 89 38] _13 = ([#"../checked_ops.rs" 89 36 89 38] [#"../checked_ops.rs" 89 36 89 38] (50 : uint8))) + [#"../checked_ops.rs" 89 12 89 38] _12 <- _13 = ([#"../checked_ops.rs" 89 36 89 38] (50 : uint8)); + _13 <- any uint8; + switch (_12) | False -> goto BB11 | True -> goto BB10 end } BB10 { - [#"../checked_ops.rs" 90 12 90 33] _17 <- ([#"../checked_ops.rs" 90 12 90 33] wrapping_mul0 ([#"../checked_ops.rs" 90 12 90 16] [#"../checked_ops.rs" 90 12 90 16] (50 : uint8)) ([#"../checked_ops.rs" 90 30 90 32] [#"../checked_ops.rs" 90 30 90 32] (10 : uint8))); + [#"../checked_ops.rs" 90 12 90 33] _17 <- ([#"../checked_ops.rs" 90 12 90 33] wrapping_mul0 ([#"../checked_ops.rs" 90 12 90 16] (50 : uint8)) ([#"../checked_ops.rs" 90 30 90 32] (10 : uint8))); goto BB12 } BB11 { @@ -1356,13 +1535,15 @@ module CheckedOps_TestU8MulExample absurd } BB12 { - switch ([#"../checked_ops.rs" 90 12 90 40] _17 = ([#"../checked_ops.rs" 90 37 90 40] [#"../checked_ops.rs" 90 37 90 40] (244 : uint8))) + [#"../checked_ops.rs" 90 12 90 40] _16 <- _17 = ([#"../checked_ops.rs" 90 37 90 40] (244 : uint8)); + _17 <- any uint8; + switch (_16) | False -> goto BB14 | True -> goto BB13 end } BB13 { - [#"../checked_ops.rs" 92 12 92 34] _21 <- ([#"../checked_ops.rs" 92 12 92 34] saturating_mul0 ([#"../checked_ops.rs" 92 12 92 15] [#"../checked_ops.rs" 92 12 92 15] (5 : uint8)) ([#"../checked_ops.rs" 92 31 92 33] [#"../checked_ops.rs" 92 31 92 33] (10 : uint8))); + [#"../checked_ops.rs" 92 12 92 34] _21 <- ([#"../checked_ops.rs" 92 12 92 34] saturating_mul0 ([#"../checked_ops.rs" 92 12 92 15] (5 : uint8)) ([#"../checked_ops.rs" 92 31 92 33] (10 : uint8))); goto BB15 } BB14 { 
@@ -1370,13 +1551,15 @@ module CheckedOps_TestU8MulExample absurd } BB15 { - switch ([#"../checked_ops.rs" 92 12 92 40] _21 = ([#"../checked_ops.rs" 92 38 92 40] [#"../checked_ops.rs" 92 38 92 40] (50 : uint8))) + [#"../checked_ops.rs" 92 12 92 40] _20 <- _21 = ([#"../checked_ops.rs" 92 38 92 40] (50 : uint8)); + _21 <- any uint8; + switch (_20) | False -> goto BB17 | True -> goto BB16 end } BB16 { - [#"../checked_ops.rs" 93 12 93 35] _25 <- ([#"../checked_ops.rs" 93 12 93 35] saturating_mul0 ([#"../checked_ops.rs" 93 12 93 16] [#"../checked_ops.rs" 93 12 93 16] (50 : uint8)) ([#"../checked_ops.rs" 93 32 93 34] [#"../checked_ops.rs" 93 32 93 34] (10 : uint8))); + [#"../checked_ops.rs" 93 12 93 35] _25 <- ([#"../checked_ops.rs" 93 12 93 35] saturating_mul0 ([#"../checked_ops.rs" 93 12 93 16] (50 : uint8)) ([#"../checked_ops.rs" 93 32 93 34] (10 : uint8))); goto BB18 } BB17 { @@ -1384,13 +1567,15 @@ module CheckedOps_TestU8MulExample absurd } BB18 { - switch ([#"../checked_ops.rs" 93 12 93 42] _25 = ([#"../checked_ops.rs" 93 39 93 42] [#"../checked_ops.rs" 93 39 93 42] (255 : uint8))) + [#"../checked_ops.rs" 93 12 93 42] _24 <- _25 = ([#"../checked_ops.rs" 93 39 93 42] (255 : uint8)); + _25 <- any uint8; + switch (_24) | False -> goto BB20 | True -> goto BB19 end } BB19 { - [#"../checked_ops.rs" 95 14 95 37] res <- ([#"../checked_ops.rs" 95 14 95 37] overflowing_mul0 ([#"../checked_ops.rs" 95 14 95 17] [#"../checked_ops.rs" 95 14 95 17] (5 : uint8)) ([#"../checked_ops.rs" 95 34 95 36] [#"../checked_ops.rs" 95 34 95 36] (10 : uint8))); + [#"../checked_ops.rs" 95 14 95 37] res <- ([#"../checked_ops.rs" 95 14 95 37] overflowing_mul0 ([#"../checked_ops.rs" 95 14 95 17] (5 : uint8)) ([#"../checked_ops.rs" 95 34 95 36] (10 : uint8))); goto BB21 } BB20 { 
@@ -1398,20 +1583,22 @@ module CheckedOps_TestU8MulExample absurd } BB21 { - switch ([#"../checked_ops.rs" 96 12 96 23] ([#"../checked_ops.rs" 96 12 96 17] let (a, _) = res in a) = ([#"../checked_ops.rs" 96 21 96 23] [#"../checked_ops.rs" 96 21 96 23] (50 : uint8))) + [#"../checked_ops.rs" 96 12 96 23] _29 <- (let (a, _) = res in a) = ([#"../checked_ops.rs" 96 21 96 23] (50 : uint8)); + switch (_29) | False -> goto BB25 | True -> goto BB22 end } BB22 { assume { resolve0 res }; - switch ([#"../checked_ops.rs" 96 27 96 41] Bool.eqb ([#"../checked_ops.rs" 96 27 96 32] let (_, a) = res in a) ([#"../checked_ops.rs" 96 36 96 41] [#"../checked_ops.rs" 96 36 96 41] false)) + [#"../checked_ops.rs" 96 27 96 41] _31 <- Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 96 36 96 41] false); + switch (_31) | False -> goto BB24 | True -> goto BB23 end } BB23 { - [#"../checked_ops.rs" 97 14 97 38] res1 <- ([#"../checked_ops.rs" 97 14 97 38] overflowing_mul0 ([#"../checked_ops.rs" 97 14 97 18] [#"../checked_ops.rs" 97 14 97 18] (50 : uint8)) ([#"../checked_ops.rs" 97 35 97 37] [#"../checked_ops.rs" 97 35 97 37] (10 : uint8))); + [#"../checked_ops.rs" 97 14 97 38] res1 <- ([#"../checked_ops.rs" 97 14 97 38] overflowing_mul0 ([#"../checked_ops.rs" 97 14 97 18] (50 : uint8)) ([#"../checked_ops.rs" 97 35 97 37] (10 : uint8))); goto BB27 } BB24 { 
@@ -1426,14 +1613,16 @@ module CheckedOps_TestU8MulExample absurd } BB27 { - switch ([#"../checked_ops.rs" 98 12 98 24] ([#"../checked_ops.rs" 98 12 98 17] let (a, _) = res1 in a) = ([#"../checked_ops.rs" 98 21 98 24] [#"../checked_ops.rs" 98 21 98 24] (244 : uint8))) + [#"../checked_ops.rs" 98 12 98 24] _36 <- (let (a, _) = res1 in a) = ([#"../checked_ops.rs" 98 21 98 24] (244 : uint8)); + switch (_36) | False -> goto BB31 | True -> goto BB28 end } BB28 { assume { resolve0 res1 }; - switch ([#"../checked_ops.rs" 98 28 98 41] Bool.eqb ([#"../checked_ops.rs" 98 28 98 33] let (_, a) = res1 in a) ([#"../checked_ops.rs" 98 37 98 41] [#"../checked_ops.rs" 98 37 98 41] true)) + [#"../checked_ops.rs" 98 28 98 41] _38 <- Bool.eqb (let (_, a) = res1 in a) ([#"../checked_ops.rs" 98 37 98 41] true); + switch (_38) | False -> goto BB30 | True -> goto BB29 end 
@@ -1508,21 +1697,30 @@ module CheckedOps_TestU8MulZero use prelude.UInt8 val overflowing_mul0 (self : uint8) (rhs : uint8) : (uint8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] UInt8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (UInt8.to_int self * UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0) } val saturating_mul0 (self : uint8) (rhs : uint8) : uint8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 -> UInt8.to_int result = UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 + -> UInt8.to_int result = UInt8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int max0 } val wrapping_mul0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self * UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 
141 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } val unwrap0 (self : Core_Option_Option_Type.t_option uint8) : uint8 requires {[#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self <> Core_Option_Option_Type.C_None} 
@@ -1532,23 +1730,29 @@ module CheckedOps_TestU8MulZero val checked_mul0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = UInt8.to_int self * UInt8.to_int rhs } let rec cfg test_u8_mul_zero [#"../checked_ops.rs" 102 0 102 30] [@cfg:stackify] [@cfg:subregion_analysis] (a : uint8) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var a : uint8 = a; + var _3 : bool; var _4 : uint8; var _5 : Core_Option_Option_Type.t_option uint8; + var _9 : bool; var _10 : uint8; + var _14 : bool; var _15 : uint8; var res : (uint8, bool); + var _21 : bool; + var _23 : bool; { goto BB0 } BB0 { - [#"../checked_ops.rs" 103 12 103 30] _5 <- ([#"../checked_ops.rs" 103 12 103 30] checked_mul0 ([#"../checked_ops.rs" 103 12 103 15] [#"../checked_ops.rs" 103 12 103 15] (0 : uint8)) ([#"../checked_ops.rs" 103 28 103 29] a)); + [#"../checked_ops.rs" 103 12 103 30] _5 <- ([#"../checked_ops.rs" 103 12 103 30] checked_mul0 ([#"../checked_ops.rs" 103 12 103 15] (0 : uint8)) a); goto BB1 } BB1 { 
@@ -1557,13 +1761,15 @@ module CheckedOps_TestU8MulZero goto BB2 } BB2 { - switch ([#"../checked_ops.rs" 103 12 103 44] _4 = ([#"../checked_ops.rs" 103 43 103 44] [#"../checked_ops.rs" 103 43 103 44] (0 : uint8))) + [#"../checked_ops.rs" 103 12 103 44] _3 <- _4 = ([#"../checked_ops.rs" 103 43 103 44] (0 : uint8)); + _4 <- any uint8; + switch (_3) | False -> goto BB4 | True -> goto BB3 end } BB3 { - [#"../checked_ops.rs" 104 12 104 31] _10 <- ([#"../checked_ops.rs" 104 12 104 31] wrapping_mul0 ([#"../checked_ops.rs" 104 12 104 15] [#"../checked_ops.rs" 104 12 104 15] (0 : uint8)) ([#"../checked_ops.rs" 104 29 104 30] a)); + [#"../checked_ops.rs" 104 12 104 31] _10 <- ([#"../checked_ops.rs" 104 12 104 31] wrapping_mul0 ([#"../checked_ops.rs" 104 12 104 15] (0 : uint8)) a); goto BB5 } BB4 { @@ -1571,13 +1777,15 @@ module CheckedOps_TestU8MulZero absurd } BB5 { - switch ([#"../checked_ops.rs" 104 12 104 36] _10 = ([#"../checked_ops.rs" 104 35 104 36] [#"../checked_ops.rs" 104 35 104 36] (0 : uint8))) + [#"../checked_ops.rs" 104 12 104 36] _9 <- _10 = ([#"../checked_ops.rs" 104 35 104 36] (0 : uint8)); + _10 <- any uint8; + switch (_9) | False -> goto BB7 | True -> goto BB6 end } BB6 { - [#"../checked_ops.rs" 105 12 105 33] _15 <- ([#"../checked_ops.rs" 105 12 105 33] saturating_mul0 ([#"../checked_ops.rs" 105 12 105 15] [#"../checked_ops.rs" 105 12 105 15] (0 : uint8)) ([#"../checked_ops.rs" 105 31 105 32] a)); + [#"../checked_ops.rs" 105 12 105 33] _15 <- ([#"../checked_ops.rs" 105 12 105 33] saturating_mul0 ([#"../checked_ops.rs" 105 12 105 15] (0 : uint8)) a); goto BB8 } BB7 { 
@@ -1585,13 +1793,15 @@ module CheckedOps_TestU8MulZero absurd } BB8 { - switch ([#"../checked_ops.rs" 105 12 105 38] _15 = ([#"../checked_ops.rs" 105 37 105 38] [#"../checked_ops.rs" 105 37 105 38] (0 : uint8))) + [#"../checked_ops.rs" 105 12 105 38] _14 <- _15 = ([#"../checked_ops.rs" 105 37 105 38] (0 : uint8)); + _15 <- any uint8; + switch (_14) | False -> goto BB10 | True -> goto BB9 end } BB9 { - [#"../checked_ops.rs" 106 14 106 36] res <- ([#"../checked_ops.rs" 106 14 106 36] overflowing_mul0 ([#"../checked_ops.rs" 106 14 106 17] [#"../checked_ops.rs" 106 14 106 17] (0 : uint8)) ([#"../checked_ops.rs" 106 34 106 35] a)); + [#"../checked_ops.rs" 106 14 106 36] res <- ([#"../checked_ops.rs" 106 14 106 36] overflowing_mul0 ([#"../checked_ops.rs" 106 14 106 17] (0 : uint8)) a); goto BB11 } BB10 { @@ -1599,14 +1809,16 @@ module CheckedOps_TestU8MulZero absurd } BB11 { - switch ([#"../checked_ops.rs" 107 12 107 22] ([#"../checked_ops.rs" 107 12 107 17] let (a, _) = res in a) = ([#"../checked_ops.rs" 107 21 107 22] [#"../checked_ops.rs" 107 21 107 22] (0 : uint8))) + [#"../checked_ops.rs" 107 12 107 22] _21 <- (let (a, _) = res in a) = ([#"../checked_ops.rs" 107 21 107 22] (0 : uint8)); + switch (_21) | False -> goto BB15 | True -> goto BB12 end } BB12 { assume { resolve0 res }; - switch ([#"../checked_ops.rs" 107 26 107 40] Bool.eqb ([#"../checked_ops.rs" 107 26 107 31] let (_, a) = res in a) ([#"../checked_ops.rs" 107 35 107 40] [#"../checked_ops.rs" 107 35 107 40] false)) + [#"../checked_ops.rs" 107 26 107 40] _23 <- Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 107 35 107 40] false); + switch (_23) | False -> goto BB14 | True -> goto BB13 end 
@@ -1655,7 +1867,8 @@ module CheckedOps_TestU8OverflowingMul use prelude.UInt8 val checked_mul0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = UInt8.to_int self * UInt8.to_int rhs } use prelude.UInt32 use int.EuclideanDivision 
@@ -1665,9 +1878,12 @@ module CheckedOps_TestU8OverflowingMul (8 : uint32) val wrapping_mul0 (self : uint8) (rhs : uint8) : uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] UInt8.to_int result = EuclideanDivision.mod (UInt8.to_int self * UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int result = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } predicate resolve2 (self : bool) = [#"../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true 
@@ -1686,9 +1902,12 @@ module CheckedOps_TestU8OverflowingMul val overflowing_mul0 (self : uint8) (rhs : uint8) : (uint8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] UInt8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (UInt8.to_int self * UInt8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + UInt8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] UInt8.to_int self * UInt8.to_int rhs >= UInt8.to_int min0 /\ UInt8.to_int self * UInt8.to_int rhs <= UInt8.to_int max0 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 + -> (exists k : int . k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs + k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0 + -> (exists k : int . 
k > 0 /\ UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self * UInt8.to_int rhs - k * (UInt8.to_int max0 - UInt8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (UInt8.to_int self * UInt8.to_int rhs < UInt8.to_int min0 \/ UInt8.to_int self * UInt8.to_int rhs > UInt8.to_int max0) } let rec cfg test_u8_overflowing_mul [#"../checked_ops.rs" 111 0 111 44] [@cfg:stackify] [@cfg:subregion_analysis] (a : uint8) (b : uint8) : () @@ -1697,8 +1916,10 @@ module CheckedOps_TestU8OverflowingMul var _0 : (); var a : uint8 = a; var b : uint8 = b; + var _4 : bool; var _6 : (uint8, bool); var _9 : uint8; + var _14 : bool; var _16 : (uint8, bool); var _19 : bool; var _21 : Core_Option_Option_Type.t_option uint8; 
@@ -1706,22 +1927,24 @@ module CheckedOps_TestU8OverflowingMul goto BB0 } BB0 { - [#"../checked_ops.rs" 112 12 112 32] _6 <- ([#"../checked_ops.rs" 112 12 112 32] overflowing_mul0 ([#"../checked_ops.rs" 112 12 112 13] a) ([#"../checked_ops.rs" 112 30 112 31] b)); + [#"../checked_ops.rs" 112 12 112 32] _6 <- ([#"../checked_ops.rs" 112 12 112 32] overflowing_mul0 a b); goto BB1 } BB1 { assume { resolve0 _6 }; - [#"../checked_ops.rs" 112 38 112 55] _9 <- ([#"../checked_ops.rs" 112 38 112 55] wrapping_mul0 ([#"../checked_ops.rs" 112 38 112 39] a) ([#"../checked_ops.rs" 112 53 112 54] b)); + [#"../checked_ops.rs" 112 38 112 55] _9 <- ([#"../checked_ops.rs" 112 38 112 55] wrapping_mul0 a b); goto BB2 } BB2 { - switch ([#"../checked_ops.rs" 112 12 112 55] ([#"../checked_ops.rs" 112 12 112 34] let (a, _) = _6 in a) = _9) + [#"../checked_ops.rs" 112 12 112 55] _4 <- (let (a, _) = _6 in a) = _9; + _9 <- any uint8; + switch (_4) | False -> goto BB4 | True -> goto BB3 end } BB3 { - [#"../checked_ops.rs" 113 12 113 32] _16 <- ([#"../checked_ops.rs" 113 12 113 32] overflowing_mul0 ([#"../checked_ops.rs" 113 12 113 13] a) ([#"../checked_ops.rs" 113 30 113 31] b)); + [#"../checked_ops.rs" 113 12 113 32] _16 <- ([#"../checked_ops.rs" 113 12 113 32] overflowing_mul0 a b); goto BB5 } BB4 { 
@@ -1730,15 +1953,17 @@ module CheckedOps_TestU8OverflowingMul } BB5 { assume { resolve0 _16 }; - [#"../checked_ops.rs" 113 38 113 54] _21 <- ([#"../checked_ops.rs" 113 38 113 54] checked_mul0 ([#"../checked_ops.rs" 113 38 113 39] a) ([#"../checked_ops.rs" 113 52 113 53] b)); + [#"../checked_ops.rs" 113 38 113 54] _21 <- ([#"../checked_ops.rs" 113 38 113 54] checked_mul0 a b); goto BB6 } BB6 { - [#"../checked_ops.rs" 113 38 113 64] _19 <- ([#"../checked_ops.rs" 113 38 113 64] is_none0 ([#"../checked_ops.rs" 113 38 113 54] _21)); + [#"../checked_ops.rs" 113 38 113 64] _19 <- ([#"../checked_ops.rs" 113 38 113 64] is_none0 _21); goto BB7 } BB7 { - switch ([#"../checked_ops.rs" 113 12 113 64] Bool.eqb ([#"../checked_ops.rs" 113 12 113 34] let (_, a) = _16 in a) _19) + [#"../checked_ops.rs" 113 12 113 64] _14 <- Bool.eqb (let (_, a) = _16 in a) _19; + _19 <- any bool; + switch (_14) | False -> goto BB9 | True -> goto BB8 end 
@@ -1808,18 +2033,21 @@ module CheckedOps_TestU8DivExample use prelude.UInt8 val overflowing_div0 (self : uint8) (rhs : uint8) : (uint8, bool) requires {[#"../../../../creusot-contracts/src/std/num.rs" 91 27 91 36] UInt8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 93 16 93 87] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 93 16 93 87] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 95 26 95 91] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 \/ UInt8.to_int (let (a, _) = result in a) = div (UInt8.to_int self) (UInt8.to_int rhs) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 97 26 97 74] (let (_, a) = result in a) = (UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1) } val saturating_div0 (self : uint8) (rhs : uint8) : uint8 requires {[#"../../../../creusot-contracts/src/std/num.rs" 82 27 82 36] UInt8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 84 16 84 91] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 -> UInt8.to_int result = UInt8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 84 16 84 91] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 + -> UInt8.to_int result = UInt8.to_int min0 } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 86 26 86 89] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 \/ UInt8.to_int result = div (UInt8.to_int self) (UInt8.to_int rhs) } val wrapping_div0 (self : uint8) (rhs : uint8) : uint8 requires {[#"../../../../creusot-contracts/src/std/num.rs" 73 27 73 36] UInt8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 75 16 75 85] 
UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 -> UInt8.to_int result = UInt8.to_int self } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 75 16 75 85] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 + -> UInt8.to_int result = UInt8.to_int self } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 77 26 77 89] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 \/ UInt8.to_int result = div (UInt8.to_int self) (UInt8.to_int rhs) } val unwrap0 (self : Core_Option_Option_Type.t_option uint8) : uint8 @@ -1835,7 +2063,8 @@ module CheckedOps_TestU8DivExample val checked_div0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 66 26 66 97] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int rhs = 0 \/ UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = div (UInt8.to_int self) (UInt8.to_int rhs) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = div (UInt8.to_int self) (UInt8.to_int rhs) } let rec cfg test_u8_div_example [#"../checked_ops.rs" 117 0 117 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () 
@@ -1843,20 +2072,25 @@ module CheckedOps_TestU8DivExample var _0 : (); var _2 : bool; var _4 : Core_Option_Option_Type.t_option uint8; + var _7 : bool; var _8 : uint8; var _9 : Core_Option_Option_Type.t_option uint8; + var _12 : bool; var _13 : uint8; + var _16 : bool; var _17 : uint8; var res : (uint8, bool); + var _21 : bool; + var _23 : bool; { goto BB0 } BB0 { - [#"../checked_ops.rs" 118 12 118 30] _4 <- ([#"../checked_ops.rs" 118 12 118 30] checked_div0 ([#"../checked_ops.rs" 118 12 118 15] [#"../checked_ops.rs" 118 12 118 15] (5 : uint8)) ([#"../checked_ops.rs" 118 28 118 29] [#"../checked_ops.rs" 118 28 118 29] (0 : uint8))); + [#"../checked_ops.rs" 118 12 118 30] _4 <- ([#"../checked_ops.rs" 118 12 118 30] checked_div0 ([#"../checked_ops.rs" 118 12 118 15] (5 : uint8)) ([#"../checked_ops.rs" 118 28 118 29] (0 : uint8))); goto BB1 } BB1 { - [#"../checked_ops.rs" 118 12 118 40] _2 <- ([#"../checked_ops.rs" 118 12 118 40] is_none0 ([#"../checked_ops.rs" 118 12 118 30] _4)); + [#"../checked_ops.rs" 118 12 118 40] _2 <- ([#"../checked_ops.rs" 118 12 118 40] is_none0 _4); goto BB2 } BB2 { @@ -1866,7 +2100,7 @@ module CheckedOps_TestU8DivExample end } BB3 { - [#"../checked_ops.rs" 119 12 119 30] _9 <- ([#"../checked_ops.rs" 119 12 119 30] checked_div0 ([#"../checked_ops.rs" 119 12 119 15] [#"../checked_ops.rs" 119 12 119 15] (5 : uint8)) ([#"../checked_ops.rs" 119 28 119 29] [#"../checked_ops.rs" 119 28 119 29] (2 : uint8))); + [#"../checked_ops.rs" 119 12 119 30] _9 <- ([#"../checked_ops.rs" 119 12 119 30] checked_div0 ([#"../checked_ops.rs" 119 12 119 15] (5 : uint8)) ([#"../checked_ops.rs" 119 28 119 29] (2 : uint8))); goto BB5 } BB4 { 
@@ -1879,13 +2113,15 @@ module CheckedOps_TestU8DivExample goto BB6 } BB6 { - switch ([#"../checked_ops.rs" 119 12 119 44] _8 = ([#"../checked_ops.rs" 119 43 119 44] [#"../checked_ops.rs" 119 43 119 44] (2 : uint8))) + [#"../checked_ops.rs" 119 12 119 44] _7 <- _8 = ([#"../checked_ops.rs" 119 43 119 44] (2 : uint8)); + _8 <- any uint8; + switch (_7) | False -> goto BB8 | True -> goto BB7 end } BB7 { - [#"../checked_ops.rs" 120 12 120 31] _13 <- ([#"../checked_ops.rs" 120 12 120 31] wrapping_div0 ([#"../checked_ops.rs" 120 12 120 15] [#"../checked_ops.rs" 120 12 120 15] (5 : uint8)) ([#"../checked_ops.rs" 120 29 120 30] [#"../checked_ops.rs" 120 29 120 30] (2 : uint8))); + [#"../checked_ops.rs" 120 12 120 31] _13 <- ([#"../checked_ops.rs" 120 12 120 31] wrapping_div0 ([#"../checked_ops.rs" 120 12 120 15] (5 : uint8)) ([#"../checked_ops.rs" 120 29 120 30] (2 : uint8))); goto BB9 } BB8 { @@ -1893,13 +2129,15 @@ module CheckedOps_TestU8DivExample absurd } BB9 { - switch ([#"../checked_ops.rs" 120 12 120 36] _13 = ([#"../checked_ops.rs" 120 35 120 36] [#"../checked_ops.rs" 120 35 120 36] (2 : uint8))) + [#"../checked_ops.rs" 120 12 120 36] _12 <- _13 = ([#"../checked_ops.rs" 120 35 120 36] (2 : uint8)); + _13 <- any uint8; + switch (_12) | False -> goto BB11 | True -> goto BB10 end } BB10 { - [#"../checked_ops.rs" 121 12 121 33] _17 <- ([#"../checked_ops.rs" 121 12 121 33] saturating_div0 ([#"../checked_ops.rs" 121 12 121 15] [#"../checked_ops.rs" 121 12 121 15] (5 : uint8)) ([#"../checked_ops.rs" 121 31 121 32] [#"../checked_ops.rs" 121 31 121 32] (2 : uint8))); + [#"../checked_ops.rs" 121 12 121 33] _17 <- ([#"../checked_ops.rs" 121 12 121 33] saturating_div0 ([#"../checked_ops.rs" 121 12 121 15] (5 : uint8)) ([#"../checked_ops.rs" 121 31 121 32] (2 : uint8))); goto BB12 } BB11 { 
@@ -1907,13 +2145,15 @@ module CheckedOps_TestU8DivExample absurd } BB12 { - switch ([#"../checked_ops.rs" 121 12 121 38] _17 = ([#"../checked_ops.rs" 121 37 121 38] [#"../checked_ops.rs" 121 37 121 38] (2 : uint8))) + [#"../checked_ops.rs" 121 12 121 38] _16 <- _17 = ([#"../checked_ops.rs" 121 37 121 38] (2 : uint8)); + _17 <- any uint8; + switch (_16) | False -> goto BB14 | True -> goto BB13 end } BB13 { - [#"../checked_ops.rs" 122 14 122 36] res <- ([#"../checked_ops.rs" 122 14 122 36] overflowing_div0 ([#"../checked_ops.rs" 122 14 122 17] [#"../checked_ops.rs" 122 14 122 17] (5 : uint8)) ([#"../checked_ops.rs" 122 34 122 35] [#"../checked_ops.rs" 122 34 122 35] (2 : uint8))); + [#"../checked_ops.rs" 122 14 122 36] res <- ([#"../checked_ops.rs" 122 14 122 36] overflowing_div0 ([#"../checked_ops.rs" 122 14 122 17] (5 : uint8)) ([#"../checked_ops.rs" 122 34 122 35] (2 : uint8))); goto BB15 } BB14 { @@ -1921,14 +2161,16 @@ module CheckedOps_TestU8DivExample absurd } BB15 { - switch ([#"../checked_ops.rs" 123 12 123 22] ([#"../checked_ops.rs" 123 12 123 17] let (a, _) = res in a) = ([#"../checked_ops.rs" 123 21 123 22] [#"../checked_ops.rs" 123 21 123 22] (2 : uint8))) + [#"../checked_ops.rs" 123 12 123 22] _21 <- (let (a, _) = res in a) = ([#"../checked_ops.rs" 123 21 123 22] (2 : uint8)); + switch (_21) | False -> goto BB19 | True -> goto BB16 end } BB16 { assume { resolve0 res }; - switch ([#"../checked_ops.rs" 123 26 123 40] Bool.eqb ([#"../checked_ops.rs" 123 26 123 31] let (_, a) = res in a) ([#"../checked_ops.rs" 123 35 123 40] [#"../checked_ops.rs" 123 35 123 40] false)) + [#"../checked_ops.rs" 123 26 123 40] _23 <- Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 123 35 123 40] false); + switch (_23) | False -> goto BB18 | True -> goto BB17 end 
@@ -1995,18 +2237,21 @@ module CheckedOps_TestU8DivNoOverflow (0 : uint8) val overflowing_div0 (self : uint8) (rhs : uint8) : (uint8, bool) requires {[#"../../../../creusot-contracts/src/std/num.rs" 91 27 91 36] UInt8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 93 16 93 87] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 93 16 93 87] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 + -> UInt8.to_int (let (a, _) = result in a) = UInt8.to_int self } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 95 26 95 91] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 \/ UInt8.to_int (let (a, _) = result in a) = div (UInt8.to_int self) (UInt8.to_int rhs) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 97 26 97 74] (let (_, a) = result in a) = (UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1) } val saturating_div0 (self : uint8) (rhs : uint8) : uint8 requires {[#"../../../../creusot-contracts/src/std/num.rs" 82 27 82 36] UInt8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 84 16 84 91] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 -> UInt8.to_int result = UInt8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 84 16 84 91] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 + -> UInt8.to_int result = UInt8.to_int min0 } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 86 26 86 89] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 \/ UInt8.to_int result = div (UInt8.to_int self) (UInt8.to_int rhs) } val wrapping_div0 (self : uint8) (rhs : uint8) : uint8 requires {[#"../../../../creusot-contracts/src/std/num.rs" 73 27 73 36] UInt8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 75 16 75 85] 
UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 -> UInt8.to_int result = UInt8.to_int self } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 75 16 75 85] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 + -> UInt8.to_int result = UInt8.to_int self } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 77 26 77 89] UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1 \/ UInt8.to_int result = div (UInt8.to_int self) (UInt8.to_int rhs) } val unwrap0 (self : Core_Option_Option_Type.t_option uint8) : uint8 @@ -2017,7 +2262,8 @@ module CheckedOps_TestU8DivNoOverflow val checked_div0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 66 26 66 97] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int rhs = 0 \/ UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = div (UInt8.to_int self) (UInt8.to_int rhs) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = div (UInt8.to_int self) (UInt8.to_int rhs) } let rec cfg test_u8_div_no_overflow [#"../checked_ops.rs" 128 0 128 44] [@cfg:stackify] [@cfg:subregion_analysis] (a : uint8) (b : uint8) : () requires {[#"../checked_ops.rs" 127 11 127 18] UInt8.to_int b <> 0} 
@@ -2026,24 +2272,33 @@ module CheckedOps_TestU8DivNoOverflow var _0 : (); var a : uint8 = a; var b : uint8 = b; + var _5 : bool; var _6 : uint8; var _7 : Core_Option_Option_Type.t_option uint8; + var _10 : uint8; var _12 : uint8; var _13 : bool; + var _16 : bool; var _17 : uint8; + var _20 : uint8; var _22 : uint8; var _23 : bool; + var _26 : bool; var _27 : uint8; + var _30 : uint8; var _32 : uint8; var _33 : bool; var res : (uint8, bool); + var _39 : bool; + var _41 : uint8; var _43 : uint8; var _44 : bool; + var _45 : bool; { goto BB0 } BB0 { - [#"../checked_ops.rs" 129 12 129 28] _7 <- ([#"../checked_ops.rs" 129 12 129 28] checked_div0 ([#"../checked_ops.rs" 129 12 129 13] a) ([#"../checked_ops.rs" 129 26 129 27] b)); + [#"../checked_ops.rs" 129 12 129 28] _7 <- ([#"../checked_ops.rs" 129 12 129 28] checked_div0 a b); goto BB1 } BB1 { 
@@ -2052,19 +2307,24 @@ module CheckedOps_TestU8DivNoOverflow goto BB2 } BB2 { - [#"../checked_ops.rs" 129 45 129 46] _12 <- ([#"../checked_ops.rs" 129 45 129 46] b); - [#"../checked_ops.rs" 129 41 129 46] _13 <- ([#"../checked_ops.rs" 129 41 129 46] _12 = ([#"../checked_ops.rs" 129 41 129 46] [#"../checked_ops.rs" 129 41 129 46] (0 : uint8))); + [#"../checked_ops.rs" 129 45 129 46] _12 <- b; + [#"../checked_ops.rs" 129 41 129 46] _13 <- _12 = ([#"../checked_ops.rs" 129 41 129 46] (0 : uint8)); assert { [@expl:division by zero] [#"../checked_ops.rs" 129 41 129 46] not _13 }; goto BB3 } BB3 { - switch ([#"../checked_ops.rs" 129 12 129 46] _6 = ([#"../checked_ops.rs" 129 41 129 46] ([#"../checked_ops.rs" 129 41 129 42] a) / _12)) + [#"../checked_ops.rs" 129 41 129 46] _10 <- a / _12; + _12 <- any uint8; + [#"../checked_ops.rs" 129 12 129 46] _5 <- _6 = _10; + _6 <- any uint8; + _10 <- any uint8; + switch (_5) | False -> goto BB5 | True -> goto BB4 end } BB4 { - [#"../checked_ops.rs" 130 12 130 29] _17 <- ([#"../checked_ops.rs" 130 12 130 29] wrapping_div0 ([#"../checked_ops.rs" 130 12 130 13] a) ([#"../checked_ops.rs" 130 27 130 28] b)); + [#"../checked_ops.rs" 130 12 130 29] _17 <- ([#"../checked_ops.rs" 130 12 130 29] wrapping_div0 a b); goto BB6 } BB5 { 
@@ -2072,19 +2332,24 @@ module CheckedOps_TestU8DivNoOverflow absurd } BB6 { - [#"../checked_ops.rs" 130 37 130 38] _22 <- ([#"../checked_ops.rs" 130 37 130 38] b); - [#"../checked_ops.rs" 130 33 130 38] _23 <- ([#"../checked_ops.rs" 130 33 130 38] _22 = ([#"../checked_ops.rs" 130 33 130 38] [#"../checked_ops.rs" 130 33 130 38] (0 : uint8))); + [#"../checked_ops.rs" 130 37 130 38] _22 <- b; + [#"../checked_ops.rs" 130 33 130 38] _23 <- _22 = ([#"../checked_ops.rs" 130 33 130 38] (0 : uint8)); assert { [@expl:division by zero] [#"../checked_ops.rs" 130 33 130 38] not _23 }; goto BB7 } BB7 { - switch ([#"../checked_ops.rs" 130 12 130 38] _17 = ([#"../checked_ops.rs" 130 33 130 38] ([#"../checked_ops.rs" 130 33 130 34] a) / _22)) + [#"../checked_ops.rs" 130 33 130 38] _20 <- a / _22; + _22 <- any uint8; + [#"../checked_ops.rs" 130 12 130 38] _16 <- _17 = _20; + _17 <- any uint8; + _20 <- any uint8; + switch (_16) | False -> goto BB9 | True -> goto BB8 end } BB8 { - [#"../checked_ops.rs" 131 12 131 31] _27 <- ([#"../checked_ops.rs" 131 12 131 31] saturating_div0 ([#"../checked_ops.rs" 131 12 131 13] a) ([#"../checked_ops.rs" 131 29 131 30] b)); + [#"../checked_ops.rs" 131 12 131 31] _27 <- ([#"../checked_ops.rs" 131 12 131 31] saturating_div0 a b); goto BB10 } BB9 { 
@@ -2092,19 +2357,24 @@ module CheckedOps_TestU8DivNoOverflow absurd } BB10 { - [#"../checked_ops.rs" 131 39 131 40] _32 <- ([#"../checked_ops.rs" 131 39 131 40] b); - [#"../checked_ops.rs" 131 35 131 40] _33 <- ([#"../checked_ops.rs" 131 35 131 40] _32 = ([#"../checked_ops.rs" 131 35 131 40] [#"../checked_ops.rs" 131 35 131 40] (0 : uint8))); + [#"../checked_ops.rs" 131 39 131 40] _32 <- b; + [#"../checked_ops.rs" 131 35 131 40] _33 <- _32 = ([#"../checked_ops.rs" 131 35 131 40] (0 : uint8)); assert { [@expl:division by zero] [#"../checked_ops.rs" 131 35 131 40] not _33 }; goto BB11 } BB11 { - switch ([#"../checked_ops.rs" 131 12 131 40] _27 = ([#"../checked_ops.rs" 131 35 131 40] ([#"../checked_ops.rs" 131 35 131 36] a) / _32)) + [#"../checked_ops.rs" 131 35 131 40] _30 <- a / _32; + _32 <- any uint8; + [#"../checked_ops.rs" 131 12 131 40] _26 <- _27 = _30; + _27 <- any uint8; + _30 <- any uint8; + switch (_26) | False -> goto BB13 | True -> goto BB12 end } BB12 { - [#"../checked_ops.rs" 132 14 132 34] res <- ([#"../checked_ops.rs" 132 14 132 34] overflowing_div0 ([#"../checked_ops.rs" 132 14 132 15] a) ([#"../checked_ops.rs" 132 32 132 33] b)); + [#"../checked_ops.rs" 132 14 132 34] res <- ([#"../checked_ops.rs" 132 14 132 34] overflowing_div0 a b); goto BB14 } BB13 { 
@@ -2112,20 +2382,25 @@ module CheckedOps_TestU8DivNoOverflow absurd } BB14 { - [#"../checked_ops.rs" 133 25 133 26] _43 <- ([#"../checked_ops.rs" 133 25 133 26] b); - [#"../checked_ops.rs" 133 21 133 26] _44 <- ([#"../checked_ops.rs" 133 21 133 26] _43 = ([#"../checked_ops.rs" 133 21 133 26] [#"../checked_ops.rs" 133 21 133 26] (0 : uint8))); + [#"../checked_ops.rs" 133 25 133 26] _43 <- b; + [#"../checked_ops.rs" 133 21 133 26] _44 <- _43 = ([#"../checked_ops.rs" 133 21 133 26] (0 : uint8)); assert { [@expl:division by zero] [#"../checked_ops.rs" 133 21 133 26] not _44 }; goto BB15 } BB15 { - switch ([#"../checked_ops.rs" 133 12 133 26] ([#"../checked_ops.rs" 133 12 133 17] let (a, _) = res in a) = ([#"../checked_ops.rs" 133 21 133 26] ([#"../checked_ops.rs" 133 21 133 22] a) / _43)) + [#"../checked_ops.rs" 133 21 133 26] _41 <- a / _43; + _43 <- any uint8; + [#"../checked_ops.rs" 133 12 133 26] _39 <- (let (a, _) = res in a) = _41; + _41 <- any uint8; + switch (_39) | False -> goto BB19 | True -> goto BB16 end } BB16 { assume { resolve0 res }; - switch ([#"../checked_ops.rs" 133 30 133 44] Bool.eqb ([#"../checked_ops.rs" 133 30 133 35] let (_, a) = res in a) ([#"../checked_ops.rs" 133 39 133 44] [#"../checked_ops.rs" 133 39 133 44] false)) + [#"../checked_ops.rs" 133 30 133 44] _45 <- Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 133 39 133 44] false); + switch (_45) | False -> goto BB18 | True -> goto BB17 end 
@@ -2171,7 +2446,8 @@ module CheckedOps_TestU8DivZero use prelude.UInt8 val checked_div0 (self : uint8) (rhs : uint8) : Core_Option_Option_Type.t_option uint8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 66 26 66 97] (result = Core_Option_Option_Type.C_None) = (UInt8.to_int rhs = 0 \/ UInt8.to_int self = UInt8.to_int min0 /\ UInt8.to_int rhs = - 1) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : uint8 . result = Core_Option_Option_Type.C_Some r -> UInt8.to_int r = div (UInt8.to_int self) (UInt8.to_int rhs) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : uint8 . result = Core_Option_Option_Type.C_Some r + -> UInt8.to_int r = div (UInt8.to_int self) (UInt8.to_int rhs) } let rec cfg test_u8_div_zero [#"../checked_ops.rs" 137 0 137 30] [@cfg:stackify] [@cfg:subregion_analysis] (a : uint8) : () @@ -2184,11 +2460,11 @@ module CheckedOps_TestU8DivZero goto BB0 } BB0 { - [#"../checked_ops.rs" 138 12 138 28] _5 <- ([#"../checked_ops.rs" 138 12 138 28] checked_div0 ([#"../checked_ops.rs" 138 12 138 13] a) ([#"../checked_ops.rs" 138 26 138 27] [#"../checked_ops.rs" 138 26 138 27] (0 : uint8))); + [#"../checked_ops.rs" 138 12 138 28] _5 <- ([#"../checked_ops.rs" 138 12 138 28] checked_div0 a ([#"../checked_ops.rs" 138 26 138 27] (0 : uint8))); goto BB1 } BB1 { - [#"../checked_ops.rs" 138 12 138 38] _3 <- ([#"../checked_ops.rs" 138 12 138 38] is_none0 ([#"../checked_ops.rs" 138 12 138 28] _5)); + [#"../checked_ops.rs" 138 12 138 38] _3 <- ([#"../checked_ops.rs" 138 12 138 38] is_none0 _5); goto BB2 } BB2 { 
@@ -2270,21 +2546,30 @@ module CheckedOps_TestI8AddExample use prelude.Int8 val overflowing_add0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self + Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self + Int8.to_int rhs > Int8.to_int max0) } val saturating_add0 (self : int8) (rhs : int8) : int8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> Int8.to_int result = Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> Int8.to_int result = Int8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> Int8.to_int result = Int8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> Int8.to_int result = Int8.to_int max0 } val wrapping_add0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self + Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int 
min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option int8) : bool 
@@ -2299,32 +2584,46 @@ module CheckedOps_TestI8AddExample val checked_add0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self + Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self + Int8.to_int rhs } let rec cfg test_i8_add_example [#"../checked_ops.rs" 142 0 142 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); + var _2 : bool; var _3 : int8; var _4 : Core_Option_Option_Type.t_option int8; var _7 : bool; var _9 : Core_Option_Option_Type.t_option int8; var _12 : bool; var _14 : Core_Option_Option_Type.t_option int8; + var _17 : bool; var _18 : int8; + var _21 : bool; var _22 : int8; + var _25 : bool; var _26 : int8; + var _29 : bool; var _30 : int8; + var _33 : bool; var _34 : int8; + var _37 : bool; var _38 : int8; var res : (int8, bool); + var _42 : bool; + var _44 : bool; var res1 : (int8, bool); + var _49 : bool; + var _51 : bool; var res2 : (int8, bool); + var _56 : bool; + var _58 : bool; { goto BB0 } BB0 { - [#"../checked_ops.rs" 143 12 143 31] _4 <- ([#"../checked_ops.rs" 143 12 143 31] checked_add0 ([#"../checked_ops.rs" 143 12 143 15] [#"../checked_ops.rs" 143 12 143 15] (5 : int8)) ([#"../checked_ops.rs" 143 28 143 30] [#"../checked_ops.rs" 143 28 143 30] (10 : int8))); + [#"../checked_ops.rs" 143 12 143 31] _4 <- ([#"../checked_ops.rs" 143 12 143 31] checked_add0 ([#"../checked_ops.rs" 143 12 143 15] (5 : int8)) ([#"../checked_ops.rs" 143 28 
143 30] (10 : int8))); goto BB1 } BB1 { @@ -2333,13 +2632,15 @@ module CheckedOps_TestI8AddExample goto BB2 } BB2 { - switch ([#"../checked_ops.rs" 143 12 143 46] _3 = ([#"../checked_ops.rs" 143 44 143 46] [#"../checked_ops.rs" 143 44 143 46] (15 : int8))) + [#"../checked_ops.rs" 143 12 143 46] _2 <- _3 = ([#"../checked_ops.rs" 143 44 143 46] (15 : int8)); + _3 <- any int8; + switch (_2) | False -> goto BB4 | True -> goto BB3 end } BB3 { - [#"../checked_ops.rs" 144 12 144 33] _9 <- ([#"../checked_ops.rs" 144 12 144 33] checked_add0 ([#"../checked_ops.rs" 144 12 144 17] [#"../checked_ops.rs" 144 12 144 17] (120 : int8)) ([#"../checked_ops.rs" 144 30 144 32] [#"../checked_ops.rs" 144 30 144 32] (10 : int8))); + [#"../checked_ops.rs" 144 12 144 33] _9 <- ([#"../checked_ops.rs" 144 12 144 33] checked_add0 ([#"../checked_ops.rs" 144 12 144 17] (120 : int8)) ([#"../checked_ops.rs" 144 30 144 32] (10 : int8))); goto BB5 } BB4 { @@ -2347,7 +2648,7 @@ module CheckedOps_TestI8AddExample absurd } BB5 { - [#"../checked_ops.rs" 144 12 144 43] _7 <- ([#"../checked_ops.rs" 144 12 144 43] is_none0 ([#"../checked_ops.rs" 144 12 144 33] _9)); + [#"../checked_ops.rs" 144 12 144 43] _7 <- ([#"../checked_ops.rs" 144 12 144 43] is_none0 _9); goto BB6 } BB6 { @@ -2357,7 +2658,7 @@ module CheckedOps_TestI8AddExample end } BB7 { - [#"../checked_ops.rs" 145 12 145 37] _14 <- ([#"../checked_ops.rs" 145 12 145 37] checked_add0 ([#"../checked_ops.rs" 145 12 145 20] [#"../checked_ops.rs" 145 12 145 20] (-120 : int8)) ([#"../checked_ops.rs" 145 33 145 36] [#"../checked_ops.rs" 145 33 145 36] (-10 : int8))); + [#"../checked_ops.rs" 145 12 145 37] _14 <- ([#"../checked_ops.rs" 145 12 145 37] checked_add0 ([#"../checked_ops.rs" 145 12 145 20] (-120 : int8)) ([#"../checked_ops.rs" 145 33 145 36] (-10 : int8))); goto BB9 } BB8 { 
@@ -2365,7 +2666,7 @@ module CheckedOps_TestI8AddExample absurd } BB9 { - [#"../checked_ops.rs" 145 12 145 47] _12 <- ([#"../checked_ops.rs" 145 12 145 47] is_none0 ([#"../checked_ops.rs" 145 12 145 37] _14)); + [#"../checked_ops.rs" 145 12 145 47] _12 <- ([#"../checked_ops.rs" 145 12 145 47] is_none0 _14); goto BB10 } BB10 { @@ -2375,7 +2676,7 @@ module CheckedOps_TestI8AddExample end } BB11 { - [#"../checked_ops.rs" 147 12 147 32] _18 <- ([#"../checked_ops.rs" 147 12 147 32] wrapping_add0 ([#"../checked_ops.rs" 147 12 147 15] [#"../checked_ops.rs" 147 12 147 15] (5 : int8)) ([#"../checked_ops.rs" 147 29 147 31] [#"../checked_ops.rs" 147 29 147 31] (10 : int8))); + [#"../checked_ops.rs" 147 12 147 32] _18 <- ([#"../checked_ops.rs" 147 12 147 32] wrapping_add0 ([#"../checked_ops.rs" 147 12 147 15] (5 : int8)) ([#"../checked_ops.rs" 147 29 147 31] (10 : int8))); goto BB13 } BB12 { @@ -2383,13 +2684,15 @@ module CheckedOps_TestI8AddExample absurd } BB13 { - switch ([#"../checked_ops.rs" 147 12 147 38] _18 = ([#"../checked_ops.rs" 147 36 147 38] [#"../checked_ops.rs" 147 36 147 38] (15 : int8))) + [#"../checked_ops.rs" 147 12 147 38] _17 <- _18 = ([#"../checked_ops.rs" 147 36 147 38] (15 : int8)); + _18 <- any int8; + switch (_17) | False -> goto BB15 | True -> goto BB14 end } BB14 { - [#"../checked_ops.rs" 148 12 148 34] _22 <- ([#"../checked_ops.rs" 148 12 148 34] wrapping_add0 ([#"../checked_ops.rs" 148 12 148 17] [#"../checked_ops.rs" 148 12 148 17] (120 : int8)) ([#"../checked_ops.rs" 148 31 148 33] [#"../checked_ops.rs" 148 31 148 33] (10 : int8))); + [#"../checked_ops.rs" 148 12 148 34] _22 <- ([#"../checked_ops.rs" 148 12 148 34] wrapping_add0 ([#"../checked_ops.rs" 148 12 148 17] (120 : int8)) ([#"../checked_ops.rs" 148 31 148 33] (10 : int8))); goto BB16 } BB15 { 
@@ -2397,13 +2700,15 @@ module CheckedOps_TestI8AddExample absurd } BB16 { - switch ([#"../checked_ops.rs" 148 12 148 42] _22 = ([#"../checked_ops.rs" 148 38 148 42] [#"../checked_ops.rs" 148 38 148 42] (-126 : int8))) + [#"../checked_ops.rs" 148 12 148 42] _21 <- _22 = ([#"../checked_ops.rs" 148 38 148 42] (-126 : int8)); + _22 <- any int8; + switch (_21) | False -> goto BB18 | True -> goto BB17 end } BB17 { - [#"../checked_ops.rs" 149 12 149 38] _26 <- ([#"../checked_ops.rs" 149 12 149 38] wrapping_add0 ([#"../checked_ops.rs" 149 12 149 20] [#"../checked_ops.rs" 149 12 149 20] (-120 : int8)) ([#"../checked_ops.rs" 149 34 149 37] [#"../checked_ops.rs" 149 34 149 37] (-10 : int8))); + [#"../checked_ops.rs" 149 12 149 38] _26 <- ([#"../checked_ops.rs" 149 12 149 38] wrapping_add0 ([#"../checked_ops.rs" 149 12 149 20] (-120 : int8)) ([#"../checked_ops.rs" 149 34 149 37] (-10 : int8))); goto BB19 } BB18 { @@ -2411,13 +2716,15 @@ module CheckedOps_TestI8AddExample absurd } BB19 { - switch ([#"../checked_ops.rs" 149 12 149 45] _26 = ([#"../checked_ops.rs" 149 42 149 45] [#"../checked_ops.rs" 149 42 149 45] (126 : int8))) + [#"../checked_ops.rs" 149 12 149 45] _25 <- _26 = ([#"../checked_ops.rs" 149 42 149 45] (126 : int8)); + _26 <- any int8; + switch (_25) | False -> goto BB21 | True -> goto BB20 end } BB20 { - [#"../checked_ops.rs" 151 12 151 34] _30 <- ([#"../checked_ops.rs" 151 12 151 34] saturating_add0 ([#"../checked_ops.rs" 151 12 151 15] [#"../checked_ops.rs" 151 12 151 15] (5 : int8)) ([#"../checked_ops.rs" 151 31 151 33] [#"../checked_ops.rs" 151 31 151 33] (10 : int8))); + [#"../checked_ops.rs" 151 12 151 34] _30 <- ([#"../checked_ops.rs" 151 12 151 34] saturating_add0 ([#"../checked_ops.rs" 151 12 151 15] (5 : int8)) ([#"../checked_ops.rs" 151 31 151 33] (10 : int8))); goto BB22 } BB21 { 
@@ -2425,13 +2732,15 @@ module CheckedOps_TestI8AddExample absurd } BB22 { - switch ([#"../checked_ops.rs" 151 12 151 40] _30 = ([#"../checked_ops.rs" 151 38 151 40] [#"../checked_ops.rs" 151 38 151 40] (15 : int8))) + [#"../checked_ops.rs" 151 12 151 40] _29 <- _30 = ([#"../checked_ops.rs" 151 38 151 40] (15 : int8)); + _30 <- any int8; + switch (_29) | False -> goto BB24 | True -> goto BB23 end } BB23 { - [#"../checked_ops.rs" 152 12 152 36] _34 <- ([#"../checked_ops.rs" 152 12 152 36] saturating_add0 ([#"../checked_ops.rs" 152 12 152 17] [#"../checked_ops.rs" 152 12 152 17] (120 : int8)) ([#"../checked_ops.rs" 152 33 152 35] [#"../checked_ops.rs" 152 33 152 35] (10 : int8))); + [#"../checked_ops.rs" 152 12 152 36] _34 <- ([#"../checked_ops.rs" 152 12 152 36] saturating_add0 ([#"../checked_ops.rs" 152 12 152 17] (120 : int8)) ([#"../checked_ops.rs" 152 33 152 35] (10 : int8))); goto BB25 } BB24 { @@ -2439,13 +2748,15 @@ module CheckedOps_TestI8AddExample absurd } BB25 { - switch ([#"../checked_ops.rs" 152 12 152 43] _34 = ([#"../checked_ops.rs" 152 40 152 43] [#"../checked_ops.rs" 152 40 152 43] (127 : int8))) + [#"../checked_ops.rs" 152 12 152 43] _33 <- _34 = ([#"../checked_ops.rs" 152 40 152 43] (127 : int8)); + _34 <- any int8; + switch (_33) | False -> goto BB27 | True -> goto BB26 end } BB26 { - [#"../checked_ops.rs" 153 12 153 40] _38 <- ([#"../checked_ops.rs" 153 12 153 40] saturating_add0 ([#"../checked_ops.rs" 153 12 153 20] [#"../checked_ops.rs" 153 12 153 20] (-120 : int8)) ([#"../checked_ops.rs" 153 36 153 39] [#"../checked_ops.rs" 153 36 153 39] (-10 : int8))); + [#"../checked_ops.rs" 153 12 153 40] _38 <- ([#"../checked_ops.rs" 153 12 153 40] saturating_add0 ([#"../checked_ops.rs" 153 12 153 20] (-120 : int8)) ([#"../checked_ops.rs" 153 36 153 39] (-10 : int8))); goto BB28 } BB27 { 
@@ -2453,13 +2764,15 @@ module CheckedOps_TestI8AddExample absurd } BB28 { - switch ([#"../checked_ops.rs" 153 12 153 48] _38 = ([#"../checked_ops.rs" 153 44 153 48] [#"../checked_ops.rs" 153 44 153 48] (-128 : int8))) + [#"../checked_ops.rs" 153 12 153 48] _37 <- _38 = ([#"../checked_ops.rs" 153 44 153 48] (-128 : int8)); + _38 <- any int8; + switch (_37) | False -> goto BB30 | True -> goto BB29 end } BB29 { - [#"../checked_ops.rs" 155 14 155 37] res <- ([#"../checked_ops.rs" 155 14 155 37] overflowing_add0 ([#"../checked_ops.rs" 155 14 155 17] [#"../checked_ops.rs" 155 14 155 17] (5 : int8)) ([#"../checked_ops.rs" 155 34 155 36] [#"../checked_ops.rs" 155 34 155 36] (10 : int8))); + [#"../checked_ops.rs" 155 14 155 37] res <- ([#"../checked_ops.rs" 155 14 155 37] overflowing_add0 ([#"../checked_ops.rs" 155 14 155 17] (5 : int8)) ([#"../checked_ops.rs" 155 34 155 36] (10 : int8))); goto BB31 } BB30 { 
@@ -2467,20 +2780,22 @@ module CheckedOps_TestI8AddExample absurd } BB31 { - switch ([#"../checked_ops.rs" 156 12 156 23] ([#"../checked_ops.rs" 156 12 156 17] let (a, _) = res in a) = ([#"../checked_ops.rs" 156 21 156 23] [#"../checked_ops.rs" 156 21 156 23] (15 : int8))) + [#"../checked_ops.rs" 156 12 156 23] _42 <- (let (a, _) = res in a) = ([#"../checked_ops.rs" 156 21 156 23] (15 : int8)); + switch (_42) | False -> goto BB35 | True -> goto BB32 end } BB32 { assume { resolve0 res }; - switch ([#"../checked_ops.rs" 156 27 156 41] Bool.eqb ([#"../checked_ops.rs" 156 27 156 32] let (_, a) = res in a) ([#"../checked_ops.rs" 156 36 156 41] [#"../checked_ops.rs" 156 36 156 41] false)) + [#"../checked_ops.rs" 156 27 156 41] _44 <- Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 156 36 156 41] false); + switch (_44) | False -> goto BB34 | True -> goto BB33 end } BB33 { - [#"../checked_ops.rs" 157 14 157 39] res1 <- ([#"../checked_ops.rs" 157 14 157 39] overflowing_add0 ([#"../checked_ops.rs" 157 14 157 19] [#"../checked_ops.rs" 157 14 157 19] (120 : int8)) ([#"../checked_ops.rs" 157 36 157 38] [#"../checked_ops.rs" 157 36 157 38] (10 : int8))); + [#"../checked_ops.rs" 157 14 157 39] res1 <- ([#"../checked_ops.rs" 157 14 157 39] overflowing_add0 ([#"../checked_ops.rs" 157 14 157 19] (120 : int8)) ([#"../checked_ops.rs" 157 36 157 38] (10 : int8))); goto BB37 } BB34 { 
@@ -2495,20 +2810,22 @@ module CheckedOps_TestI8AddExample absurd } BB37 { - switch ([#"../checked_ops.rs" 158 12 158 25] ([#"../checked_ops.rs" 158 12 158 17] let (a, _) = res1 in a) = ([#"../checked_ops.rs" 158 21 158 25] [#"../checked_ops.rs" 158 21 158 25] (-126 : int8))) + [#"../checked_ops.rs" 158 12 158 25] _49 <- (let (a, _) = res1 in a) = ([#"../checked_ops.rs" 158 21 158 25] (-126 : int8)); + switch (_49) | False -> goto BB41 | True -> goto BB38 end } BB38 { assume { resolve0 res1 }; - switch ([#"../checked_ops.rs" 158 29 158 42] Bool.eqb ([#"../checked_ops.rs" 158 29 158 34] let (_, a) = res1 in a) ([#"../checked_ops.rs" 158 38 158 42] [#"../checked_ops.rs" 158 38 158 42] true)) + [#"../checked_ops.rs" 158 29 158 42] _51 <- Bool.eqb (let (_, a) = res1 in a) ([#"../checked_ops.rs" 158 38 158 42] true); + switch (_51) | False -> goto BB40 | True -> goto BB39 end } BB39 { - [#"../checked_ops.rs" 159 14 159 43] res2 <- ([#"../checked_ops.rs" 159 14 159 43] overflowing_add0 ([#"../checked_ops.rs" 159 14 159 22] [#"../checked_ops.rs" 159 14 159 22] (-120 : int8)) ([#"../checked_ops.rs" 159 39 159 42] [#"../checked_ops.rs" 159 39 159 42] (-10 : int8))); + [#"../checked_ops.rs" 159 14 159 43] res2 <- ([#"../checked_ops.rs" 159 14 159 43] overflowing_add0 ([#"../checked_ops.rs" 159 14 159 22] (-120 : int8)) ([#"../checked_ops.rs" 159 39 159 42] (-10 : int8))); goto BB43 } BB40 { 
@@ -2523,14 +2840,16 @@ module CheckedOps_TestI8AddExample absurd } BB43 { - switch ([#"../checked_ops.rs" 160 12 160 24] ([#"../checked_ops.rs" 160 12 160 17] let (a, _) = res2 in a) = ([#"../checked_ops.rs" 160 21 160 24] [#"../checked_ops.rs" 160 21 160 24] (126 : int8))) + [#"../checked_ops.rs" 160 12 160 24] _56 <- (let (a, _) = res2 in a) = ([#"../checked_ops.rs" 160 21 160 24] (126 : int8)); + switch (_56) | False -> goto BB47 | True -> goto BB44 end } BB44 { assume { resolve0 res2 }; - switch ([#"../checked_ops.rs" 160 28 160 41] Bool.eqb ([#"../checked_ops.rs" 160 28 160 33] let (_, a) = res2 in a) ([#"../checked_ops.rs" 160 37 160 41] [#"../checked_ops.rs" 160 37 160 41] true)) + [#"../checked_ops.rs" 160 28 160 41] _58 <- Bool.eqb (let (_, a) = res2 in a) ([#"../checked_ops.rs" 160 37 160 41] true); + switch (_58) | False -> goto BB46 | True -> goto BB45 end 
@@ -2595,21 +2914,30 @@ module CheckedOps_TestI8AddOverflowPos (8 : uint32) val overflowing_add0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self + Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self + Int8.to_int rhs > Int8.to_int max0) } val saturating_add0 (self : int8) (rhs : int8) : int8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> Int8.to_int result = Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> Int8.to_int result = Int8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> Int8.to_int result = Int8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> Int8.to_int result = Int8.to_int max0 } val wrapping_add0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self + Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int 
min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option int8) : bool 
@@ -2618,7 +2946,8 @@ module CheckedOps_TestI8AddOverflowPos val checked_add0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self + Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self + Int8.to_int rhs } let rec cfg test_i8_add_overflow_pos [#"../checked_ops.rs" 165 0 165 38] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) : () requires {[#"../checked_ops.rs" 164 11 164 17] Int8.to_int a > 0} @@ -2628,18 +2957,26 @@ module CheckedOps_TestI8AddOverflowPos var a : int8 = a; var _4 : bool; var _6 : Core_Option_Option_Type.t_option int8; + var _10 : bool; var _11 : int8; + var _13 : int8; + var _14 : int8; + var _18 : bool; var _19 : int8; var res : (int8, bool); + var _25 : bool; + var _27 : int8; + var _28 : int8; + var _30 : bool; { goto BB0 } BB0 { - [#"../checked_ops.rs" 166 12 166 32] _6 <- ([#"../checked_ops.rs" 166 12 166 32] checked_add0 ([#"../checked_ops.rs" 166 12 166 17] [#"../checked_ops.rs" 166 12 166 17] (127 : int8)) ([#"../checked_ops.rs" 166 30 166 31] a)); + [#"../checked_ops.rs" 166 12 166 32] _6 <- ([#"../checked_ops.rs" 166 12 166 32] checked_add0 ([#"../checked_ops.rs" 166 12 166 17] (127 : int8)) a); goto BB1 } BB1 { - [#"../checked_ops.rs" 166 12 166 42] _4 <- ([#"../checked_ops.rs" 166 12 166 42] is_none0 ([#"../checked_ops.rs" 166 12 166 32] _6)); + [#"../checked_ops.rs" 166 12 166 42] _4 <- ([#"../checked_ops.rs" 166 12 166 42] is_none0 _6); goto BB2 } BB2 { 
@@ -2649,7 +2986,7 @@ module CheckedOps_TestI8AddOverflowPos end } BB3 { - [#"../checked_ops.rs" 167 12 167 33] _11 <- ([#"../checked_ops.rs" 167 12 167 33] wrapping_add0 ([#"../checked_ops.rs" 167 12 167 17] [#"../checked_ops.rs" 167 12 167 17] (127 : int8)) ([#"../checked_ops.rs" 167 31 167 32] a)); + [#"../checked_ops.rs" 167 12 167 33] _11 <- ([#"../checked_ops.rs" 167 12 167 33] wrapping_add0 ([#"../checked_ops.rs" 167 12 167 17] (127 : int8)) a); goto BB5 } BB4 { @@ -2657,13 +2994,19 @@ module CheckedOps_TestI8AddOverflowPos absurd } BB5 { - switch ([#"../checked_ops.rs" 167 12 167 48] _11 = ([#"../checked_ops.rs" 167 37 167 48] ([#"../checked_ops.rs" 167 37 167 44] ([#"../checked_ops.rs" 167 37 167 38] a) - ([#"../checked_ops.rs" 167 41 167 44] [#"../checked_ops.rs" 167 41 167 44] (127 : int8))) - ([#"../checked_ops.rs" 167 47 167 48] [#"../checked_ops.rs" 167 47 167 48] (2 : int8)))) + [#"../checked_ops.rs" 167 37 167 44] _14 <- a - ([#"../checked_ops.rs" 167 41 167 44] (127 : int8)); + [#"../checked_ops.rs" 167 37 167 48] _13 <- _14 - ([#"../checked_ops.rs" 167 47 167 48] (2 : int8)); + _14 <- any int8; + [#"../checked_ops.rs" 167 12 167 48] _10 <- _11 = _13; + _11 <- any int8; + _13 <- any int8; + switch (_10) | False -> goto BB7 | True -> goto BB6 end } BB6 { - [#"../checked_ops.rs" 168 12 168 35] _19 <- ([#"../checked_ops.rs" 168 12 168 35] saturating_add0 ([#"../checked_ops.rs" 168 12 168 17] [#"../checked_ops.rs" 168 12 168 17] (127 : int8)) ([#"../checked_ops.rs" 168 33 168 34] a)); + [#"../checked_ops.rs" 168 12 168 35] _19 <- ([#"../checked_ops.rs" 168 12 168 35] saturating_add0 ([#"../checked_ops.rs" 168 12 168 17] (127 : int8)) a); goto BB8 } BB7 { 
@@ -2671,13 +3014,15 @@ module CheckedOps_TestI8AddOverflowPos absurd } BB8 { - switch ([#"../checked_ops.rs" 168 12 168 42] _19 = ([#"../checked_ops.rs" 168 39 168 42] [#"../checked_ops.rs" 168 39 168 42] (127 : int8))) + [#"../checked_ops.rs" 168 12 168 42] _18 <- _19 = ([#"../checked_ops.rs" 168 39 168 42] (127 : int8)); + _19 <- any int8; + switch (_18) | False -> goto BB10 | True -> goto BB9 end } BB9 { - [#"../checked_ops.rs" 169 14 169 38] res <- ([#"../checked_ops.rs" 169 14 169 38] overflowing_add0 ([#"../checked_ops.rs" 169 14 169 19] [#"../checked_ops.rs" 169 14 169 19] (127 : int8)) ([#"../checked_ops.rs" 169 36 169 37] a)); + [#"../checked_ops.rs" 169 14 169 38] res <- ([#"../checked_ops.rs" 169 14 169 38] overflowing_add0 ([#"../checked_ops.rs" 169 14 169 19] (127 : int8)) a); goto BB11 } BB10 { 
@@ -2685,14 +3030,20 @@ module CheckedOps_TestI8AddOverflowPos absurd } BB11 { - switch ([#"../checked_ops.rs" 170 12 170 32] ([#"../checked_ops.rs" 170 12 170 17] let (a, _) = res in a) = ([#"../checked_ops.rs" 170 21 170 32] ([#"../checked_ops.rs" 170 21 170 28] ([#"../checked_ops.rs" 170 21 170 22] a) - ([#"../checked_ops.rs" 170 25 170 28] [#"../checked_ops.rs" 170 25 170 28] (127 : int8))) - ([#"../checked_ops.rs" 170 31 170 32] [#"../checked_ops.rs" 170 31 170 32] (2 : int8)))) + [#"../checked_ops.rs" 170 21 170 28] _28 <- a - ([#"../checked_ops.rs" 170 25 170 28] (127 : int8)); + [#"../checked_ops.rs" 170 21 170 32] _27 <- _28 - ([#"../checked_ops.rs" 170 31 170 32] (2 : int8)); + _28 <- any int8; + [#"../checked_ops.rs" 170 12 170 32] _25 <- (let (a, _) = res in a) = _27; + _27 <- any int8; + switch (_25) | False -> goto BB15 | True -> goto BB12 end } BB12 { assume { resolve0 res }; - switch ([#"../checked_ops.rs" 170 36 170 49] Bool.eqb ([#"../checked_ops.rs" 170 36 170 41] let (_, a) = res in a) ([#"../checked_ops.rs" 170 45 170 49] [#"../checked_ops.rs" 170 45 170 49] true)) + [#"../checked_ops.rs" 170 36 170 49] _30 <- Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 170 45 170 49] true); + switch (_30) | False -> goto BB14 | True -> goto BB13 end 
@@ -2757,21 +3108,30 @@ module CheckedOps_TestI8AddOverflowNeg (8 : uint32) val overflowing_add0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self + Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self + Int8.to_int rhs > Int8.to_int max0) } val saturating_add0 (self : int8) (rhs : int8) : int8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> Int8.to_int result = Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> Int8.to_int result = Int8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> Int8.to_int result = Int8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> Int8.to_int result = Int8.to_int max0 } val wrapping_add0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self + Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int 
min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option int8) : bool 
@@ -2780,7 +3140,8 @@ module CheckedOps_TestI8AddOverflowNeg val checked_add0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self + Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self + Int8.to_int rhs } let rec cfg test_i8_add_overflow_neg [#"../checked_ops.rs" 175 0 175 38] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) : () requires {[#"../checked_ops.rs" 174 11 174 17] Int8.to_int a < 0} @@ -2790,18 +3151,26 @@ module CheckedOps_TestI8AddOverflowNeg var a : int8 = a; var _4 : bool; var _6 : Core_Option_Option_Type.t_option int8; + var _10 : bool; var _11 : int8; + var _13 : int8; + var _14 : int8; + var _18 : bool; var _19 : int8; var res : (int8, bool); + var _25 : bool; + var _27 : int8; + var _28 : int8; + var _30 : bool; { goto BB0 } BB0 { - [#"../checked_ops.rs" 176 12 176 35] _6 <- ([#"../checked_ops.rs" 176 12 176 35] checked_add0 ([#"../checked_ops.rs" 176 12 176 20] [#"../checked_ops.rs" 176 12 176 20] (-128 : int8)) ([#"../checked_ops.rs" 176 33 176 34] a)); + [#"../checked_ops.rs" 176 12 176 35] _6 <- ([#"../checked_ops.rs" 176 12 176 35] checked_add0 ([#"../checked_ops.rs" 176 12 176 20] (-128 : int8)) a); goto BB1 } BB1 { - [#"../checked_ops.rs" 176 12 176 45] _4 <- ([#"../checked_ops.rs" 176 12 176 45] is_none0 ([#"../checked_ops.rs" 176 12 176 35] _6)); + [#"../checked_ops.rs" 176 12 176 45] _4 <- ([#"../checked_ops.rs" 176 12 176 45] is_none0 _6); goto BB2 } BB2 { 
@@ -2811,7 +3180,7 @@ module CheckedOps_TestI8AddOverflowNeg end } BB3 { - [#"../checked_ops.rs" 177 12 177 36] _11 <- ([#"../checked_ops.rs" 177 12 177 36] wrapping_add0 ([#"../checked_ops.rs" 177 12 177 20] [#"../checked_ops.rs" 177 12 177 20] (-128 : int8)) ([#"../checked_ops.rs" 177 34 177 35] a)); + [#"../checked_ops.rs" 177 12 177 36] _11 <- ([#"../checked_ops.rs" 177 12 177 36] wrapping_add0 ([#"../checked_ops.rs" 177 12 177 20] (-128 : int8)) a); goto BB5 } BB4 { @@ -2819,13 +3188,19 @@ module CheckedOps_TestI8AddOverflowNeg absurd } BB5 { - switch ([#"../checked_ops.rs" 177 12 177 51] _11 = ([#"../checked_ops.rs" 177 40 177 51] ([#"../checked_ops.rs" 177 40 177 47] ([#"../checked_ops.rs" 177 40 177 41] a) + ([#"../checked_ops.rs" 177 44 177 47] [#"../checked_ops.rs" 177 44 177 47] (127 : int8))) + ([#"../checked_ops.rs" 177 50 177 51] [#"../checked_ops.rs" 177 50 177 51] (1 : int8)))) + [#"../checked_ops.rs" 177 40 177 47] _14 <- a + ([#"../checked_ops.rs" 177 44 177 47] (127 : int8)); + [#"../checked_ops.rs" 177 40 177 51] _13 <- _14 + ([#"../checked_ops.rs" 177 50 177 51] (1 : int8)); + _14 <- any int8; + [#"../checked_ops.rs" 177 12 177 51] _10 <- _11 = _13; + _11 <- any int8; + _13 <- any int8; + switch (_10) | False -> goto BB7 | True -> goto BB6 end } BB6 { - [#"../checked_ops.rs" 178 12 178 38] _19 <- ([#"../checked_ops.rs" 178 12 178 38] saturating_add0 ([#"../checked_ops.rs" 178 12 178 20] [#"../checked_ops.rs" 178 12 178 20] (-128 : int8)) ([#"../checked_ops.rs" 178 36 178 37] a)); + [#"../checked_ops.rs" 178 12 178 38] _19 <- ([#"../checked_ops.rs" 178 12 178 38] saturating_add0 ([#"../checked_ops.rs" 178 12 178 20] (-128 : int8)) a); goto BB8 } BB7 { 
@@ -2833,13 +3208,15 @@ module CheckedOps_TestI8AddOverflowNeg absurd } BB8 { - switch ([#"../checked_ops.rs" 178 12 178 46] _19 = ([#"../checked_ops.rs" 178 42 178 46] [#"../checked_ops.rs" 178 42 178 46] (-128 : int8))) + [#"../checked_ops.rs" 178 12 178 46] _18 <- _19 = ([#"../checked_ops.rs" 178 42 178 46] (-128 : int8)); + _19 <- any int8; + switch (_18) | False -> goto BB10 | True -> goto BB9 end } BB9 { - [#"../checked_ops.rs" 179 14 179 41] res <- ([#"../checked_ops.rs" 179 14 179 41] overflowing_add0 ([#"../checked_ops.rs" 179 14 179 22] [#"../checked_ops.rs" 179 14 179 22] (-128 : int8)) ([#"../checked_ops.rs" 179 39 179 40] a)); + [#"../checked_ops.rs" 179 14 179 41] res <- ([#"../checked_ops.rs" 179 14 179 41] overflowing_add0 ([#"../checked_ops.rs" 179 14 179 22] (-128 : int8)) a); goto BB11 } BB10 { 
@@ -2847,14 +3224,20 @@ module CheckedOps_TestI8AddOverflowNeg absurd } BB11 { - switch ([#"../checked_ops.rs" 180 12 180 32] ([#"../checked_ops.rs" 180 12 180 17] let (a, _) = res in a) = ([#"../checked_ops.rs" 180 21 180 32] ([#"../checked_ops.rs" 180 21 180 28] ([#"../checked_ops.rs" 180 21 180 22] a) + ([#"../checked_ops.rs" 180 25 180 28] [#"../checked_ops.rs" 180 25 180 28] (127 : int8))) + ([#"../checked_ops.rs" 180 31 180 32] [#"../checked_ops.rs" 180 31 180 32] (1 : int8)))) + [#"../checked_ops.rs" 180 21 180 28] _28 <- a + ([#"../checked_ops.rs" 180 25 180 28] (127 : int8)); + [#"../checked_ops.rs" 180 21 180 32] _27 <- _28 + ([#"../checked_ops.rs" 180 31 180 32] (1 : int8)); + _28 <- any int8; + [#"../checked_ops.rs" 180 12 180 32] _25 <- (let (a, _) = res in a) = _27; + _27 <- any int8; + switch (_25) | False -> goto BB15 | True -> goto BB12 end } BB12 { assume { resolve0 res }; - switch ([#"../checked_ops.rs" 180 36 180 49] Bool.eqb ([#"../checked_ops.rs" 180 36 180 41] let (_, a) = res in a) ([#"../checked_ops.rs" 180 45 180 49] [#"../checked_ops.rs" 180 45 180 49] true)) + [#"../checked_ops.rs" 180 36 180 49] _30 <- Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 180 45 180 49] true); + switch (_30) | False -> goto BB14 | True -> goto BB13 end 
@@ -2892,9 +3275,12 @@ module CheckedOps_TestI8WrappingAdd (8 : uint32) val wrapping_add0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self + Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } let rec cfg test_i8_wrapping_add [#"../checked_ops.rs" 186 0 186 47] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) (b : int8) : int8 ensures { [#"../checked_ops.rs" 185 10 185 84] Int8.to_int result = Int8.to_int a + Int8.to_int b \/ Int8.to_int result = Int8.to_int a + Int8.to_int b - 256 \/ Int8.to_int result = Int8.to_int a + Int8.to_int b + 256 } @@ -2907,7 +3293,7 @@ module CheckedOps_TestI8WrappingAdd goto BB0 } BB0 { - [#"../checked_ops.rs" 187 4 187 21] _0 <- ([#"../checked_ops.rs" 187 4 187 21] wrapping_add0 ([#"../checked_ops.rs" 187 4 187 5] a) ([#"../checked_ops.rs" 187 19 187 20] b)); + [#"../checked_ops.rs" 187 4 187 21] _0 <- ([#"../checked_ops.rs" 187 4 187 21] wrapping_add0 a b); goto BB1 } BB1 { @@ -2942,7 +3328,8 @@ module CheckedOps_TestI8OverflowingAdd use prelude.Int8 val checked_add0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self + Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self + Int8.to_int rhs } use prelude.UInt32 use int.EuclideanDivision 
@@ -2952,9 +3339,12 @@ module CheckedOps_TestI8OverflowingAdd (8 : uint32) val wrapping_add0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self + Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int result = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } predicate resolve2 (self : bool) = [#"../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true 
@@ -2973,9 +3363,12 @@ module CheckedOps_TestI8OverflowingAdd val overflowing_add0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self + Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self + Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self + Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self + Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self + Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self + Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self + Int8.to_int rhs > Int8.to_int max0) } let rec cfg test_i8_overflowing_add [#"../checked_ops.rs" 191 0 191 44] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) (b : int8) : () @@ -2984,8 +3377,10 @@ module CheckedOps_TestI8OverflowingAdd var _0 : (); var a : int8 = a; var b : int8 = b; + var _4 : bool; var _6 : (int8, bool); var _9 : int8; + var _14 : bool; var _16 : (int8, bool); var _19 : bool; var _21 : Core_Option_Option_Type.t_option int8; 
@@ -2993,22 +3388,24 @@ module CheckedOps_TestI8OverflowingAdd goto BB0 } BB0 { - [#"../checked_ops.rs" 192 12 192 32] _6 <- ([#"../checked_ops.rs" 192 12 192 32] overflowing_add0 ([#"../checked_ops.rs" 192 12 192 13] a) ([#"../checked_ops.rs" 192 30 192 31] b)); + [#"../checked_ops.rs" 192 12 192 32] _6 <- ([#"../checked_ops.rs" 192 12 192 32] overflowing_add0 a b); goto BB1 } BB1 { assume { resolve0 _6 }; - [#"../checked_ops.rs" 192 38 192 55] _9 <- ([#"../checked_ops.rs" 192 38 192 55] wrapping_add0 ([#"../checked_ops.rs" 192 38 192 39] a) ([#"../checked_ops.rs" 192 53 192 54] b)); + [#"../checked_ops.rs" 192 38 192 55] _9 <- ([#"../checked_ops.rs" 192 38 192 55] wrapping_add0 a b); goto BB2 } BB2 { - switch ([#"../checked_ops.rs" 192 12 192 55] ([#"../checked_ops.rs" 192 12 192 34] let (a, _) = _6 in a) = _9) + [#"../checked_ops.rs" 192 12 192 55] _4 <- (let (a, _) = _6 in a) = _9; + _9 <- any int8; + switch (_4) | False -> goto BB4 | True -> goto BB3 end } BB3 { - [#"../checked_ops.rs" 193 12 193 32] _16 <- ([#"../checked_ops.rs" 193 12 193 32] overflowing_add0 ([#"../checked_ops.rs" 193 12 193 13] a) ([#"../checked_ops.rs" 193 30 193 31] b)); + [#"../checked_ops.rs" 193 12 193 32] _16 <- ([#"../checked_ops.rs" 193 12 193 32] overflowing_add0 a b); goto BB5 } BB4 { 
@@ -3017,15 +3414,17 @@ module CheckedOps_TestI8OverflowingAdd } BB5 { assume { resolve0 _16 }; - [#"../checked_ops.rs" 193 38 193 54] _21 <- ([#"../checked_ops.rs" 193 38 193 54] checked_add0 ([#"../checked_ops.rs" 193 38 193 39] a) ([#"../checked_ops.rs" 193 52 193 53] b)); + [#"../checked_ops.rs" 193 38 193 54] _21 <- ([#"../checked_ops.rs" 193 38 193 54] checked_add0 a b); goto BB6 } BB6 { - [#"../checked_ops.rs" 193 38 193 64] _19 <- ([#"../checked_ops.rs" 193 38 193 64] is_none0 ([#"../checked_ops.rs" 193 38 193 54] _21)); + [#"../checked_ops.rs" 193 38 193 64] _19 <- ([#"../checked_ops.rs" 193 38 193 64] is_none0 _21); goto BB7 } BB7 { - switch ([#"../checked_ops.rs" 193 12 193 64] Bool.eqb ([#"../checked_ops.rs" 193 12 193 34] let (_, a) = _16 in a) _19) + [#"../checked_ops.rs" 193 12 193 64] _14 <- Bool.eqb (let (_, a) = _16 in a) _19; + _19 <- any bool; + switch (_14) | False -> goto BB9 | True -> goto BB8 end 
@@ -3103,21 +3502,30 @@ module CheckedOps_TestI8SubExample use prelude.Int8 val overflowing_sub0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self - Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self - Int8.to_int rhs > Int8.to_int max0) } val saturating_sub0 (self : int8) (rhs : int8) : int8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> Int8.to_int result = Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> Int8.to_int result = Int8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> Int8.to_int result = Int8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> Int8.to_int result = Int8.to_int max0 } val wrapping_sub0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self - Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int 
min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option int8) : bool 
@@ -3132,32 +3540,47 @@ module CheckedOps_TestI8SubExample val checked_sub0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self - Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self - Int8.to_int rhs } let rec cfg test_i8_sub_example [#"../checked_ops.rs" 197 0 197 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); + var _2 : bool; var _3 : int8; var _4 : Core_Option_Option_Type.t_option int8; + var _7 : bool; var _8 : int8; var _9 : Core_Option_Option_Type.t_option int8; var _12 : bool; var _14 : Core_Option_Option_Type.t_option int8; + var _17 : bool; var _18 : int8; + var _21 : bool; var _22 : int8; + var _25 : bool; var _26 : int8; + var _29 : bool; var _30 : int8; + var _33 : bool; var _34 : int8; + var _37 : bool; var _38 : int8; var res : (int8, bool); + var _42 : bool; + var _44 : bool; var res1 : (int8, bool); + var _49 : bool; + var _51 : bool; var res2 : (int8, bool); + var _56 : bool; + var _58 : bool; { goto BB0 } BB0 { - [#"../checked_ops.rs" 198 12 198 31] _4 <- ([#"../checked_ops.rs" 198 12 198 31] checked_sub0 ([#"../checked_ops.rs" 198 12 198 15] [#"../checked_ops.rs" 198 12 198 15] (5 : int8)) ([#"../checked_ops.rs" 198 28 198 30] [#"../checked_ops.rs" 198 28 198 30] (10 : int8))); + [#"../checked_ops.rs" 198 12 198 31] _4 <- ([#"../checked_ops.rs" 198 12 198 31] checked_sub0 ([#"../checked_ops.rs" 198 12 198 15] (5 : int8)) 
([#"../checked_ops.rs" 198 28 198 30] (10 : int8))); goto BB1 } BB1 { @@ -3166,13 +3589,15 @@ module CheckedOps_TestI8SubExample goto BB2 } BB2 { - switch ([#"../checked_ops.rs" 198 12 198 46] _3 = ([#"../checked_ops.rs" 198 44 198 46] [#"../checked_ops.rs" 198 44 198 46] (-5 : int8))) + [#"../checked_ops.rs" 198 12 198 46] _2 <- _3 = ([#"../checked_ops.rs" 198 44 198 46] (-5 : int8)); + _3 <- any int8; + switch (_2) | False -> goto BB4 | True -> goto BB3 end } BB3 { - [#"../checked_ops.rs" 199 12 199 33] _9 <- ([#"../checked_ops.rs" 199 12 199 33] checked_sub0 ([#"../checked_ops.rs" 199 12 199 17] [#"../checked_ops.rs" 199 12 199 17] (120 : int8)) ([#"../checked_ops.rs" 199 30 199 32] [#"../checked_ops.rs" 199 30 199 32] (10 : int8))); + [#"../checked_ops.rs" 199 12 199 33] _9 <- ([#"../checked_ops.rs" 199 12 199 33] checked_sub0 ([#"../checked_ops.rs" 199 12 199 17] (120 : int8)) ([#"../checked_ops.rs" 199 30 199 32] (10 : int8))); goto BB5 } BB4 { @@ -3185,13 +3610,15 @@ module CheckedOps_TestI8SubExample goto BB6 } BB6 { - switch ([#"../checked_ops.rs" 199 12 199 49] _8 = ([#"../checked_ops.rs" 199 46 199 49] [#"../checked_ops.rs" 199 46 199 49] (110 : int8))) + [#"../checked_ops.rs" 199 12 199 49] _7 <- _8 = ([#"../checked_ops.rs" 199 46 199 49] (110 : int8)); + _8 <- any int8; + switch (_7) | False -> goto BB8 | True -> goto BB7 end } BB7 { - [#"../checked_ops.rs" 200 12 200 36] _14 <- ([#"../checked_ops.rs" 200 12 200 36] checked_sub0 ([#"../checked_ops.rs" 200 12 200 20] [#"../checked_ops.rs" 200 12 200 20] (-120 : int8)) ([#"../checked_ops.rs" 200 33 200 35] [#"../checked_ops.rs" 200 33 200 35] (10 : int8))); + [#"../checked_ops.rs" 200 12 200 36] _14 <- ([#"../checked_ops.rs" 200 12 200 36] checked_sub0 ([#"../checked_ops.rs" 200 12 200 20] (-120 : int8)) ([#"../checked_ops.rs" 200 33 200 35] (10 : int8))); goto BB9 } BB8 { 
@@ -3199,7 +3626,7 @@ module CheckedOps_TestI8SubExample absurd } BB9 { - [#"../checked_ops.rs" 200 12 200 46] _12 <- ([#"../checked_ops.rs" 200 12 200 46] is_none0 ([#"../checked_ops.rs" 200 12 200 36] _14)); + [#"../checked_ops.rs" 200 12 200 46] _12 <- ([#"../checked_ops.rs" 200 12 200 46] is_none0 _14); goto BB10 } BB10 { @@ -3209,7 +3636,7 @@ module CheckedOps_TestI8SubExample end } BB11 { - [#"../checked_ops.rs" 202 12 202 32] _18 <- ([#"../checked_ops.rs" 202 12 202 32] wrapping_sub0 ([#"../checked_ops.rs" 202 12 202 15] [#"../checked_ops.rs" 202 12 202 15] (5 : int8)) ([#"../checked_ops.rs" 202 29 202 31] [#"../checked_ops.rs" 202 29 202 31] (10 : int8))); + [#"../checked_ops.rs" 202 12 202 32] _18 <- ([#"../checked_ops.rs" 202 12 202 32] wrapping_sub0 ([#"../checked_ops.rs" 202 12 202 15] (5 : int8)) ([#"../checked_ops.rs" 202 29 202 31] (10 : int8))); goto BB13 } BB12 { @@ -3217,13 +3644,15 @@ module CheckedOps_TestI8SubExample absurd } BB13 { - switch ([#"../checked_ops.rs" 202 12 202 38] _18 = ([#"../checked_ops.rs" 202 36 202 38] [#"../checked_ops.rs" 202 36 202 38] (-5 : int8))) + [#"../checked_ops.rs" 202 12 202 38] _17 <- _18 = ([#"../checked_ops.rs" 202 36 202 38] (-5 : int8)); + _18 <- any int8; + switch (_17) | False -> goto BB15 | True -> goto BB14 end } BB14 { - [#"../checked_ops.rs" 203 12 203 34] _22 <- ([#"../checked_ops.rs" 203 12 203 34] wrapping_sub0 ([#"../checked_ops.rs" 203 12 203 17] [#"../checked_ops.rs" 203 12 203 17] (120 : int8)) ([#"../checked_ops.rs" 203 31 203 33] [#"../checked_ops.rs" 203 31 203 33] (10 : int8))); + [#"../checked_ops.rs" 203 12 203 34] _22 <- ([#"../checked_ops.rs" 203 12 203 34] wrapping_sub0 ([#"../checked_ops.rs" 203 12 203 17] (120 : int8)) ([#"../checked_ops.rs" 203 31 203 33] (10 : int8))); goto BB16 } BB15 { 
@@ -3231,13 +3660,15 @@ module CheckedOps_TestI8SubExample absurd } BB16 { - switch ([#"../checked_ops.rs" 203 12 203 41] _22 = ([#"../checked_ops.rs" 203 38 203 41] [#"../checked_ops.rs" 203 38 203 41] (110 : int8))) + [#"../checked_ops.rs" 203 12 203 41] _21 <- _22 = ([#"../checked_ops.rs" 203 38 203 41] (110 : int8)); + _22 <- any int8; + switch (_21) | False -> goto BB18 | True -> goto BB17 end } BB17 { - [#"../checked_ops.rs" 204 12 204 37] _26 <- ([#"../checked_ops.rs" 204 12 204 37] wrapping_sub0 ([#"../checked_ops.rs" 204 12 204 20] [#"../checked_ops.rs" 204 12 204 20] (-120 : int8)) ([#"../checked_ops.rs" 204 34 204 36] [#"../checked_ops.rs" 204 34 204 36] (10 : int8))); + [#"../checked_ops.rs" 204 12 204 37] _26 <- ([#"../checked_ops.rs" 204 12 204 37] wrapping_sub0 ([#"../checked_ops.rs" 204 12 204 20] (-120 : int8)) ([#"../checked_ops.rs" 204 34 204 36] (10 : int8))); goto BB19 } BB18 { @@ -3245,13 +3676,15 @@ module CheckedOps_TestI8SubExample absurd } BB19 { - switch ([#"../checked_ops.rs" 204 12 204 44] _26 = ([#"../checked_ops.rs" 204 41 204 44] [#"../checked_ops.rs" 204 41 204 44] (126 : int8))) + [#"../checked_ops.rs" 204 12 204 44] _25 <- _26 = ([#"../checked_ops.rs" 204 41 204 44] (126 : int8)); + _26 <- any int8; + switch (_25) | False -> goto BB21 | True -> goto BB20 end } BB20 { - [#"../checked_ops.rs" 206 12 206 34] _30 <- ([#"../checked_ops.rs" 206 12 206 34] saturating_sub0 ([#"../checked_ops.rs" 206 12 206 15] [#"../checked_ops.rs" 206 12 206 15] (5 : int8)) ([#"../checked_ops.rs" 206 31 206 33] [#"../checked_ops.rs" 206 31 206 33] (10 : int8))); + [#"../checked_ops.rs" 206 12 206 34] _30 <- ([#"../checked_ops.rs" 206 12 206 34] saturating_sub0 ([#"../checked_ops.rs" 206 12 206 15] (5 : int8)) ([#"../checked_ops.rs" 206 31 206 33] (10 : int8))); goto BB22 } BB21 { 
@@ -3259,13 +3692,15 @@ module CheckedOps_TestI8SubExample absurd } BB22 { - switch ([#"../checked_ops.rs" 206 12 206 40] _30 = ([#"../checked_ops.rs" 206 38 206 40] [#"../checked_ops.rs" 206 38 206 40] (-5 : int8))) + [#"../checked_ops.rs" 206 12 206 40] _29 <- _30 = ([#"../checked_ops.rs" 206 38 206 40] (-5 : int8)); + _30 <- any int8; + switch (_29) | False -> goto BB24 | True -> goto BB23 end } BB23 { - [#"../checked_ops.rs" 207 12 207 36] _34 <- ([#"../checked_ops.rs" 207 12 207 36] saturating_sub0 ([#"../checked_ops.rs" 207 12 207 17] [#"../checked_ops.rs" 207 12 207 17] (120 : int8)) ([#"../checked_ops.rs" 207 33 207 35] [#"../checked_ops.rs" 207 33 207 35] (10 : int8))); + [#"../checked_ops.rs" 207 12 207 36] _34 <- ([#"../checked_ops.rs" 207 12 207 36] saturating_sub0 ([#"../checked_ops.rs" 207 12 207 17] (120 : int8)) ([#"../checked_ops.rs" 207 33 207 35] (10 : int8))); goto BB25 } BB24 { @@ -3273,13 +3708,15 @@ module CheckedOps_TestI8SubExample absurd } BB25 { - switch ([#"../checked_ops.rs" 207 12 207 43] _34 = ([#"../checked_ops.rs" 207 40 207 43] [#"../checked_ops.rs" 207 40 207 43] (110 : int8))) + [#"../checked_ops.rs" 207 12 207 43] _33 <- _34 = ([#"../checked_ops.rs" 207 40 207 43] (110 : int8)); + _34 <- any int8; + switch (_33) | False -> goto BB27 | True -> goto BB26 end } BB26 { - [#"../checked_ops.rs" 208 12 208 39] _38 <- ([#"../checked_ops.rs" 208 12 208 39] saturating_sub0 ([#"../checked_ops.rs" 208 12 208 20] [#"../checked_ops.rs" 208 12 208 20] (-120 : int8)) ([#"../checked_ops.rs" 208 36 208 38] [#"../checked_ops.rs" 208 36 208 38] (10 : int8))); + [#"../checked_ops.rs" 208 12 208 39] _38 <- ([#"../checked_ops.rs" 208 12 208 39] saturating_sub0 ([#"../checked_ops.rs" 208 12 208 20] (-120 : int8)) ([#"../checked_ops.rs" 208 36 208 38] (10 : int8))); goto BB28 } BB27 { 
@@ -3287,13 +3724,15 @@ module CheckedOps_TestI8SubExample absurd } BB28 { - switch ([#"../checked_ops.rs" 208 12 208 47] _38 = ([#"../checked_ops.rs" 208 43 208 47] [#"../checked_ops.rs" 208 43 208 47] (-128 : int8))) + [#"../checked_ops.rs" 208 12 208 47] _37 <- _38 = ([#"../checked_ops.rs" 208 43 208 47] (-128 : int8)); + _38 <- any int8; + switch (_37) | False -> goto BB30 | True -> goto BB29 end } BB29 { - [#"../checked_ops.rs" 210 14 210 37] res <- ([#"../checked_ops.rs" 210 14 210 37] overflowing_sub0 ([#"../checked_ops.rs" 210 14 210 17] [#"../checked_ops.rs" 210 14 210 17] (5 : int8)) ([#"../checked_ops.rs" 210 34 210 36] [#"../checked_ops.rs" 210 34 210 36] (10 : int8))); + [#"../checked_ops.rs" 210 14 210 37] res <- ([#"../checked_ops.rs" 210 14 210 37] overflowing_sub0 ([#"../checked_ops.rs" 210 14 210 17] (5 : int8)) ([#"../checked_ops.rs" 210 34 210 36] (10 : int8))); goto BB31 } BB30 { 
@@ -3301,20 +3740,22 @@ module CheckedOps_TestI8SubExample absurd } BB31 { - switch ([#"../checked_ops.rs" 211 12 211 23] ([#"../checked_ops.rs" 211 12 211 17] let (a, _) = res in a) = ([#"../checked_ops.rs" 211 21 211 23] [#"../checked_ops.rs" 211 21 211 23] (-5 : int8))) + [#"../checked_ops.rs" 211 12 211 23] _42 <- (let (a, _) = res in a) = ([#"../checked_ops.rs" 211 21 211 23] (-5 : int8)); + switch (_42) | False -> goto BB35 | True -> goto BB32 end } BB32 { assume { resolve0 res }; - switch ([#"../checked_ops.rs" 211 27 211 41] Bool.eqb ([#"../checked_ops.rs" 211 27 211 32] let (_, a) = res in a) ([#"../checked_ops.rs" 211 36 211 41] [#"../checked_ops.rs" 211 36 211 41] false)) + [#"../checked_ops.rs" 211 27 211 41] _44 <- Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 211 36 211 41] false); + switch (_44) | False -> goto BB34 | True -> goto BB33 end } BB33 { - [#"../checked_ops.rs" 212 14 212 39] res1 <- ([#"../checked_ops.rs" 212 14 212 39] overflowing_sub0 ([#"../checked_ops.rs" 212 14 212 19] [#"../checked_ops.rs" 212 14 212 19] (120 : int8)) ([#"../checked_ops.rs" 212 36 212 38] [#"../checked_ops.rs" 212 36 212 38] (10 : int8))); + [#"../checked_ops.rs" 212 14 212 39] res1 <- ([#"../checked_ops.rs" 212 14 212 39] overflowing_sub0 ([#"../checked_ops.rs" 212 14 212 19] (120 : int8)) ([#"../checked_ops.rs" 212 36 212 38] (10 : int8))); goto BB37 } BB34 { 
@@ -3329,20 +3770,22 @@ module CheckedOps_TestI8SubExample absurd } BB37 { - switch ([#"../checked_ops.rs" 213 12 213 24] ([#"../checked_ops.rs" 213 12 213 17] let (a, _) = res1 in a) = ([#"../checked_ops.rs" 213 21 213 24] [#"../checked_ops.rs" 213 21 213 24] (110 : int8))) + [#"../checked_ops.rs" 213 12 213 24] _49 <- (let (a, _) = res1 in a) = ([#"../checked_ops.rs" 213 21 213 24] (110 : int8)); + switch (_49) | False -> goto BB41 | True -> goto BB38 end } BB38 { assume { resolve0 res1 }; - switch ([#"../checked_ops.rs" 213 28 213 42] Bool.eqb ([#"../checked_ops.rs" 213 28 213 33] let (_, a) = res1 in a) ([#"../checked_ops.rs" 213 37 213 42] [#"../checked_ops.rs" 213 37 213 42] false)) + [#"../checked_ops.rs" 213 28 213 42] _51 <- Bool.eqb (let (_, a) = res1 in a) ([#"../checked_ops.rs" 213 37 213 42] false); + switch (_51) | False -> goto BB40 | True -> goto BB39 end } BB39 { - [#"../checked_ops.rs" 214 14 214 42] res2 <- ([#"../checked_ops.rs" 214 14 214 42] overflowing_sub0 ([#"../checked_ops.rs" 214 14 214 22] [#"../checked_ops.rs" 214 14 214 22] (-120 : int8)) ([#"../checked_ops.rs" 214 39 214 41] [#"../checked_ops.rs" 214 39 214 41] (10 : int8))); + [#"../checked_ops.rs" 214 14 214 42] res2 <- ([#"../checked_ops.rs" 214 14 214 42] overflowing_sub0 ([#"../checked_ops.rs" 214 14 214 22] (-120 : int8)) ([#"../checked_ops.rs" 214 39 214 41] (10 : int8))); goto BB43 } BB40 { 
@@ -3357,14 +3800,16 @@ module CheckedOps_TestI8SubExample absurd } BB43 { - switch ([#"../checked_ops.rs" 215 12 215 24] ([#"../checked_ops.rs" 215 12 215 17] let (a, _) = res2 in a) = ([#"../checked_ops.rs" 215 21 215 24] [#"../checked_ops.rs" 215 21 215 24] (126 : int8))) + [#"../checked_ops.rs" 215 12 215 24] _56 <- (let (a, _) = res2 in a) = ([#"../checked_ops.rs" 215 21 215 24] (126 : int8)); + switch (_56) | False -> goto BB47 | True -> goto BB44 end } BB44 { assume { resolve0 res2 }; - switch ([#"../checked_ops.rs" 215 28 215 41] Bool.eqb ([#"../checked_ops.rs" 215 28 215 33] let (_, a) = res2 in a) ([#"../checked_ops.rs" 215 37 215 41] [#"../checked_ops.rs" 215 37 215 41] true)) + [#"../checked_ops.rs" 215 28 215 41] _58 <- Bool.eqb (let (_, a) = res2 in a) ([#"../checked_ops.rs" 215 37 215 41] true); + switch (_58) | False -> goto BB46 | True -> goto BB45 end 
@@ -3429,21 +3874,30 @@ module CheckedOps_TestI8SubOverflowPos (8 : uint32) val overflowing_sub0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self - Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self - Int8.to_int rhs > Int8.to_int max0) } val saturating_sub0 (self : int8) (rhs : int8) : int8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> Int8.to_int result = Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> Int8.to_int result = Int8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> Int8.to_int result = Int8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> Int8.to_int result = Int8.to_int max0 } val wrapping_sub0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self - Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int 
min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option int8) : bool 
@@ -3452,7 +3906,8 @@ module CheckedOps_TestI8SubOverflowPos val checked_sub0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self - Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self - Int8.to_int rhs } let rec cfg test_i8_sub_overflow_pos [#"../checked_ops.rs" 220 0 220 38] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) : () requires {[#"../checked_ops.rs" 219 11 219 17] Int8.to_int a > 0} @@ -3462,18 +3917,26 @@ module CheckedOps_TestI8SubOverflowPos var a : int8 = a; var _4 : bool; var _6 : Core_Option_Option_Type.t_option int8; + var _10 : bool; var _11 : int8; + var _13 : int8; + var _14 : int8; + var _18 : bool; var _19 : int8; var res : (int8, bool); + var _25 : bool; + var _27 : int8; + var _28 : int8; + var _30 : bool; { goto BB0 } BB0 { - [#"../checked_ops.rs" 221 12 221 35] _6 <- ([#"../checked_ops.rs" 221 12 221 35] checked_sub0 ([#"../checked_ops.rs" 221 12 221 20] [#"../checked_ops.rs" 221 12 221 20] (-128 : int8)) ([#"../checked_ops.rs" 221 33 221 34] a)); + [#"../checked_ops.rs" 221 12 221 35] _6 <- ([#"../checked_ops.rs" 221 12 221 35] checked_sub0 ([#"../checked_ops.rs" 221 12 221 20] (-128 : int8)) a); goto BB1 } BB1 { - [#"../checked_ops.rs" 221 12 221 45] _4 <- ([#"../checked_ops.rs" 221 12 221 45] is_none0 ([#"../checked_ops.rs" 221 12 221 35] _6)); + [#"../checked_ops.rs" 221 12 221 45] _4 <- ([#"../checked_ops.rs" 221 12 221 45] is_none0 _6); goto BB2 } BB2 { 
@@ -3483,7 +3946,7 @@ module CheckedOps_TestI8SubOverflowPos end } BB3 { - [#"../checked_ops.rs" 222 12 222 36] _11 <- ([#"../checked_ops.rs" 222 12 222 36] wrapping_sub0 ([#"../checked_ops.rs" 222 12 222 20] [#"../checked_ops.rs" 222 12 222 20] (-128 : int8)) ([#"../checked_ops.rs" 222 34 222 35] a)); + [#"../checked_ops.rs" 222 12 222 36] _11 <- ([#"../checked_ops.rs" 222 12 222 36] wrapping_sub0 ([#"../checked_ops.rs" 222 12 222 20] (-128 : int8)) a); goto BB5 } BB4 { @@ -3491,13 +3954,19 @@ module CheckedOps_TestI8SubOverflowPos absurd } BB5 { - switch ([#"../checked_ops.rs" 222 12 222 51] _11 = ([#"../checked_ops.rs" 222 40 222 51] ([#"../checked_ops.rs" 222 40 222 47] ([#"../checked_ops.rs" 222 40 222 43] [#"../checked_ops.rs" 222 40 222 43] (127 : int8)) - ([#"../checked_ops.rs" 222 46 222 47] a)) + ([#"../checked_ops.rs" 222 50 222 51] [#"../checked_ops.rs" 222 50 222 51] (1 : int8)))) + [#"../checked_ops.rs" 222 40 222 47] _14 <- ([#"../checked_ops.rs" 222 40 222 43] (127 : int8)) - a; + [#"../checked_ops.rs" 222 40 222 51] _13 <- _14 + ([#"../checked_ops.rs" 222 50 222 51] (1 : int8)); + _14 <- any int8; + [#"../checked_ops.rs" 222 12 222 51] _10 <- _11 = _13; + _11 <- any int8; + _13 <- any int8; + switch (_10) | False -> goto BB7 | True -> goto BB6 end } BB6 { - [#"../checked_ops.rs" 223 12 223 38] _19 <- ([#"../checked_ops.rs" 223 12 223 38] saturating_sub0 ([#"../checked_ops.rs" 223 12 223 20] [#"../checked_ops.rs" 223 12 223 20] (-128 : int8)) ([#"../checked_ops.rs" 223 36 223 37] a)); + [#"../checked_ops.rs" 223 12 223 38] _19 <- ([#"../checked_ops.rs" 223 12 223 38] saturating_sub0 ([#"../checked_ops.rs" 223 12 223 20] (-128 : int8)) a); goto BB8 } BB7 { 
@@ -3505,13 +3974,15 @@ module CheckedOps_TestI8SubOverflowPos absurd } BB8 { - switch ([#"../checked_ops.rs" 223 12 223 46] _19 = ([#"../checked_ops.rs" 223 42 223 46] [#"../checked_ops.rs" 223 42 223 46] (-128 : int8))) + [#"../checked_ops.rs" 223 12 223 46] _18 <- _19 = ([#"../checked_ops.rs" 223 42 223 46] (-128 : int8)); + _19 <- any int8; + switch (_18) | False -> goto BB10 | True -> goto BB9 end } BB9 { - [#"../checked_ops.rs" 224 14 224 41] res <- ([#"../checked_ops.rs" 224 14 224 41] overflowing_sub0 ([#"../checked_ops.rs" 224 14 224 22] [#"../checked_ops.rs" 224 14 224 22] (-128 : int8)) ([#"../checked_ops.rs" 224 39 224 40] a)); + [#"../checked_ops.rs" 224 14 224 41] res <- ([#"../checked_ops.rs" 224 14 224 41] overflowing_sub0 ([#"../checked_ops.rs" 224 14 224 22] (-128 : int8)) a); goto BB11 } BB10 { 
@@ -3519,14 +3990,20 @@ module CheckedOps_TestI8SubOverflowPos absurd } BB11 { - switch ([#"../checked_ops.rs" 225 12 225 32] ([#"../checked_ops.rs" 225 12 225 17] let (a, _) = res in a) = ([#"../checked_ops.rs" 225 21 225 32] ([#"../checked_ops.rs" 225 21 225 28] ([#"../checked_ops.rs" 225 21 225 24] [#"../checked_ops.rs" 225 21 225 24] (127 : int8)) - ([#"../checked_ops.rs" 225 27 225 28] a)) + ([#"../checked_ops.rs" 225 31 225 32] [#"../checked_ops.rs" 225 31 225 32] (1 : int8)))) + [#"../checked_ops.rs" 225 21 225 28] _28 <- ([#"../checked_ops.rs" 225 21 225 24] (127 : int8)) - a; + [#"../checked_ops.rs" 225 21 225 32] _27 <- _28 + ([#"../checked_ops.rs" 225 31 225 32] (1 : int8)); + _28 <- any int8; + [#"../checked_ops.rs" 225 12 225 32] _25 <- (let (a, _) = res in a) = _27; + _27 <- any int8; + switch (_25) | False -> goto BB15 | True -> goto BB12 end } BB12 { assume { resolve0 res }; - switch ([#"../checked_ops.rs" 225 36 225 49] Bool.eqb ([#"../checked_ops.rs" 225 36 225 41] let (_, a) = res in a) ([#"../checked_ops.rs" 225 45 225 49] [#"../checked_ops.rs" 225 45 225 49] true)) + [#"../checked_ops.rs" 225 36 225 49] _30 <- Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 225 45 225 49] true); + switch (_30) | False -> goto BB14 | True -> goto BB13 end 
@@ -3591,21 +4068,30 @@ module CheckedOps_TestI8SubOverflowNeg (8 : uint32) val overflowing_sub0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self - Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self - Int8.to_int rhs > Int8.to_int max0) } val saturating_sub0 (self : int8) (rhs : int8) : int8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> Int8.to_int result = Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> Int8.to_int result = Int8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> Int8.to_int result = Int8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> Int8.to_int result = Int8.to_int max0 } val wrapping_sub0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self - Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int 
min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option int8) : bool 
@@ -3614,7 +4100,8 @@ module CheckedOps_TestI8SubOverflowNeg val checked_sub0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self - Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self - Int8.to_int rhs } let rec cfg test_i8_sub_overflow_neg [#"../checked_ops.rs" 230 0 230 38] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) : () requires {[#"../checked_ops.rs" 229 11 229 17] Int8.to_int a < 0} 
@@ -3624,18 +4111,28 @@ module CheckedOps_TestI8SubOverflowNeg var a : int8 = a; var _4 : bool; var _6 : Core_Option_Option_Type.t_option int8; + var _10 : bool; var _11 : int8; + var _13 : int8; + var _14 : int8; + var _15 : int8; + var _19 : bool; var _20 : int8; var res : (int8, bool); + var _26 : bool; + var _28 : int8; + var _29 : int8; + var _30 : int8; + var _32 : bool; { goto BB0 } BB0 { - [#"../checked_ops.rs" 231 12 231 32] _6 <- ([#"../checked_ops.rs" 231 12 231 32] checked_sub0 ([#"../checked_ops.rs" 231 12 231 17] [#"../checked_ops.rs" 231 12 231 17] (127 : int8)) ([#"../checked_ops.rs" 231 30 231 31] a)); + [#"../checked_ops.rs" 231 12 231 32] _6 <- ([#"../checked_ops.rs" 231 12 231 32] checked_sub0 ([#"../checked_ops.rs" 231 12 231 17] (127 : int8)) a); goto BB1 } BB1 { - [#"../checked_ops.rs" 231 12 231 42] _4 <- ([#"../checked_ops.rs" 231 12 231 42] is_none0 ([#"../checked_ops.rs" 231 12 231 32] _6)); + [#"../checked_ops.rs" 231 12 231 42] _4 <- ([#"../checked_ops.rs" 231 12 231 42] is_none0 _6); goto BB2 } BB2 { @@ -3645,7 +4142,7 @@ module CheckedOps_TestI8SubOverflowNeg end } BB3 { - [#"../checked_ops.rs" 232 12 232 33] _11 <- ([#"../checked_ops.rs" 232 12 232 33] wrapping_sub0 ([#"../checked_ops.rs" 232 12 232 17] [#"../checked_ops.rs" 232 12 232 17] (127 : int8)) ([#"../checked_ops.rs" 232 31 232 32] a)); + [#"../checked_ops.rs" 232 12 232 33] _11 <- ([#"../checked_ops.rs" 232 12 232 33] wrapping_sub0 ([#"../checked_ops.rs" 232 12 232 17] (127 : int8)) a); goto BB5 } BB4 { 
@@ -3653,13 +4150,21 @@ module CheckedOps_TestI8SubOverflowNeg absurd } BB5 { - switch ([#"../checked_ops.rs" 232 12 232 51] _11 = ([#"../checked_ops.rs" 232 37 232 51] ([#"../checked_ops.rs" 232 37 232 45] - ([#"../checked_ops.rs" 232 38 232 45] ([#"../checked_ops.rs" 232 39 232 40] [#"../checked_ops.rs" 232 39 232 40] (2 : int8)) + ([#"../checked_ops.rs" 232 43 232 44] a))) - ([#"../checked_ops.rs" 232 48 232 51] [#"../checked_ops.rs" 232 48 232 51] (127 : int8)))) + [#"../checked_ops.rs" 232 38 232 45] _15 <- ([#"../checked_ops.rs" 232 39 232 40] (2 : int8)) + a; + [#"../checked_ops.rs" 232 37 232 45] _14 <- - _15; + _15 <- any int8; + [#"../checked_ops.rs" 232 37 232 51] _13 <- _14 - ([#"../checked_ops.rs" 232 48 232 51] (127 : int8)); + _14 <- any int8; + [#"../checked_ops.rs" 232 12 232 51] _10 <- _11 = _13; + _11 <- any int8; + _13 <- any int8; + switch (_10) | False -> goto BB7 | True -> goto BB6 end } BB6 { - [#"../checked_ops.rs" 233 12 233 35] _20 <- ([#"../checked_ops.rs" 233 12 233 35] saturating_sub0 ([#"../checked_ops.rs" 233 12 233 17] [#"../checked_ops.rs" 233 12 233 17] (127 : int8)) ([#"../checked_ops.rs" 233 33 233 34] a)); + [#"../checked_ops.rs" 233 12 233 35] _20 <- ([#"../checked_ops.rs" 233 12 233 35] saturating_sub0 ([#"../checked_ops.rs" 233 12 233 17] (127 : int8)) a); goto BB8 } BB7 { 
@@ -3667,13 +4172,15 @@ module CheckedOps_TestI8SubOverflowNeg absurd } BB8 { - switch ([#"../checked_ops.rs" 233 12 233 42] _20 = ([#"../checked_ops.rs" 233 39 233 42] [#"../checked_ops.rs" 233 39 233 42] (127 : int8))) + [#"../checked_ops.rs" 233 12 233 42] _19 <- _20 = ([#"../checked_ops.rs" 233 39 233 42] (127 : int8)); + _20 <- any int8; + switch (_19) | False -> goto BB10 | True -> goto BB9 end } BB9 { - [#"../checked_ops.rs" 234 14 234 38] res <- ([#"../checked_ops.rs" 234 14 234 38] overflowing_sub0 ([#"../checked_ops.rs" 234 14 234 19] [#"../checked_ops.rs" 234 14 234 19] (127 : int8)) ([#"../checked_ops.rs" 234 36 234 37] a)); + [#"../checked_ops.rs" 234 14 234 38] res <- ([#"../checked_ops.rs" 234 14 234 38] overflowing_sub0 ([#"../checked_ops.rs" 234 14 234 19] (127 : int8)) a); goto BB11 } BB10 { 
@@ -3681,14 +4188,22 @@ module CheckedOps_TestI8SubOverflowNeg absurd } BB11 { - switch ([#"../checked_ops.rs" 235 12 235 35] ([#"../checked_ops.rs" 235 12 235 17] let (a, _) = res in a) = ([#"../checked_ops.rs" 235 21 235 35] ([#"../checked_ops.rs" 235 21 235 29] - ([#"../checked_ops.rs" 235 22 235 29] ([#"../checked_ops.rs" 235 23 235 24] [#"../checked_ops.rs" 235 23 235 24] (2 : int8)) + ([#"../checked_ops.rs" 235 27 235 28] a))) - ([#"../checked_ops.rs" 235 32 235 35] [#"../checked_ops.rs" 235 32 235 35] (127 : int8)))) + [#"../checked_ops.rs" 235 22 235 29] _30 <- ([#"../checked_ops.rs" 235 23 235 24] (2 : int8)) + a; + [#"../checked_ops.rs" 235 21 235 29] _29 <- - _30; + _30 <- any int8; + [#"../checked_ops.rs" 235 21 235 35] _28 <- _29 - ([#"../checked_ops.rs" 235 32 235 35] (127 : int8)); + _29 <- any int8; + [#"../checked_ops.rs" 235 12 235 35] _26 <- (let (a, _) = res in a) = _28; + _28 <- any int8; + switch (_26) | False -> goto BB15 | True -> goto BB12 end } BB12 { assume { resolve0 res }; - switch ([#"../checked_ops.rs" 235 39 235 52] Bool.eqb ([#"../checked_ops.rs" 235 39 235 44] let (_, a) = res in a) ([#"../checked_ops.rs" 235 48 235 52] [#"../checked_ops.rs" 235 48 235 52] true)) + [#"../checked_ops.rs" 235 39 235 52] _32 <- Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 235 48 235 52] true); + switch (_32) | False -> goto BB14 | True -> goto BB13 end 
@@ -3726,9 +4241,12 @@ module CheckedOps_TestI8WrappingSub (8 : uint32) val wrapping_sub0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self - Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } let rec cfg test_i8_wrapping_sub [#"../checked_ops.rs" 241 0 241 47] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) (b : int8) : int8 ensures { [#"../checked_ops.rs" 240 10 240 84] Int8.to_int result = Int8.to_int a - Int8.to_int b \/ Int8.to_int result = Int8.to_int a - Int8.to_int b + 256 \/ Int8.to_int result = Int8.to_int a - Int8.to_int b - 256 } @@ -3741,7 +4259,7 @@ module CheckedOps_TestI8WrappingSub goto BB0 } BB0 { - [#"../checked_ops.rs" 242 4 242 21] _0 <- ([#"../checked_ops.rs" 242 4 242 21] wrapping_sub0 ([#"../checked_ops.rs" 242 4 242 5] a) ([#"../checked_ops.rs" 242 19 242 20] b)); + [#"../checked_ops.rs" 242 4 242 21] _0 <- ([#"../checked_ops.rs" 242 4 242 21] wrapping_sub0 a b); goto BB1 } BB1 { @@ -3776,7 +4294,8 @@ module CheckedOps_TestI8OverflowingSub use prelude.Int8 val checked_sub0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self - Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self - Int8.to_int rhs } use prelude.UInt32 use int.EuclideanDivision 
@@ -3786,9 +4305,12 @@ module CheckedOps_TestI8OverflowingSub (8 : uint32) val wrapping_sub0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self - Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int result = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } predicate resolve2 (self : bool) = [#"../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true 
@@ -3807,9 +4329,12 @@ module CheckedOps_TestI8OverflowingSub val overflowing_sub0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self - Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self - Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self - Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self - Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self - Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self - Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self - Int8.to_int rhs > Int8.to_int max0) } let rec cfg test_i8_overflowing_sub [#"../checked_ops.rs" 246 0 246 44] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) (b : int8) : () @@ -3818,8 +4343,10 @@ module CheckedOps_TestI8OverflowingSub var _0 : (); var a : int8 = a; var b : int8 = b; + var _4 : bool; var _6 : (int8, bool); var _9 : int8; + var _14 : bool; var _16 : (int8, bool); var _19 : bool; var _21 : Core_Option_Option_Type.t_option int8; 
@@ -3827,22 +4354,24 @@ module CheckedOps_TestI8OverflowingSub goto BB0 } BB0 { - [#"../checked_ops.rs" 247 12 247 32] _6 <- ([#"../checked_ops.rs" 247 12 247 32] overflowing_sub0 ([#"../checked_ops.rs" 247 12 247 13] a) ([#"../checked_ops.rs" 247 30 247 31] b)); + [#"../checked_ops.rs" 247 12 247 32] _6 <- ([#"../checked_ops.rs" 247 12 247 32] overflowing_sub0 a b); goto BB1 } BB1 { assume { resolve0 _6 }; - [#"../checked_ops.rs" 247 38 247 55] _9 <- ([#"../checked_ops.rs" 247 38 247 55] wrapping_sub0 ([#"../checked_ops.rs" 247 38 247 39] a) ([#"../checked_ops.rs" 247 53 247 54] b)); + [#"../checked_ops.rs" 247 38 247 55] _9 <- ([#"../checked_ops.rs" 247 38 247 55] wrapping_sub0 a b); goto BB2 } BB2 { - switch ([#"../checked_ops.rs" 247 12 247 55] ([#"../checked_ops.rs" 247 12 247 34] let (a, _) = _6 in a) = _9) + [#"../checked_ops.rs" 247 12 247 55] _4 <- (let (a, _) = _6 in a) = _9; + _9 <- any int8; + switch (_4) | False -> goto BB4 | True -> goto BB3 end } BB3 { - [#"../checked_ops.rs" 248 12 248 32] _16 <- ([#"../checked_ops.rs" 248 12 248 32] overflowing_sub0 ([#"../checked_ops.rs" 248 12 248 13] a) ([#"../checked_ops.rs" 248 30 248 31] b)); + [#"../checked_ops.rs" 248 12 248 32] _16 <- ([#"../checked_ops.rs" 248 12 248 32] overflowing_sub0 a b); goto BB5 } BB4 { 
@@ -3851,15 +4380,17 @@ module CheckedOps_TestI8OverflowingSub } BB5 { assume { resolve0 _16 }; - [#"../checked_ops.rs" 248 38 248 54] _21 <- ([#"../checked_ops.rs" 248 38 248 54] checked_sub0 ([#"../checked_ops.rs" 248 38 248 39] a) ([#"../checked_ops.rs" 248 52 248 53] b)); + [#"../checked_ops.rs" 248 38 248 54] _21 <- ([#"../checked_ops.rs" 248 38 248 54] checked_sub0 a b); goto BB6 } BB6 { - [#"../checked_ops.rs" 248 38 248 64] _19 <- ([#"../checked_ops.rs" 248 38 248 64] is_none0 ([#"../checked_ops.rs" 248 38 248 54] _21)); + [#"../checked_ops.rs" 248 38 248 64] _19 <- ([#"../checked_ops.rs" 248 38 248 64] is_none0 _21); goto BB7 } BB7 { - switch ([#"../checked_ops.rs" 248 12 248 64] Bool.eqb ([#"../checked_ops.rs" 248 12 248 34] let (_, a) = _16 in a) _19) + [#"../checked_ops.rs" 248 12 248 64] _14 <- Bool.eqb (let (_, a) = _16 in a) _19; + _19 <- any bool; + switch (_14) | False -> goto BB9 | True -> goto BB8 end 
@@ -3937,21 +4468,30 @@ module CheckedOps_TestI8MulExample use prelude.Int8 val overflowing_mul0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self * Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self * Int8.to_int rhs > Int8.to_int max0) } val saturating_mul0 (self : int8) (rhs : int8) : int8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self * Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 -> Int8.to_int result = Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 -> Int8.to_int result = Int8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 + -> Int8.to_int result = Int8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 + -> Int8.to_int result = Int8.to_int max0 } val wrapping_mul0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self * Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int 
min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self * Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } use prelude.Borrow val is_none0 (self : Core_Option_Option_Type.t_option int8) : bool 
@@ -3966,32 +4506,46 @@ module CheckedOps_TestI8MulExample val checked_mul0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self * Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self * Int8.to_int rhs } let rec cfg test_i8_mul_example [#"../checked_ops.rs" 252 0 252 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); + var _2 : bool; var _3 : int8; var _4 : Core_Option_Option_Type.t_option int8; var _7 : bool; var _9 : Core_Option_Option_Type.t_option int8; var _12 : bool; var _14 : Core_Option_Option_Type.t_option int8; + var _17 : bool; var _18 : int8; + var _21 : bool; var _22 : int8; + var _25 : bool; var _26 : int8; + var _29 : bool; var _30 : int8; + var _33 : bool; var _34 : int8; + var _37 : bool; var _38 : int8; var res : (int8, bool); + var _42 : bool; + var _44 : bool; var res1 : (int8, bool); + var _49 : bool; + var _51 : bool; var res2 : (int8, bool); + var _56 : bool; + var _58 : bool; { goto BB0 } BB0 { - [#"../checked_ops.rs" 253 12 253 31] _4 <- ([#"../checked_ops.rs" 253 12 253 31] checked_mul0 ([#"../checked_ops.rs" 253 12 253 15] [#"../checked_ops.rs" 253 12 253 15] (5 : int8)) ([#"../checked_ops.rs" 253 28 253 30] [#"../checked_ops.rs" 253 28 253 30] (10 : int8))); + [#"../checked_ops.rs" 253 12 253 31] _4 <- ([#"../checked_ops.rs" 253 12 253 31] checked_mul0 ([#"../checked_ops.rs" 253 12 253 15] (5 : int8)) ([#"../checked_ops.rs" 253 28 
253 30] (10 : int8))); goto BB1 } BB1 { @@ -4000,13 +4554,15 @@ module CheckedOps_TestI8MulExample goto BB2 } BB2 { - switch ([#"../checked_ops.rs" 253 12 253 46] _3 = ([#"../checked_ops.rs" 253 44 253 46] [#"../checked_ops.rs" 253 44 253 46] (50 : int8))) + [#"../checked_ops.rs" 253 12 253 46] _2 <- _3 = ([#"../checked_ops.rs" 253 44 253 46] (50 : int8)); + _3 <- any int8; + switch (_2) | False -> goto BB4 | True -> goto BB3 end } BB3 { - [#"../checked_ops.rs" 254 12 254 32] _9 <- ([#"../checked_ops.rs" 254 12 254 32] checked_mul0 ([#"../checked_ops.rs" 254 12 254 16] [#"../checked_ops.rs" 254 12 254 16] (50 : int8)) ([#"../checked_ops.rs" 254 29 254 31] [#"../checked_ops.rs" 254 29 254 31] (10 : int8))); + [#"../checked_ops.rs" 254 12 254 32] _9 <- ([#"../checked_ops.rs" 254 12 254 32] checked_mul0 ([#"../checked_ops.rs" 254 12 254 16] (50 : int8)) ([#"../checked_ops.rs" 254 29 254 31] (10 : int8))); goto BB5 } BB4 { @@ -4014,7 +4570,7 @@ module CheckedOps_TestI8MulExample absurd } BB5 { - [#"../checked_ops.rs" 254 12 254 42] _7 <- ([#"../checked_ops.rs" 254 12 254 42] is_none0 ([#"../checked_ops.rs" 254 12 254 32] _9)); + [#"../checked_ops.rs" 254 12 254 42] _7 <- ([#"../checked_ops.rs" 254 12 254 42] is_none0 _9); goto BB6 } BB6 { @@ -4024,7 +4580,7 @@ module CheckedOps_TestI8MulExample end } BB7 { - [#"../checked_ops.rs" 255 12 255 33] _14 <- ([#"../checked_ops.rs" 255 12 255 33] checked_mul0 ([#"../checked_ops.rs" 255 12 255 16] [#"../checked_ops.rs" 255 12 255 16] (50 : int8)) ([#"../checked_ops.rs" 255 29 255 32] [#"../checked_ops.rs" 255 29 255 32] (-10 : int8))); + [#"../checked_ops.rs" 255 12 255 33] _14 <- ([#"../checked_ops.rs" 255 12 255 33] checked_mul0 ([#"../checked_ops.rs" 255 12 255 16] (50 : int8)) ([#"../checked_ops.rs" 255 29 255 32] (-10 : int8))); goto BB9 } BB8 { 
@@ -4032,7 +4588,7 @@ module CheckedOps_TestI8MulExample absurd } BB9 { - [#"../checked_ops.rs" 255 12 255 43] _12 <- ([#"../checked_ops.rs" 255 12 255 43] is_none0 ([#"../checked_ops.rs" 255 12 255 33] _14)); + [#"../checked_ops.rs" 255 12 255 43] _12 <- ([#"../checked_ops.rs" 255 12 255 43] is_none0 _14); goto BB10 } BB10 { @@ -4042,7 +4598,7 @@ module CheckedOps_TestI8MulExample end } BB11 { - [#"../checked_ops.rs" 257 12 257 32] _18 <- ([#"../checked_ops.rs" 257 12 257 32] wrapping_mul0 ([#"../checked_ops.rs" 257 12 257 15] [#"../checked_ops.rs" 257 12 257 15] (5 : int8)) ([#"../checked_ops.rs" 257 29 257 31] [#"../checked_ops.rs" 257 29 257 31] (10 : int8))); + [#"../checked_ops.rs" 257 12 257 32] _18 <- ([#"../checked_ops.rs" 257 12 257 32] wrapping_mul0 ([#"../checked_ops.rs" 257 12 257 15] (5 : int8)) ([#"../checked_ops.rs" 257 29 257 31] (10 : int8))); goto BB13 } BB12 { @@ -4050,13 +4606,15 @@ module CheckedOps_TestI8MulExample absurd } BB13 { - switch ([#"../checked_ops.rs" 257 12 257 38] _18 = ([#"../checked_ops.rs" 257 36 257 38] [#"../checked_ops.rs" 257 36 257 38] (50 : int8))) + [#"../checked_ops.rs" 257 12 257 38] _17 <- _18 = ([#"../checked_ops.rs" 257 36 257 38] (50 : int8)); + _18 <- any int8; + switch (_17) | False -> goto BB15 | True -> goto BB14 end } BB14 { - [#"../checked_ops.rs" 258 12 258 33] _22 <- ([#"../checked_ops.rs" 258 12 258 33] wrapping_mul0 ([#"../checked_ops.rs" 258 12 258 16] [#"../checked_ops.rs" 258 12 258 16] (50 : int8)) ([#"../checked_ops.rs" 258 30 258 32] [#"../checked_ops.rs" 258 30 258 32] (10 : int8))); + [#"../checked_ops.rs" 258 12 258 33] _22 <- ([#"../checked_ops.rs" 258 12 258 33] wrapping_mul0 ([#"../checked_ops.rs" 258 12 258 16] (50 : int8)) ([#"../checked_ops.rs" 258 30 258 32] (10 : int8))); goto BB16 } BB15 { 
@@ -4064,13 +4622,15 @@ module CheckedOps_TestI8MulExample absurd } BB16 { - switch ([#"../checked_ops.rs" 258 12 258 40] _22 = ([#"../checked_ops.rs" 258 37 258 40] [#"../checked_ops.rs" 258 37 258 40] (-12 : int8))) + [#"../checked_ops.rs" 258 12 258 40] _21 <- _22 = ([#"../checked_ops.rs" 258 37 258 40] (-12 : int8)); + _22 <- any int8; + switch (_21) | False -> goto BB18 | True -> goto BB17 end } BB17 { - [#"../checked_ops.rs" 259 12 259 34] _26 <- ([#"../checked_ops.rs" 259 12 259 34] wrapping_mul0 ([#"../checked_ops.rs" 259 12 259 16] [#"../checked_ops.rs" 259 12 259 16] (50 : int8)) ([#"../checked_ops.rs" 259 30 259 33] [#"../checked_ops.rs" 259 30 259 33] (-10 : int8))); + [#"../checked_ops.rs" 259 12 259 34] _26 <- ([#"../checked_ops.rs" 259 12 259 34] wrapping_mul0 ([#"../checked_ops.rs" 259 12 259 16] (50 : int8)) ([#"../checked_ops.rs" 259 30 259 33] (-10 : int8))); goto BB19 } BB18 { @@ -4078,13 +4638,15 @@ module CheckedOps_TestI8MulExample absurd } BB19 { - switch ([#"../checked_ops.rs" 259 12 259 40] _26 = ([#"../checked_ops.rs" 259 38 259 40] [#"../checked_ops.rs" 259 38 259 40] (12 : int8))) + [#"../checked_ops.rs" 259 12 259 40] _25 <- _26 = ([#"../checked_ops.rs" 259 38 259 40] (12 : int8)); + _26 <- any int8; + switch (_25) | False -> goto BB21 | True -> goto BB20 end } BB20 { - [#"../checked_ops.rs" 261 12 261 34] _30 <- ([#"../checked_ops.rs" 261 12 261 34] saturating_mul0 ([#"../checked_ops.rs" 261 12 261 15] [#"../checked_ops.rs" 261 12 261 15] (5 : int8)) ([#"../checked_ops.rs" 261 31 261 33] [#"../checked_ops.rs" 261 31 261 33] (10 : int8))); + [#"../checked_ops.rs" 261 12 261 34] _30 <- ([#"../checked_ops.rs" 261 12 261 34] saturating_mul0 ([#"../checked_ops.rs" 261 12 261 15] (5 : int8)) ([#"../checked_ops.rs" 261 31 261 33] (10 : int8))); goto BB22 } BB21 { 
@@ -4092,13 +4654,15 @@ module CheckedOps_TestI8MulExample absurd } BB22 { - switch ([#"../checked_ops.rs" 261 12 261 40] _30 = ([#"../checked_ops.rs" 261 38 261 40] [#"../checked_ops.rs" 261 38 261 40] (50 : int8))) + [#"../checked_ops.rs" 261 12 261 40] _29 <- _30 = ([#"../checked_ops.rs" 261 38 261 40] (50 : int8)); + _30 <- any int8; + switch (_29) | False -> goto BB24 | True -> goto BB23 end } BB23 { - [#"../checked_ops.rs" 262 12 262 35] _34 <- ([#"../checked_ops.rs" 262 12 262 35] saturating_mul0 ([#"../checked_ops.rs" 262 12 262 16] [#"../checked_ops.rs" 262 12 262 16] (50 : int8)) ([#"../checked_ops.rs" 262 32 262 34] [#"../checked_ops.rs" 262 32 262 34] (10 : int8))); + [#"../checked_ops.rs" 262 12 262 35] _34 <- ([#"../checked_ops.rs" 262 12 262 35] saturating_mul0 ([#"../checked_ops.rs" 262 12 262 16] (50 : int8)) ([#"../checked_ops.rs" 262 32 262 34] (10 : int8))); goto BB25 } BB24 { @@ -4106,13 +4670,15 @@ module CheckedOps_TestI8MulExample absurd } BB25 { - switch ([#"../checked_ops.rs" 262 12 262 42] _34 = ([#"../checked_ops.rs" 262 39 262 42] [#"../checked_ops.rs" 262 39 262 42] (127 : int8))) + [#"../checked_ops.rs" 262 12 262 42] _33 <- _34 = ([#"../checked_ops.rs" 262 39 262 42] (127 : int8)); + _34 <- any int8; + switch (_33) | False -> goto BB27 | True -> goto BB26 end } BB26 { - [#"../checked_ops.rs" 263 12 263 36] _38 <- ([#"../checked_ops.rs" 263 12 263 36] saturating_mul0 ([#"../checked_ops.rs" 263 12 263 16] [#"../checked_ops.rs" 263 12 263 16] (50 : int8)) ([#"../checked_ops.rs" 263 32 263 35] [#"../checked_ops.rs" 263 32 263 35] (-10 : int8))); + [#"../checked_ops.rs" 263 12 263 36] _38 <- ([#"../checked_ops.rs" 263 12 263 36] saturating_mul0 ([#"../checked_ops.rs" 263 12 263 16] (50 : int8)) ([#"../checked_ops.rs" 263 32 263 35] (-10 : int8))); goto BB28 } BB27 { 
@@ -4120,13 +4686,15 @@ module CheckedOps_TestI8MulExample absurd } BB28 { - switch ([#"../checked_ops.rs" 263 12 263 44] _38 = ([#"../checked_ops.rs" 263 40 263 44] [#"../checked_ops.rs" 263 40 263 44] (-128 : int8))) + [#"../checked_ops.rs" 263 12 263 44] _37 <- _38 = ([#"../checked_ops.rs" 263 40 263 44] (-128 : int8)); + _38 <- any int8; + switch (_37) | False -> goto BB30 | True -> goto BB29 end } BB29 { - [#"../checked_ops.rs" 265 14 265 37] res <- ([#"../checked_ops.rs" 265 14 265 37] overflowing_mul0 ([#"../checked_ops.rs" 265 14 265 17] [#"../checked_ops.rs" 265 14 265 17] (5 : int8)) ([#"../checked_ops.rs" 265 34 265 36] [#"../checked_ops.rs" 265 34 265 36] (10 : int8))); + [#"../checked_ops.rs" 265 14 265 37] res <- ([#"../checked_ops.rs" 265 14 265 37] overflowing_mul0 ([#"../checked_ops.rs" 265 14 265 17] (5 : int8)) ([#"../checked_ops.rs" 265 34 265 36] (10 : int8))); goto BB31 } BB30 { 
@@ -4134,20 +4702,22 @@ module CheckedOps_TestI8MulExample absurd } BB31 { - switch ([#"../checked_ops.rs" 266 12 266 23] ([#"../checked_ops.rs" 266 12 266 17] let (a, _) = res in a) = ([#"../checked_ops.rs" 266 21 266 23] [#"../checked_ops.rs" 266 21 266 23] (50 : int8))) + [#"../checked_ops.rs" 266 12 266 23] _42 <- (let (a, _) = res in a) = ([#"../checked_ops.rs" 266 21 266 23] (50 : int8)); + switch (_42) | False -> goto BB35 | True -> goto BB32 end } BB32 { assume { resolve0 res }; - switch ([#"../checked_ops.rs" 266 27 266 41] Bool.eqb ([#"../checked_ops.rs" 266 27 266 32] let (_, a) = res in a) ([#"../checked_ops.rs" 266 36 266 41] [#"../checked_ops.rs" 266 36 266 41] false)) + [#"../checked_ops.rs" 266 27 266 41] _44 <- Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 266 36 266 41] false); + switch (_44) | False -> goto BB34 | True -> goto BB33 end } BB33 { - [#"../checked_ops.rs" 267 14 267 38] res1 <- ([#"../checked_ops.rs" 267 14 267 38] overflowing_mul0 ([#"../checked_ops.rs" 267 14 267 18] [#"../checked_ops.rs" 267 14 267 18] (50 : int8)) ([#"../checked_ops.rs" 267 35 267 37] [#"../checked_ops.rs" 267 35 267 37] (10 : int8))); + [#"../checked_ops.rs" 267 14 267 38] res1 <- ([#"../checked_ops.rs" 267 14 267 38] overflowing_mul0 ([#"../checked_ops.rs" 267 14 267 18] (50 : int8)) ([#"../checked_ops.rs" 267 35 267 37] (10 : int8))); goto BB37 } BB34 { 
@@ -4162,20 +4732,22 @@ module CheckedOps_TestI8MulExample absurd } BB37 { - switch ([#"../checked_ops.rs" 268 12 268 24] ([#"../checked_ops.rs" 268 12 268 17] let (a, _) = res1 in a) = ([#"../checked_ops.rs" 268 21 268 24] [#"../checked_ops.rs" 268 21 268 24] (-12 : int8))) + [#"../checked_ops.rs" 268 12 268 24] _49 <- (let (a, _) = res1 in a) = ([#"../checked_ops.rs" 268 21 268 24] (-12 : int8)); + switch (_49) | False -> goto BB41 | True -> goto BB38 end } BB38 { assume { resolve0 res1 }; - switch ([#"../checked_ops.rs" 268 28 268 41] Bool.eqb ([#"../checked_ops.rs" 268 28 268 33] let (_, a) = res1 in a) ([#"../checked_ops.rs" 268 37 268 41] [#"../checked_ops.rs" 268 37 268 41] true)) + [#"../checked_ops.rs" 268 28 268 41] _51 <- Bool.eqb (let (_, a) = res1 in a) ([#"../checked_ops.rs" 268 37 268 41] true); + switch (_51) | False -> goto BB40 | True -> goto BB39 end } BB39 { - [#"../checked_ops.rs" 269 14 269 39] res2 <- ([#"../checked_ops.rs" 269 14 269 39] overflowing_mul0 ([#"../checked_ops.rs" 269 14 269 18] [#"../checked_ops.rs" 269 14 269 18] (50 : int8)) ([#"../checked_ops.rs" 269 35 269 38] [#"../checked_ops.rs" 269 35 269 38] (-10 : int8))); + [#"../checked_ops.rs" 269 14 269 39] res2 <- ([#"../checked_ops.rs" 269 14 269 39] overflowing_mul0 ([#"../checked_ops.rs" 269 14 269 18] (50 : int8)) ([#"../checked_ops.rs" 269 35 269 38] (-10 : int8))); goto BB43 } BB40 { 
@@ -4190,14 +4762,16 @@ module CheckedOps_TestI8MulExample absurd } BB43 { - switch ([#"../checked_ops.rs" 270 12 270 23] ([#"../checked_ops.rs" 270 12 270 17] let (a, _) = res2 in a) = ([#"../checked_ops.rs" 270 21 270 23] [#"../checked_ops.rs" 270 21 270 23] (12 : int8))) + [#"../checked_ops.rs" 270 12 270 23] _56 <- (let (a, _) = res2 in a) = ([#"../checked_ops.rs" 270 21 270 23] (12 : int8)); + switch (_56) | False -> goto BB47 | True -> goto BB44 end } BB44 { assume { resolve0 res2 }; - switch ([#"../checked_ops.rs" 270 27 270 40] Bool.eqb ([#"../checked_ops.rs" 270 27 270 32] let (_, a) = res2 in a) ([#"../checked_ops.rs" 270 36 270 40] [#"../checked_ops.rs" 270 36 270 40] true)) + [#"../checked_ops.rs" 270 27 270 40] _58 <- Bool.eqb (let (_, a) = res2 in a) ([#"../checked_ops.rs" 270 36 270 40] true); + switch (_58) | False -> goto BB46 | True -> goto BB45 end 
@@ -4272,21 +4846,30 @@ module CheckedOps_TestI8MulZero use prelude.Int8 val overflowing_mul0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self * Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self * Int8.to_int rhs > Int8.to_int max0) } val saturating_mul0 (self : int8) (rhs : int8) : int8 - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self * Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 -> Int8.to_int result = Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 -> Int8.to_int result = Int8.to_int max0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 161 16 164 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 166 16 166 85] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 + -> Int8.to_int result = Int8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 167 16 167 85] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 + -> Int8.to_int result = Int8.to_int max0 } val wrapping_mul0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self * Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int 
min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self * Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } val unwrap0 (self : Core_Option_Option_Type.t_option int8) : int8 requires {[#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self <> Core_Option_Option_Type.C_None} 
@@ -4296,23 +4879,29 @@ module CheckedOps_TestI8MulZero val checked_mul0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self * Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self * Int8.to_int rhs } let rec cfg test_i8_mul_zero [#"../checked_ops.rs" 274 0 274 30] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var a : int8 = a; + var _3 : bool; var _4 : int8; var _5 : Core_Option_Option_Type.t_option int8; + var _9 : bool; var _10 : int8; + var _14 : bool; var _15 : int8; var res : (int8, bool); + var _21 : bool; + var _23 : bool; { goto BB0 } BB0 { - [#"../checked_ops.rs" 275 12 275 30] _5 <- ([#"../checked_ops.rs" 275 12 275 30] checked_mul0 ([#"../checked_ops.rs" 275 12 275 15] [#"../checked_ops.rs" 275 12 275 15] (0 : int8)) ([#"../checked_ops.rs" 275 28 275 29] a)); + [#"../checked_ops.rs" 275 12 275 30] _5 <- ([#"../checked_ops.rs" 275 12 275 30] checked_mul0 ([#"../checked_ops.rs" 275 12 275 15] (0 : int8)) a); goto BB1 } BB1 { 
@@ -4321,13 +4910,15 @@ module CheckedOps_TestI8MulZero goto BB2 } BB2 { - switch ([#"../checked_ops.rs" 275 12 275 44] _4 = ([#"../checked_ops.rs" 275 43 275 44] [#"../checked_ops.rs" 275 43 275 44] (0 : int8))) + [#"../checked_ops.rs" 275 12 275 44] _3 <- _4 = ([#"../checked_ops.rs" 275 43 275 44] (0 : int8)); + _4 <- any int8; + switch (_3) | False -> goto BB4 | True -> goto BB3 end } BB3 { - [#"../checked_ops.rs" 276 12 276 31] _10 <- ([#"../checked_ops.rs" 276 12 276 31] wrapping_mul0 ([#"../checked_ops.rs" 276 12 276 15] [#"../checked_ops.rs" 276 12 276 15] (0 : int8)) ([#"../checked_ops.rs" 276 29 276 30] a)); + [#"../checked_ops.rs" 276 12 276 31] _10 <- ([#"../checked_ops.rs" 276 12 276 31] wrapping_mul0 ([#"../checked_ops.rs" 276 12 276 15] (0 : int8)) a); goto BB5 } BB4 { @@ -4335,13 +4926,15 @@ module CheckedOps_TestI8MulZero absurd } BB5 { - switch ([#"../checked_ops.rs" 276 12 276 36] _10 = ([#"../checked_ops.rs" 276 35 276 36] [#"../checked_ops.rs" 276 35 276 36] (0 : int8))) + [#"../checked_ops.rs" 276 12 276 36] _9 <- _10 = ([#"../checked_ops.rs" 276 35 276 36] (0 : int8)); + _10 <- any int8; + switch (_9) | False -> goto BB7 | True -> goto BB6 end } BB6 { - [#"../checked_ops.rs" 277 12 277 33] _15 <- ([#"../checked_ops.rs" 277 12 277 33] saturating_mul0 ([#"../checked_ops.rs" 277 12 277 15] [#"../checked_ops.rs" 277 12 277 15] (0 : int8)) ([#"../checked_ops.rs" 277 31 277 32] a)); + [#"../checked_ops.rs" 277 12 277 33] _15 <- ([#"../checked_ops.rs" 277 12 277 33] saturating_mul0 ([#"../checked_ops.rs" 277 12 277 15] (0 : int8)) a); goto BB8 } BB7 { 
@@ -4349,13 +4942,15 @@ module CheckedOps_TestI8MulZero absurd } BB8 { - switch ([#"../checked_ops.rs" 277 12 277 38] _15 = ([#"../checked_ops.rs" 277 37 277 38] [#"../checked_ops.rs" 277 37 277 38] (0 : int8))) + [#"../checked_ops.rs" 277 12 277 38] _14 <- _15 = ([#"../checked_ops.rs" 277 37 277 38] (0 : int8)); + _15 <- any int8; + switch (_14) | False -> goto BB10 | True -> goto BB9 end } BB9 { - [#"../checked_ops.rs" 278 14 278 36] res <- ([#"../checked_ops.rs" 278 14 278 36] overflowing_mul0 ([#"../checked_ops.rs" 278 14 278 17] [#"../checked_ops.rs" 278 14 278 17] (0 : int8)) ([#"../checked_ops.rs" 278 34 278 35] a)); + [#"../checked_ops.rs" 278 14 278 36] res <- ([#"../checked_ops.rs" 278 14 278 36] overflowing_mul0 ([#"../checked_ops.rs" 278 14 278 17] (0 : int8)) a); goto BB11 } BB10 { @@ -4363,14 +4958,16 @@ module CheckedOps_TestI8MulZero absurd } BB11 { - switch ([#"../checked_ops.rs" 279 12 279 22] ([#"../checked_ops.rs" 279 12 279 17] let (a, _) = res in a) = ([#"../checked_ops.rs" 279 21 279 22] [#"../checked_ops.rs" 279 21 279 22] (0 : int8))) + [#"../checked_ops.rs" 279 12 279 22] _21 <- (let (a, _) = res in a) = ([#"../checked_ops.rs" 279 21 279 22] (0 : int8)); + switch (_21) | False -> goto BB15 | True -> goto BB12 end } BB12 { assume { resolve0 res }; - switch ([#"../checked_ops.rs" 279 26 279 40] Bool.eqb ([#"../checked_ops.rs" 279 26 279 31] let (_, a) = res in a) ([#"../checked_ops.rs" 279 35 279 40] [#"../checked_ops.rs" 279 35 279 40] false)) + [#"../checked_ops.rs" 279 26 279 40] _23 <- Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 279 35 279 40] false); + switch (_23) | False -> goto BB14 | True -> goto BB13 end 
@@ -4419,7 +5016,8 @@ module CheckedOps_TestI8OverflowingMul use prelude.Int8 val checked_mul0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 124 20 125 89] (result = Core_Option_Option_Type.C_None) = (Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self * Int8.to_int rhs > Int8.to_int max0) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 128 16 128 89] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = Int8.to_int self * Int8.to_int rhs } use prelude.UInt32 use int.EuclideanDivision 
@@ -4429,9 +5027,12 @@ module CheckedOps_TestI8OverflowingMul (8 : uint32) val wrapping_mul0 (self : int8) (rhs : int8) : int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 135 20 135 93] Int8.to_int result = EuclideanDivision.mod (Int8.to_int self * Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int result = Int8.to_int self * Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 138 16 141 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int result = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 145 16 149 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 150 16 154 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int result = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } predicate resolve2 (self : bool) = [#"../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true 
@@ -4450,9 +5051,12 @@ module CheckedOps_TestI8OverflowingMul val overflowing_mul0 (self : int8) (rhs : int8) : (int8, bool) ensures { [#"../../../../creusot-contracts/src/std/num.rs" 175 20 175 95] Int8.to_int (let (a, _) = result in a) = EuclideanDivision.mod (Int8.to_int self * Int8.to_int rhs) (Power.power 2 (UInt32.to_int bits0)) + Int8.to_int min0 } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 178 16 181 18] Int8.to_int self * Int8.to_int rhs >= Int8.to_int min0 /\ Int8.to_int self * Int8.to_int rhs <= Int8.to_int max0 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 185 16 189 18] Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 + -> (exists k : int . k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs + k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 190 16 194 18] Int8.to_int self * Int8.to_int rhs > Int8.to_int max0 + -> (exists k : int . 
k > 0 /\ Int8.to_int (let (a, _) = result in a) = Int8.to_int self * Int8.to_int rhs - k * (Int8.to_int max0 - Int8.to_int min0 + 1)) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 197 20 197 98] (let (_, a) = result in a) = (Int8.to_int self * Int8.to_int rhs < Int8.to_int min0 \/ Int8.to_int self * Int8.to_int rhs > Int8.to_int max0) } let rec cfg test_i8_overflowing_mul [#"../checked_ops.rs" 283 0 283 44] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) (b : int8) : () @@ -4461,8 +5065,10 @@ module CheckedOps_TestI8OverflowingMul var _0 : (); var a : int8 = a; var b : int8 = b; + var _4 : bool; var _6 : (int8, bool); var _9 : int8; + var _14 : bool; var _16 : (int8, bool); var _19 : bool; var _21 : Core_Option_Option_Type.t_option int8; 
@@ -4470,22 +5076,24 @@ module CheckedOps_TestI8OverflowingMul goto BB0 } BB0 { - [#"../checked_ops.rs" 284 12 284 32] _6 <- ([#"../checked_ops.rs" 284 12 284 32] overflowing_mul0 ([#"../checked_ops.rs" 284 12 284 13] a) ([#"../checked_ops.rs" 284 30 284 31] b)); + [#"../checked_ops.rs" 284 12 284 32] _6 <- ([#"../checked_ops.rs" 284 12 284 32] overflowing_mul0 a b); goto BB1 } BB1 { assume { resolve0 _6 }; - [#"../checked_ops.rs" 284 38 284 55] _9 <- ([#"../checked_ops.rs" 284 38 284 55] wrapping_mul0 ([#"../checked_ops.rs" 284 38 284 39] a) ([#"../checked_ops.rs" 284 53 284 54] b)); + [#"../checked_ops.rs" 284 38 284 55] _9 <- ([#"../checked_ops.rs" 284 38 284 55] wrapping_mul0 a b); goto BB2 } BB2 { - switch ([#"../checked_ops.rs" 284 12 284 55] ([#"../checked_ops.rs" 284 12 284 34] let (a, _) = _6 in a) = _9) + [#"../checked_ops.rs" 284 12 284 55] _4 <- (let (a, _) = _6 in a) = _9; + _9 <- any int8; + switch (_4) | False -> goto BB4 | True -> goto BB3 end } BB3 { - [#"../checked_ops.rs" 285 12 285 32] _16 <- ([#"../checked_ops.rs" 285 12 285 32] overflowing_mul0 ([#"../checked_ops.rs" 285 12 285 13] a) ([#"../checked_ops.rs" 285 30 285 31] b)); + [#"../checked_ops.rs" 285 12 285 32] _16 <- ([#"../checked_ops.rs" 285 12 285 32] overflowing_mul0 a b); goto BB5 } BB4 { 
@@ -4494,15 +5102,17 @@ module CheckedOps_TestI8OverflowingMul } BB5 { assume { resolve0 _16 }; - [#"../checked_ops.rs" 285 38 285 54] _21 <- ([#"../checked_ops.rs" 285 38 285 54] checked_mul0 ([#"../checked_ops.rs" 285 38 285 39] a) ([#"../checked_ops.rs" 285 52 285 53] b)); + [#"../checked_ops.rs" 285 38 285 54] _21 <- ([#"../checked_ops.rs" 285 38 285 54] checked_mul0 a b); goto BB6 } BB6 { - [#"../checked_ops.rs" 285 38 285 64] _19 <- ([#"../checked_ops.rs" 285 38 285 64] is_none0 ([#"../checked_ops.rs" 285 38 285 54] _21)); + [#"../checked_ops.rs" 285 38 285 64] _19 <- ([#"../checked_ops.rs" 285 38 285 64] is_none0 _21); goto BB7 } BB7 { - switch ([#"../checked_ops.rs" 285 12 285 64] Bool.eqb ([#"../checked_ops.rs" 285 12 285 34] let (_, a) = _16 in a) _19) + [#"../checked_ops.rs" 285 12 285 64] _14 <- Bool.eqb (let (_, a) = _16 in a) _19; + _19 <- any bool; + switch (_14) | False -> goto BB9 | True -> goto BB8 end 
@@ -4572,18 +5182,21 @@ module CheckedOps_TestI8DivExample use prelude.Int8 val overflowing_div0 (self : int8) (rhs : int8) : (int8, bool) requires {[#"../../../../creusot-contracts/src/std/num.rs" 91 27 91 36] Int8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 93 16 93 87] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 93 16 93 87] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 95 26 95 91] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 \/ Int8.to_int (let (a, _) = result in a) = div (Int8.to_int self) (Int8.to_int rhs) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 97 26 97 74] (let (_, a) = result in a) = (Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1) } val saturating_div0 (self : int8) (rhs : int8) : int8 requires {[#"../../../../creusot-contracts/src/std/num.rs" 82 27 82 36] Int8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 84 16 84 91] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 -> Int8.to_int result = Int8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 84 16 84 91] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 + -> Int8.to_int result = Int8.to_int min0 } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 86 26 86 89] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 \/ Int8.to_int result = div (Int8.to_int self) (Int8.to_int rhs) } val wrapping_div0 (self : int8) (rhs : int8) : int8 requires {[#"../../../../creusot-contracts/src/std/num.rs" 73 27 73 36] Int8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 75 16 75 85] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = 
- 1 -> Int8.to_int result = Int8.to_int self } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 75 16 75 85] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 + -> Int8.to_int result = Int8.to_int self } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 77 26 77 89] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 \/ Int8.to_int result = div (Int8.to_int self) (Int8.to_int rhs) } val unwrap0 (self : Core_Option_Option_Type.t_option int8) : int8 @@ -4599,7 +5212,8 @@ module CheckedOps_TestI8DivExample val checked_div0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 66 26 66 97] (result = Core_Option_Option_Type.C_None) = (Int8.to_int rhs = 0 \/ Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = div (Int8.to_int self) (Int8.to_int rhs) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = div (Int8.to_int self) (Int8.to_int rhs) } let rec cfg test_i8_div_example [#"../checked_ops.rs" 289 0 289 28] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () 
@@ -4607,30 +5221,44 @@ module CheckedOps_TestI8DivExample var _0 : (); var _2 : bool; var _4 : Core_Option_Option_Type.t_option int8; + var _7 : bool; var _8 : int8; var _9 : Core_Option_Option_Type.t_option int8; + var _12 : bool; var _13 : int8; var _14 : Core_Option_Option_Type.t_option int8; var _17 : bool; var _19 : Core_Option_Option_Type.t_option int8; + var _22 : bool; var _23 : int8; + var _26 : bool; var _27 : int8; + var _30 : bool; var _31 : int8; + var _34 : bool; var _35 : int8; + var _38 : bool; var _39 : int8; + var _42 : bool; var _43 : int8; var res : (int8, bool); + var _47 : bool; + var _49 : bool; var res1 : (int8, bool); + var _54 : bool; + var _56 : bool; var res2 : (int8, bool); + var _61 : bool; + var _63 : bool; { goto BB0 } BB0 { - [#"../checked_ops.rs" 290 12 290 30] _4 <- ([#"../checked_ops.rs" 290 12 290 30] checked_div0 ([#"../checked_ops.rs" 290 12 290 15] [#"../checked_ops.rs" 290 12 290 15] (5 : int8)) ([#"../checked_ops.rs" 290 28 290 29] [#"../checked_ops.rs" 290 28 290 29] (0 : int8))); + [#"../checked_ops.rs" 290 12 290 30] _4 <- ([#"../checked_ops.rs" 290 12 290 30] checked_div0 ([#"../checked_ops.rs" 290 12 290 15] (5 : int8)) ([#"../checked_ops.rs" 290 28 290 29] (0 : int8))); goto BB1 } BB1 { - [#"../checked_ops.rs" 290 12 290 40] _2 <- ([#"../checked_ops.rs" 290 12 290 40] is_none0 ([#"../checked_ops.rs" 290 12 290 30] _4)); + [#"../checked_ops.rs" 290 12 290 40] _2 <- ([#"../checked_ops.rs" 290 12 290 40] is_none0 _4); goto BB2 } BB2 { 
@@ -4640,7 +5268,7 @@ module CheckedOps_TestI8DivExample end } BB3 { - [#"../checked_ops.rs" 291 12 291 30] _9 <- ([#"../checked_ops.rs" 291 12 291 30] checked_div0 ([#"../checked_ops.rs" 291 12 291 15] [#"../checked_ops.rs" 291 12 291 15] (5 : int8)) ([#"../checked_ops.rs" 291 28 291 29] [#"../checked_ops.rs" 291 28 291 29] (2 : int8))); + [#"../checked_ops.rs" 291 12 291 30] _9 <- ([#"../checked_ops.rs" 291 12 291 30] checked_div0 ([#"../checked_ops.rs" 291 12 291 15] (5 : int8)) ([#"../checked_ops.rs" 291 28 291 29] (2 : int8))); goto BB5 } BB4 { @@ -4653,13 +5281,15 @@ module CheckedOps_TestI8DivExample goto BB6 } BB6 { - switch ([#"../checked_ops.rs" 291 12 291 44] _8 = ([#"../checked_ops.rs" 291 43 291 44] [#"../checked_ops.rs" 291 43 291 44] (2 : int8))) + [#"../checked_ops.rs" 291 12 291 44] _7 <- _8 = ([#"../checked_ops.rs" 291 43 291 44] (2 : int8)); + _8 <- any int8; + switch (_7) | False -> goto BB8 | True -> goto BB7 end } BB7 { - [#"../checked_ops.rs" 292 12 292 31] _14 <- ([#"../checked_ops.rs" 292 12 292 31] checked_div0 ([#"../checked_ops.rs" 292 12 292 15] [#"../checked_ops.rs" 292 12 292 15] (5 : int8)) ([#"../checked_ops.rs" 292 28 292 30] [#"../checked_ops.rs" 292 28 292 30] (-2 : int8))); + [#"../checked_ops.rs" 292 12 292 31] _14 <- ([#"../checked_ops.rs" 292 12 292 31] checked_div0 ([#"../checked_ops.rs" 292 12 292 15] (5 : int8)) ([#"../checked_ops.rs" 292 28 292 30] (-2 : int8))); goto BB9 } BB8 { 
@@ -4672,13 +5302,15 @@ module CheckedOps_TestI8DivExample goto BB10 } BB10 { - switch ([#"../checked_ops.rs" 292 12 292 46] _13 = ([#"../checked_ops.rs" 292 44 292 46] [#"../checked_ops.rs" 292 44 292 46] (-2 : int8))) + [#"../checked_ops.rs" 292 12 292 46] _12 <- _13 = ([#"../checked_ops.rs" 292 44 292 46] (-2 : int8)); + _13 <- any int8; + switch (_12) | False -> goto BB12 | True -> goto BB11 end } BB11 { - [#"../checked_ops.rs" 293 12 293 36] _19 <- ([#"../checked_ops.rs" 293 12 293 36] checked_div0 ([#"../checked_ops.rs" 293 12 293 20] [#"../checked_ops.rs" 293 12 293 20] (-128 : int8)) ([#"../checked_ops.rs" 293 33 293 35] [#"../checked_ops.rs" 293 33 293 35] (-1 : int8))); + [#"../checked_ops.rs" 293 12 293 36] _19 <- ([#"../checked_ops.rs" 293 12 293 36] checked_div0 ([#"../checked_ops.rs" 293 12 293 20] (-128 : int8)) ([#"../checked_ops.rs" 293 33 293 35] (-1 : int8))); goto BB13 } BB12 { @@ -4686,7 +5318,7 @@ module CheckedOps_TestI8DivExample absurd } BB13 { - [#"../checked_ops.rs" 293 12 293 46] _17 <- ([#"../checked_ops.rs" 293 12 293 46] is_none0 ([#"../checked_ops.rs" 293 12 293 36] _19)); + [#"../checked_ops.rs" 293 12 293 46] _17 <- ([#"../checked_ops.rs" 293 12 293 46] is_none0 _19); goto BB14 } BB14 { @@ -4696,7 +5328,7 @@ module CheckedOps_TestI8DivExample end } BB15 { - [#"../checked_ops.rs" 295 12 295 31] _23 <- ([#"../checked_ops.rs" 295 12 295 31] wrapping_div0 ([#"../checked_ops.rs" 295 12 295 15] [#"../checked_ops.rs" 295 12 295 15] (5 : int8)) ([#"../checked_ops.rs" 295 29 295 30] [#"../checked_ops.rs" 295 29 295 30] (2 : int8))); + [#"../checked_ops.rs" 295 12 295 31] _23 <- ([#"../checked_ops.rs" 295 12 295 31] wrapping_div0 ([#"../checked_ops.rs" 295 12 295 15] (5 : int8)) ([#"../checked_ops.rs" 295 29 295 30] (2 : int8))); goto BB17 } BB16 { 
@@ -4704,13 +5336,15 @@ module CheckedOps_TestI8DivExample absurd } BB17 { - switch ([#"../checked_ops.rs" 295 12 295 36] _23 = ([#"../checked_ops.rs" 295 35 295 36] [#"../checked_ops.rs" 295 35 295 36] (2 : int8))) + [#"../checked_ops.rs" 295 12 295 36] _22 <- _23 = ([#"../checked_ops.rs" 295 35 295 36] (2 : int8)); + _23 <- any int8; + switch (_22) | False -> goto BB19 | True -> goto BB18 end } BB18 { - [#"../checked_ops.rs" 296 12 296 32] _27 <- ([#"../checked_ops.rs" 296 12 296 32] wrapping_div0 ([#"../checked_ops.rs" 296 12 296 15] [#"../checked_ops.rs" 296 12 296 15] (5 : int8)) ([#"../checked_ops.rs" 296 29 296 31] [#"../checked_ops.rs" 296 29 296 31] (-2 : int8))); + [#"../checked_ops.rs" 296 12 296 32] _27 <- ([#"../checked_ops.rs" 296 12 296 32] wrapping_div0 ([#"../checked_ops.rs" 296 12 296 15] (5 : int8)) ([#"../checked_ops.rs" 296 29 296 31] (-2 : int8))); goto BB20 } BB19 { @@ -4718,13 +5352,15 @@ module CheckedOps_TestI8DivExample absurd } BB20 { - switch ([#"../checked_ops.rs" 296 12 296 38] _27 = ([#"../checked_ops.rs" 296 36 296 38] [#"../checked_ops.rs" 296 36 296 38] (-2 : int8))) + [#"../checked_ops.rs" 296 12 296 38] _26 <- _27 = ([#"../checked_ops.rs" 296 36 296 38] (-2 : int8)); + _27 <- any int8; + switch (_26) | False -> goto BB22 | True -> goto BB21 end } BB21 { - [#"../checked_ops.rs" 297 12 297 37] _31 <- ([#"../checked_ops.rs" 297 12 297 37] wrapping_div0 ([#"../checked_ops.rs" 297 12 297 20] [#"../checked_ops.rs" 297 12 297 20] (-128 : int8)) ([#"../checked_ops.rs" 297 34 297 36] [#"../checked_ops.rs" 297 34 297 36] (-1 : int8))); + [#"../checked_ops.rs" 297 12 297 37] _31 <- ([#"../checked_ops.rs" 297 12 297 37] wrapping_div0 ([#"../checked_ops.rs" 297 12 297 20] (-128 : int8)) ([#"../checked_ops.rs" 297 34 297 36] (-1 : int8))); goto BB23 } BB22 { 
@@ -4732,13 +5368,15 @@ module CheckedOps_TestI8DivExample absurd } BB23 { - switch ([#"../checked_ops.rs" 297 12 297 45] _31 = ([#"../checked_ops.rs" 297 41 297 45] [#"../checked_ops.rs" 297 41 297 45] (-128 : int8))) + [#"../checked_ops.rs" 297 12 297 45] _30 <- _31 = ([#"../checked_ops.rs" 297 41 297 45] (-128 : int8)); + _31 <- any int8; + switch (_30) | False -> goto BB25 | True -> goto BB24 end } BB24 { - [#"../checked_ops.rs" 299 12 299 33] _35 <- ([#"../checked_ops.rs" 299 12 299 33] saturating_div0 ([#"../checked_ops.rs" 299 12 299 15] [#"../checked_ops.rs" 299 12 299 15] (5 : int8)) ([#"../checked_ops.rs" 299 31 299 32] [#"../checked_ops.rs" 299 31 299 32] (2 : int8))); + [#"../checked_ops.rs" 299 12 299 33] _35 <- ([#"../checked_ops.rs" 299 12 299 33] saturating_div0 ([#"../checked_ops.rs" 299 12 299 15] (5 : int8)) ([#"../checked_ops.rs" 299 31 299 32] (2 : int8))); goto BB26 } BB25 { @@ -4746,13 +5384,15 @@ module CheckedOps_TestI8DivExample absurd } BB26 { - switch ([#"../checked_ops.rs" 299 12 299 38] _35 = ([#"../checked_ops.rs" 299 37 299 38] [#"../checked_ops.rs" 299 37 299 38] (2 : int8))) + [#"../checked_ops.rs" 299 12 299 38] _34 <- _35 = ([#"../checked_ops.rs" 299 37 299 38] (2 : int8)); + _35 <- any int8; + switch (_34) | False -> goto BB28 | True -> goto BB27 end } BB27 { - [#"../checked_ops.rs" 300 12 300 34] _39 <- ([#"../checked_ops.rs" 300 12 300 34] saturating_div0 ([#"../checked_ops.rs" 300 12 300 15] [#"../checked_ops.rs" 300 12 300 15] (5 : int8)) ([#"../checked_ops.rs" 300 31 300 33] [#"../checked_ops.rs" 300 31 300 33] (-2 : int8))); + [#"../checked_ops.rs" 300 12 300 34] _39 <- ([#"../checked_ops.rs" 300 12 300 34] saturating_div0 ([#"../checked_ops.rs" 300 12 300 15] (5 : int8)) ([#"../checked_ops.rs" 300 31 300 33] (-2 : int8))); goto BB29 } BB28 { 
@@ -4760,13 +5400,15 @@ module CheckedOps_TestI8DivExample absurd } BB29 { - switch ([#"../checked_ops.rs" 300 12 300 40] _39 = ([#"../checked_ops.rs" 300 38 300 40] [#"../checked_ops.rs" 300 38 300 40] (-2 : int8))) + [#"../checked_ops.rs" 300 12 300 40] _38 <- _39 = ([#"../checked_ops.rs" 300 38 300 40] (-2 : int8)); + _39 <- any int8; + switch (_38) | False -> goto BB31 | True -> goto BB30 end } BB30 { - [#"../checked_ops.rs" 301 12 301 39] _43 <- ([#"../checked_ops.rs" 301 12 301 39] saturating_div0 ([#"../checked_ops.rs" 301 12 301 20] [#"../checked_ops.rs" 301 12 301 20] (-128 : int8)) ([#"../checked_ops.rs" 301 36 301 38] [#"../checked_ops.rs" 301 36 301 38] (-1 : int8))); + [#"../checked_ops.rs" 301 12 301 39] _43 <- ([#"../checked_ops.rs" 301 12 301 39] saturating_div0 ([#"../checked_ops.rs" 301 12 301 20] (-128 : int8)) ([#"../checked_ops.rs" 301 36 301 38] (-1 : int8))); goto BB32 } BB31 { @@ -4774,13 +5416,15 @@ module CheckedOps_TestI8DivExample absurd } BB32 { - switch ([#"../checked_ops.rs" 301 12 301 47] _43 = ([#"../checked_ops.rs" 301 43 301 47] [#"../checked_ops.rs" 301 43 301 47] (-128 : int8))) + [#"../checked_ops.rs" 301 12 301 47] _42 <- _43 = ([#"../checked_ops.rs" 301 43 301 47] (-128 : int8)); + _43 <- any int8; + switch (_42) | False -> goto BB34 | True -> goto BB33 end } BB33 { - [#"../checked_ops.rs" 303 14 303 36] res <- ([#"../checked_ops.rs" 303 14 303 36] overflowing_div0 ([#"../checked_ops.rs" 303 14 303 17] [#"../checked_ops.rs" 303 14 303 17] (5 : int8)) ([#"../checked_ops.rs" 303 34 303 35] [#"../checked_ops.rs" 303 34 303 35] (2 : int8))); + [#"../checked_ops.rs" 303 14 303 36] res <- ([#"../checked_ops.rs" 303 14 303 36] overflowing_div0 ([#"../checked_ops.rs" 303 14 303 17] (5 : int8)) ([#"../checked_ops.rs" 303 34 303 35] (2 : int8))); goto BB35 } BB34 { 
@@ -4788,20 +5432,22 @@ module CheckedOps_TestI8DivExample absurd } BB35 { - switch ([#"../checked_ops.rs" 304 12 304 22] ([#"../checked_ops.rs" 304 12 304 17] let (a, _) = res in a) = ([#"../checked_ops.rs" 304 21 304 22] [#"../checked_ops.rs" 304 21 304 22] (2 : int8))) + [#"../checked_ops.rs" 304 12 304 22] _47 <- (let (a, _) = res in a) = ([#"../checked_ops.rs" 304 21 304 22] (2 : int8)); + switch (_47) | False -> goto BB39 | True -> goto BB36 end } BB36 { assume { resolve0 res }; - switch ([#"../checked_ops.rs" 304 26 304 40] Bool.eqb ([#"../checked_ops.rs" 304 26 304 31] let (_, a) = res in a) ([#"../checked_ops.rs" 304 35 304 40] [#"../checked_ops.rs" 304 35 304 40] false)) + [#"../checked_ops.rs" 304 26 304 40] _49 <- Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 304 35 304 40] false); + switch (_49) | False -> goto BB38 | True -> goto BB37 end } BB37 { - [#"../checked_ops.rs" 305 14 305 37] res1 <- ([#"../checked_ops.rs" 305 14 305 37] overflowing_div0 ([#"../checked_ops.rs" 305 14 305 17] [#"../checked_ops.rs" 305 14 305 17] (5 : int8)) ([#"../checked_ops.rs" 305 34 305 36] [#"../checked_ops.rs" 305 34 305 36] (-2 : int8))); + [#"../checked_ops.rs" 305 14 305 37] res1 <- ([#"../checked_ops.rs" 305 14 305 37] overflowing_div0 ([#"../checked_ops.rs" 305 14 305 17] (5 : int8)) ([#"../checked_ops.rs" 305 34 305 36] (-2 : int8))); goto BB41 } BB38 { 
@@ -4816,20 +5462,22 @@ module CheckedOps_TestI8DivExample absurd } BB41 { - switch ([#"../checked_ops.rs" 306 12 306 23] ([#"../checked_ops.rs" 306 12 306 17] let (a, _) = res1 in a) = ([#"../checked_ops.rs" 306 21 306 23] [#"../checked_ops.rs" 306 21 306 23] (-2 : int8))) + [#"../checked_ops.rs" 306 12 306 23] _54 <- (let (a, _) = res1 in a) = ([#"../checked_ops.rs" 306 21 306 23] (-2 : int8)); + switch (_54) | False -> goto BB45 | True -> goto BB42 end } BB42 { assume { resolve0 res1 }; - switch ([#"../checked_ops.rs" 306 27 306 41] Bool.eqb ([#"../checked_ops.rs" 306 27 306 32] let (_, a) = res1 in a) ([#"../checked_ops.rs" 306 36 306 41] [#"../checked_ops.rs" 306 36 306 41] false)) + [#"../checked_ops.rs" 306 27 306 41] _56 <- Bool.eqb (let (_, a) = res1 in a) ([#"../checked_ops.rs" 306 36 306 41] false); + switch (_56) | False -> goto BB44 | True -> goto BB43 end } BB43 { - [#"../checked_ops.rs" 307 14 307 42] res2 <- ([#"../checked_ops.rs" 307 14 307 42] overflowing_div0 ([#"../checked_ops.rs" 307 14 307 22] [#"../checked_ops.rs" 307 14 307 22] (-128 : int8)) ([#"../checked_ops.rs" 307 39 307 41] [#"../checked_ops.rs" 307 39 307 41] (-1 : int8))); + [#"../checked_ops.rs" 307 14 307 42] res2 <- ([#"../checked_ops.rs" 307 14 307 42] overflowing_div0 ([#"../checked_ops.rs" 307 14 307 22] (-128 : int8)) ([#"../checked_ops.rs" 307 39 307 41] (-1 : int8))); goto BB47 } BB44 { 
@@ -4844,14 +5492,16 @@ module CheckedOps_TestI8DivExample absurd } BB47 { - switch ([#"../checked_ops.rs" 308 12 308 25] ([#"../checked_ops.rs" 308 12 308 17] let (a, _) = res2 in a) = ([#"../checked_ops.rs" 308 21 308 25] [#"../checked_ops.rs" 308 21 308 25] (-128 : int8))) + [#"../checked_ops.rs" 308 12 308 25] _61 <- (let (a, _) = res2 in a) = ([#"../checked_ops.rs" 308 21 308 25] (-128 : int8)); + switch (_61) | False -> goto BB51 | True -> goto BB48 end } BB48 { assume { resolve0 res2 }; - switch ([#"../checked_ops.rs" 308 29 308 42] Bool.eqb ([#"../checked_ops.rs" 308 29 308 34] let (_, a) = res2 in a) ([#"../checked_ops.rs" 308 38 308 42] [#"../checked_ops.rs" 308 38 308 42] true)) + [#"../checked_ops.rs" 308 29 308 42] _63 <- Bool.eqb (let (_, a) = res2 in a) ([#"../checked_ops.rs" 308 38 308 42] true); + switch (_63) | False -> goto BB50 | True -> goto BB49 end 
@@ -4918,18 +5568,21 @@ module CheckedOps_TestI8DivNoOverflow (-128 : int8) val overflowing_div0 (self : int8) (rhs : int8) : (int8, bool) requires {[#"../../../../creusot-contracts/src/std/num.rs" 91 27 91 36] Int8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 93 16 93 87] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 93 16 93 87] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 + -> Int8.to_int (let (a, _) = result in a) = Int8.to_int self } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 95 26 95 91] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 \/ Int8.to_int (let (a, _) = result in a) = div (Int8.to_int self) (Int8.to_int rhs) } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 97 26 97 74] (let (_, a) = result in a) = (Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1) } val saturating_div0 (self : int8) (rhs : int8) : int8 requires {[#"../../../../creusot-contracts/src/std/num.rs" 82 27 82 36] Int8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 84 16 84 91] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 -> Int8.to_int result = Int8.to_int min0 } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 84 16 84 91] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 + -> Int8.to_int result = Int8.to_int min0 } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 86 26 86 89] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 \/ Int8.to_int result = div (Int8.to_int self) (Int8.to_int rhs) } val wrapping_div0 (self : int8) (rhs : int8) : int8 requires {[#"../../../../creusot-contracts/src/std/num.rs" 73 27 73 36] Int8.to_int rhs <> 0} - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 75 16 75 85] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = 
- 1 -> Int8.to_int result = Int8.to_int self } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 75 16 75 85] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 + -> Int8.to_int result = Int8.to_int self } ensures { [#"../../../../creusot-contracts/src/std/num.rs" 77 26 77 89] Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1 \/ Int8.to_int result = div (Int8.to_int self) (Int8.to_int rhs) } val unwrap0 (self : Core_Option_Option_Type.t_option int8) : int8 @@ -4940,7 +5593,8 @@ module CheckedOps_TestI8DivNoOverflow val checked_div0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 66 26 66 97] (result = Core_Option_Option_Type.C_None) = (Int8.to_int rhs = 0 \/ Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = div (Int8.to_int self) (Int8.to_int rhs) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = div (Int8.to_int self) (Int8.to_int rhs) } let rec cfg test_i8_div_no_overflow [#"../checked_ops.rs" 313 0 313 44] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) (b : int8) : () requires {[#"../checked_ops.rs" 312 11 312 46] Int8.to_int b <> 0 /\ (Int8.to_int a <> - 128 \/ Int8.to_int b <> - 1)} 
@@ -4949,32 +5603,49 @@ module CheckedOps_TestI8DivNoOverflow var _0 : (); var a : int8 = a; var b : int8 = b; + var _5 : bool; var _6 : int8; var _7 : Core_Option_Option_Type.t_option int8; + var _10 : int8; var _11 : int8; var _12 : int8; var _13 : bool; + var _14 : bool; + var _15 : bool; var _16 : bool; + var _19 : bool; var _20 : int8; + var _23 : int8; var _24 : int8; var _25 : int8; var _26 : bool; + var _27 : bool; + var _28 : bool; var _29 : bool; + var _32 : bool; var _33 : int8; + var _36 : int8; var _37 : int8; var _38 : int8; var _39 : bool; + var _40 : bool; + var _41 : bool; var _42 : bool; var res : (int8, bool); + var _48 : bool; + var _50 : int8; var _51 : int8; var _52 : int8; var _53 : bool; + var _54 : bool; + var _55 : bool; var _56 : bool; + var _57 : bool; { goto BB0 } BB0 { - [#"../checked_ops.rs" 314 12 314 28] _7 <- ([#"../checked_ops.rs" 314 12 314 28] checked_div0 ([#"../checked_ops.rs" 314 12 314 13] a) ([#"../checked_ops.rs" 314 26 314 27] b)); + [#"../checked_ops.rs" 314 12 314 28] _7 <- ([#"../checked_ops.rs" 314 12 314 28] checked_div0 a b); goto BB1 } BB1 { 
@@ -4983,25 +5654,35 @@ module CheckedOps_TestI8DivNoOverflow goto BB2 } BB2 { - [#"../checked_ops.rs" 314 41 314 42] _11 <- ([#"../checked_ops.rs" 314 41 314 42] a); - [#"../checked_ops.rs" 314 45 314 46] _12 <- ([#"../checked_ops.rs" 314 45 314 46] b); - [#"../checked_ops.rs" 314 41 314 46] _13 <- ([#"../checked_ops.rs" 314 41 314 46] _12 = ([#"../checked_ops.rs" 314 41 314 46] [#"../checked_ops.rs" 314 41 314 46] (0 : int8))); + [#"../checked_ops.rs" 314 41 314 42] _11 <- a; + [#"../checked_ops.rs" 314 45 314 46] _12 <- b; + [#"../checked_ops.rs" 314 41 314 46] _13 <- _12 = ([#"../checked_ops.rs" 314 41 314 46] (0 : int8)); assert { [@expl:division by zero] [#"../checked_ops.rs" 314 41 314 46] not _13 }; goto BB3 } BB3 { - [#"../checked_ops.rs" 314 41 314 46] _16 <- ([#"../checked_ops.rs" 314 41 314 46] ([#"../checked_ops.rs" 314 41 314 46] _12 = ([#"../checked_ops.rs" 314 41 314 46] [#"../checked_ops.rs" 314 41 314 46] (-1 : int8))) && ([#"../checked_ops.rs" 314 41 314 46] _11 = ([#"../checked_ops.rs" 314 41 314 46] [#"../checked_ops.rs" 314 41 314 46] (-128 : int8)))); + [#"../checked_ops.rs" 314 41 314 46] _14 <- _12 = ([#"../checked_ops.rs" 314 41 314 46] (-1 : int8)); + [#"../checked_ops.rs" 314 41 314 46] _15 <- _11 = ([#"../checked_ops.rs" 314 41 314 46] (-128 : int8)); + [#"../checked_ops.rs" 314 41 314 46] _16 <- _14 && _15; + _14 <- any bool; + _15 <- any bool; assert { [@expl:Div overflow] [#"../checked_ops.rs" 314 41 314 46] not _16 }; goto BB4 } BB4 { - switch ([#"../checked_ops.rs" 314 12 314 46] _6 = ([#"../checked_ops.rs" 314 41 314 46] _11 / _12)) + [#"../checked_ops.rs" 314 41 314 46] _10 <- _11 / _12; + _11 <- any int8; + _12 <- any int8; + [#"../checked_ops.rs" 314 12 314 46] _5 <- _6 = _10; + _6 <- any int8; + _10 <- any int8; + switch (_5) | False -> goto BB6 | True -> goto BB5 end } BB5 { - [#"../checked_ops.rs" 315 12 315 29] _20 <- ([#"../checked_ops.rs" 315 12 315 29] wrapping_div0 ([#"../checked_ops.rs" 315 12 315 13] a) 
([#"../checked_ops.rs" 315 27 315 28] b)); + [#"../checked_ops.rs" 315 12 315 29] _20 <- ([#"../checked_ops.rs" 315 12 315 29] wrapping_div0 a b); goto BB7 } BB6 { 
@@ -5009,25 +5690,35 @@ module CheckedOps_TestI8DivNoOverflow absurd } BB7 { - [#"../checked_ops.rs" 315 33 315 34] _24 <- ([#"../checked_ops.rs" 315 33 315 34] a); - [#"../checked_ops.rs" 315 37 315 38] _25 <- ([#"../checked_ops.rs" 315 37 315 38] b); - [#"../checked_ops.rs" 315 33 315 38] _26 <- ([#"../checked_ops.rs" 315 33 315 38] _25 = ([#"../checked_ops.rs" 315 33 315 38] [#"../checked_ops.rs" 315 33 315 38] (0 : int8))); + [#"../checked_ops.rs" 315 33 315 34] _24 <- a; + [#"../checked_ops.rs" 315 37 315 38] _25 <- b; + [#"../checked_ops.rs" 315 33 315 38] _26 <- _25 = ([#"../checked_ops.rs" 315 33 315 38] (0 : int8)); assert { [@expl:division by zero] [#"../checked_ops.rs" 315 33 315 38] not _26 }; goto BB8 } BB8 { - [#"../checked_ops.rs" 315 33 315 38] _29 <- ([#"../checked_ops.rs" 315 33 315 38] ([#"../checked_ops.rs" 315 33 315 38] _25 = ([#"../checked_ops.rs" 315 33 315 38] [#"../checked_ops.rs" 315 33 315 38] (-1 : int8))) && ([#"../checked_ops.rs" 315 33 315 38] _24 = ([#"../checked_ops.rs" 315 33 315 38] [#"../checked_ops.rs" 315 33 315 38] (-128 : int8)))); + [#"../checked_ops.rs" 315 33 315 38] _27 <- _25 = ([#"../checked_ops.rs" 315 33 315 38] (-1 : int8)); + [#"../checked_ops.rs" 315 33 315 38] _28 <- _24 = ([#"../checked_ops.rs" 315 33 315 38] (-128 : int8)); + [#"../checked_ops.rs" 315 33 315 38] _29 <- _27 && _28; + _27 <- any bool; + _28 <- any bool; assert { [@expl:Div overflow] [#"../checked_ops.rs" 315 33 315 38] not _29 }; goto BB9 } BB9 { - switch ([#"../checked_ops.rs" 315 12 315 38] _20 = ([#"../checked_ops.rs" 315 33 315 38] _24 / _25)) + [#"../checked_ops.rs" 315 33 315 38] _23 <- _24 / _25; + _24 <- any int8; + _25 <- any int8; + [#"../checked_ops.rs" 315 12 315 38] _19 <- _20 = _23; + _20 <- any int8; + _23 <- any int8; + switch (_19) | False -> goto BB11 | True -> goto BB10 end } BB10 { - [#"../checked_ops.rs" 316 12 316 31] _33 <- ([#"../checked_ops.rs" 316 12 316 31] saturating_div0 ([#"../checked_ops.rs" 316 12 316 13] a) 
([#"../checked_ops.rs" 316 29 316 30] b)); + [#"../checked_ops.rs" 316 12 316 31] _33 <- ([#"../checked_ops.rs" 316 12 316 31] saturating_div0 a b); goto BB12 } BB11 { 
@@ -5035,25 +5726,35 @@ module CheckedOps_TestI8DivNoOverflow absurd } BB12 { - [#"../checked_ops.rs" 316 35 316 36] _37 <- ([#"../checked_ops.rs" 316 35 316 36] a); - [#"../checked_ops.rs" 316 39 316 40] _38 <- ([#"../checked_ops.rs" 316 39 316 40] b); - [#"../checked_ops.rs" 316 35 316 40] _39 <- ([#"../checked_ops.rs" 316 35 316 40] _38 = ([#"../checked_ops.rs" 316 35 316 40] [#"../checked_ops.rs" 316 35 316 40] (0 : int8))); + [#"../checked_ops.rs" 316 35 316 36] _37 <- a; + [#"../checked_ops.rs" 316 39 316 40] _38 <- b; + [#"../checked_ops.rs" 316 35 316 40] _39 <- _38 = ([#"../checked_ops.rs" 316 35 316 40] (0 : int8)); assert { [@expl:division by zero] [#"../checked_ops.rs" 316 35 316 40] not _39 }; goto BB13 } BB13 { - [#"../checked_ops.rs" 316 35 316 40] _42 <- ([#"../checked_ops.rs" 316 35 316 40] ([#"../checked_ops.rs" 316 35 316 40] _38 = ([#"../checked_ops.rs" 316 35 316 40] [#"../checked_ops.rs" 316 35 316 40] (-1 : int8))) && ([#"../checked_ops.rs" 316 35 316 40] _37 = ([#"../checked_ops.rs" 316 35 316 40] [#"../checked_ops.rs" 316 35 316 40] (-128 : int8)))); + [#"../checked_ops.rs" 316 35 316 40] _40 <- _38 = ([#"../checked_ops.rs" 316 35 316 40] (-1 : int8)); + [#"../checked_ops.rs" 316 35 316 40] _41 <- _37 = ([#"../checked_ops.rs" 316 35 316 40] (-128 : int8)); + [#"../checked_ops.rs" 316 35 316 40] _42 <- _40 && _41; + _40 <- any bool; + _41 <- any bool; assert { [@expl:Div overflow] [#"../checked_ops.rs" 316 35 316 40] not _42 }; goto BB14 } BB14 { - switch ([#"../checked_ops.rs" 316 12 316 40] _33 = ([#"../checked_ops.rs" 316 35 316 40] _37 / _38)) + [#"../checked_ops.rs" 316 35 316 40] _36 <- _37 / _38; + _37 <- any int8; + _38 <- any int8; + [#"../checked_ops.rs" 316 12 316 40] _32 <- _33 = _36; + _33 <- any int8; + _36 <- any int8; + switch (_32) | False -> goto BB16 | True -> goto BB15 end } BB15 { - [#"../checked_ops.rs" 317 14 317 34] res <- ([#"../checked_ops.rs" 317 14 317 34] overflowing_div0 ([#"../checked_ops.rs" 317 14 317 15] a) 
([#"../checked_ops.rs" 317 32 317 33] b)); + [#"../checked_ops.rs" 317 14 317 34] res <- ([#"../checked_ops.rs" 317 14 317 34] overflowing_div0 a b); goto BB17 } BB16 { 
@@ -5061,26 +5762,36 @@ module CheckedOps_TestI8DivNoOverflow absurd } BB17 { - [#"../checked_ops.rs" 318 21 318 22] _51 <- ([#"../checked_ops.rs" 318 21 318 22] a); - [#"../checked_ops.rs" 318 25 318 26] _52 <- ([#"../checked_ops.rs" 318 25 318 26] b); - [#"../checked_ops.rs" 318 21 318 26] _53 <- ([#"../checked_ops.rs" 318 21 318 26] _52 = ([#"../checked_ops.rs" 318 21 318 26] [#"../checked_ops.rs" 318 21 318 26] (0 : int8))); + [#"../checked_ops.rs" 318 21 318 22] _51 <- a; + [#"../checked_ops.rs" 318 25 318 26] _52 <- b; + [#"../checked_ops.rs" 318 21 318 26] _53 <- _52 = ([#"../checked_ops.rs" 318 21 318 26] (0 : int8)); assert { [@expl:division by zero] [#"../checked_ops.rs" 318 21 318 26] not _53 }; goto BB18 } BB18 { - [#"../checked_ops.rs" 318 21 318 26] _56 <- ([#"../checked_ops.rs" 318 21 318 26] ([#"../checked_ops.rs" 318 21 318 26] _52 = ([#"../checked_ops.rs" 318 21 318 26] [#"../checked_ops.rs" 318 21 318 26] (-1 : int8))) && ([#"../checked_ops.rs" 318 21 318 26] _51 = ([#"../checked_ops.rs" 318 21 318 26] [#"../checked_ops.rs" 318 21 318 26] (-128 : int8)))); + [#"../checked_ops.rs" 318 21 318 26] _54 <- _52 = ([#"../checked_ops.rs" 318 21 318 26] (-1 : int8)); + [#"../checked_ops.rs" 318 21 318 26] _55 <- _51 = ([#"../checked_ops.rs" 318 21 318 26] (-128 : int8)); + [#"../checked_ops.rs" 318 21 318 26] _56 <- _54 && _55; + _54 <- any bool; + _55 <- any bool; assert { [@expl:Div overflow] [#"../checked_ops.rs" 318 21 318 26] not _56 }; goto BB19 } BB19 { - switch ([#"../checked_ops.rs" 318 12 318 26] ([#"../checked_ops.rs" 318 12 318 17] let (a, _) = res in a) = ([#"../checked_ops.rs" 318 21 318 26] _51 / _52)) + [#"../checked_ops.rs" 318 21 318 26] _50 <- _51 / _52; + _51 <- any int8; + _52 <- any int8; + [#"../checked_ops.rs" 318 12 318 26] _48 <- (let (a, _) = res in a) = _50; + _50 <- any int8; + switch (_48) | False -> goto BB23 | True -> goto BB20 end } BB20 { assume { resolve0 res }; - switch ([#"../checked_ops.rs" 318 30 318 44] Bool.eqb 
([#"../checked_ops.rs" 318 30 318 35] let (_, a) = res in a) ([#"../checked_ops.rs" 318 39 318 44] [#"../checked_ops.rs" 318 39 318 44] false)) + [#"../checked_ops.rs" 318 30 318 44] _57 <- Bool.eqb (let (_, a) = res in a) ([#"../checked_ops.rs" 318 39 318 44] false); + switch (_57) | False -> goto BB22 | True -> goto BB21 end @@ -5126,7 +5837,8 @@ module CheckedOps_TestI8DivZero use prelude.Int8 val checked_div0 (self : int8) (rhs : int8) : Core_Option_Option_Type.t_option int8 ensures { [#"../../../../creusot-contracts/src/std/num.rs" 66 26 66 97] (result = Core_Option_Option_Type.C_None) = (Int8.to_int rhs = 0 \/ Int8.to_int self = Int8.to_int min0 /\ Int8.to_int rhs = - 1) } - ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : int8 . result = Core_Option_Option_Type.C_Some r -> Int8.to_int r = div (Int8.to_int self) (Int8.to_int rhs) } + ensures { [#"../../../../creusot-contracts/src/std/num.rs" 68 16 68 85] forall r : int8 . result = Core_Option_Option_Type.C_Some r + -> Int8.to_int r = div (Int8.to_int self) (Int8.to_int rhs) } let rec cfg test_i8_div_zero [#"../checked_ops.rs" 322 0 322 30] [@cfg:stackify] [@cfg:subregion_analysis] (a : int8) : () @@ -5139,11 +5851,11 @@ module CheckedOps_TestI8DivZero goto BB0 } BB0 { - [#"../checked_ops.rs" 323 12 323 28] _5 <- ([#"../checked_ops.rs" 323 12 323 28] checked_div0 ([#"../checked_ops.rs" 323 12 323 13] a) ([#"../checked_ops.rs" 323 26 323 27] [#"../checked_ops.rs" 323 26 323 27] (0 : int8))); + [#"../checked_ops.rs" 323 12 323 28] _5 <- ([#"../checked_ops.rs" 323 12 323 28] checked_div0 a ([#"../checked_ops.rs" 323 26 323 27] (0 : int8))); goto BB1 } BB1 { - [#"../checked_ops.rs" 323 12 323 38] _3 <- ([#"../checked_ops.rs" 323 12 323 38] is_none0 ([#"../checked_ops.rs" 323 12 323 28] _5)); + [#"../checked_ops.rs" 323 12 323 38] _3 <- ([#"../checked_ops.rs" 323 12 323 38] is_none0 _5); goto BB2 } BB2 { 
diff --git a/creusot/tests/should_succeed/checked_ops/why3session.xml b/creusot/tests/should_succeed/checked_ops/why3session.xml index d6a1e024ed..759ec6ca8b 100644 --- a/creusot/tests/should_succeed/checked_ops/why3session.xml +++ b/creusot/tests/should_succeed/checked_ops/why3session.xml @@ -9,12 +9,12 @@ - + - + @@ -24,17 +24,17 @@ - + - + - + @@ -44,32 +44,32 @@ - + - + - + - + - + - + @@ -79,17 +79,17 @@ - + - + - + @@ -99,22 +99,22 @@ - + - + - + - + @@ -124,32 +124,32 @@ - + - + - + - + - + - + diff --git a/creusot/tests/should_succeed/checked_ops/why3shapes.gz b/creusot/tests/should_succeed/checked_ops/why3shapes.gz index 046f3283e6..ff6caa343f 100644 Binary files a/creusot/tests/should_succeed/checked_ops/why3shapes.gz and b/creusot/tests/should_succeed/checked_ops/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/clones/01.mlcfg b/creusot/tests/should_succeed/clones/01.mlcfg index 4f78788119..3467d37415 100644 --- a/creusot/tests/should_succeed/clones/01.mlcfg +++ b/creusot/tests/should_succeed/clones/01.mlcfg @@ -21,7 +21,7 @@ module C01_Func2 goto BB0 } BB0 { - [#"../01.rs" 9 4 9 11] _0 <- ([#"../01.rs" 9 4 9 11] func10 ()); + [#"../01.rs" 9 4 9 11] _0 <- ([#"../01.rs" 9 4 9 11] func10 ([#"../01.rs" 9 4 9 11] ())); goto BB1 } BB1 { @@ -38,7 +38,7 @@ module C01_Func3 goto BB0 } BB0 { - [#"../01.rs" 13 4 13 11] _0 <- ([#"../01.rs" 13 4 13 11] func20 ()); + [#"../01.rs" 13 4 13 11] _0 <- ([#"../01.rs" 13 4 13 11] func20 ([#"../01.rs" 13 4 13 11] ())); goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/clones/02.rs b/creusot/tests/should_succeed/clones/02.rs index 074c8831d2..5131557d90 100644 --- a/creusot/tests/should_succeed/clones/02.rs +++ b/creusot/tests/should_succeed/clones/02.rs 
@@ -5,12 +5,12 @@ use creusot_contracts::*; // Here we want to ensure that `program` properly shares // the implementation of simple between itself and `uses_simple`. -#[ghost] +#[logic] fn simple() -> bool { true } -#[ghost] +#[logic] fn uses_simple() -> bool { simple() } diff --git a/creusot/tests/should_succeed/clones/03.mlcfg b/creusot/tests/should_succeed/clones/03.mlcfg index cacc974bb0..1c1aa6f0a5 100644 --- a/creusot/tests/should_succeed/clones/03.mlcfg +++ b/creusot/tests/should_succeed/clones/03.mlcfg @@ -81,7 +81,7 @@ module C03_Prog2 goto BB0 } BB0 { - [#"../03.rs" 15 4 15 11] _2 <- ([#"../03.rs" 15 4 15 11] prog0 ([#"../03.rs" 15 9 15 10] [#"../03.rs" 15 9 15 10] (0 : int32))); + [#"../03.rs" 15 4 15 11] _2 <- ([#"../03.rs" 15 4 15 11] prog0 ([#"../03.rs" 15 9 15 10] (0 : int32))); goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/clones/03.rs b/creusot/tests/should_succeed/clones/03.rs index 85afc4d94b..acc5f3c8f6 100644 --- a/creusot/tests/should_succeed/clones/03.rs +++ b/creusot/tests/should_succeed/clones/03.rs @@ -2,7 +2,7 @@ extern crate creusot_contracts; use creusot_contracts::*; -#[ghost] +#[logic] fn omg(_x: T) -> bool { true } diff --git a/creusot/tests/should_succeed/clones/04.rs b/creusot/tests/should_succeed/clones/04.rs index 2c9ec822d8..0d3827e3e4 100644 --- a/creusot/tests/should_succeed/clones/04.rs +++ b/creusot/tests/should_succeed/clones/04.rs @@ -2,17 +2,17 @@ extern crate creusot_contracts; use creusot_contracts::*; -#[ghost] +#[logic] fn a(x: u32) -> bool { x > 0u32 } -#[ghost] +#[logic] fn b(x: u32) -> bool { x > 10u32 && a(x) } -#[ghost] +#[logic] fn c(x: u32) -> bool { x < 50u32 && b(x) } diff --git a/creusot/tests/should_succeed/closures/01_basic.mlcfg b/creusot/tests/should_succeed/closures/01_basic.mlcfg index 498949ca9a..4413ff95f8 100644 --- a/creusot/tests/should_succeed/closures/01_basic.mlcfg +++ b/creusot/tests/should_succeed/closures/01_basic.mlcfg 
@@ -26,7 +26,7 @@ module C01Basic_UsesClosure_Closure0 goto BB0 } BB0 { - [#"../01_basic.rs" 6 17 6 18] _0 <- ([#"../01_basic.rs" 6 17 6 18] field_00 _1); + [#"../01_basic.rs" 6 17 6 18] _0 <- field_00 _1; return _0 } @@ -51,13 +51,16 @@ module C01Basic_UsesClosure var y : bool; var _x : bool; var _4 : C01Basic_UsesClosure_Closure0.c01basic_usesclosure_closure0; + var _6 : (); { goto BB0 } BB0 { - [#"../01_basic.rs" 5 12 5 16] y <- ([#"../01_basic.rs" 5 12 5 16] [#"../01_basic.rs" 5 12 5 16] true); - [#"../01_basic.rs" 6 13 6 19] _4 <- ([#"../01_basic.rs" 6 13 6 19] C01Basic_UsesClosure_Closure0.C01Basic_UsesClosure_Closure0 ([#"../01_basic.rs" 6 13 6 19] y)); - [#"../01_basic.rs" 6 13 6 21] _x <- ([#"../01_basic.rs" 6 13 6 21] let () = [#"../01_basic.rs" 6 13 6 21] () in closure00 ([#"../01_basic.rs" 6 13 6 19] _4)); + [#"../01_basic.rs" 5 12 5 16] y <- ([#"../01_basic.rs" 5 12 5 16] true); + [#"../01_basic.rs" 6 13 6 19] _4 <- C01Basic_UsesClosure_Closure0.C01Basic_UsesClosure_Closure0 y; + [#"../01_basic.rs" 6 13 6 21] _6 <- (); + [#"../01_basic.rs" 6 13 6 21] _x <- ([#"../01_basic.rs" 6 13 6 21] let () = _6 in closure00 _4); + _6 <- any (); goto BB1 } BB1 { @@ -90,7 +93,7 @@ module C01Basic_MultiArg_Closure0 goto BB0 } BB0 { - [#"../01_basic.rs" 10 19 10 24] _0 <- ([#"../01_basic.rs" 10 19 10 24] ([#"../01_basic.rs" 10 19 10 20] a) + ([#"../01_basic.rs" 10 23 10 24] b)); + [#"../01_basic.rs" 10 19 10 24] _0 <- a + b; return _0 } 
@@ -110,12 +113,15 @@ module C01Basic_MultiArg var _0 : (); var x : C01Basic_MultiArg_Closure0.c01basic_multiarg_closure0; var _a : int32; + var _4 : (int32, int32); { goto BB0 } BB0 { - [#"../01_basic.rs" 10 12 10 24] x <- ([#"../01_basic.rs" 10 12 10 24] C01Basic_MultiArg_Closure0.C01Basic_MultiArg_Closure0); - [#"../01_basic.rs" 11 13 11 22] _a <- ([#"../01_basic.rs" 11 13 11 22] let (a, b) = [#"../01_basic.rs" 11 13 11 22] (([#"../01_basic.rs" 11 17 11 18] [#"../01_basic.rs" 11 17 11 18] (0 : int32)), ([#"../01_basic.rs" 11 20 11 21] [#"../01_basic.rs" 11 20 11 21] (3 : int32))) in closure00 ([#"../01_basic.rs" 11 13 11 16] x) a b); + [#"../01_basic.rs" 10 12 10 24] x <- C01Basic_MultiArg_Closure0.C01Basic_MultiArg_Closure0; + [#"../01_basic.rs" 11 13 11 22] _4 <- (([#"../01_basic.rs" 11 17 11 18] (0 : int32)), ([#"../01_basic.rs" 11 20 11 21] (3 : int32))); + [#"../01_basic.rs" 11 13 11 22] _a <- ([#"../01_basic.rs" 11 13 11 22] let (a, b) = _4 in closure00 x a b); + _4 <- any (int32, int32); goto BB1 } BB1 { @@ -166,7 +172,7 @@ module C01Basic_MoveClosure_Closure0 goto BB0 } BB0 { - [#"../01_basic.rs" 20 8 20 15] _1 <- { _1 with current = (let C01Basic_MoveClosure_Closure0.C01Basic_MoveClosure_Closure0 x0 = * _1 in C01Basic_MoveClosure_Closure0.C01Basic_MoveClosure_Closure0 ({ (field_00 ( * _1)) with current = ([#"../01_basic.rs" 20 8 20 15] * field_00 ( * _1) + ([#"../01_basic.rs" 20 14 20 15] [#"../01_basic.rs" 20 14 20 15] (1 : int32))) ; })) ; }; + [#"../01_basic.rs" 20 8 20 15] _1 <- { _1 with current = (let C01Basic_MoveClosure_Closure0.C01Basic_MoveClosure_Closure0 x0 = * _1 in C01Basic_MoveClosure_Closure0.C01Basic_MoveClosure_Closure0 ({ (field_00 ( * _1)) with current = ( * field_00 ( * _1) + ([#"../01_basic.rs" 20 14 20 15] (1 : int32))) ; })) ; }; assume { resolve0 _1 }; [#"../01_basic.rs" 19 24 21 5] _0 <- ([#"../01_basic.rs" 19 24 21 5] ()); return _0 
@@ -214,28 +220,34 @@ module C01Basic_MoveClosure var x : C01Basic_MoveClosure_Closure0.c01basic_moveclosure_closure0; var _4 : (); var _5 : borrowed C01Basic_MoveClosure_Closure0.c01basic_moveclosure_closure0; + var _6 : (); var _7 : (); var _8 : borrowed C01Basic_MoveClosure_Closure0.c01basic_moveclosure_closure0; + var _9 : (); { goto BB0 } BB0 { - [#"../01_basic.rs" 17 17 17 21] _2 <- ([#"../01_basic.rs" 17 17 17 21] [#"../01_basic.rs" 17 17 17 21] (0 : int32)); + [#"../01_basic.rs" 17 17 17 21] _2 <- ([#"../01_basic.rs" 17 17 17 21] (0 : int32)); [#"../01_basic.rs" 17 12 17 21] a <- Borrow.borrow_mut _2; [#"../01_basic.rs" 17 12 17 21] _2 <- ^ a; - [#"../01_basic.rs" 19 16 21 5] x <- ([#"../01_basic.rs" 19 16 21 5] C01Basic_MoveClosure_Closure0.C01Basic_MoveClosure_Closure0 a); + [#"../01_basic.rs" 19 16 21 5] x <- C01Basic_MoveClosure_Closure0.C01Basic_MoveClosure_Closure0 a; a <- any borrowed int32; [#"../01_basic.rs" 23 4 23 7] _5 <- Borrow.borrow_mut x; [#"../01_basic.rs" 23 4 23 7] x <- ^ _5; - [#"../01_basic.rs" 23 4 23 9] _4 <- ([#"../01_basic.rs" 23 4 23 9] let () = [#"../01_basic.rs" 23 4 23 9] () in closure00 _5); + [#"../01_basic.rs" 23 4 23 9] _6 <- (); + [#"../01_basic.rs" 23 4 23 9] _4 <- ([#"../01_basic.rs" 23 4 23 9] let () = _6 in closure00 _5); _5 <- any borrowed C01Basic_MoveClosure_Closure0.c01basic_moveclosure_closure0; + _6 <- any (); goto BB1 } BB1 { [#"../01_basic.rs" 24 4 24 7] _8 <- Borrow.borrow_mut x; [#"../01_basic.rs" 24 4 24 7] x <- ^ _8; - [#"../01_basic.rs" 24 4 24 9] _7 <- ([#"../01_basic.rs" 24 4 24 9] let () = [#"../01_basic.rs" 24 4 24 9] () in closure00 _8); + [#"../01_basic.rs" 24 4 24 9] _9 <- (); + [#"../01_basic.rs" 24 4 24 9] _7 <- ([#"../01_basic.rs" 24 4 24 9] let () = _9 in closure00 _8); _8 <- any borrowed C01Basic_MoveClosure_Closure0.c01basic_moveclosure_closure0; + _9 <- any (); goto BB2 } BB2 { 
@@ -306,14 +318,14 @@ module C01Basic_MoveMut_Closure0 goto BB0 } BB0 { - [#"../01_basic.rs" 36 12 36 21] _3 <- ([#"../01_basic.rs" 36 12 36 21] new_ref0 ()); + [#"../01_basic.rs" 36 12 36 21] _3 <- ([#"../01_basic.rs" 36 12 36 21] new_ref0 ([#"../01_basic.rs" 36 12 36 21] ())); goto BB1 } BB1 { [#"../01_basic.rs" 36 12 36 21] _2 <- Borrow.borrow_final ( * _3) (Borrow.get_id _3); [#"../01_basic.rs" 36 12 36 21] _3 <- { _3 with current = ( ^ _2) ; }; - [#"../01_basic.rs" 36 8 36 21] _1 <- { _1 with current = (let C01Basic_MoveMut_Closure0.C01Basic_MoveMut_Closure0 x0 = * _1 in C01Basic_MoveMut_Closure0.C01Basic_MoveMut_Closure0 ([#"../01_basic.rs" 36 8 36 21] _2)) ; }; - [#"../01_basic.rs" 36 8 36 21] _2 <- any borrowed uint32; + [#"../01_basic.rs" 36 8 36 21] _1 <- { _1 with current = (let C01Basic_MoveMut_Closure0.C01Basic_MoveMut_Closure0 x0 = * _1 in C01Basic_MoveMut_Closure0.C01Basic_MoveMut_Closure0 _2) ; }; + _2 <- any borrowed uint32; assume { resolve0 (field_00 ( * _1)) }; assume { resolve1 _1 }; assume { resolve0 _3 }; 
@@ -375,28 +387,34 @@ module C01Basic_MoveMut var a : C01Basic_MoveMut_Closure0.c01basic_movemut_closure0; var _4 : (); var _5 : borrowed C01Basic_MoveMut_Closure0.c01basic_movemut_closure0; + var _6 : (); var _7 : (); var _8 : borrowed C01Basic_MoveMut_Closure0.c01basic_movemut_closure0; + var _9 : (); { goto BB0 } BB0 { - [#"../01_basic.rs" 33 21 33 25] _2 <- ([#"../01_basic.rs" 33 21 33 25] [#"../01_basic.rs" 33 21 33 25] (0 : uint32)); + [#"../01_basic.rs" 33 21 33 25] _2 <- ([#"../01_basic.rs" 33 21 33 25] (0 : uint32)); [#"../01_basic.rs" 33 16 33 25] x <- Borrow.borrow_mut _2; [#"../01_basic.rs" 33 16 33 25] _2 <- ^ x; - [#"../01_basic.rs" 35 16 37 5] a <- ([#"../01_basic.rs" 35 16 37 5] C01Basic_MoveMut_Closure0.C01Basic_MoveMut_Closure0 x); + [#"../01_basic.rs" 35 16 37 5] a <- C01Basic_MoveMut_Closure0.C01Basic_MoveMut_Closure0 x; x <- any borrowed uint32; [#"../01_basic.rs" 38 4 38 7] _5 <- Borrow.borrow_mut a; [#"../01_basic.rs" 38 4 38 7] a <- ^ _5; - [#"../01_basic.rs" 38 4 38 9] _4 <- ([#"../01_basic.rs" 38 4 38 9] let () = [#"../01_basic.rs" 38 4 38 9] () in closure00 _5); + [#"../01_basic.rs" 38 4 38 9] _6 <- (); + [#"../01_basic.rs" 38 4 38 9] _4 <- ([#"../01_basic.rs" 38 4 38 9] let () = _6 in closure00 _5); _5 <- any borrowed C01Basic_MoveMut_Closure0.c01basic_movemut_closure0; + _6 <- any (); goto BB1 } BB1 { [#"../01_basic.rs" 39 4 39 7] _8 <- Borrow.borrow_mut a; [#"../01_basic.rs" 39 4 39 7] a <- ^ _8; - [#"../01_basic.rs" 39 4 39 9] _7 <- ([#"../01_basic.rs" 39 4 39 9] let () = [#"../01_basic.rs" 39 4 39 9] () in closure00 _8); + [#"../01_basic.rs" 39 4 39 9] _9 <- (); + [#"../01_basic.rs" 39 4 39 9] _7 <- ([#"../01_basic.rs" 39 4 39 9] let () = _9 in closure00 _8); _8 <- any borrowed C01Basic_MoveMut_Closure0.c01basic_movemut_closure0; + _9 <- any (); goto BB2 } BB2 { diff --git a/creusot/tests/should_succeed/closures/02_nested.mlcfg b/creusot/tests/should_succeed/closures/02_nested.mlcfg index 32d2394222..0c2417e6dc 100644 
--- a/creusot/tests/should_succeed/closures/02_nested.mlcfg +++ b/creusot/tests/should_succeed/closures/02_nested.mlcfg @@ -26,7 +26,7 @@ module C02Nested_NestedClosure_Closure0_Closure0 goto BB0 } BB0 { - [#"../02_nested.rs" 6 21 6 22] _0 <- ([#"../02_nested.rs" 6 21 6 22] field_00 _1); + [#"../02_nested.rs" 6 21 6 22] _0 <- field_00 _1; return _0 } @@ -69,12 +69,15 @@ module C02Nested_NestedClosure_Closure0 var _0 : bool; var _1 : C02Nested_NestedClosure_Closure0.c02nested_nestedclosure_closure0 = _1; var omg : C02Nested_NestedClosure_Closure0_Closure0.c02nested_nestedclosure_closure0_closure0; + var _5 : (); { goto BB0 } BB0 { - [#"../02_nested.rs" 6 18 6 22] omg <- ([#"../02_nested.rs" 6 18 6 22] C02Nested_NestedClosure_Closure0_Closure0.C02Nested_NestedClosure_Closure0_Closure0 ([#"../02_nested.rs" 6 18 6 22] field_00 _1)); - [#"../02_nested.rs" 7 8 7 15] _0 <- ([#"../02_nested.rs" 7 8 7 15] let () = [#"../02_nested.rs" 7 8 7 15] () in closure00 ([#"../02_nested.rs" 7 8 7 13] omg)); + [#"../02_nested.rs" 6 18 6 22] omg <- C02Nested_NestedClosure_Closure0_Closure0.C02Nested_NestedClosure_Closure0_Closure0 (field_00 _1); + [#"../02_nested.rs" 7 8 7 15] _5 <- (); + [#"../02_nested.rs" 7 8 7 15] _0 <- ([#"../02_nested.rs" 7 8 7 15] let () = _5 in closure00 omg); + _5 <- any (); goto BB1 } BB1 { 
@@ -120,13 +123,16 @@ module C02Nested_NestedClosure var a : bool; var _a : bool; var _4 : C02Nested_NestedClosure_Closure0.c02nested_nestedclosure_closure0; + var _6 : (); { goto BB0 } BB0 { - [#"../02_nested.rs" 4 12 4 16] a <- ([#"../02_nested.rs" 4 12 4 16] [#"../02_nested.rs" 4 12 4 16] true); - [#"../02_nested.rs" 5 13 8 6] _4 <- ([#"../02_nested.rs" 5 13 8 6] C02Nested_NestedClosure_Closure0.C02Nested_NestedClosure_Closure0 ([#"../02_nested.rs" 5 13 8 6] a)); - [#"../02_nested.rs" 5 13 8 8] _a <- ([#"../02_nested.rs" 5 13 8 8] let () = [#"../02_nested.rs" 5 13 8 8] () in closure00 ([#"../02_nested.rs" 5 13 8 6] _4)); + [#"../02_nested.rs" 4 12 4 16] a <- ([#"../02_nested.rs" 4 12 4 16] true); + [#"../02_nested.rs" 5 13 8 6] _4 <- C02Nested_NestedClosure_Closure0.C02Nested_NestedClosure_Closure0 a; + [#"../02_nested.rs" 5 13 8 8] _6 <- (); + [#"../02_nested.rs" 5 13 8 8] _a <- ([#"../02_nested.rs" 5 13 8 8] let () = _6 in closure00 _4); + _6 <- any (); goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/closures/03_generic_bound.mlcfg b/creusot/tests/should_succeed/closures/03_generic_bound.mlcfg index 418cdfe963..42fd159ca4 100644 --- a/creusot/tests/should_succeed/closures/03_generic_bound.mlcfg +++ b/creusot/tests/should_succeed/closures/03_generic_bound.mlcfg 
@@ -38,7 +38,10 @@ module C03GenericBound_ClosureParam requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv3 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : uint32, res : () . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv2 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv4 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : uint32, res : () . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv2 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv3 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv4 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -52,13 +55,19 @@ module C03GenericBound_ClosureParam requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : uint32) (res : ()) : () val postcondition_mut_unnest0 (self : borrowed f) (args : uint32) (res : ()) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -67,7 +76,11 @@ module C03GenericBound_ClosureParam requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv3 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : uint32, res : () . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv2 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : uint32, res : () . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv2 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv3 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant4 (self : borrowed f) val invariant4 (self : borrowed f) : bool ensures { result = invariant4 self } 
@@ -90,7 +103,10 @@ module C03GenericBound_ClosureParam requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv3 res} ensures { result = fn_once0 self args res } - axiom fn_once0_spec : forall self : f, args : uint32, res : () . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv2 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once0 self args res = (resolve0 self /\ postcondition0 self args res)) + axiom fn_once0_spec : forall self : f, args : uint32, res : () . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv2 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv3 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once0 self args res = (resolve0 self /\ postcondition0 self args res)) predicate resolve1 (self : borrowed f) = [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve1 (self : borrowed f) : bool 
@@ -103,7 +119,10 @@ module C03GenericBound_ClosureParam requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv3 res} ensures { result = fn_mut0 self args res } - axiom fn_mut0_spec : forall self : borrowed f, args : uint32, res : () . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv2 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve1 self /\ postcondition0 ( * self) args res)) + axiom fn_mut0_spec : forall self : borrowed f, args : uint32, res : () . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv2 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv3 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve1 self /\ postcondition0 ( * self) args res)) predicate invariant2 (self : uint32) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant2 (self : uint32) : bool @@ -142,11 +161,14 @@ module C03GenericBound_ClosureParam = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var f : f = f; + var _3 : uint32; { goto BB0 } BB0 { - [#"../03_generic_bound.rs" 4 4 4 10] _0 <- ([#"../03_generic_bound.rs" 4 4 4 10] call0 ([#"../03_generic_bound.rs" 4 4 4 7] f) ([#"../03_generic_bound.rs" 4 4 4 10] (([#"../03_generic_bound.rs" 4 8 4 9] [#"../03_generic_bound.rs" 4 8 4 9] (0 : uint32))))); + [#"../03_generic_bound.rs" 4 4 4 10] _3 <- (([#"../03_generic_bound.rs" 4 8 4 9] (0 : uint32))); + [#"../03_generic_bound.rs" 4 4 4 10] _0 <- ([#"../03_generic_bound.rs" 4 4 4 10] call0 f _3); + _3 <- any uint32; goto BB1 } BB1 { 
@@ -180,7 +202,7 @@ module C03GenericBound_Caller_Closure0 goto BB0 } BB0 { - [#"../03_generic_bound.rs" 8 28 8 30] _0 <- ([#"../03_generic_bound.rs" 8 28 8 30] ()); + [#"../03_generic_bound.rs" 8 28 8 30] _0 <- (); return _0 } @@ -205,11 +227,14 @@ module C03GenericBound_Caller let rec cfg caller [#"../03_generic_bound.rs" 7 0 7 15] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); + var _1 : C03GenericBound_Caller_Closure0.c03genericbound_caller_closure0; { goto BB0 } BB0 { - [#"../03_generic_bound.rs" 8 4 8 31] _0 <- ([#"../03_generic_bound.rs" 8 4 8 31] closure_param0 ([#"../03_generic_bound.rs" 8 18 8 30] C03GenericBound_Caller_Closure0.C03GenericBound_Caller_Closure0)); + [#"../03_generic_bound.rs" 8 18 8 30] _1 <- C03GenericBound_Caller_Closure0.C03GenericBound_Caller_Closure0; + [#"../03_generic_bound.rs" 8 4 8 31] _0 <- ([#"../03_generic_bound.rs" 8 4 8 31] closure_param0 _1); + _1 <- any C03GenericBound_Caller_Closure0.c03genericbound_caller_closure0; goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/closures/04_generic_closure.mlcfg b/creusot/tests/should_succeed/closures/04_generic_closure.mlcfg index 24a5f0083e..d4cc8fcee1 100644 --- a/creusot/tests/should_succeed/closures/04_generic_closure.mlcfg +++ b/creusot/tests/should_succeed/closures/04_generic_closure.mlcfg 
@@ -39,7 +39,10 @@ module C04GenericClosure_GenericClosure requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv4 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv5 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv4 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv5 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -53,13 +56,19 @@ module C04GenericClosure_GenericClosure requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -68,7 +77,11 @@ module C04GenericClosure_GenericClosure requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv4 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv4 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant5 (self : borrowed f) val invariant5 (self : borrowed f) : bool ensures { result = invariant5 self } 
@@ -85,7 +98,10 @@ module C04GenericClosure_GenericClosure requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv2 res} ensures { result = fn_once0 self args res } - axiom fn_once0_spec : forall self : f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv4 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once0 self args res = (resolve0 self /\ postcondition0 self args res)) + axiom fn_once0_spec : forall self : f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv4 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once0 self args res = (resolve0 self /\ postcondition0 self args res)) predicate resolve1 (self : borrowed f) = [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve1 (self : borrowed f) : bool 
@@ -98,7 +114,10 @@ module C04GenericClosure_GenericClosure requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv2 res} ensures { result = fn_mut0 self args res } - axiom fn_mut0_spec : forall self : borrowed f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv4 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve1 self /\ postcondition0 ( * self) args res)) + axiom fn_mut0_spec : forall self : borrowed f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv4 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve1 self /\ postcondition0 ( * self) args res)) predicate invariant4 (self : a) val invariant4 (self : a) : bool ensures { result = invariant4 self } @@ -152,12 +171,15 @@ module C04GenericClosure_GenericClosure var _0 : b; var f : f = f; var a : a = a; + var _4 : a; { goto BB0 } BB0 { - [#"../04_generic_closure.rs" 4 4 4 8] _0 <- ([#"../04_generic_closure.rs" 4 4 4 8] call0 ([#"../04_generic_closure.rs" 4 4 4 5] f) ([#"../04_generic_closure.rs" 4 4 4 8] (([#"../04_generic_closure.rs" 4 6 4 7] a)))); - [#"../04_generic_closure.rs" 4 6 4 7] a <- any a; + [#"../04_generic_closure.rs" 4 4 4 8] _4 <- (a); + a <- any a; + [#"../04_generic_closure.rs" 4 4 4 8] _0 <- ([#"../04_generic_closure.rs" 4 4 4 8] call0 f _4); + _4 <- any a; goto BB1 } BB1 { 
@@ -215,7 +237,7 @@ module C04GenericClosure_Mapper_Closure0 goto BB0 } BB0 { - [#"../04_generic_closure.rs" 8 33 8 35] _0 <- ([#"../04_generic_closure.rs" 8 33 8 35] ()); + [#"../04_generic_closure.rs" 8 33 8 35] _0 <- (); assert { [@expl:type invariant] inv0 _a }; assume { resolve0 _a }; assume { resolve1 _1 }; @@ -270,12 +292,15 @@ module C04GenericClosure_Mapper var _0 : (); var x : a = x; var _2 : (); + var _3 : C04GenericClosure_Mapper_Closure0.c04genericclosure_mapper_closure0 a; { goto BB0 } BB0 { - [#"../04_generic_closure.rs" 8 12 8 39] _2 <- ([#"../04_generic_closure.rs" 8 12 8 39] generic_closure0 ([#"../04_generic_closure.rs" 8 28 8 35] C04GenericClosure_Mapper_Closure0.C04GenericClosure_Mapper_Closure0) ([#"../04_generic_closure.rs" 8 37 8 38] x)); - [#"../04_generic_closure.rs" 8 37 8 38] x <- any a; + [#"../04_generic_closure.rs" 8 28 8 35] _3 <- C04GenericClosure_Mapper_Closure0.C04GenericClosure_Mapper_Closure0; + [#"../04_generic_closure.rs" 8 12 8 39] _2 <- ([#"../04_generic_closure.rs" 8 12 8 39] generic_closure0 _3 x); + _3 <- any C04GenericClosure_Mapper_Closure0.c04genericclosure_mapper_closure0 a; + x <- any a; goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/closures/05_map.mlcfg b/creusot/tests/should_succeed/closures/05_map.mlcfg index 499b9a2cb1..e036bec76a 100644 --- a/creusot/tests/should_succeed/closures/05_map.mlcfg +++ b/creusot/tests/should_succeed/closures/05_map.mlcfg 
@@ -69,7 +69,10 @@ module C05Map_Impl0_Next requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv7 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv9 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv7 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv8 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve3 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv9 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv6 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv7 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv8 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve3 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -83,13 +86,19 @@ module C05Map_Impl0_Next requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv9 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv9 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv9 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv9 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv9 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv9 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv9 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv9 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv9 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv9 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -98,7 +107,11 @@ module C05Map_Impl0_Next requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv7 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv8 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv7 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv8 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv6 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv7 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant8 (self : borrowed f) val invariant8 (self : borrowed f) : bool ensures { result = invariant8 self } 
@@ -120,7 +133,10 @@ module C05Map_Impl0_Next requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv7 res} ensures { result = fn_once0 self args res } - axiom fn_once0_spec : forall self : f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv9 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv7 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once0 self args res = (resolve3 self /\ postcondition0 self args res)) + axiom fn_once0_spec : forall self : f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv9 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv6 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv7 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once0 self args res = (resolve3 self /\ postcondition0 self args res)) predicate resolve2 (self : borrowed f) = [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve2 (self : borrowed f) : bool 
@@ -133,7 +149,10 @@ module C05Map_Impl0_Next requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv7 res} ensures { result = fn_mut0 self args res } - axiom fn_mut0_spec : forall self : borrowed f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv8 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv7 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve2 self /\ postcondition0 ( * self) args res)) + axiom fn_mut0_spec : forall self : borrowed f, args : a, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv8 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv6 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv7 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve2 self /\ postcondition0 ( * self) args res)) predicate invariant6 (self : a) val invariant6 (self : a) : bool ensures { result = invariant6 self } @@ -230,6 +249,7 @@ module C05Map_Impl0_Next var _3 : borrowed i; var e : a; var _6 : b; + var _8 : a; { goto BB0 } 
@@ -251,19 +271,21 @@ module C05Map_Impl0_Next goto BB5 } BB3 { - [#"../05_map.rs" 20 17 20 18] e <- ([#"../05_map.rs" 20 17 20 18] Core_Option_Option_Type.some_0 _2); - [#"../05_map.rs" 20 17 20 18] _2 <- (let Core_Option_Option_Type.C_Some x0 = _2 in Core_Option_Option_Type.C_Some (any a)); + [#"../05_map.rs" 20 17 20 18] e <- Core_Option_Option_Type.some_0 _2; + _2 <- (let Core_Option_Option_Type.C_Some x0 = _2 in Core_Option_Option_Type.C_Some (any a)); assert { [@expl:type invariant] inv1 _2 }; assume { resolve0 _2 }; - [#"../05_map.rs" 20 28 20 42] _6 <- ([#"../05_map.rs" 20 28 20 42] call0 ([#"../05_map.rs" 20 28 20 39] C05Map_Map_Type.map_func ( * self)) ([#"../05_map.rs" 20 28 20 42] (([#"../05_map.rs" 20 40 20 41] e)))); - [#"../05_map.rs" 20 40 20 41] e <- any a; + [#"../05_map.rs" 20 28 20 42] _8 <- (e); + e <- any a; + [#"../05_map.rs" 20 28 20 42] _6 <- ([#"../05_map.rs" 20 28 20 42] call0 (C05Map_Map_Type.map_func ( * self)) _8); + _8 <- any a; goto BB6 } BB4 { - assert { [@expl:type invariant] inv1 _2 }; - assume { resolve0 _2 }; assert { [@expl:type invariant] inv2 self }; assume { resolve1 self }; + assert { [@expl:type invariant] inv1 _2 }; + assume { resolve0 _2 }; assert { [#"../05_map.rs" 18 14 18 30] false }; absurd } @@ -272,7 +294,7 @@ module C05Map_Impl0_Next assume { resolve0 _2 }; assert { [@expl:type invariant] inv2 self }; assume { resolve1 self }; - [#"../05_map.rs" 19 20 19 24] _0 <- ([#"../05_map.rs" 19 20 19 24] Core_Option_Option_Type.C_None); + [#"../05_map.rs" 19 20 19 24] _0 <- Core_Option_Option_Type.C_None; goto BB10 } BB6 { @@ -281,7 +303,7 @@ module C05Map_Impl0_Next BB7 { assert { [@expl:type invariant] inv2 self }; assume { resolve1 self }; - [#"../05_map.rs" 20 23 20 43] _0 <- ([#"../05_map.rs" 20 23 20 43] Core_Option_Option_Type.C_Some _6); + [#"../05_map.rs" 20 23 20 43] _0 <- Core_Option_Option_Type.C_Some _6; _6 <- any b; goto BB8 } 
@@ -325,5 +347,6 @@ module C05Map_Impl0 ensures { result = inv0 _x } axiom inv0 : forall x : borrowed (C05Map_Map_Type.t_map i f) . inv0 x = true - goal next_refn : [#"../05_map.rs" 17 4 17 44] forall self : borrowed (C05Map_Map_Type.t_map i f) . inv0 self -> inv0 self /\ (forall result : Core_Option_Option_Type.t_option b . inv1 result -> inv1 result) + goal next_refn : [#"../05_map.rs" 17 4 17 44] forall self : borrowed (C05Map_Map_Type.t_map i f) . inv0 self + -> inv0 self /\ (forall result : Core_Option_Option_Type.t_option b . inv1 result -> inv1 result) end diff --git a/creusot/tests/should_succeed/closures/06_fn_specs.mlcfg b/creusot/tests/should_succeed/closures/06_fn_specs.mlcfg index 24b48682ce..63a947898e 100644 --- a/creusot/tests/should_succeed/closures/06_fn_specs.mlcfg +++ b/creusot/tests/should_succeed/closures/06_fn_specs.mlcfg @@ -66,9 +66,9 @@ module C06FnSpecs_Weaken3 goto BB2 } BB2 { - [#"../06_fn_specs.rs" 33 4 33 27] _0 <- ([#"../06_fn_specs.rs" 33 4 33 27] call_once0 ([#"../06_fn_specs.rs" 33 22 33 23] f) ([#"../06_fn_specs.rs" 33 25 33 26] a)); - [#"../06_fn_specs.rs" 33 22 33 23] f <- any f; - [#"../06_fn_specs.rs" 33 25 33 26] a <- any a; + [#"../06_fn_specs.rs" 33 4 33 27] _0 <- ([#"../06_fn_specs.rs" 33 4 33 27] call_once0 f a); + f <- any f; + a <- any a; goto BB3 } BB3 { 
@@ -127,7 +127,10 @@ module C06FnSpecs_Weaken2 requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 43 37 43 40] inv3 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 19 43 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 25 43 29] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 37 43 40] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 42 14 42 135] postcondition_once0 self args res = (exists s : borrowed f . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 19 43 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 25 43 29] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 37 43 40] inv3 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 42 14 42 135] postcondition_once0 self args res = (exists s : borrowed f . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -141,13 +144,19 @@ module C06FnSpecs_Weaken2 requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 39 35 39 36] inv0 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 36 15 36 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 37 15 37 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 20 39 24] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 26 39 27] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 35 39 36] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 38 14 38 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 36 15 36 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 37 15 37 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 20 39 24] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 26 39 27] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 35 39 36] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 38 14 38 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 33 19 33 23] inv0 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 33 19 33 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 32 14 32 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 33 19 33 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 32 14 32 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : output0) : () val postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : output0) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 27 15 27 48] postcondition_mut0 self args res} @@ -156,7 +165,11 @@ module C06FnSpecs_Weaken2 requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 29 55 29 58] inv3 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 27 15 27 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 37 29 41] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 43 29 47] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 55 29 58] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 28 14 28 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 27 15 27 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 37 29 41] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 43 29 47] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 55 29 58] inv3 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 28 14 28 35] unnest0 ( * self) ( ^ self)) predicate invariant2 (self : borrowed f) val invariant2 (self : borrowed f) : bool ensures { result = invariant2 self } 
@@ -204,9 +217,9 @@ module C06FnSpecs_Weaken2 goto BB2 } BB2 { - [#"../06_fn_specs.rs" 21 4 21 18] _0 <- ([#"../06_fn_specs.rs" 21 4 21 18] weaken_30 ([#"../06_fn_specs.rs" 21 13 21 14] f) ([#"../06_fn_specs.rs" 21 16 21 17] a)); - [#"../06_fn_specs.rs" 21 13 21 14] f <- any f; - [#"../06_fn_specs.rs" 21 16 21 17] a <- any a; + [#"../06_fn_specs.rs" 21 4 21 18] _0 <- ([#"../06_fn_specs.rs" 21 4 21 18] weaken_30 f a); + f <- any f; + a <- any a; goto BB3 } BB3 { @@ -260,7 +273,10 @@ module C06FnSpecs_Weaken requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 43 37 43 40] inv2 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 19 43 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 25 43 29] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 37 43 40] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 42 14 42 135] postcondition_once0 self args res = (exists s : borrowed f . inv3 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 19 43 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 25 43 29] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 43 37 43 40] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 42 14 42 135] postcondition_once0 self args res = (exists s : borrowed f . inv3 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -274,13 +290,19 @@ module C06FnSpecs_Weaken requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 39 35 39 36] inv0 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 36 15 36 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 37 15 37 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 20 39 24] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 26 39 27] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 35 39 36] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 38 14 38 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 36 15 36 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 37 15 37 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 20 39 24] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 26 39 27] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 39 35 39 36] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 38 14 38 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 33 19 33 23] inv0 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 33 19 33 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 32 14 32 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 33 19 33 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 32 14 32 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : output0) : () val postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : output0) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 27 15 27 48] postcondition_mut0 self args res} @@ -289,7 +311,11 @@ module C06FnSpecs_Weaken requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 29 55 29 58] inv2 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 27 15 27 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 37 29 41] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 43 29 47] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 55 29 58] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 28 14 28 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 27 15 27 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 37 29 41] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 43 29 47] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 29 55 29 58] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 28 14 28 35] unnest0 ( * self) ( ^ self)) predicate invariant3 (self : borrowed f) val invariant3 (self : borrowed f) : bool ensures { result = invariant3 self } 
@@ -311,7 +337,10 @@ module C06FnSpecs_Weaken requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 61 33 61 36] inv2 res} ensures { result = fn_once0 self args res } - axiom fn_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 61 15 61 19] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 61 21 61 25] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 61 33 61 36] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 60 14 60 101] postcondition_once0 self args res = (resolve0 self /\ postcondition0 self args res)) + axiom fn_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 61 15 61 19] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 61 21 61 25] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 61 33 61 36] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 60 14 60 101] postcondition_once0 self args res = (resolve0 self /\ postcondition0 self args res)) predicate resolve1 (self : borrowed f) = [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve1 (self : borrowed f) : bool 
@@ -324,7 +353,10 @@ module C06FnSpecs_Weaken requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 57 37 57 40] inv2 res} ensures { result = fn_mut0 self args res } - axiom fn_mut0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 57 19 57 23] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 57 25 57 29] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 57 37 57 40] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 56 14 56 100] postcondition_mut0 self args res = (resolve1 self /\ postcondition0 ( * self) args res)) + axiom fn_mut0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 57 19 57 23] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 57 25 57 29] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 57 37 57 40] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 56 14 56 100] postcondition_mut0 self args res = (resolve1 self /\ postcondition0 ( * self) args res)) predicate invariant1 (self : a) val invariant1 (self : a) : bool ensures { result = invariant1 self } @@ -367,9 +399,9 @@ module C06FnSpecs_Weaken goto BB2 } BB2 { - [#"../06_fn_specs.rs" 9 4 9 18] _0 <- ([#"../06_fn_specs.rs" 9 4 9 18] weaken_20 ([#"../06_fn_specs.rs" 9 13 9 14] f) ([#"../06_fn_specs.rs" 9 16 9 17] a)); - [#"../06_fn_specs.rs" 9 13 9 14] f <- any f; - [#"../06_fn_specs.rs" 9 16 9 17] a <- any a; + [#"../06_fn_specs.rs" 9 4 9 18] _0 <- ([#"../06_fn_specs.rs" 9 4 9 18] weaken_20 f a); + f <- any f; + a <- any a; goto BB3 } BB3 { 
@@ -450,9 +482,9 @@ module C06FnSpecs_Weaken3Std goto BB2 } BB2 { - [#"../06_fn_specs.rs" 39 4 39 27] _0 <- ([#"../06_fn_specs.rs" 39 4 39 27] call_once0 ([#"../06_fn_specs.rs" 39 22 39 23] f) ([#"../06_fn_specs.rs" 39 25 39 26] a)); - [#"../06_fn_specs.rs" 39 22 39 23] f <- any f; - [#"../06_fn_specs.rs" 39 25 39 26] a <- any a; + [#"../06_fn_specs.rs" 39 4 39 27] _0 <- ([#"../06_fn_specs.rs" 39 4 39 27] call_once0 f a); + f <- any f; + a <- any a; goto BB3 } BB3 { @@ -511,7 +543,10 @@ module C06FnSpecs_Weaken2Std requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv3 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv3 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -525,13 +560,19 @@ module C06FnSpecs_Weaken2Std requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : output0) : () val postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : output0) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -540,7 +581,11 @@ module C06FnSpecs_Weaken2Std requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv3 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv3 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant2 (self : borrowed f) val invariant2 (self : borrowed f) : bool ensures { result = invariant2 self } 
@@ -588,9 +633,9 @@ module C06FnSpecs_Weaken2Std goto BB2 } BB2 { - [#"../06_fn_specs.rs" 27 4 27 22] _0 <- ([#"../06_fn_specs.rs" 27 4 27 22] weaken_3_std0 ([#"../06_fn_specs.rs" 27 17 27 18] f) ([#"../06_fn_specs.rs" 27 20 27 21] a)); - [#"../06_fn_specs.rs" 27 17 27 18] f <- any f; - [#"../06_fn_specs.rs" 27 20 27 21] a <- any a; + [#"../06_fn_specs.rs" 27 4 27 22] _0 <- ([#"../06_fn_specs.rs" 27 4 27 22] weaken_3_std0 f a); + f <- any f; + a <- any a; goto BB3 } BB3 { @@ -644,7 +689,10 @@ module C06FnSpecs_WeakenStd requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv3 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv3 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -658,13 +706,19 @@ module C06FnSpecs_WeakenStd requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : output0) : () val postcondition_mut_unnest0 (self : borrowed f) (args : a) (res : output0) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -673,7 +727,11 @@ module C06FnSpecs_WeakenStd requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant3 (self : borrowed f) val invariant3 (self : borrowed f) : bool ensures { result = invariant3 self } 
@@ -695,7 +753,10 @@ module C06FnSpecs_WeakenStd requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv2 res} ensures { result = fn_once0 self args res } - axiom fn_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once0 self args res = (resolve0 self /\ postcondition0 self args res)) + axiom fn_once0_spec : forall self : f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 15 145 19] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 21 145 25] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 145 33 145 36] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 144 14 144 101] postcondition_once0 self args res = (resolve0 self /\ postcondition0 self args res)) predicate resolve1 (self : borrowed f) = [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve1 (self : borrowed f) : bool 
@@ -708,7 +769,10 @@ module C06FnSpecs_WeakenStd requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv2 res} ensures { result = fn_mut0 self args res } - axiom fn_mut0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv1 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve1 self /\ postcondition0 ( * self) args res)) + axiom fn_mut0_spec : forall self : borrowed f, args : a, res : output0 . ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 19 139 23] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 25 139 29] inv1 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 139 37 139 40] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 138 14 138 100] postcondition_mut0 self args res = (resolve1 self /\ postcondition0 ( * self) args res)) predicate invariant1 (self : a) val invariant1 (self : a) : bool ensures { result = invariant1 self } @@ -751,9 +815,9 @@ module C06FnSpecs_WeakenStd goto BB2 } BB2 { - [#"../06_fn_specs.rs" 15 4 15 22] _0 <- ([#"../06_fn_specs.rs" 15 4 15 22] weaken_2_std0 ([#"../06_fn_specs.rs" 15 17 15 18] f) ([#"../06_fn_specs.rs" 15 20 15 21] a)); - [#"../06_fn_specs.rs" 15 17 15 18] f <- any f; - [#"../06_fn_specs.rs" 15 20 15 21] a <- any a; + [#"../06_fn_specs.rs" 15 4 15 22] _0 <- ([#"../06_fn_specs.rs" 15 4 15 22] weaken_2_std0 f a); + f <- any f; + a <- any a; goto BB3 } BB3 { @@ -822,6 +886,7 @@ module C06FnSpecs_FnOnceUser = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var f : f = f; + var _4 : usize; { goto BB0 } 
@@ -829,8 +894,10 @@ module C06FnSpecs_FnOnceUser goto BB1 } BB1 { - [#"../06_fn_specs.rs" 45 4 45 8] _0 <- ([#"../06_fn_specs.rs" 45 4 45 8] call_once0 ([#"../06_fn_specs.rs" 45 4 45 5] f) ([#"../06_fn_specs.rs" 45 4 45 8] (([#"../06_fn_specs.rs" 45 6 45 7] [#"../06_fn_specs.rs" 45 6 45 7] (0 : usize))))); - [#"../06_fn_specs.rs" 45 4 45 5] f <- any f; + [#"../06_fn_specs.rs" 45 4 45 8] _4 <- (([#"../06_fn_specs.rs" 45 6 45 7] (0 : usize))); + [#"../06_fn_specs.rs" 45 4 45 8] _0 <- ([#"../06_fn_specs.rs" 45 4 45 8] call_once0 f _4); + f <- any f; + _4 <- any usize; goto BB2 } BB2 { @@ -864,7 +931,7 @@ module C06FnSpecs_Caller_Closure0 goto BB0 } BB0 { - [#"../06_fn_specs.rs" 49 21 49 23] _0 <- ([#"../06_fn_specs.rs" 49 21 49 23] ()); + [#"../06_fn_specs.rs" 49 21 49 23] _0 <- (); assume { resolve0 _1 }; return _0 } @@ -896,11 +963,14 @@ module C06FnSpecs_Caller let rec cfg caller [#"../06_fn_specs.rs" 48 0 48 15] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); + var _1 : C06FnSpecs_Caller_Closure0.c06fnspecs_caller_closure0; { goto BB0 } BB0 { - [#"../06_fn_specs.rs" 49 4 49 24] _0 <- ([#"../06_fn_specs.rs" 49 4 49 24] fn_once_user0 ([#"../06_fn_specs.rs" 49 17 49 23] C06FnSpecs_Caller_Closure0.C06FnSpecs_Caller_Closure0)); + [#"../06_fn_specs.rs" 49 17 49 23] _1 <- C06FnSpecs_Caller_Closure0.C06FnSpecs_Caller_Closure0; + [#"../06_fn_specs.rs" 49 4 49 24] _0 <- ([#"../06_fn_specs.rs" 49 4 49 24] fn_once_user0 _1); + _1 <- any C06FnSpecs_Caller_Closure0.c06fnspecs_caller_closure0; goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/closures/06_fn_specs/why3session.xml b/creusot/tests/should_succeed/closures/06_fn_specs/why3session.xml index 82f34b3b23..e680c575f1 100644 --- a/creusot/tests/should_succeed/closures/06_fn_specs/why3session.xml +++ b/creusot/tests/should_succeed/closures/06_fn_specs/why3session.xml @@ -38,7 +38,7 @@ - + 
diff --git a/creusot/tests/should_succeed/closures/06_fn_specs/why3shapes.gz b/creusot/tests/should_succeed/closures/06_fn_specs/why3shapes.gz index 3bea0ccc11..294a6c6a55 100644 Binary files a/creusot/tests/should_succeed/closures/06_fn_specs/why3shapes.gz and b/creusot/tests/should_succeed/closures/06_fn_specs/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/closures/07_mutable_capture.mlcfg b/creusot/tests/should_succeed/closures/07_mutable_capture.mlcfg index 80e9471d6b..6b526ae0ea 100644 --- a/creusot/tests/should_succeed/closures/07_mutable_capture.mlcfg +++ b/creusot/tests/should_succeed/closures/07_mutable_capture.mlcfg 
@@ -47,11 +47,11 @@ module C07MutableCapture_TestFnmut_Closure1 goto BB0 } BB0 { - [#"../07_mutable_capture.rs" 10 12 10 18] _1 <- { _1 with current = (let C07MutableCapture_TestFnmut_Closure1.C07MutableCapture_TestFnmut_Closure1 x0 = * _1 in C07MutableCapture_TestFnmut_Closure1.C07MutableCapture_TestFnmut_Closure1 ({ (field_00 ( * _1)) with current = ([#"../07_mutable_capture.rs" 10 12 10 18] * field_00 ( * _1) + ([#"../07_mutable_capture.rs" 10 17 10 18] [#"../07_mutable_capture.rs" 10 17 10 18] (1 : uint32))) ; })) ; }; + [#"../07_mutable_capture.rs" 10 12 10 18] _1 <- { _1 with current = (let C07MutableCapture_TestFnmut_Closure1.C07MutableCapture_TestFnmut_Closure1 x0 = * _1 in C07MutableCapture_TestFnmut_Closure1.C07MutableCapture_TestFnmut_Closure1 ({ (field_00 ( * _1)) with current = ( * field_00 ( * _1) + ([#"../07_mutable_capture.rs" 10 17 10 18] (1 : uint32))) ; })) ; }; assume { resolve0 _1 }; - [#"../07_mutable_capture.rs" 11 12 11 13] res1 <- ([#"../07_mutable_capture.rs" 11 12 11 13] [#"../07_mutable_capture.rs" 11 12 11 13] (5 : int32)); - [#"../07_mutable_capture.rs" 7 8 7 35] res <- ([#"../07_mutable_capture.rs" 7 8 7 35] res1); - [#"../07_mutable_capture.rs" 8 8 8 37] _0 <- ([#"../07_mutable_capture.rs" 8 8 8 37] res); + [#"../07_mutable_capture.rs" 11 12 11 13] res1 <- ([#"../07_mutable_capture.rs" 11 12 11 13] (5 : int32)); + [#"../07_mutable_capture.rs" 7 8 7 35] res <- res1; + [#"../07_mutable_capture.rs" 8 8 8 37] _0 <- res; return _0 } 
@@ -104,27 +104,33 @@ module C07MutableCapture_TestFnmut var _4 : borrowed uint32; var _5 : int32; var _6 : borrowed C07MutableCapture_TestFnmut_Closure1.c07mutablecapture_testfnmut_closure1; + var _7 : (); var _8 : int32; var _9 : borrowed C07MutableCapture_TestFnmut_Closure1.c07mutablecapture_testfnmut_closure1; + var _10 : (); { goto BB0 } BB0 { [#"../07_mutable_capture.rs" 8 8 8 37] _4 <- Borrow.borrow_mut x; [#"../07_mutable_capture.rs" 8 8 8 37] x <- ^ _4; - [#"../07_mutable_capture.rs" 8 8 8 37] c <- ([#"../07_mutable_capture.rs" 8 8 8 37] C07MutableCapture_TestFnmut_Closure1.C07MutableCapture_TestFnmut_Closure1 _4); + [#"../07_mutable_capture.rs" 8 8 8 37] c <- C07MutableCapture_TestFnmut_Closure1.C07MutableCapture_TestFnmut_Closure1 _4; _4 <- any borrowed uint32; [#"../07_mutable_capture.rs" 14 4 14 5] _6 <- Borrow.borrow_mut c; [#"../07_mutable_capture.rs" 14 4 14 5] c <- ^ _6; - [#"../07_mutable_capture.rs" 14 4 14 7] _5 <- ([#"../07_mutable_capture.rs" 14 4 14 7] let () = [#"../07_mutable_capture.rs" 14 4 14 7] () in closure10 _6); + [#"../07_mutable_capture.rs" 14 4 14 7] _7 <- (); + [#"../07_mutable_capture.rs" 14 4 14 7] _5 <- ([#"../07_mutable_capture.rs" 14 4 14 7] let () = _7 in closure10 _6); _6 <- any borrowed C07MutableCapture_TestFnmut_Closure1.c07mutablecapture_testfnmut_closure1; + _7 <- any (); goto BB1 } BB1 { [#"../07_mutable_capture.rs" 15 4 15 5] _9 <- Borrow.borrow_mut c; [#"../07_mutable_capture.rs" 15 4 15 5] c <- ^ _9; - [#"../07_mutable_capture.rs" 15 4 15 7] _8 <- ([#"../07_mutable_capture.rs" 15 4 15 7] let () = [#"../07_mutable_capture.rs" 15 4 15 7] () in closure10 _9); + [#"../07_mutable_capture.rs" 15 4 15 7] _10 <- (); + [#"../07_mutable_capture.rs" 15 4 15 7] _8 <- ([#"../07_mutable_capture.rs" 15 4 15 7] let () = _10 in closure10 _9); _9 <- any borrowed C07MutableCapture_TestFnmut_Closure1.c07mutablecapture_testfnmut_closure1; + _10 <- any (); goto BB2 } BB2 { 
diff --git a/creusot/tests/should_succeed/closures/07_mutable_capture/why3shapes.gz b/creusot/tests/should_succeed/closures/07_mutable_capture/why3shapes.gz index e46260f538..99257d1192 100644 Binary files a/creusot/tests/should_succeed/closures/07_mutable_capture/why3shapes.gz and b/creusot/tests/should_succeed/closures/07_mutable_capture/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/closures/08_multiple_calls.mlcfg b/creusot/tests/should_succeed/closures/08_multiple_calls.mlcfg index 7bce55509c..834bfee044 100644 --- a/creusot/tests/should_succeed/closures/08_multiple_calls.mlcfg +++ b/creusot/tests/should_succeed/closures/08_multiple_calls.mlcfg @@ -37,8 +37,8 @@ module C08MultipleCalls_MultiUse_Closure0 } BB0 { assume { resolve0 _1 }; - [#"../08_multiple_calls.rs" 8 8 8 9] res <- ([#"../08_multiple_calls.rs" 8 8 8 9] [#"../08_multiple_calls.rs" 8 8 8 9] (0 : uint32)); - [#"../08_multiple_calls.rs" 5 12 5 31] _0 <- ([#"../08_multiple_calls.rs" 5 12 5 31] res); + [#"../08_multiple_calls.rs" 8 8 8 9] res <- ([#"../08_multiple_calls.rs" 8 8 8 9] (0 : uint32)); + [#"../08_multiple_calls.rs" 5 12 5 31] _0 <- res; return _0 } @@ -121,9 +121,9 @@ module C08MultipleCalls_MultiUse goto BB0 } BB0 { - [#"../08_multiple_calls.rs" 5 12 5 31] c <- ([#"../08_multiple_calls.rs" 5 12 5 31] C08MultipleCalls_MultiUse_Closure0.C08MultipleCalls_MultiUse_Closure0 ([#"../08_multiple_calls.rs" 5 12 5 31] x)); + [#"../08_multiple_calls.rs" 5 12 5 31] c <- C08MultipleCalls_MultiUse_Closure0.C08MultipleCalls_MultiUse_Closure0 x; assume { resolve0 c }; - [#"../08_multiple_calls.rs" 11 4 11 14] _4 <- ([#"../08_multiple_calls.rs" 11 4 11 14] uses_fn0 ([#"../08_multiple_calls.rs" 11 12 11 13] c)); + [#"../08_multiple_calls.rs" 11 4 11 14] _4 <- ([#"../08_multiple_calls.rs" 11 4 11 14] uses_fn0 c); goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/constrained_types.mlcfg b/creusot/tests/should_succeed/constrained_types.mlcfg index 61364a686a..82289bb425 100644 
--- a/creusot/tests/should_succeed/constrained_types.mlcfg +++ b/creusot/tests/should_succeed/constrained_types.mlcfg @@ -105,7 +105,7 @@ module ConstrainedTypes_UsesConcreteInstance goto BB0 } BB0 { - [#"../constrained_types.rs" 15 4 15 9] _0 <- ([#"../constrained_types.rs" 15 4 15 9] lt0 ([#"../constrained_types.rs" 15 4 15 5] x) ([#"../constrained_types.rs" 15 8 15 9] y)); + [#"../constrained_types.rs" 15 4 15 9] _0 <- ([#"../constrained_types.rs" 15 4 15 9] lt0 x y); goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/drop_pair.mlcfg b/creusot/tests/should_succeed/drop_pair.mlcfg index 60fb84fe55..d25fb89c07 100644 --- a/creusot/tests/should_succeed/drop_pair.mlcfg +++ b/creusot/tests/should_succeed/drop_pair.mlcfg @@ -83,8 +83,8 @@ module DropPair_Drop assume { resolve0 _x }; [#"../drop_pair.rs" 16 9 16 10] _3 <- Borrow.borrow_final ( * y) (Borrow.get_id y); [#"../drop_pair.rs" 16 9 16 10] y <- { y with current = ( ^ _3) ; }; - [#"../drop_pair.rs" 16 4 16 10] _x <- ([#"../drop_pair.rs" 16 4 16 10] _3); - [#"../drop_pair.rs" 16 4 16 10] _3 <- any borrowed uint32; + [#"../drop_pair.rs" 16 4 16 10] _x <- _3; + _3 <- any borrowed uint32; assume { resolve0 _x }; [#"../drop_pair.rs" 15 53 17 1] _0 <- ([#"../drop_pair.rs" 15 53 17 1] ()); assume { resolve0 y }; diff --git a/creusot/tests/should_succeed/duration.mlcfg b/creusot/tests/should_succeed/duration.mlcfg index bdd2e42a0c..bd5cc7b16e 100644 --- a/creusot/tests/should_succeed/duration.mlcfg +++ b/creusot/tests/should_succeed/duration.mlcfg 
@@ -74,20 +74,26 @@ module Duration_TestDuration use prelude.UInt32 val checked_div0 (self : Core_Time_Duration_Type.t_duration) (rhs : uint32) : Core_Option_Option_Type.t_option (Core_Time_Duration_Type.t_duration) - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 137 16 137 58] rhs = (0 : uint32) -> result = Core_Option_Option_Type.C_None } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 138 16 138 85] rhs <> (0 : uint32) -> deep_model0 result = Core_Option_Option_Type.C_Some (div (shallow_model0 self) (UInt32.to_int rhs)) } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 137 16 137 58] rhs = (0 : uint32) + -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 138 16 138 85] rhs <> (0 : uint32) + -> deep_model0 result = Core_Option_Option_Type.C_Some (div (shallow_model0 self) (UInt32.to_int rhs)) } function nanos_to_secs0 (nanos : int) : int val nanos_to_secs0 (nanos : int) : int ensures { result = nanos_to_secs0 nanos } val checked_mul0 (self : Core_Time_Duration_Type.t_duration) (rhs : uint32) : Core_Option_Option_Type.t_option (Core_Time_Duration_Type.t_duration) - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 133 16 133 86] nanos_to_secs0 (shallow_model0 self * UInt32.to_int rhs) > UInt64.to_int max0 -> result = Core_Option_Option_Type.C_None } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 134 16 134 114] nanos_to_secs0 (shallow_model0 self * UInt32.to_int rhs) <= UInt64.to_int max0 -> deep_model0 result = Core_Option_Option_Type.C_Some (shallow_model0 self * UInt32.to_int rhs) } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 133 16 133 86] nanos_to_secs0 (shallow_model0 self * UInt32.to_int rhs) > UInt64.to_int max0 + -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 134 16 134 114] nanos_to_secs0 (shallow_model0 self * UInt32.to_int rhs) <= UInt64.to_int max0 + -> 
deep_model0 result = Core_Option_Option_Type.C_Some (shallow_model0 self * UInt32.to_int rhs) } val checked_sub0 (self : Core_Time_Duration_Type.t_duration) (rhs : Core_Time_Duration_Type.t_duration) : Core_Option_Option_Type.t_option (Core_Time_Duration_Type.t_duration) - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 129 16 129 63] shallow_model0 self - shallow_model0 rhs < 0 -> result = Core_Option_Option_Type.C_None } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 130 16 130 91] shallow_model0 self - shallow_model0 rhs >= 0 -> deep_model0 result = Core_Option_Option_Type.C_Some (shallow_model0 self - shallow_model0 rhs) } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 129 16 129 63] shallow_model0 self - shallow_model0 rhs < 0 + -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 130 16 130 91] shallow_model0 self - shallow_model0 rhs >= 0 + -> deep_model0 result = Core_Option_Option_Type.C_Some (shallow_model0 self - shallow_model0 rhs) } use prelude.Borrow val is_some0 (self : Core_Option_Option_Type.t_option (Core_Time_Duration_Type.t_duration)) : bool 
@@ -99,8 +105,10 @@ module Duration_TestDuration ensures { [#"../../../../creusot-contracts/src/std/option.rs" 36 26 36 51] result = (self = Core_Option_Option_Type.C_None) } val checked_add0 (self : Core_Time_Duration_Type.t_duration) (rhs : Core_Time_Duration_Type.t_duration) : Core_Option_Option_Type.t_option (Core_Time_Duration_Type.t_duration) - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 125 16 125 86] nanos_to_secs0 (shallow_model0 self + shallow_model0 rhs) > UInt64.to_int max0 -> result = Core_Option_Option_Type.C_None } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 126 16 126 114] nanos_to_secs0 (shallow_model0 self + shallow_model0 rhs) <= UInt64.to_int max0 -> deep_model0 result = Core_Option_Option_Type.C_Some (shallow_model0 self + shallow_model0 rhs) } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 125 16 125 86] nanos_to_secs0 (shallow_model0 self + shallow_model0 rhs) > UInt64.to_int max0 + -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 126 16 126 114] nanos_to_secs0 (shallow_model0 self + shallow_model0 rhs) <= UInt64.to_int max0 + -> deep_model0 result = Core_Option_Option_Type.C_Some (shallow_model0 self + shallow_model0 rhs) } use prelude.UInt128 function nanos_to_micros0 (nanos : int) : int 
@@ -139,8 +147,9 @@ module Duration_TestDuration ensures { [#"../../../../creusot-contracts/src/std/time.rs" 100 26 100 57] UInt64.to_int result = nanos_to_secs0 (shallow_model4 self) } val is_zero0 (self : Core_Time_Duration_Type.t_duration) : bool - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 96 16 96 57] shallow_model4 self = 0 -> result = true } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 97 16 97 58] shallow_model4 self <> 0 -> result = false } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 96 16 96 57] shallow_model4 self = 0 -> result = true } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 97 16 97 58] shallow_model4 self <> 0 + -> result = false } val from_nanos0 (nanos : uint64) : Core_Time_Duration_Type.t_duration ensures { [#"../../../../creusot-contracts/src/std/time.rs" 93 26 93 43] shallow_model0 result = UInt64.to_int nanos } @@ -166,6 +175,7 @@ module Duration_TestDuration = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var zero : Core_Time_Duration_Type.t_duration; + var _5 : bool; var _6 : uint128; var max : Core_Time_Duration_Type.t_duration; var d_secs : Core_Time_Duration_Type.t_duration; @@ -174,14 +184,24 @@ module Duration_TestDuration var d_nanos : Core_Time_Duration_Type.t_duration; var _23 : bool; var _27 : bool; + var _31 : bool; var _32 : uint64; + var _36 : bool; var _37 : uint32; + var _41 : bool; var _42 : uint32; + var _46 : bool; var _47 : uint32; + var _51 : bool; + var _52 : uint128; var _53 : uint32; var _55 : uint128; + var _59 : bool; + var _60 : uint128; var _61 : uint32; var _63 : uint128; + var _67 : bool; + var _68 : uint128; var _69 : uint32; var _71 : uint128; var _75 : bool; 
@@ -206,22 +226,24 @@ module Duration_TestDuration goto BB0 } BB0 { - [#"../duration.rs" 8 15 8 34] zero <- ([#"../duration.rs" 8 15 8 34] new0 ([#"../duration.rs" 8 29 8 30] [#"../duration.rs" 8 29 8 30] (0 : uint64)) ([#"../duration.rs" 8 32 8 33] [#"../duration.rs" 8 32 8 33] (0 : uint32))); + [#"../duration.rs" 8 15 8 34] zero <- ([#"../duration.rs" 8 15 8 34] new0 ([#"../duration.rs" 8 29 8 30] (0 : uint64)) ([#"../duration.rs" 8 32 8 33] (0 : uint32))); goto BB1 } BB1 { assert { [@expl:assertion] [#"../duration.rs" 9 18 9 28] shallow_model0 zero = 0 }; - [#"../duration.rs" 10 12 10 27] _6 <- ([#"../duration.rs" 10 12 10 27] as_nanos0 ([#"../duration.rs" 10 12 10 16] zero)); + [#"../duration.rs" 10 12 10 27] _6 <- ([#"../duration.rs" 10 12 10 27] as_nanos0 zero); goto BB2 } BB2 { - switch ([#"../duration.rs" 10 12 10 32] _6 = ([#"../duration.rs" 10 31 10 32] [#"../duration.rs" 10 31 10 32] (0 : uint128))) + [#"../duration.rs" 10 12 10 32] _5 <- _6 = ([#"../duration.rs" 10 31 10 32] (0 : uint128)); + _6 <- any uint128; + switch (_5) | False -> goto BB4 | True -> goto BB3 end } BB3 { - [#"../duration.rs" 12 14 12 50] max <- ([#"../duration.rs" 12 14 12 50] new0 ([#"../duration.rs" 12 28 12 36] [#"../duration.rs" 12 28 12 36] (18446744073709551615 : uint64)) ([#"../duration.rs" 12 38 12 49] [#"../duration.rs" 12 38 12 49] (999999999 : uint32))); + [#"../duration.rs" 12 14 12 50] max <- ([#"../duration.rs" 12 14 12 50] new0 ([#"../duration.rs" 12 28 12 36] (18446744073709551615 : uint64)) ([#"../duration.rs" 12 38 12 49] (999999999 : uint32))); goto BB5 } BB4 { 
@@ -229,27 +251,27 @@ module Duration_TestDuration absurd } BB5 { - [#"../duration.rs" 14 17 14 39] d_secs <- ([#"../duration.rs" 14 17 14 39] from_secs0 ([#"../duration.rs" 14 37 14 38] [#"../duration.rs" 14 37 14 38] (1 : uint64))); + [#"../duration.rs" 14 17 14 39] d_secs <- ([#"../duration.rs" 14 17 14 39] from_secs0 ([#"../duration.rs" 14 37 14 38] (1 : uint64))); goto BB6 } BB6 { assert { [@expl:assertion] [#"../duration.rs" 15 18 15 42] shallow_model0 d_secs = 1000000000 }; - [#"../duration.rs" 17 19 17 43] d_millis <- ([#"../duration.rs" 17 19 17 43] from_millis0 ([#"../duration.rs" 17 41 17 42] [#"../duration.rs" 17 41 17 42] (1 : uint64))); + [#"../duration.rs" 17 19 17 43] d_millis <- ([#"../duration.rs" 17 19 17 43] from_millis0 ([#"../duration.rs" 17 41 17 42] (1 : uint64))); goto BB7 } BB7 { assert { [@expl:assertion] [#"../duration.rs" 18 18 18 40] shallow_model0 d_millis = 1000000 }; - [#"../duration.rs" 20 19 20 43] d_micros <- ([#"../duration.rs" 20 19 20 43] from_micros0 ([#"../duration.rs" 20 41 20 42] [#"../duration.rs" 20 41 20 42] (1 : uint64))); + [#"../duration.rs" 20 19 20 43] d_micros <- ([#"../duration.rs" 20 19 20 43] from_micros0 ([#"../duration.rs" 20 41 20 42] (1 : uint64))); goto BB8 } BB8 { assert { [@expl:assertion] [#"../duration.rs" 21 18 21 36] shallow_model0 d_micros = 1000 }; - [#"../duration.rs" 23 18 23 41] d_nanos <- ([#"../duration.rs" 23 18 23 41] from_nanos0 ([#"../duration.rs" 23 39 23 40] [#"../duration.rs" 23 39 23 40] (1 : uint64))); + [#"../duration.rs" 23 18 23 41] d_nanos <- ([#"../duration.rs" 23 18 23 41] from_nanos0 ([#"../duration.rs" 23 39 23 40] (1 : uint64))); goto BB9 } BB9 { assert { [@expl:assertion] [#"../duration.rs" 24 18 24 31] shallow_model0 d_nanos = 1 }; - [#"../duration.rs" 26 12 26 26] _23 <- ([#"../duration.rs" 26 12 26 26] is_zero0 ([#"../duration.rs" 26 12 26 16] zero)); + [#"../duration.rs" 26 12 26 26] _23 <- ([#"../duration.rs" 26 12 26 26] is_zero0 zero); goto BB10 } BB10 { 
@@ -259,7 +281,7 @@ module Duration_TestDuration end } BB11 { - [#"../duration.rs" 27 13 27 29] _27 <- ([#"../duration.rs" 27 13 27 29] is_zero0 ([#"../duration.rs" 27 13 27 19] d_secs)); + [#"../duration.rs" 27 13 27 29] _27 <- ([#"../duration.rs" 27 13 27 29] is_zero0 d_secs); goto BB13 } BB12 { @@ -277,17 +299,19 @@ module Duration_TestDuration absurd } BB15 { - [#"../duration.rs" 29 17 29 33] _32 <- ([#"../duration.rs" 29 17 29 33] as_secs0 ([#"../duration.rs" 29 17 29 23] d_secs)); + [#"../duration.rs" 29 17 29 33] _32 <- ([#"../duration.rs" 29 17 29 33] as_secs0 d_secs); goto BB16 } BB16 { - switch ([#"../duration.rs" 29 12 29 33] ([#"../duration.rs" 29 12 29 13] [#"../duration.rs" 29 12 29 13] (1 : uint64)) = _32) + [#"../duration.rs" 29 12 29 33] _31 <- ([#"../duration.rs" 29 12 29 13] (1 : uint64)) = _32; + _32 <- any uint64; + switch (_31) | False -> goto BB18 | True -> goto BB17 end } BB17 { - [#"../duration.rs" 30 17 30 39] _37 <- ([#"../duration.rs" 30 17 30 39] subsec_millis0 ([#"../duration.rs" 30 17 30 23] d_secs)); + [#"../duration.rs" 30 17 30 39] _37 <- ([#"../duration.rs" 30 17 30 39] subsec_millis0 d_secs); goto BB19 } BB18 { @@ -295,13 +319,15 @@ module Duration_TestDuration absurd } BB19 { - switch ([#"../duration.rs" 30 12 30 39] ([#"../duration.rs" 30 12 30 13] [#"../duration.rs" 30 12 30 13] (0 : uint32)) = _37) + [#"../duration.rs" 30 12 30 39] _36 <- ([#"../duration.rs" 30 12 30 13] (0 : uint32)) = _37; + _37 <- any uint32; + switch (_36) | False -> goto BB21 | True -> goto BB20 end } BB20 { - [#"../duration.rs" 31 17 31 39] _42 <- ([#"../duration.rs" 31 17 31 39] subsec_micros0 ([#"../duration.rs" 31 17 31 23] d_secs)); + [#"../duration.rs" 31 17 31 39] _42 <- ([#"../duration.rs" 31 17 31 39] subsec_micros0 d_secs); goto BB22 } BB21 { 
@@ -309,13 +335,15 @@ module Duration_TestDuration absurd } BB22 { - switch ([#"../duration.rs" 31 12 31 39] ([#"../duration.rs" 31 12 31 13] [#"../duration.rs" 31 12 31 13] (0 : uint32)) = _42) + [#"../duration.rs" 31 12 31 39] _41 <- ([#"../duration.rs" 31 12 31 13] (0 : uint32)) = _42; + _42 <- any uint32; + switch (_41) | False -> goto BB24 | True -> goto BB23 end } BB23 { - [#"../duration.rs" 32 17 32 38] _47 <- ([#"../duration.rs" 32 17 32 38] subsec_nanos0 ([#"../duration.rs" 32 17 32 23] d_secs)); + [#"../duration.rs" 32 17 32 38] _47 <- ([#"../duration.rs" 32 17 32 38] subsec_nanos0 d_secs); goto BB25 } BB24 { @@ -323,13 +351,15 @@ module Duration_TestDuration absurd } BB25 { - switch ([#"../duration.rs" 32 12 32 38] ([#"../duration.rs" 32 12 32 13] [#"../duration.rs" 32 12 32 13] (0 : uint32)) = _47) + [#"../duration.rs" 32 12 32 38] _46 <- ([#"../duration.rs" 32 12 32 13] (0 : uint32)) = _47; + _47 <- any uint32; + switch (_46) | False -> goto BB27 | True -> goto BB26 end } BB26 { - [#"../duration.rs" 34 12 34 36] _53 <- ([#"../duration.rs" 34 12 34 36] subsec_millis0 ([#"../duration.rs" 34 12 34 20] d_millis)); + [#"../duration.rs" 34 12 34 36] _53 <- ([#"../duration.rs" 34 12 34 36] subsec_millis0 d_millis); goto BB28 } BB27 { 
@@ -337,17 +367,22 @@ module Duration_TestDuration absurd } BB28 { - [#"../duration.rs" 34 48 34 68] _55 <- ([#"../duration.rs" 34 48 34 68] as_millis0 ([#"../duration.rs" 34 48 34 56] d_millis)); + [#"../duration.rs" 34 12 34 44] _52 <- UInt128.of_int (UInt32.to_int _53); + _53 <- any uint32; + [#"../duration.rs" 34 48 34 68] _55 <- ([#"../duration.rs" 34 48 34 68] as_millis0 d_millis); goto BB29 } BB29 { - switch ([#"../duration.rs" 34 12 34 68] ([#"../duration.rs" 34 12 34 44] UInt128.of_int (UInt32.to_int _53)) = _55) + [#"../duration.rs" 34 12 34 68] _51 <- _52 = _55; + _52 <- any uint128; + _55 <- any uint128; + switch (_51) | False -> goto BB31 | True -> goto BB30 end } BB30 { - [#"../duration.rs" 35 12 35 36] _61 <- ([#"../duration.rs" 35 12 35 36] subsec_micros0 ([#"../duration.rs" 35 12 35 20] d_micros)); + [#"../duration.rs" 35 12 35 36] _61 <- ([#"../duration.rs" 35 12 35 36] subsec_micros0 d_micros); goto BB32 } BB31 { @@ -355,17 +390,22 @@ module Duration_TestDuration absurd } BB32 { - [#"../duration.rs" 35 48 35 68] _63 <- ([#"../duration.rs" 35 48 35 68] as_micros0 ([#"../duration.rs" 35 48 35 56] d_micros)); + [#"../duration.rs" 35 12 35 44] _60 <- UInt128.of_int (UInt32.to_int _61); + _61 <- any uint32; + [#"../duration.rs" 35 48 35 68] _63 <- ([#"../duration.rs" 35 48 35 68] as_micros0 d_micros); goto BB33 } BB33 { - switch ([#"../duration.rs" 35 12 35 68] ([#"../duration.rs" 35 12 35 44] UInt128.of_int (UInt32.to_int _61)) = _63) + [#"../duration.rs" 35 12 35 68] _59 <- _60 = _63; + _60 <- any uint128; + _63 <- any uint128; + switch (_59) | False -> goto BB35 | True -> goto BB34 end } BB34 { - [#"../duration.rs" 36 12 36 34] _69 <- ([#"../duration.rs" 36 12 36 34] subsec_nanos0 ([#"../duration.rs" 36 12 36 19] d_nanos)); + [#"../duration.rs" 36 12 36 34] _69 <- ([#"../duration.rs" 36 12 36 34] subsec_nanos0 d_nanos); goto BB36 } BB35 { 
@@ -373,17 +413,22 @@ module Duration_TestDuration absurd } BB36 { - [#"../duration.rs" 36 46 36 64] _71 <- ([#"../duration.rs" 36 46 36 64] as_nanos0 ([#"../duration.rs" 36 46 36 53] d_nanos)); + [#"../duration.rs" 36 12 36 42] _68 <- UInt128.of_int (UInt32.to_int _69); + _69 <- any uint32; + [#"../duration.rs" 36 46 36 64] _71 <- ([#"../duration.rs" 36 46 36 64] as_nanos0 d_nanos); goto BB37 } BB37 { - switch ([#"../duration.rs" 36 12 36 64] ([#"../duration.rs" 36 12 36 42] UInt128.of_int (UInt32.to_int _69)) = _71) + [#"../duration.rs" 36 12 36 64] _67 <- _68 = _71; + _68 <- any uint128; + _71 <- any uint128; + switch (_67) | False -> goto BB39 | True -> goto BB38 end } BB38 { - [#"../duration.rs" 38 12 38 35] _77 <- ([#"../duration.rs" 38 12 38 35] checked_add0 ([#"../duration.rs" 38 12 38 18] d_secs) ([#"../duration.rs" 38 31 38 34] max)); + [#"../duration.rs" 38 12 38 35] _77 <- ([#"../duration.rs" 38 12 38 35] checked_add0 d_secs max); goto BB40 } BB39 { @@ -391,7 +436,7 @@ module Duration_TestDuration absurd } BB40 { - [#"../duration.rs" 38 12 38 45] _75 <- ([#"../duration.rs" 38 12 38 45] is_none0 ([#"../duration.rs" 38 12 38 35] _77)); + [#"../duration.rs" 38 12 38 45] _75 <- ([#"../duration.rs" 38 12 38 45] is_none0 _77); goto BB41 } BB41 { @@ -401,7 +446,7 @@ module Duration_TestDuration end } BB42 { - [#"../duration.rs" 39 12 39 38] _84 <- ([#"../duration.rs" 39 12 39 38] checked_add0 ([#"../duration.rs" 39 12 39 18] d_secs) ([#"../duration.rs" 39 31 39 37] d_secs)); + [#"../duration.rs" 39 12 39 38] _84 <- ([#"../duration.rs" 39 12 39 38] checked_add0 d_secs d_secs); goto BB44 } BB43 { @@ -409,7 +454,7 @@ module Duration_TestDuration absurd } BB44 { - [#"../duration.rs" 39 12 39 48] _82 <- ([#"../duration.rs" 39 12 39 48] is_some0 ([#"../duration.rs" 39 12 39 38] _84)); + [#"../duration.rs" 39 12 39 48] _82 <- ([#"../duration.rs" 39 12 39 48] is_some0 _84); goto BB45 } BB45 { 
@@ -419,7 +464,7 @@ module Duration_TestDuration end } BB46 { - [#"../duration.rs" 41 12 41 35] _91 <- ([#"../duration.rs" 41 12 41 35] checked_sub0 ([#"../duration.rs" 41 12 41 18] d_secs) ([#"../duration.rs" 41 31 41 34] max)); + [#"../duration.rs" 41 12 41 35] _91 <- ([#"../duration.rs" 41 12 41 35] checked_sub0 d_secs max); goto BB48 } BB47 { @@ -427,7 +472,7 @@ module Duration_TestDuration absurd } BB48 { - [#"../duration.rs" 41 12 41 45] _89 <- ([#"../duration.rs" 41 12 41 45] is_none0 ([#"../duration.rs" 41 12 41 35] _91)); + [#"../duration.rs" 41 12 41 45] _89 <- ([#"../duration.rs" 41 12 41 45] is_none0 _91); goto BB49 } BB49 { @@ -437,7 +482,7 @@ module Duration_TestDuration end } BB50 { - [#"../duration.rs" 42 12 42 40] _98 <- ([#"../duration.rs" 42 12 42 40] checked_sub0 ([#"../duration.rs" 42 12 42 18] d_secs) ([#"../duration.rs" 42 31 42 39] d_millis)); + [#"../duration.rs" 42 12 42 40] _98 <- ([#"../duration.rs" 42 12 42 40] checked_sub0 d_secs d_millis); goto BB52 } BB51 { @@ -445,7 +490,7 @@ module Duration_TestDuration absurd } BB52 { - [#"../duration.rs" 42 12 42 50] _96 <- ([#"../duration.rs" 42 12 42 50] is_some0 ([#"../duration.rs" 42 12 42 40] _98)); + [#"../duration.rs" 42 12 42 50] _96 <- ([#"../duration.rs" 42 12 42 50] is_some0 _98); goto BB53 } BB53 { @@ -455,7 +500,7 @@ module Duration_TestDuration end } BB54 { - [#"../duration.rs" 44 12 44 30] _105 <- ([#"../duration.rs" 44 12 44 30] checked_mul0 ([#"../duration.rs" 44 12 44 15] max) ([#"../duration.rs" 44 28 44 29] [#"../duration.rs" 44 28 44 29] (2 : uint32))); + [#"../duration.rs" 44 12 44 30] _105 <- ([#"../duration.rs" 44 12 44 30] checked_mul0 max ([#"../duration.rs" 44 28 44 29] (2 : uint32))); goto BB56 } BB55 { 
@@ -463,7 +508,7 @@ module Duration_TestDuration absurd } BB56 { - [#"../duration.rs" 44 12 44 40] _103 <- ([#"../duration.rs" 44 12 44 40] is_none0 ([#"../duration.rs" 44 12 44 30] _105)); + [#"../duration.rs" 44 12 44 40] _103 <- ([#"../duration.rs" 44 12 44 40] is_none0 _105); goto BB57 } BB57 { @@ -473,7 +518,7 @@ module Duration_TestDuration end } BB58 { - [#"../duration.rs" 45 12 45 34] _111 <- ([#"../duration.rs" 45 12 45 34] checked_mul0 ([#"../duration.rs" 45 12 45 18] d_secs) ([#"../duration.rs" 45 31 45 33] [#"../duration.rs" 45 31 45 33] (10 : uint32))); + [#"../duration.rs" 45 12 45 34] _111 <- ([#"../duration.rs" 45 12 45 34] checked_mul0 d_secs ([#"../duration.rs" 45 31 45 33] (10 : uint32))); goto BB60 } BB59 { @@ -481,7 +526,7 @@ module Duration_TestDuration absurd } BB60 { - [#"../duration.rs" 45 12 45 44] _109 <- ([#"../duration.rs" 45 12 45 44] is_some0 ([#"../duration.rs" 45 12 45 34] _111)); + [#"../duration.rs" 45 12 45 44] _109 <- ([#"../duration.rs" 45 12 45 44] is_some0 _111); goto BB61 } BB61 { @@ -491,7 +536,7 @@ module Duration_TestDuration end } BB62 { - [#"../duration.rs" 47 12 47 33] _117 <- ([#"../duration.rs" 47 12 47 33] checked_div0 ([#"../duration.rs" 47 12 47 18] d_secs) ([#"../duration.rs" 47 31 47 32] [#"../duration.rs" 47 31 47 32] (0 : uint32))); + [#"../duration.rs" 47 12 47 33] _117 <- ([#"../duration.rs" 47 12 47 33] checked_div0 d_secs ([#"../duration.rs" 47 31 47 32] (0 : uint32))); goto BB64 } BB63 { @@ -499,7 +544,7 @@ module Duration_TestDuration absurd } BB64 { - [#"../duration.rs" 47 12 47 43] _115 <- ([#"../duration.rs" 47 12 47 43] is_none0 ([#"../duration.rs" 47 12 47 33] _117)); + [#"../duration.rs" 47 12 47 43] _115 <- ([#"../duration.rs" 47 12 47 43] is_none0 _117); goto BB65 } BB65 { 
@@ -509,7 +554,7 @@ module Duration_TestDuration end } BB66 { - [#"../duration.rs" 48 12 48 34] _123 <- ([#"../duration.rs" 48 12 48 34] checked_div0 ([#"../duration.rs" 48 12 48 18] d_secs) ([#"../duration.rs" 48 31 48 33] [#"../duration.rs" 48 31 48 33] (10 : uint32))); + [#"../duration.rs" 48 12 48 34] _123 <- ([#"../duration.rs" 48 12 48 34] checked_div0 d_secs ([#"../duration.rs" 48 31 48 33] (10 : uint32))); goto BB68 } BB67 { @@ -517,7 +562,7 @@ module Duration_TestDuration absurd } BB68 { - [#"../duration.rs" 48 12 48 44] _121 <- ([#"../duration.rs" 48 12 48 44] is_some0 ([#"../duration.rs" 48 12 48 34] _123)); + [#"../duration.rs" 48 12 48 44] _121 <- ([#"../duration.rs" 48 12 48 44] is_some0 _123); goto BB69 } BB69 { @@ -527,7 +572,7 @@ module Duration_TestDuration end } BB70 { - [#"../duration.rs" 50 14 50 33] sum <- ([#"../duration.rs" 50 14 50 33] add0 ([#"../duration.rs" 50 14 50 22] d_millis) ([#"../duration.rs" 50 25 50 33] d_micros)); + [#"../duration.rs" 50 14 50 33] sum <- ([#"../duration.rs" 50 14 50 33] add0 d_millis d_micros); goto BB72 } BB71 { @@ -535,7 +580,7 @@ module Duration_TestDuration absurd } BB72 { - [#"../duration.rs" 51 21 51 40] difference <- ([#"../duration.rs" 51 21 51 40] sub0 ([#"../duration.rs" 51 21 51 29] d_millis) ([#"../duration.rs" 51 32 51 40] d_micros)); + [#"../duration.rs" 51 21 51 40] difference <- ([#"../duration.rs" 51 21 51 40] sub0 d_millis d_micros); goto BB73 } BB73 { diff --git a/creusot/tests/should_succeed/filter_positive.mlcfg b/creusot/tests/should_succeed/filter_positive.mlcfg index 055646ecfd..5461997934 100644 --- a/creusot/tests/should_succeed/filter_positive.mlcfg +++ b/creusot/tests/should_succeed/filter_positive.mlcfg 
@@ -5,15 +5,17 @@ module FilterPositive_NumOfPos_Impl use prelude.Int32 use seq.Seq use prelude.Int - let rec ghost function num_of_pos [#"../filter_positive.rs" 37 0 37 49] (i : int) (j : int) (t : Seq.seq int32) : int - variant {[#"../filter_positive.rs" 36 10 36 13] j - i} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../filter_positive.rs" 38 4 46 5] if pure {i >= j} then - 0 - else - if pure {Int32.to_int (Seq.get t (j - 1)) > 0} then num_of_pos i (j - 1) t + 1 else num_of_pos i (j - 1) t - + constant i : int + constant j : int + constant t : Seq.seq int32 + function num_of_pos [#"../filter_positive.rs" 37 0 37 49] (i : int) (j : int) (t : Seq.seq int32) : int + goal vc_num_of_pos : match i >= j with + | True -> true + | False -> match Int32.to_int (Seq.get t (j - 1)) > 0 with + | True -> 0 <= ([#"../filter_positive.rs" 36 10 36 13] j - i) /\ ([#"../filter_positive.rs" 36 10 36 13] j - 1 - i) < ([#"../filter_positive.rs" 36 10 36 13] j - i) + | False -> 0 <= ([#"../filter_positive.rs" 36 10 36 13] j - i) /\ ([#"../filter_positive.rs" 36 10 36 13] j - 1 - i) < ([#"../filter_positive.rs" 36 10 36 13] j - i) + end + end end module FilterPositive_LemmaNumOfPosIncreasing_Impl use prelude.Int32 
@@ -30,13 +32,18 @@ module FilterPositive_LemmaNumOfPosIncreasing_Impl val num_of_pos0 [#"../filter_positive.rs" 37 0 37 49] (i : int) (j : int) (t : Seq.seq int32) : int ensures { result = num_of_pos0 i j t } - let rec ghost function lemma_num_of_pos_increasing [#"../filter_positive.rs" 65 0 65 67] (i : int) (j : int) (k : int) (t : Seq.seq int32) : () - requires {[#"../filter_positive.rs" 62 11 62 17] j <= k} - ensures { [#"../filter_positive.rs" 63 10 63 48] num_of_pos0 i j t <= num_of_pos0 i k t } - variant {[#"../filter_positive.rs" 64 10 64 13] k - j} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../filter_positive.rs" 67 8 69 9] if pure {j < k} then lemma_num_of_pos_increasing i (j + 1) k t else () + constant i : int + constant j : int + constant k : int + constant t : Seq.seq int32 + function lemma_num_of_pos_increasing [#"../filter_positive.rs" 65 0 65 67] (i : int) (j : int) (k : int) (t : Seq.seq int32) : () + + goal vc_lemma_num_of_pos_increasing : ([#"../filter_positive.rs" 62 11 62 17] j <= k) + -> match j < k with + | True -> (([#"../filter_positive.rs" 62 11 62 17] j + 1 <= k) /\ 0 <= ([#"../filter_positive.rs" 64 10 64 13] k - j) /\ ([#"../filter_positive.rs" 64 10 64 13] k - (j + 1)) < ([#"../filter_positive.rs" 64 10 64 13] k - j)) /\ (([#"../filter_positive.rs" 63 10 63 48] num_of_pos0 i (j + 1) t <= num_of_pos0 i k t) + -> ([#"../filter_positive.rs" 63 10 63 48] num_of_pos0 i j t <= num_of_pos0 i k t)) + | False -> [#"../filter_positive.rs" 63 10 63 48] num_of_pos0 i j t <= num_of_pos0 i k t + end end module FilterPositive_LemmaNumOfPosStrictlyIncreasing_Impl use prelude.Int32 
@@ -54,13 +61,12 @@ module FilterPositive_LemmaNumOfPosStrictlyIncreasing_Impl ensures { result = num_of_pos0 i j t } use seq.Seq - let rec ghost function lemma_num_of_pos_strictly_increasing [#"../filter_positive.rs" 79 0 79 60] (i : int) (t : Seq.seq int32) : () - requires {[#"../filter_positive.rs" 76 11 76 32] 0 <= i /\ i < Seq.length t} - requires {[#"../filter_positive.rs" 77 11 77 20] Int32.to_int (Seq.get t i) > 0} - ensures { [#"../filter_positive.rs" 78 10 78 49] num_of_pos0 0 i t < num_of_pos0 0 (i + 1) t } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../filter_positive.rs" 75 0 75 8] () + constant i : int + constant t : Seq.seq int32 + function lemma_num_of_pos_strictly_increasing [#"../filter_positive.rs" 79 0 79 60] (i : int) (t : Seq.seq int32) : () + goal vc_lemma_num_of_pos_strictly_increasing : ([#"../filter_positive.rs" 77 11 77 20] Int32.to_int (Seq.get t i) > 0) + -> ([#"../filter_positive.rs" 76 11 76 32] 0 <= i /\ i < Seq.length t) + -> ([#"../filter_positive.rs" 78 10 78 49] num_of_pos0 0 i t < num_of_pos0 0 (i + 1) t) end module Core_Ptr_NonNull_NonNull_Type use prelude.Opaque @@ -80,12 +86,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
@@ -192,7 +204,8 @@ module FilterPositive_M requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model1 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -200,14 +213,15 @@ module FilterPositive_M axiom inv0 : forall x : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . inv0 x = true predicate resolve1 (self : borrowed int32) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed int32) : bool ensures { result = resolve1 self } use prelude.Slice use seq.Seq predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq int32) (fin : Seq.seq int32) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq int32) (fin : Seq.seq int32) : bool ensures { result = resolve_elswhere0 self old' fin } @@ -224,7 +238,7 @@ module FilterPositive_M function shallow_model4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global))) : Seq.seq int32 = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model1 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model1 ( * self) val shallow_model4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global))) : Seq.seq int32 ensures { result = shallow_model4 self } 
@@ -259,7 +273,8 @@ module FilterPositive_M requires {[#"../filter_positive.rs" 62 11 62 17] j <= k} ensures { result = lemma_num_of_pos_increasing0 i j k t } - axiom lemma_num_of_pos_increasing0_spec : forall i : int, j : int, k : int, t : Seq.seq int32 . ([#"../filter_positive.rs" 62 11 62 17] j <= k) -> ([#"../filter_positive.rs" 63 10 63 48] num_of_pos0 i j t <= num_of_pos0 i k t) + axiom lemma_num_of_pos_increasing0_spec : forall i : int, j : int, k : int, t : Seq.seq int32 . ([#"../filter_positive.rs" 62 11 62 17] j <= k) + -> ([#"../filter_positive.rs" 63 10 63 48] num_of_pos0 i j t <= num_of_pos0 i k t) function lemma_num_of_pos_strictly_increasing0 [#"../filter_positive.rs" 79 0 79 60] (i : int) (t : Seq.seq int32) : () = 
@@ -269,9 +284,11 @@ module FilterPositive_M requires {[#"../filter_positive.rs" 77 11 77 20] Int32.to_int (Seq.get t i) > 0} ensures { result = lemma_num_of_pos_strictly_increasing0 i t } - axiom lemma_num_of_pos_strictly_increasing0_spec : forall i : int, t : Seq.seq int32 . ([#"../filter_positive.rs" 76 11 76 32] 0 <= i /\ i < Seq.length t) -> ([#"../filter_positive.rs" 77 11 77 20] Int32.to_int (Seq.get t i) > 0) -> ([#"../filter_positive.rs" 78 10 78 49] num_of_pos0 0 i t < num_of_pos0 0 (i + 1) t) + axiom lemma_num_of_pos_strictly_increasing0_spec : forall i : int, t : Seq.seq int32 . ([#"../filter_positive.rs" 76 11 76 32] 0 <= i /\ i < Seq.length t) + -> ([#"../filter_positive.rs" 77 11 77 20] Int32.to_int (Seq.get t i) > 0) + -> ([#"../filter_positive.rs" 78 10 78 49] num_of_pos0 0 i t < num_of_pos0 0 (i + 1) t) function shallow_model3 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : Seq.seq int32 = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model1 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model1 self val shallow_model3 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : Seq.seq int32 ensures { result = shallow_model3 self } @@ -283,7 +300,7 @@ module FilterPositive_M ensures { inv5 result } predicate resolve2 (self : int32) = - [#"../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true + [#"../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve2 (self : int32) : bool ensures { result = resolve2 self } 
@@ -295,14 +312,16 @@ module FilterPositive_M ensures { result = index_logic1 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) -> resolve2 (index_logic1 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) + -> resolve2 (index_logic1 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } val from_elem0 (elem : int32) (n : usize) : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) requires {inv3 elem} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model1 result) = UIntSize.to_int n } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic1 result i = elem } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n + -> index_logic1 result i = elem } ensures { inv0 result } val len1 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : usize @@ -317,12 +336,16 @@ module FilterPositive_M var count : usize; var i : usize; var _9 : (); + var _10 : bool; var _12 : usize; var _14 : (); + var _15 : bool; var _17 : int32; var u : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global); + var _28 : bool; var _30 : usize; var _32 : (); + var _33 : bool; var _35 : int32; var _43 : int32; var _46 : borrowed int32; 
@@ -331,8 +354,8 @@ module FilterPositive_M goto BB0 } BB0 { - [#"../filter_positive.rs" 83 27 83 28] count <- ([#"../filter_positive.rs" 83 27 83 28] [#"../filter_positive.rs" 83 27 83 28] (0 : usize)); - [#"../filter_positive.rs" 84 23 84 24] i <- ([#"../filter_positive.rs" 84 23 84 24] [#"../filter_positive.rs" 84 23 84 24] (0 : usize)); + [#"../filter_positive.rs" 83 27 83 28] count <- ([#"../filter_positive.rs" 83 27 83 28] (0 : usize)); + [#"../filter_positive.rs" 84 23 84 24] i <- ([#"../filter_positive.rs" 84 23 84 24] (0 : usize)); goto BB1 } BB1 { 
@@ -348,27 +371,30 @@ module FilterPositive_M goto BB4 } BB4 { - [#"../filter_positive.rs" 89 14 89 21] _12 <- ([#"../filter_positive.rs" 89 14 89 21] len1 ([#"../filter_positive.rs" 89 14 89 15] t)); + [#"../filter_positive.rs" 89 14 89 21] _12 <- ([#"../filter_positive.rs" 89 14 89 21] len1 t); goto BB5 } BB5 { - switch ([#"../filter_positive.rs" 89 10 89 21] ([#"../filter_positive.rs" 89 10 89 11] i) < _12) + [#"../filter_positive.rs" 89 10 89 21] _10 <- i < _12; + _12 <- any usize; + switch (_10) | False -> goto BB11 | True -> goto BB6 end } BB6 { - [#"../filter_positive.rs" 90 12 90 15] _17 <- ([#"../filter_positive.rs" 90 12 90 15] index0 ([#"../filter_positive.rs" 90 11 90 12] t) ([#"../filter_positive.rs" 90 13 90 14] i)); + [#"../filter_positive.rs" 90 12 90 15] _17 <- ([#"../filter_positive.rs" 90 12 90 15] index0 t i); goto BB7 } BB7 { - switch ([#"../filter_positive.rs" 90 11 90 19] ([#"../filter_positive.rs" 90 11 90 15] _17) > ([#"../filter_positive.rs" 90 18 90 19] [#"../filter_positive.rs" 90 18 90 19] (0 : int32))) + [#"../filter_positive.rs" 90 11 90 19] _15 <- _17 > ([#"../filter_positive.rs" 90 18 90 19] (0 : int32)); + switch (_15) | False -> goto BB9 | True -> goto BB8 end } BB8 { - [#"../filter_positive.rs" 91 12 91 22] count <- ([#"../filter_positive.rs" 91 12 91 22] count + ([#"../filter_positive.rs" 91 21 91 22] [#"../filter_positive.rs" 91 21 91 22] (1 : usize))); + [#"../filter_positive.rs" 91 12 91 22] count <- count + ([#"../filter_positive.rs" 91 21 91 22] (1 : usize)); [#"../filter_positive.rs" 91 12 91 22] _14 <- ([#"../filter_positive.rs" 91 12 91 22] ()); goto BB10 } 
@@ -377,17 +403,17 @@ module FilterPositive_M goto BB10 } BB10 { - [#"../filter_positive.rs" 93 8 93 14] i <- ([#"../filter_positive.rs" 93 8 93 14] i + ([#"../filter_positive.rs" 93 13 93 14] [#"../filter_positive.rs" 93 13 93 14] (1 : usize))); + [#"../filter_positive.rs" 93 8 93 14] i <- i + ([#"../filter_positive.rs" 93 13 93 14] (1 : usize)); [#"../filter_positive.rs" 89 22 94 5] _9 <- ([#"../filter_positive.rs" 89 22 94 5] ()); goto BB3 } BB11 { - [#"../../../../creusot-contracts/src/lib.rs" 196 8 196 40] u <- ([#"../filter_positive.rs" 95 26 95 40] from_elem0 ([#"../filter_positive.rs" 95 31 95 32] [#"../filter_positive.rs" 95 31 95 32] (0 : int32)) ([#"../filter_positive.rs" 95 34 95 39] count)); + [#"../filter_positive.rs" 95 26 95 40] u <- ([#"../filter_positive.rs" 95 26 95 40] from_elem0 ([#"../filter_positive.rs" 95 31 95 32] (0 : int32)) count); goto BB12 } BB12 { - [#"../filter_positive.rs" 96 4 96 13] count <- ([#"../filter_positive.rs" 96 4 96 13] [#"../filter_positive.rs" 96 12 96 13] (0 : usize)); - [#"../filter_positive.rs" 98 4 98 9] i <- ([#"../filter_positive.rs" 98 4 98 9] [#"../filter_positive.rs" 98 8 98 9] (0 : usize)); + [#"../filter_positive.rs" 96 4 96 13] count <- ([#"../filter_positive.rs" 96 12 96 13] (0 : usize)); + [#"../filter_positive.rs" 98 4 98 9] i <- ([#"../filter_positive.rs" 98 8 98 9] (0 : usize)); goto BB13 } BB13 { 
@@ -402,21 +428,24 @@ module FilterPositive_M goto BB16 } BB16 { - [#"../filter_positive.rs" 102 14 102 21] _30 <- ([#"../filter_positive.rs" 102 14 102 21] len1 ([#"../filter_positive.rs" 102 14 102 15] t)); + [#"../filter_positive.rs" 102 14 102 21] _30 <- ([#"../filter_positive.rs" 102 14 102 21] len1 t); goto BB17 } BB17 { - switch ([#"../filter_positive.rs" 102 10 102 21] ([#"../filter_positive.rs" 102 10 102 11] i) < _30) + [#"../filter_positive.rs" 102 10 102 21] _28 <- i < _30; + _30 <- any usize; + switch (_28) | False -> goto BB27 | True -> goto BB18 end } BB18 { - [#"../filter_positive.rs" 103 12 103 15] _35 <- ([#"../filter_positive.rs" 103 12 103 15] index0 ([#"../filter_positive.rs" 103 11 103 12] t) ([#"../filter_positive.rs" 103 13 103 14] i)); + [#"../filter_positive.rs" 103 12 103 15] _35 <- ([#"../filter_positive.rs" 103 12 103 15] index0 t i); goto BB19 } BB19 { - switch ([#"../filter_positive.rs" 103 11 103 19] ([#"../filter_positive.rs" 103 11 103 15] _35) > ([#"../filter_positive.rs" 103 18 103 19] [#"../filter_positive.rs" 103 18 103 19] (0 : int32))) + [#"../filter_positive.rs" 103 11 103 19] _33 <- _35 > ([#"../filter_positive.rs" 103 18 103 19] (0 : int32)); + switch (_33) | False -> goto BB25 | True -> goto BB20 end 
@@ -430,20 +459,20 @@ module FilterPositive_M goto BB22 } BB22 { - [#"../filter_positive.rs" 113 24 113 27] _43 <- ([#"../filter_positive.rs" 113 24 113 27] index0 ([#"../filter_positive.rs" 113 23 113 24] t) ([#"../filter_positive.rs" 113 25 113 26] i)); + [#"../filter_positive.rs" 113 24 113 27] _43 <- ([#"../filter_positive.rs" 113 24 113 27] index0 t i); goto BB23 } BB23 { [#"../filter_positive.rs" 113 12 113 13] _47 <- Borrow.borrow_mut u; [#"../filter_positive.rs" 113 12 113 13] u <- ^ _47; - [#"../filter_positive.rs" 113 13 113 20] _46 <- ([#"../filter_positive.rs" 113 13 113 20] index_mut0 _47 ([#"../filter_positive.rs" 113 14 113 19] count)); + [#"../filter_positive.rs" 113 13 113 20] _46 <- ([#"../filter_positive.rs" 113 13 113 20] index_mut0 _47 count); _47 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); goto BB24 } BB24 { - [#"../filter_positive.rs" 113 12 113 27] _46 <- { _46 with current = ([#"../filter_positive.rs" 113 23 113 27] _43) ; }; + [#"../filter_positive.rs" 113 12 113 27] _46 <- { _46 with current = _43 ; }; assume { resolve1 _46 }; - [#"../filter_positive.rs" 114 12 114 22] count <- ([#"../filter_positive.rs" 114 12 114 22] count + ([#"../filter_positive.rs" 114 21 114 22] [#"../filter_positive.rs" 114 21 114 22] (1 : usize))); + [#"../filter_positive.rs" 114 12 114 22] count <- count + ([#"../filter_positive.rs" 114 21 114 22] (1 : usize)); [#"../filter_positive.rs" 103 20 115 9] _32 <- ([#"../filter_positive.rs" 103 20 115 9] ()); goto BB26 } 
@@ -452,14 +481,14 @@ module FilterPositive_M goto BB26 } BB26 { - [#"../filter_positive.rs" 116 8 116 14] i <- ([#"../filter_positive.rs" 116 8 116 14] i + ([#"../filter_positive.rs" 116 13 116 14] [#"../filter_positive.rs" 116 13 116 14] (1 : usize))); + [#"../filter_positive.rs" 116 8 116 14] i <- i + ([#"../filter_positive.rs" 116 13 116 14] (1 : usize)); [#"../filter_positive.rs" 102 22 117 5] _9 <- ([#"../filter_positive.rs" 102 22 117 5] ()); goto BB15 } BB27 { assume { resolve0 t }; - [#"../filter_positive.rs" 118 11 118 12] _0 <- ([#"../filter_positive.rs" 118 11 118 12] u); - [#"../filter_positive.rs" 118 11 118 12] u <- any Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global); + [#"../filter_positive.rs" 118 11 118 12] _0 <- u; + u <- any Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global); goto BB28 } BB28 { diff --git a/creusot/tests/should_succeed/filter_positive.rs b/creusot/tests/should_succeed/filter_positive.rs index 40888e945a..e5fbef896d 100644 --- a/creusot/tests/should_succeed/filter_positive.rs +++ b/creusot/tests/should_succeed/filter_positive.rs @@ -32,7 +32,7 @@ use creusot_contracts::{ // number of positive elements of `t` between `i` (included) and `j` // (excluded) -#[ghost] +#[logic] #[variant(j-i)] fn num_of_pos(i: Int, j: Int, t: Seq) -> Int { pearlite! { @@ -58,7 +58,7 @@ fn num_of_pos(i: Int, j: Int, t: Seq) -> Int { // // lemma: `num_of_pos` is increasing -#[ghost] +#[logic] #[requires(j <= k)] #[ensures(num_of_pos(i,j,t) <= num_of_pos(i,k,t))] #[variant(k-j)] @@ -72,7 +72,7 @@ fn lemma_num_of_pos_increasing(i: Int, j: Int, k: Int, t: Seq) { // lemma: `num_of_pos` is strictly increasing when a positive element // is met -#[ghost] +#[logic] #[requires(0 <= i && i < t.len())] #[requires(t[i]@ > 0)] #[ensures(num_of_pos(0,i,t) < num_of_pos(0,i+1,t))] 
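Review bot: The comments on the two lemmas in filter_positive.rs do not say that, as `#[logic]` functions carrying a `#[requires]`/`#[ensures]` contract, they are exported to callers as bare axioms — the generated filter_positive.mlcfg shows `axiom lemma_num_of_pos_increasing0_spec` and `axiom lemma_num_of_pos_strictly_increasing0_spec` in `FilterPositive_M` — so the proof of `m` is only sound while each lemma's own goal in its `_Impl` module stays discharged and `#[variant(k-j)]` is kept on the recursive one. I would extend the first comment to `// lemma: \`num_of_pos\` is increasing (exported to callers as an axiom: keep #[variant] and keep this lemma's own VC proven, or the proof of \`m\` is unsound)` and add the same caveat to `lemma_num_of_pos_strictly_increasing`, which appears to be non-recursive and so has no `#[variant]`. Nothing in this hunk changes the contracts themselves; the function bodies lie outside the hunks, so I cannot confirm from here that the `#[ghost]`→`#[logic]` rename is the only change to them.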
diff --git a/creusot/tests/should_succeed/filter_positive/why3session.xml b/creusot/tests/should_succeed/filter_positive/why3session.xml index 292fd0ed57..8d1abbb75a 100644 --- a/creusot/tests/should_succeed/filter_positive/why3session.xml +++ b/creusot/tests/should_succeed/filter_positive/why3session.xml @@ -7,23 +7,23 @@ - + - - + + - + - + diff --git a/creusot/tests/should_succeed/filter_positive/why3shapes.gz b/creusot/tests/should_succeed/filter_positive/why3shapes.gz index b339fc225a..878d0edfab 100644 Binary files a/creusot/tests/should_succeed/filter_positive/why3shapes.gz and b/creusot/tests/should_succeed/filter_positive/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/ghost_ptr_token.mlcfg b/creusot/tests/should_succeed/ghost_ptr_token.mlcfg new file mode 100644 index 0000000000..ddaae83526 --- /dev/null +++ b/creusot/tests/should_succeed/ghost_ptr_token.mlcfg 
@@ -0,0 +1,529 @@ + +module CreusotContracts_GhostPtr_GhostPtrToken_Type + type t_ghostptrtoken 't +end +module CreusotContracts_GhostPtr_GhostPtrTokenMut_Type + type t_ghostptrtokenmut 't +end +module CreusotContracts_Logic_Fmap_FMap_Type + type t_fmap 'k 'v +end +module Core_Panicking_AssertKind_Type + type t_assertkind = + | C_Eq + | C_Ne + | C_Match + +end +module Core_Option_Option_Type + type t_option 't = + | C_None + | C_Some 't + +end +module Core_Ptr_NonNull_NonNull_Type + use prelude.Opaque + type t_nonnull 't = + | C_NonNull opaque_ptr + +end +module Core_Marker_PhantomData_Type + type t_phantomdata 't = + | C_PhantomData + +end +module Core_Ptr_Unique_Unique_Type + use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type + use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type + type t_unique 't = + | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) + +end +module Alloc_Boxed_Box_Type + use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type + type t_box 't 'a = + | C_Box (Core_Ptr_Unique_Unique_Type.t_unique 't) 'a + +end +module Alloc_Alloc_Global_Type + type t_global = + | C_Global + +end +module GhostPtrToken_Test + use prelude.Int32 + use Core_Option_Option_Type as Core_Option_Option_Type + predicate invariant7 (self : Core_Option_Option_Type.t_option int32) = + [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true + val invariant7 (self : Core_Option_Option_Type.t_option int32) : bool + ensures { result = invariant7 self } + + predicate inv7 (_x : Core_Option_Option_Type.t_option int32) + val inv7 (_x : Core_Option_Option_Type.t_option int32) : bool + ensures { result = inv7 _x } + + axiom inv7 : forall x : Core_Option_Option_Type.t_option int32 . 
inv7 x = true + use prelude.Opaque + use map.Map + predicate invariant6 (self : Map.map opaque_ptr (Core_Option_Option_Type.t_option int32)) = + [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true + val invariant6 (self : Map.map opaque_ptr (Core_Option_Option_Type.t_option int32)) : bool + ensures { result = invariant6 self } + + predicate inv6 (_x : Map.map opaque_ptr (Core_Option_Option_Type.t_option int32)) + val inv6 (_x : Map.map opaque_ptr (Core_Option_Option_Type.t_option int32)) : bool + ensures { result = inv6 _x } + + axiom inv6 : forall x : Map.map opaque_ptr (Core_Option_Option_Type.t_option int32) . inv6 x = true + predicate invariant5 (self : int32) = + [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true + val invariant5 (self : int32) : bool + ensures { result = invariant5 self } + + predicate inv5 (_x : int32) + val inv5 (_x : int32) : bool + ensures { result = inv5 _x } + + axiom inv5 : forall x : int32 . inv5 x = true + predicate invariant4 (self : opaque_ptr) = + [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true + val invariant4 (self : opaque_ptr) : bool + ensures { result = invariant4 self } + + predicate inv4 (_x : opaque_ptr) + val inv4 (_x : opaque_ptr) : bool + ensures { result = inv4 _x } + + axiom inv4 : forall x : opaque_ptr . 
inv4 x = true + use CreusotContracts_Logic_Fmap_FMap_Type as CreusotContracts_Logic_Fmap_FMap_Type + predicate invariant3 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) = + [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true + val invariant3 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) : bool + ensures { result = invariant3 self } + + predicate inv3 (_x : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) + val inv3 (_x : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) : bool + ensures { result = inv3 _x } + + axiom inv3 : forall x : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 . inv3 x = true + predicate invariant2 (self : int32) = + [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true + val invariant2 (self : int32) : bool + ensures { result = invariant2 self } + + predicate inv2 (_x : int32) + val inv2 (_x : int32) : bool + ensures { result = inv2 _x } + + axiom inv2 : forall x : int32 . inv2 x = true + use prelude.Borrow + predicate invariant1 (self : borrowed int32) = + [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true + val invariant1 (self : borrowed int32) : bool + ensures { result = invariant1 self } + + predicate inv1 (_x : borrowed int32) + val inv1 (_x : borrowed int32) : bool + ensures { result = inv1 _x } + + axiom inv1 : forall x : borrowed int32 . inv1 x = true + predicate invariant0 (self : int32) = + [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true + val invariant0 (self : int32) : bool + ensures { result = invariant0 self } + + predicate inv0 (_x : int32) + val inv0 (_x : int32) : bool + ensures { result = inv0 _x } + + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + axiom inv0 : forall x : int32 . 
inv0 x = true + use CreusotContracts_GhostPtr_GhostPtrToken_Type as CreusotContracts_GhostPtr_GhostPtrToken_Type + function unreachable0 (_1 : ()) : int32 + val unreachable0 (_1 : ()) : int32 + requires {[#"../../../../creusot-contracts/src/util.rs" 24 11 24 16] false} + ensures { result = unreachable0 _1 } + + axiom unreachable0_spec : forall _1 : () . ([#"../../../../creusot-contracts/src/util.rs" 24 11 24 16] false) + -> ([#"../../../../creusot-contracts/src/util.rs" 27 0 27 28] inv0 (unreachable0 _1)) && ([#"../../../../creusot-contracts/src/util.rs" 25 10 25 15] false) + function unwrap0 (op : Core_Option_Option_Type.t_option int32) : int32 + val unwrap0 (op : Core_Option_Option_Type.t_option int32) : int32 + requires {[#"../../../../creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None} + requires {[#"../../../../creusot-contracts/src/util.rs" 35 17 35 19] inv7 op} + ensures { result = unwrap0 op } + + axiom unwrap0_spec : forall op : Core_Option_Option_Type.t_option int32 . 
([#"../../../../creusot-contracts/src/util.rs" 33 11 33 21] op <> Core_Option_Option_Type.C_None) + -> ([#"../../../../creusot-contracts/src/util.rs" 35 17 35 19] inv7 op) + -> ([#"../../../../creusot-contracts/src/util.rs" 35 0 35 36] inv0 (unwrap0 op)) && ([#"../../../../creusot-contracts/src/util.rs" 34 10 34 28] Core_Option_Option_Type.C_Some (unwrap0 op) = op) + use map.Map + function mk0 (_m : Map.map opaque_ptr (Core_Option_Option_Type.t_option int32)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + + val mk0 (_m : Map.map opaque_ptr (Core_Option_Option_Type.t_option int32)) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + ensures { result = mk0 _m } + + function view0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) : Map.map opaque_ptr (Core_Option_Option_Type.t_option int32) + + val view0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) : Map.map opaque_ptr (Core_Option_Option_Type.t_option int32) + requires {[#"../../../../creusot-contracts/src/logic/fmap.rs" 28 16 28 20] inv3 self} + ensures { result = view0 self } + + axiom view0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 . 
([#"../../../../creusot-contracts/src/logic/fmap.rs" 28 16 28 20] inv3 self) + -> ([#"../../../../creusot-contracts/src/logic/fmap.rs" 28 4 28 35] inv6 (view0 self)) && ([#"../../../../creusot-contracts/src/logic/fmap.rs" 27 14 27 38] mk0 (view0 self) = self) + function get0 [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : Core_Option_Option_Type.t_option int32 + + = + [#"../../../../creusot-contracts/src/logic/fmap.rs" 55 8 55 26] Map.get (view0 self) k + val get0 [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : Core_Option_Option_Type.t_option int32 + ensures { result = get0 self k } + + function lookup_unsized0 [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : int32 + + = + [#"../../../../creusot-contracts/src/logic/fmap.rs" 62 8 62 27] unwrap0 (get0 self k) + val lookup_unsized0 [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : int32 + ensures { result = lookup_unsized0 self k } + + function contains0 [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : bool + + = + [#"../../../../creusot-contracts/src/logic/fmap.rs" 79 8 79 27] get0 self k <> Core_Option_Option_Type.C_None + val contains0 [@inline:trivial] (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : bool + ensures { result = contains0 self k } + + function shallow_model0 (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + + val shallow_model0 (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + ensures { result = shallow_model0 self } + + function shallow_model1 (self : 
CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + + = + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model0 self + val shallow_model1 (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + ensures { result = shallow_model1 self } + + val ptr_as_ref0 (self : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32) (ptr : opaque_ptr) : int32 + requires {[#"../../../../creusot-contracts/src/ghost_ptr.rs" 79 4 79 36] contains0 (shallow_model1 self) ptr} + ensures { [#"../../../../creusot-contracts/src/ghost_ptr.rs" 80 14 80 51] result = lookup_unsized0 (shallow_model1 self) ptr } + ensures { [#"../../../../creusot-contracts/src/ghost_ptr.rs" 81 4 81 49] inv2 result } + + val swap0 (x : borrowed int32) (y : borrowed int32) : () + requires {inv1 x} + requires {inv1 y} + ensures { [#"../../../../creusot-contracts/src/std/mem.rs" 11 22 11 30] ^ x = * y } + ensures { [#"../../../../creusot-contracts/src/std/mem.rs" 12 22 12 30] ^ y = * x } + + use Core_Panicking_AssertKind_Type as Core_Panicking_AssertKind_Type + predicate resolve2 (self : borrowed int32) = + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self + val resolve2 (self : borrowed int32) : bool + ensures { result = resolve2 self } + + predicate resolve3 (self : int32) = + [#"../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true + val resolve3 (self : int32) : bool + ensures { result = resolve3 self } + + predicate resolve1 (self : (int32, int32)) = + [#"../../../../creusot-contracts/src/resolve.rs" 16 8 16 60] resolve3 (let (a, _) = self in a) /\ resolve3 (let (_, a) = self in a) + val resolve1 (self : (int32, int32)) : bool + ensures { result = resolve1 self } + + use CreusotContracts_GhostPtr_GhostPtrTokenMut_Type as CreusotContracts_GhostPtr_GhostPtrTokenMut_Type + function 
fin0 (self : CreusotContracts_GhostPtr_GhostPtrTokenMut_Type.t_ghostptrtokenmut int32) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + + val fin0 (self : CreusotContracts_GhostPtr_GhostPtrTokenMut_Type.t_ghostptrtokenmut int32) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + ensures { result = fin0 self } + + function cur0 (self : CreusotContracts_GhostPtr_GhostPtrTokenMut_Type.t_ghostptrtokenmut int32) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + + val cur0 (self : CreusotContracts_GhostPtr_GhostPtrTokenMut_Type.t_ghostptrtokenmut int32) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + ensures { result = cur0 self } + + predicate resolve0 (self : CreusotContracts_GhostPtr_GhostPtrTokenMut_Type.t_ghostptrtokenmut int32) = + [#"../../../../creusot-contracts/src/ghost_ptr.rs" 263 8 263 32] cur0 self = fin0 self + val resolve0 (self : CreusotContracts_GhostPtr_GhostPtrTokenMut_Type.t_ghostptrtokenmut int32) : bool + ensures { result = resolve0 self } + + use prelude.Int + function len0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) : int + val len0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) : int + requires {[#"../../../../creusot-contracts/src/logic/fmap.rs" 13 15 13 19] inv3 self} + ensures { result = len0 self } + + axiom len0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 . ([#"../../../../creusot-contracts/src/logic/fmap.rs" 13 15 13 19] inv3 self) + -> ([#"../../../../creusot-contracts/src/logic/fmap.rs" 12 14 12 25] len0 self >= 0) + use map.Map + function make_sized0 (self : int32) : int32 + val make_sized0 (self : int32) : int32 + requires {[#"../../../../creusot-contracts/src/util.rs" 16 19 16 23] inv2 self} + ensures { result = make_sized0 self } + + axiom make_sized0_spec : forall self : int32 . 
([#"../../../../creusot-contracts/src/util.rs" 16 19 16 23] inv2 self) + -> ([#"../../../../creusot-contracts/src/util.rs" 16 4 16 40] inv0 (make_sized0 self)) && ([#"../../../../creusot-contracts/src/util.rs" 15 14 15 30] make_sized0 self = self) + function insert0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) (v : int32) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + + val insert0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) (v : int32) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + requires {[#"../../../../creusot-contracts/src/logic/fmap.rs" 38 18 38 22] inv3 self} + requires {[#"../../../../creusot-contracts/src/logic/fmap.rs" 38 24 38 25] inv4 k} + requires {[#"../../../../creusot-contracts/src/logic/fmap.rs" 38 30 38 31] inv5 v} + ensures { result = insert0 self k v } + + axiom insert0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32, k : opaque_ptr, v : int32 . 
([#"../../../../creusot-contracts/src/logic/fmap.rs" 38 18 38 22] inv3 self) + -> ([#"../../../../creusot-contracts/src/logic/fmap.rs" 38 24 38 25] inv4 k) + -> ([#"../../../../creusot-contracts/src/logic/fmap.rs" 38 30 38 31] inv5 v) + -> ([#"../../../../creusot-contracts/src/logic/fmap.rs" 38 4 38 43] inv3 (insert0 self k v)) && ([#"../../../../creusot-contracts/src/logic/fmap.rs" 37 4 37 68] not contains0 self k + -> len0 (insert0 self k v) = len0 self + 1) && ([#"../../../../creusot-contracts/src/logic/fmap.rs" 36 4 36 63] contains0 self k + -> len0 (insert0 self k v) = len0 self) && ([#"../../../../creusot-contracts/src/logic/fmap.rs" 35 14 35 71] view0 (insert0 self k v) = Map.set (view0 self) k (Core_Option_Option_Type.C_Some (make_sized0 v))) + function remove0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + + val remove0 (self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32) (k : opaque_ptr) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + requires {[#"../../../../creusot-contracts/src/logic/fmap.rs" 47 18 47 22] inv3 self} + requires {[#"../../../../creusot-contracts/src/logic/fmap.rs" 47 24 47 25] inv4 k} + ensures { result = remove0 self k } + + axiom remove0_spec : forall self : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32, k : opaque_ptr . 
([#"../../../../creusot-contracts/src/logic/fmap.rs" 47 18 47 22] inv3 self) + -> ([#"../../../../creusot-contracts/src/logic/fmap.rs" 47 24 47 25] inv4 k) + -> ([#"../../../../creusot-contracts/src/logic/fmap.rs" 47 4 47 37] inv3 (remove0 self k)) && ([#"../../../../creusot-contracts/src/logic/fmap.rs" 46 14 46 84] len0 (remove0 self k) = (if contains0 self k then + len0 self - 1 + else + len0 self + )) && ([#"../../../../creusot-contracts/src/logic/fmap.rs" 45 14 45 55] view0 (remove0 self k) = Map.set (view0 self) k (Core_Option_Option_Type.C_None)) + val take_mut0 (self : borrowed (CreusotContracts_GhostPtr_GhostPtrTokenMut_Type.t_ghostptrtokenmut int32)) (ptr : opaque_ptr) : borrowed int32 + requires {[#"../../../../creusot-contracts/src/ghost_ptr.rs" 229 15 229 42] contains0 (cur0 ( * self)) ptr} + ensures { [#"../../../../creusot-contracts/src/ghost_ptr.rs" 230 14 230 59] * result = lookup_unsized0 (cur0 ( * self)) ptr } + ensures { [#"../../../../creusot-contracts/src/ghost_ptr.rs" 231 14 231 56] cur0 ( ^ self) = remove0 (cur0 ( * self)) ptr } + ensures { [#"../../../../creusot-contracts/src/ghost_ptr.rs" 232 14 232 65] fin0 ( * self) = insert0 (fin0 ( ^ self)) ptr ( ^ result) } + ensures { [#"../../../../creusot-contracts/src/ghost_ptr.rs" 233 14 233 42] not contains0 (fin0 ( ^ self)) ptr } + ensures { [#"../../../../creusot-contracts/src/ghost_ptr.rs" 234 4 234 58] inv1 result } + + val borrow_mut0 (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32)) : CreusotContracts_GhostPtr_GhostPtrTokenMut_Type.t_ghostptrtokenmut int32 + ensures { [#"../../../../creusot-contracts/src/ghost_ptr.rs" 124 14 124 38] cur0 result = shallow_model0 ( * self) } + ensures { [#"../../../../creusot-contracts/src/ghost_ptr.rs" 125 14 125 38] fin0 result = shallow_model0 ( ^ self) } + + val ptr_from_box0 (self : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32)) (val' : int32) : opaque_ptr + requires 
{[#"../../../../creusot-contracts/src/ghost_ptr.rs" 71 35 71 38] inv0 val'} + ensures { [#"../../../../creusot-contracts/src/ghost_ptr.rs" 67 4 67 42] not contains0 (shallow_model0 ( * self)) result } + ensures { [#"../../../../creusot-contracts/src/ghost_ptr.rs" 70 14 70 55] shallow_model0 ( ^ self) = insert0 (shallow_model0 ( * self)) result val' } + + use map.Const + function empty0 (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + val empty0 (_1 : ()) : CreusotContracts_Logic_Fmap_FMap_Type.t_fmap opaque_ptr int32 + ensures { result = empty0 _1 } + + axiom empty0_spec : forall _1 : () . ([#"../../../../creusot-contracts/src/logic/fmap.rs" 87 4 87 26] inv3 (empty0 _1)) && ([#"../../../../creusot-contracts/src/logic/fmap.rs" 86 14 86 49] view0 (empty0 _1) = Const.const (Core_Option_Option_Type.C_None)) && ([#"../../../../creusot-contracts/src/logic/fmap.rs" 85 14 85 31] len0 (empty0 _1) = 0) + val new0 (_1 : ()) : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32 + ensures { [#"../../../../creusot-contracts/src/ghost_ptr.rs" 41 14 41 38] shallow_model0 result = empty0 () } + + let constant promoted0 [#"../ghost_ptr_token.rs" 3 0 3 13] : int32 = [@vc:do_not_keep_trace] [@vc:sp] + let _1 = [#"../ghost_ptr_token.rs" 17 40 17 41] (1 : int32) in let _0 = _1 in _0 + let constant promoted1 [#"../ghost_ptr_token.rs" 3 0 3 13] : int32 = [@vc:do_not_keep_trace] [@vc:sp] + let _1 = [#"../ghost_ptr_token.rs" 16 40 16 41] (2 : int32) in let _0 = _1 in _0 + let constant promoted2 [#"../ghost_ptr_token.rs" 3 0 3 13] : int32 = [@vc:do_not_keep_trace] [@vc:sp] + let _1 = [#"../ghost_ptr_token.rs" 13 20 13 21] (2 : int32) in let _0 = _1 in _0 + let constant promoted3 [#"../ghost_ptr_token.rs" 3 0 3 13] : int32 = [@vc:do_not_keep_trace] [@vc:sp] + let _1 = [#"../ghost_ptr_token.rs" 12 20 12 21] (1 : int32) in let _0 = _1 in _0 + let rec cfg test [#"../ghost_ptr_token.rs" 3 0 3 13] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () + 
= [@vc:do_not_keep_trace] [@vc:sp] + var _0 : (); + var token : CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32; + var ptr1 : opaque_ptr; + var _3 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32); + var ptr2 : opaque_ptr; + var _6 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32); + var token_mut : CreusotContracts_GhostPtr_GhostPtrTokenMut_Type.t_ghostptrtokenmut int32; + var _9 : borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32); + var m1 : borrowed int32; + var _11 : borrowed (CreusotContracts_GhostPtr_GhostPtrTokenMut_Type.t_ghostptrtokenmut int32); + var m2 : borrowed int32; + var _14 : borrowed (CreusotContracts_GhostPtr_GhostPtrTokenMut_Type.t_ghostptrtokenmut int32); + var _17 : (int32, int32); + var left_val : int32; + var right_val : int32; + var _23 : bool; + var kind : Core_Panicking_AssertKind_Type.t_assertkind; + var _31 : int32; + var _33 : int32; + var _36 : (int32, int32); + var left_val1 : int32; + var right_val1 : int32; + var _42 : bool; + var kind1 : Core_Panicking_AssertKind_Type.t_assertkind; + var _50 : int32; + var _52 : int32; + var _54 : (); + var _55 : borrowed int32; + var _56 : borrowed int32; + var _58 : (int32, int32); + var _60 : int32; + var left_val2 : int32; + var right_val2 : int32; + var _67 : bool; + var kind2 : Core_Panicking_AssertKind_Type.t_assertkind; + var _75 : int32; + var _77 : int32; + var _80 : (int32, int32); + var _82 : int32; + var left_val3 : int32; + var right_val3 : int32; + var _89 : bool; + var kind3 : Core_Panicking_AssertKind_Type.t_assertkind; + var _97 : int32; + var _99 : int32; + var _101 : int32; + var _102 : int32; + var _103 : int32; + var _104 : int32; + { + goto BB0 + } + BB0 { + [#"../ghost_ptr_token.rs" 4 20 4 40] token <- ([#"../ghost_ptr_token.rs" 4 20 4 40] new0 ([#"../ghost_ptr_token.rs" 4 20 4 40] ())); + goto BB1 + } + BB1 { + [#"../ghost_ptr_token.rs" 5 15 5 20] _3 <- 
Borrow.borrow_mut token; + [#"../ghost_ptr_token.rs" 5 15 5 20] token <- ^ _3; + goto BB2 + } + BB2 { + [#"../ghost_ptr_token.rs" 5 15 5 46] ptr1 <- ([#"../ghost_ptr_token.rs" 5 15 5 46] ptr_from_box0 _3 ([#"../ghost_ptr_token.rs" 5 43 5 44] (1 : int32))); + _3 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32); + goto BB3 + } + BB3 { + [#"../ghost_ptr_token.rs" 6 15 6 20] _6 <- Borrow.borrow_mut token; + [#"../ghost_ptr_token.rs" 6 15 6 20] token <- ^ _6; + goto BB4 + } + BB4 { + [#"../ghost_ptr_token.rs" 6 15 6 46] ptr2 <- ([#"../ghost_ptr_token.rs" 6 15 6 46] ptr_from_box0 _6 ([#"../ghost_ptr_token.rs" 6 43 6 44] (2 : int32))); + _6 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32); + goto BB5 + } + BB5 { + [#"../ghost_ptr_token.rs" 8 24 8 29] _9 <- Borrow.borrow_mut token; + [#"../ghost_ptr_token.rs" 8 24 8 29] token <- ^ _9; + [#"../ghost_ptr_token.rs" 8 24 8 42] token_mut <- ([#"../ghost_ptr_token.rs" 8 24 8 42] borrow_mut0 _9); + _9 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrToken_Type.t_ghostptrtoken int32); + goto BB6 + } + BB6 { + [#"../ghost_ptr_token.rs" 9 13 9 22] _11 <- Borrow.borrow_mut token_mut; + [#"../ghost_ptr_token.rs" 9 13 9 22] token_mut <- ^ _11; + [#"../ghost_ptr_token.rs" 9 13 9 37] m1 <- ([#"../ghost_ptr_token.rs" 9 13 9 37] take_mut0 _11 ptr1); + _11 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrTokenMut_Type.t_ghostptrtokenmut int32); + goto BB7 + } + BB7 { + [#"../ghost_ptr_token.rs" 10 13 10 22] _14 <- Borrow.borrow_mut token_mut; + [#"../ghost_ptr_token.rs" 10 13 10 22] token_mut <- ^ _14; + [#"../ghost_ptr_token.rs" 10 13 10 37] m2 <- ([#"../ghost_ptr_token.rs" 10 13 10 37] take_mut0 _14 ptr2); + _14 <- any borrowed (CreusotContracts_GhostPtr_GhostPtrTokenMut_Type.t_ghostptrtokenmut int32); + goto BB8 + } + BB8 { + assume { resolve0 token_mut }; + _104 <- promoted3; + _17 <- ( * m1, _104); + left_val <- (let (a, _) = _17 in a); + right_val <- (let (_, 
a) = _17 in a); + assume { resolve1 _17 }; + _23 <- left_val = right_val; + switch (_23) + | False -> goto BB10 + | True -> goto BB9 + end + } + BB9 { + _103 <- promoted2; + _36 <- ( * m2, _103); + left_val1 <- (let (a, _) = _36 in a); + right_val1 <- (let (_, a) = _36 in a); + assume { resolve1 _36 }; + _42 <- left_val1 = right_val1; + switch (_42) + | False -> goto BB12 + | True -> goto BB11 + end + } + BB10 { + assume { resolve2 m2 }; + kind <- Core_Panicking_AssertKind_Type.C_Eq; + _31 <- left_val; + _33 <- right_val; + assert { false }; + absurd + } + BB11 { + [#"../ghost_ptr_token.rs" 15 20 15 22] _55 <- Borrow.borrow_final ( * m1) (Borrow.get_id m1); + [#"../ghost_ptr_token.rs" 15 20 15 22] m1 <- { m1 with current = ( ^ _55) ; }; + [#"../ghost_ptr_token.rs" 15 24 15 26] _56 <- Borrow.borrow_final ( * m2) (Borrow.get_id m2); + [#"../ghost_ptr_token.rs" 15 24 15 26] m2 <- { m2 with current = ( ^ _56) ; }; + [#"../ghost_ptr_token.rs" 15 4 15 27] _54 <- ([#"../ghost_ptr_token.rs" 15 4 15 27] swap0 _55 _56); + _55 <- any borrowed int32; + _56 <- any borrowed int32; + goto BB13 + } + BB12 { + assume { resolve2 m1 }; + kind1 <- Core_Panicking_AssertKind_Type.C_Eq; + _50 <- left_val1; + _52 <- right_val1; + assert { false }; + absurd + } + BB13 { + assume { resolve2 m2 }; + assume { resolve2 m1 }; + [#"../ghost_ptr_token.rs" 16 16 16 38] _60 <- ([#"../ghost_ptr_token.rs" 16 16 16 38] ptr_as_ref0 token ptr1); + goto BB14 + } + BB14 { + _102 <- promoted1; + _58 <- (_60, _102); + left_val2 <- (let (a, _) = _58 in a); + right_val2 <- (let (_, a) = _58 in a); + assume { resolve1 _58 }; + _67 <- left_val2 = right_val2; + switch (_67) + | False -> goto BB16 + | True -> goto BB15 + end + } + BB15 { + [#"../ghost_ptr_token.rs" 17 16 17 38] _82 <- ([#"../ghost_ptr_token.rs" 17 16 17 38] ptr_as_ref0 token ptr2); + goto BB17 + } + BB16 { + kind2 <- Core_Panicking_AssertKind_Type.C_Eq; + _75 <- left_val2; + _77 <- right_val2; + assert { false }; + absurd + } + BB17 { + _101 <- 
promoted0; + _80 <- (_82, _101); + left_val3 <- (let (a, _) = _80 in a); + right_val3 <- (let (_, a) = _80 in a); + assume { resolve1 _80 }; + _89 <- left_val3 = right_val3; + switch (_89) + | False -> goto BB19 + | True -> goto BB18 + end + } + BB18 { + [#"../ghost_ptr_token.rs" 3 14 18 1] _0 <- ([#"../ghost_ptr_token.rs" 3 14 18 1] ()); + return _0 + } + BB19 { + kind3 <- Core_Panicking_AssertKind_Type.C_Eq; + _97 <- left_val3; + _99 <- right_val3; + assert { false }; + absurd + } + +end diff --git a/creusot/tests/should_succeed/ghost_ptr_token.rs b/creusot/tests/should_succeed/ghost_ptr_token.rs new file mode 100644 index 0000000000..eb91e8f54b --- /dev/null +++ b/creusot/tests/should_succeed/ghost_ptr_token.rs @@ -0,0 +1,18 @@ +extern crate creusot_contracts; +use creusot_contracts::ghost_ptr::GhostPtrToken; +pub fn test() { + let mut token = GhostPtrToken::new(); + let ptr1 = token.ptr_from_box(Box::new(1)); + let ptr2 = token.ptr_from_box(Box::new(2)); + + let mut token_mut = token.borrow_mut(); + let m1 = token_mut.take_mut(ptr1); + let m2 = token_mut.take_mut(ptr2); + + assert_eq!(*m1, 1); + assert_eq!(*m2, 2); + + core::mem::swap(m1, m2); + assert_eq!(*token.ptr_as_ref(ptr1), 2); + assert_eq!(*token.ptr_as_ref(ptr2), 1); +} diff --git a/creusot/tests/should_succeed/ghost_ptr_token/why3session.xml b/creusot/tests/should_succeed/ghost_ptr_token/why3session.xml new file mode 100644 index 0000000000..6dc293cec8 --- /dev/null +++ b/creusot/tests/should_succeed/ghost_ptr_token/why3session.xml @@ -0,0 +1,14 @@ + + + + + + + + + + + + + diff --git a/creusot/tests/should_succeed/ghost_ptr_token/why3shapes.gz b/creusot/tests/should_succeed/ghost_ptr_token/why3shapes.gz new file mode 100644 index 0000000000..8c53fe111a Binary files /dev/null and b/creusot/tests/should_succeed/ghost_ptr_token/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/hashmap.mlcfg b/creusot/tests/should_succeed/hashmap.mlcfg index eaaebdc4f6..aaf2da7a66 100644 
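Review bot: The new proof target only exercises the happy path of `GhostPtrToken`, so nothing checks the aliasing rule that `take_mut` is meant to enforce — its contract requires `contains0 (cur0 (*self)) ptr` and removes `ptr` from `cur0 (^self)`, so a second `token_mut.take_mut(ptr1)` after line 10 must fail verification, and a regression that weakened that contract would pass this suite unnoticed. I'd add a `should_fail` sibling that is this file plus one line, `let m1_again = token_mut.take_mut(ptr1);`, placed right after the first `take_mut`. The two allocations made with `ptr_from_box` are also never reclaimed; if the token API has an inverse that turns a pointer back into a `Box`, calling it at the end would exercise the removal bookkeeping as well (and avoid the leak if this is ever run as a plain test rather than a proof). A one-line doc comment on `test` would help future readers, e.g. `/// Happy path: two boxed ints are registered in a token, taken out as mutable borrows through a mutable token, swapped, then read back through the original token.`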
--- a/creusot/tests/should_succeed/hashmap.mlcfg +++ b/creusot/tests/should_succeed/hashmap.mlcfg @@ -38,7 +38,7 @@ module Hashmap_Impl2_Hash use prelude.Int use prelude.Borrow function deep_model0 (self : usize) : int = - [#"../../../../creusot-contracts/src/model.rs" 70 8 70 28] deep_model1 self + [#"../../../../creusot-contracts/src/model.rs" 74 8 74 28] deep_model1 self val deep_model0 (self : usize) : int ensures { result = deep_model0 self } @@ -54,7 +54,7 @@ module Hashmap_Impl2_Hash goto BB0 } BB0 { - [#"../hashmap.rs" 60 8 60 20] _0 <- ([#"../hashmap.rs" 60 8 60 20] UInt64.of_int (UIntSize.to_int ([#"../hashmap.rs" 60 8 60 13] self))); + [#"../hashmap.rs" 60 8 60 20] _0 <- UInt64.of_int (UIntSize.to_int self); return _0 } @@ -77,12 +77,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
@@ -153,7 +159,8 @@ module Hashmap_Impl5_New requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model2 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model2 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -258,26 +265,30 @@ module Hashmap_Impl5_New predicate good_bucket0 [#"../hashmap.rs" 200 4 200 57] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) (l : Hashmap_List_Type.t_list (k, v)) (h : int) = - [#"../hashmap.rs" 201 8 203 9] forall v : v . forall k : deep_model_ty0 . inv5 v -> inv0 k -> get1 l k = Core_Option_Option_Type.C_Some v -> bucket_ix0 self k = h + [#"../hashmap.rs" 201 8 203 9] forall v : v . forall k : deep_model_ty0 . inv5 v + -> inv0 k -> get1 l k = Core_Option_Option_Type.C_Some v -> bucket_ix0 self k = h val good_bucket0 [#"../hashmap.rs" 200 4 200 57] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) (l : Hashmap_List_Type.t_list (k, v)) (h : int) : bool ensures { result = good_bucket0 self l h } use prelude.Borrow predicate hashmap_inv0 [#"../hashmap.rs" 209 4 209 33] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) = - [#"../hashmap.rs" 210 8 213 9] 0 < Seq.length (shallow_model2 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model2 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) -> good_bucket0 self (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i) i /\ no_double_binding0 (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i)) + [#"../hashmap.rs" 210 8 213 9] 0 < Seq.length (shallow_model2 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) /\ (forall i : int . 
0 <= i /\ i < Seq.length (shallow_model2 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) + -> good_bucket0 self (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i) i /\ no_double_binding0 (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i)) val hashmap_inv0 [#"../hashmap.rs" 209 4 209 33] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) : bool ensures { result = hashmap_inv0 self } val from_elem0 (elem : Hashmap_List_Type.t_list (k, v)) (n : usize) : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global) requires {inv2 elem} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model2 result) = UIntSize.to_int n } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic0 result i = elem } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n + -> index_logic0 result i = elem } ensures { inv3 result } let rec cfg new [#"../hashmap.rs" 98 4 98 46] [@cfg:stackify] [@cfg:subregion_analysis] (size : usize) : Hashmap_MyHashMap_Type.t_myhashmap k v requires {[#"../hashmap.rs" 95 15 95 24] 0 < UIntSize.to_int size} ensures { [#"../hashmap.rs" 96 14 96 34] hashmap_inv0 result } - ensures { [#"../hashmap.rs" 97 4 97 64] forall i : deep_model_ty0 . inv0 i -> Map.get (shallow_model1 result) i = Core_Option_Option_Type.C_None } + ensures { [#"../hashmap.rs" 97 4 97 64] forall i : deep_model_ty0 . inv0 i + -> Map.get (shallow_model1 result) i = Core_Option_Option_Type.C_None } ensures { [#"../hashmap.rs" 98 31 98 46] inv1 result } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -285,21 +296,24 @@ module Hashmap_Impl5_New var size : usize = size; var res : Hashmap_MyHashMap_Type.t_myhashmap k v; var _6 : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global); + var _7 : Hashmap_List_Type.t_list (k, v); { goto BB0 } BB0 { - [#"../../../../creusot-contracts/src/lib.rs" 196 8 196 40] _6 <- ([#"../hashmap.rs" 99 39 99 60] from_elem0 ([#"../hashmap.rs" 99 44 99 53] Hashmap_List_Type.C_Nil) ([#"../hashmap.rs" 99 55 99 59] size)); + [#"../hashmap.rs" 99 44 99 53] _7 <- Hashmap_List_Type.C_Nil; + [#"../hashmap.rs" 99 39 99 60] _6 <- ([#"../hashmap.rs" 99 39 99 60] from_elem0 _7 size); + _7 <- any Hashmap_List_Type.t_list (k, v); goto BB1 } BB1 { - [#"../hashmap.rs" 99 18 99 62] res <- ([#"../hashmap.rs" 99 18 99 62] Hashmap_MyHashMap_Type.C_MyHashMap _6); + [#"../hashmap.rs" 99 18 99 62] res <- Hashmap_MyHashMap_Type.C_MyHashMap _6; _6 <- any Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global); goto BB2 } BB2 { - [#"../hashmap.rs" 100 8 100 11] _0 <- ([#"../hashmap.rs" 100 8 100 11] res); - [#"../hashmap.rs" 100 8 100 11] res <- any Hashmap_MyHashMap_Type.t_myhashmap k v; + [#"../hashmap.rs" 100 8 100 11] _0 <- res; + res <- any Hashmap_MyHashMap_Type.t_myhashmap k v; goto BB3 } BB3 { 
@@ -445,16 +459,16 @@ module Hashmap_Impl5_Add ensures { result = inv5 _x } axiom inv5 : forall x : deep_model_ty0 . inv5 x = true - use prelude.Ghost - predicate invariant4 (self : Ghost.ghost_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) - val invariant4 (self : Ghost.ghost_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) : bool + use prelude.Snapshot + predicate invariant4 (self : Snapshot.snap_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) + val invariant4 (self : Snapshot.snap_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) : bool ensures { result = invariant4 self } - predicate inv4 (_x : Ghost.ghost_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) - val inv4 (_x : Ghost.ghost_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) : bool + predicate inv4 (_x : Snapshot.snap_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) + val inv4 (_x : Snapshot.snap_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) : bool ensures { result = inv4 _x } - axiom inv4 : forall x : Ghost.ghost_ty (borrowed (Hashmap_List_Type.t_list (k, v))) . inv4 x = true + axiom inv4 : forall x : Snapshot.snap_ty (borrowed (Hashmap_List_Type.t_list (k, v))) . inv4 x = true predicate invariant3 (self : borrowed (Hashmap_List_Type.t_list (k, v))) val invariant3 (self : borrowed (Hashmap_List_Type.t_list (k, v))) : bool ensures { result = invariant3 self } 
@@ -488,7 +502,8 @@ module Hashmap_Impl5_Add requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv17 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv17 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) predicate invariant1 (self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -497,15 +512,15 @@ module Hashmap_Impl5_Add ensures { result = invariant1 self } axiom inv1 : forall x : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global) . inv1 x = true - predicate invariant0 (self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) - val invariant0 (self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool + predicate invariant0 (self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) + val invariant0 (self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) - val inv0 (_x : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) + val inv0 (_x : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) . inv0 x = true use prelude.Mapping function deep_model0 (self : k) : deep_model_ty0 val deep_model0 (self : k) : deep_model_ty0 @@ -564,7 +579,7 @@ module Hashmap_Impl5_Add function shallow_model2 (self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model1 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model1 ( * self) val shallow_model2 (self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) ensures { result = shallow_model2 self } 
@@ -584,17 +599,19 @@ module Hashmap_Impl5_Add predicate good_bucket0 [#"../hashmap.rs" 200 4 200 57] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) (l : Hashmap_List_Type.t_list (k, v)) (h : int) = - [#"../hashmap.rs" 201 8 203 9] forall v : v . forall k : deep_model_ty0 . inv7 v -> inv5 k -> get0 l k = Core_Option_Option_Type.C_Some v -> bucket_ix0 self k = h + [#"../hashmap.rs" 201 8 203 9] forall v : v . forall k : deep_model_ty0 . inv7 v + -> inv5 k -> get0 l k = Core_Option_Option_Type.C_Some v -> bucket_ix0 self k = h val good_bucket0 [#"../hashmap.rs" 200 4 200 57] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) (l : Hashmap_List_Type.t_list (k, v)) (h : int) : bool ensures { result = good_bucket0 self l h } predicate hashmap_inv0 [#"../hashmap.rs" 209 4 209 33] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) = - [#"../hashmap.rs" 210 8 213 9] 0 < Seq.length (shallow_model6 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model6 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) -> good_bucket0 self (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i) i /\ no_double_binding0 (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i)) + [#"../hashmap.rs" 210 8 213 9] 0 < Seq.length (shallow_model6 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) /\ (forall i : int . 
0 <= i /\ i < Seq.length (shallow_model6 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) + -> good_bucket0 self (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i) i /\ no_double_binding0 (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i)) val hashmap_inv0 [#"../hashmap.rs" 209 4 209 33] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) : bool ensures { result = hashmap_inv0 self } predicate resolve8 (self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve8 (self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) : bool ensures { result = resolve8 self } 
@@ -607,22 +624,22 @@ module Hashmap_Impl5_Add ensures { result = resolve6 self } predicate resolve5 (self : borrowed (Hashmap_List_Type.t_list (k, v))) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve5 (self : borrowed (Hashmap_List_Type.t_list (k, v))) : bool ensures { result = resolve5 self } predicate resolve4 (self : borrowed k) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve4 (self : borrowed k) : bool ensures { result = resolve4 self } predicate resolve3 (self : borrowed v) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve3 (self : borrowed v) : bool ensures { result = resolve3 self } function deep_model1 (self : k) : deep_model_ty0 = - [#"../../../../creusot-contracts/src/model.rs" 70 8 70 28] deep_model0 self + [#"../../../../creusot-contracts/src/model.rs" 74 8 74 28] deep_model0 self val deep_model1 (self : k) : deep_model_ty0 ensures { result = deep_model1 self } 
@@ -631,16 +648,16 @@ module Hashmap_Impl5_Add requires {inv14 other} ensures { [#"../../../../creusot-contracts/src/std/cmp.rs" 11 26 11 75] result = (deep_model1 self = deep_model1 other) } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - predicate resolve2 (self : Ghost.ghost_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) - val resolve2 (self : Ghost.ghost_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) : bool + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + predicate resolve2 (self : Snapshot.snap_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) + val resolve2 (self : Snapshot.snap_ty (borrowed (Hashmap_List_Type.t_list (k, v)))) : bool ensures { result = resolve2 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve1 (self : borrowed (Hashmap_List_Type.t_list (k, v))) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed (Hashmap_List_Type.t_list (k, v))) : bool ensures { result = resolve1 self } @@ -648,7 +665,8 @@ module Hashmap_Impl5_Add predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq (Hashmap_List_Type.t_list (k, v))) (fin : Seq.seq (Hashmap_List_Type.t_list (k, v))) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq (Hashmap_List_Type.t_list (k, v))) (fin : Seq.seq (Hashmap_List_Type.t_list (k, v))) : bool ensures { result = resolve_elswhere0 self old' fin } 
@@ -667,7 +685,7 @@ module Hashmap_Impl5_Add function shallow_model5 (self : borrowed (Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global))) : Seq.seq (Hashmap_List_Type.t_list (k, v)) = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model6 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model6 ( * self) val shallow_model5 (self : borrowed (Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global))) : Seq.seq (Hashmap_List_Type.t_list (k, v)) ensures { result = shallow_model5 self } @@ -690,7 +708,7 @@ module Hashmap_Impl5_Add function shallow_model3 (self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (Hashmap_List_Type.t_list (k, v)) = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model6 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model6 self val shallow_model3 (self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (Hashmap_List_Type.t_list (k, v)) ensures { result = shallow_model3 self } 
@@ -698,18 +716,19 @@ module Hashmap_Impl5_Add requires {inv13 self} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 75 26 75 48] UIntSize.to_int result = Seq.length (shallow_model3 self) } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) - val resolve0 (self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) + val resolve0 (self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg add [#"../hashmap.rs" 106 4 106 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) (key : k) (val' : v) : () requires {[#"../hashmap.rs" 103 15 103 36] hashmap_inv0 ( * self)} requires {[#"../hashmap.rs" 106 20 106 24] inv12 self} requires {[#"../hashmap.rs" 106 26 106 29] inv6 key} requires {[#"../hashmap.rs" 106 34 106 37] inv7 val'} ensures { [#"../hashmap.rs" 104 14 104 35] hashmap_inv0 ( ^ self) } - ensures { [#"../hashmap.rs" 105 4 105 124] forall i : deep_model_ty0 . inv5 i -> Map.get (shallow_model1 ( ^ self)) i = (if i = deep_model0 key then + ensures { [#"../hashmap.rs" 105 4 105 124] forall i : deep_model_ty0 . inv5 i + -> Map.get (shallow_model1 ( ^ self)) i = (if i = deep_model0 key then Core_Option_Option_Type.C_Some val' else Map.get (shallow_model2 self) i @@ -720,9 +739,10 @@ module Hashmap_Impl5_Add var self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v) = self; var key : k = key; var val' : v = val'; - var old_self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)); + var old_self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)); var length : usize; var index : usize; + var _12 : usize; var _13 : uint64; var _15 : usize; var _16 : bool; 
@@ -730,7 +750,7 @@ module Hashmap_Impl5_Add var _18 : borrowed (Hashmap_List_Type.t_list (k, v)); var _19 : borrowed (Hashmap_List_Type.t_list (k, v)); var _20 : borrowed (Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global)); - var old_l : Ghost.ghost_ty (borrowed (Hashmap_List_Type.t_list (k, v))); + var old_l : Snapshot.snap_ty (borrowed (Hashmap_List_Type.t_list (k, v))); var k : borrowed k; var v : borrowed v; var tl : borrowed (Hashmap_List_Type.t_list (k, v)); 
@@ -738,37 +758,42 @@ module Hashmap_Impl5_Add var _38 : bool; var _45 : borrowed (Hashmap_List_Type.t_list (k, v)); var _46 : borrowed (Hashmap_List_Type.t_list (k, v)); + var _50 : Hashmap_List_Type.t_list (k, v); + var _51 : (k, v); + var _55 : Hashmap_List_Type.t_list (k, v); { goto BB0 } BB0 { - [#"../hashmap.rs" 108 23 108 35] old_self <- ([#"../hashmap.rs" 108 23 108 35] Ghost.new self); + [#"../hashmap.rs" 108 23 108 41] old_self <- ([#"../hashmap.rs" 108 23 108 41] Snapshot.new self); goto BB1 } BB1 { assert { [@expl:type invariant] inv0 old_self }; assume { resolve0 old_self }; - [#"../hashmap.rs" 109 21 109 39] length <- ([#"../hashmap.rs" 109 21 109 39] len0 ([#"../hashmap.rs" 109 21 109 33] Hashmap_MyHashMap_Type.myhashmap_buckets ( * self))); + [#"../hashmap.rs" 109 21 109 39] length <- ([#"../hashmap.rs" 109 21 109 39] len0 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * self))); goto BB2 } BB2 { - [#"../hashmap.rs" 110 27 110 37] _13 <- ([#"../hashmap.rs" 110 27 110 37] hash0 ([#"../hashmap.rs" 110 27 110 30] key)); + [#"../hashmap.rs" 110 27 110 37] _13 <- ([#"../hashmap.rs" 110 27 110 37] hash0 key); goto BB3 } BB3 { - [#"../hashmap.rs" 110 49 110 55] _15 <- ([#"../hashmap.rs" 110 49 110 55] length); - [#"../hashmap.rs" 110 27 110 55] _16 <- ([#"../hashmap.rs" 110 27 110 55] _15 = ([#"../hashmap.rs" 110 27 110 55] [#"../hashmap.rs" 110 27 110 55] (0 : usize))); + [#"../hashmap.rs" 110 27 110 46] _12 <- UIntSize.of_int (UInt64.to_int _13); + _13 <- any uint64; + [#"../hashmap.rs" 110 49 110 55] _15 <- length; + [#"../hashmap.rs" 110 27 110 55] _16 <- _15 = ([#"../hashmap.rs" 110 27 110 55] (0 : usize)); assert { [@expl:remainder by zero] [#"../hashmap.rs" 110 27 110 55] not _16 }; goto BB4 } BB4 { - [#"../hashmap.rs" 110 27 110 55] index <- ([#"../hashmap.rs" 110 27 110 55] ([#"../hashmap.rs" 110 27 110 46] UIntSize.of_int (UInt64.to_int _13)) % _15); - _13 <- any uint64; + [#"../hashmap.rs" 110 27 110 55] index <- _12 % _15; + _12 <- any usize; _15 
<- any usize; [#"../hashmap.rs" 111 39 111 51] _20 <- Borrow.borrow_final (Hashmap_MyHashMap_Type.myhashmap_buckets ( * self)) (Borrow.inherit_id (Borrow.get_id self) 1); [#"../hashmap.rs" 111 39 111 51] self <- { self with current = (let Hashmap_MyHashMap_Type.C_MyHashMap x0 = * self in Hashmap_MyHashMap_Type.C_MyHashMap ( ^ _20)) ; }; assume { inv1 ( ^ _20) }; - [#"../hashmap.rs" 111 51 111 58] _19 <- ([#"../hashmap.rs" 111 51 111 58] index_mut0 _20 ([#"../hashmap.rs" 111 52 111 57] index)); + [#"../hashmap.rs" 111 51 111 58] _19 <- ([#"../hashmap.rs" 111 51 111 58] index_mut0 _20 index); _20 <- any borrowed (Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global)); goto BB5 } @@ -781,7 +806,7 @@ module Hashmap_Impl5_Add assume { inv2 ( ^ l) }; assert { [@expl:type invariant] inv3 _18 }; assume { resolve1 _18 }; - [#"../hashmap.rs" 112 20 112 29] old_l <- ([#"../hashmap.rs" 112 20 112 29] Ghost.new l); + [#"../hashmap.rs" 112 20 112 35] old_l <- ([#"../hashmap.rs" 112 20 112 35] Snapshot.new l); goto BB6 } BB6 { 
@@ -790,12 +815,17 @@ module Hashmap_Impl5_Add goto BB7 } BB7 { - invariant { [#"../hashmap.rs" 114 20 114 52] good_bucket0 ( * Ghost.inner old_self) ( * l) (UIntSize.to_int index) }; - invariant { [#"../hashmap.rs" 114 8 114 54] good_bucket0 ( * Ghost.inner old_self) ( ^ l) (UIntSize.to_int index) -> good_bucket0 ( * Ghost.inner old_self) ( ^ Ghost.inner old_l) (UIntSize.to_int index) }; - invariant { [#"../hashmap.rs" 114 8 114 54] get0 ( ^ l) (deep_model0 key) = Core_Option_Option_Type.C_Some val' -> get0 ( ^ Ghost.inner old_l) (deep_model0 key) = Core_Option_Option_Type.C_Some val' }; - invariant { [#"../hashmap.rs" 114 8 114 54] forall i : deep_model_ty0 . inv5 i -> get0 ( ^ l) i = get0 ( * l) i -> get0 ( ^ Ghost.inner old_l) i = get0 ( * Ghost.inner old_l) i }; + invariant { [#"../hashmap.rs" 114 20 114 52] good_bucket0 ( * Snapshot.inner old_self) ( * l) (UIntSize.to_int index) }; + invariant { [#"../hashmap.rs" 114 8 114 54] good_bucket0 ( * Snapshot.inner old_self) ( ^ l) (UIntSize.to_int index) + -> good_bucket0 ( * Snapshot.inner old_self) ( ^ Snapshot.inner old_l) (UIntSize.to_int index) }; + invariant { [#"../hashmap.rs" 114 8 114 54] get0 ( ^ l) (deep_model0 key) = Core_Option_Option_Type.C_Some val' + -> get0 ( ^ Snapshot.inner old_l) (deep_model0 key) = Core_Option_Option_Type.C_Some val' }; + invariant { [#"../hashmap.rs" 114 8 114 54] forall i : deep_model_ty0 . inv5 i + -> get0 ( ^ l) i = get0 ( * l) i -> get0 ( ^ Snapshot.inner old_l) i = get0 ( * Snapshot.inner old_l) i }; invariant { [#"../hashmap.rs" 118 20 118 44] no_double_binding0 ( * l) }; - invariant { [#"../hashmap.rs" 114 8 114 54] (forall i : deep_model_ty0 . inv5 i -> get0 ( * l) i = get0 ( ^ l) i \/ i = deep_model0 key) /\ no_double_binding0 ( ^ l) -> no_double_binding0 ( ^ Ghost.inner old_l) }; + invariant { [#"../hashmap.rs" 114 8 114 54] (forall i : deep_model_ty0 . 
inv5 i + -> get0 ( * l) i = get0 ( ^ l) i \/ i = deep_model0 key) /\ no_double_binding0 ( ^ l) + -> no_double_binding0 ( ^ Snapshot.inner old_l) }; goto BB8 } BB8 { @@ -817,9 +847,9 @@ module Hashmap_Impl5_Add [#"../hashmap.rs" 121 31 121 33] tl <- Borrow.borrow_final (Hashmap_List_Type.cons_1 ( * l)) (Borrow.inherit_id (Borrow.get_id l) 2); [#"../hashmap.rs" 121 31 121 33] l <- { l with current = (let Hashmap_List_Type.C_Cons x0 x1 = * l in Hashmap_List_Type.C_Cons x0 ( ^ tl)) ; }; assume { inv8 ( ^ tl) }; - [#"../hashmap.rs" 122 21 122 23] tl1 <- ([#"../hashmap.rs" 122 21 122 23] tl); - [#"../hashmap.rs" 122 21 122 23] tl <- any borrowed (Hashmap_List_Type.t_list (k, v)); - [#"../hashmap.rs" 123 15 123 24] _38 <- ([#"../hashmap.rs" 123 15 123 24] eq0 ([#"../hashmap.rs" 123 15 123 17] * k) ([#"../hashmap.rs" 123 21 123 24] key)); + [#"../hashmap.rs" 122 21 122 23] tl1 <- tl; + tl <- any borrowed (Hashmap_List_Type.t_list (k, v)); + [#"../hashmap.rs" 123 15 123 24] _38 <- ([#"../hashmap.rs" 123 15 123 24] eq0 ( * k) key); goto BB11 } BB11 { @@ -837,7 +867,7 @@ module Hashmap_Impl5_Add assume { resolve6 key }; assert { [@expl:type invariant] inv7 val' }; assume { resolve7 val' }; - [#"../hashmap.rs" 124 16 124 24] v <- { v with current = ([#"../hashmap.rs" 124 21 124 24] val') ; }; + [#"../hashmap.rs" 124 16 124 24] v <- { v with current = val' ; }; assert { [@expl:type invariant] inv7 ( * v) }; assume { resolve7 ( * v) }; assert { [@expl:type invariant] inv9 v }; 
@@ -865,8 +895,8 @@ module Hashmap_Impl5_Add assume { inv2 ( ^ _45) }; assert { [@expl:type invariant] inv3 l }; assume { resolve1 l }; - [#"../hashmap.rs" 128 12 128 25] l <- ([#"../hashmap.rs" 128 12 128 25] _45); - [#"../hashmap.rs" 128 12 128 25] _45 <- any borrowed (Hashmap_List_Type.t_list (k, v)); + [#"../hashmap.rs" 128 12 128 25] l <- _45; + _45 <- any borrowed (Hashmap_List_Type.t_list (k, v)); assert { [@expl:type invariant] inv3 _46 }; assume { resolve1 _46 }; assert { [@expl:type invariant] inv11 tl1 }; @@ -878,16 +908,22 @@ module Hashmap_Impl5_Add assume { resolve6 key }; assert { [@expl:type invariant] inv7 val' }; assume { resolve7 val' }; + [#"../hashmap.rs" 131 18 131 28] _51 <- (key, val'); + [#"../hashmap.rs" 131 39 131 42] _55 <- Hashmap_List_Type.C_Nil; goto BB15 } BB15 { + [#"../hashmap.rs" 131 13 131 44] _50 <- Hashmap_List_Type.C_Cons _51 _55; + _51 <- any (k, v); + _55 <- any Hashmap_List_Type.t_list (k, v); goto BB16 } BB16 { goto BB17 } BB17 { - [#"../hashmap.rs" 131 8 131 10] l <- { l with current = ([#"../hashmap.rs" 131 13 131 44] Hashmap_List_Type.C_Cons ([#"../hashmap.rs" 131 18 131 28] (([#"../hashmap.rs" 131 19 131 22] key), ([#"../hashmap.rs" 131 24 131 27] val'))) ([#"../hashmap.rs" 131 39 131 42] Hashmap_List_Type.C_Nil)) ; }; + [#"../hashmap.rs" 131 8 131 10] l <- { l with current = _50 ; }; + _50 <- any Hashmap_List_Type.t_list (k, v); assert { [@expl:type invariant] inv2 ( * l) }; assume { resolve9 ( * l) }; assert { [@expl:type invariant] inv3 l }; 
@@ -959,7 +995,8 @@ module Hashmap_Impl5_Get requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) predicate invariant9 (self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global)) = @@ -1112,7 +1149,7 @@ module Hashmap_Impl5_Get function shallow_model0 (self : Hashmap_MyHashMap_Type.t_myhashmap k v) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model5 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model5 self val shallow_model0 (self : Hashmap_MyHashMap_Type.t_myhashmap k v) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) ensures { result = shallow_model0 self } 
@@ -1127,12 +1164,14 @@ module Hashmap_Impl5_Get predicate good_bucket0 [#"../hashmap.rs" 200 4 200 57] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) (l : Hashmap_List_Type.t_list (k, v)) (h : int) = - [#"../hashmap.rs" 201 8 203 9] forall v : v . forall k : deep_model_ty0 . inv11 v -> inv12 k -> get0 l k = Core_Option_Option_Type.C_Some v -> bucket_ix0 self k = h + [#"../hashmap.rs" 201 8 203 9] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv12 k -> get0 l k = Core_Option_Option_Type.C_Some v -> bucket_ix0 self k = h val good_bucket0 [#"../hashmap.rs" 200 4 200 57] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) (l : Hashmap_List_Type.t_list (k, v)) (h : int) : bool ensures { result = good_bucket0 self l h } predicate hashmap_inv0 [#"../hashmap.rs" 209 4 209 33] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) = - [#"../hashmap.rs" 210 8 213 9] 0 < Seq.length (shallow_model4 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model4 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) -> good_bucket0 self (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i) i /\ no_double_binding0 (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i)) + [#"../hashmap.rs" 210 8 213 9] 0 < Seq.length (shallow_model4 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model4 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) + -> good_bucket0 self (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i) i /\ no_double_binding0 (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i)) val hashmap_inv0 [#"../hashmap.rs" 209 4 209 33] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) : bool ensures { result = hashmap_inv0 self } 
@@ -1149,7 +1188,7 @@ module Hashmap_Impl5_Get ensures { result = resolve3 self } function deep_model1 (self : k) : deep_model_ty0 = - [#"../../../../creusot-contracts/src/model.rs" 70 8 70 28] deep_model0 self + [#"../../../../creusot-contracts/src/model.rs" 74 8 74 28] deep_model0 self val deep_model1 (self : k) : deep_model_ty0 ensures { result = deep_model1 self } @@ -1182,7 +1221,7 @@ module Hashmap_Impl5_Get function shallow_model3 (self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (Hashmap_List_Type.t_list (k, v)) = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model4 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model4 self val shallow_model3 (self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (Hashmap_List_Type.t_list (k, v)) ensures { result = shallow_model3 self } @@ -1197,11 +1236,11 @@ module Hashmap_Impl5_Get val resolve0 (self : Hashmap_MyHashMap_Type.t_myhashmap k v) : bool ensures { result = resolve0 self } - use prelude.UInt64 val len0 (self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global)) : usize requires {inv7 self} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 75 26 75 48] UIntSize.to_int result = Seq.length (shallow_model3 self) } + use prelude.UInt64 use prelude.UInt64 val hash0 [#"../hashmap.rs" 51 4 51 26] (self : k) : uint64 requires {[#"../hashmap.rs" 51 13 51 17] inv2 self} @@ -1222,6 +1261,7 @@ module Hashmap_Impl5_Get var self : Hashmap_MyHashMap_Type.t_myhashmap k v = self; var key : k = key; var index : usize; + var _7 : usize; var _8 : uint64; var _10 : usize; var _12 : bool; 
@@ -1236,29 +1276,31 @@ module Hashmap_Impl5_Get goto BB0 } BB0 { - [#"../hashmap.rs" 142 27 142 37] _8 <- ([#"../hashmap.rs" 142 27 142 37] hash0 ([#"../hashmap.rs" 142 27 142 30] key)); + [#"../hashmap.rs" 142 27 142 37] _8 <- ([#"../hashmap.rs" 142 27 142 37] hash0 key); goto BB1 } BB1 { - [#"../hashmap.rs" 142 49 142 67] _10 <- ([#"../hashmap.rs" 142 49 142 67] len0 ([#"../hashmap.rs" 142 49 142 61] Hashmap_MyHashMap_Type.myhashmap_buckets self)); + [#"../hashmap.rs" 142 27 142 46] _7 <- UIntSize.of_int (UInt64.to_int _8); + _8 <- any uint64; + [#"../hashmap.rs" 142 49 142 67] _10 <- ([#"../hashmap.rs" 142 49 142 67] len0 (Hashmap_MyHashMap_Type.myhashmap_buckets self)); goto BB2 } BB2 { - [#"../hashmap.rs" 142 27 142 67] _12 <- ([#"../hashmap.rs" 142 27 142 67] _10 = ([#"../hashmap.rs" 142 27 142 67] [#"../hashmap.rs" 142 27 142 67] (0 : usize))); + [#"../hashmap.rs" 142 27 142 67] _12 <- _10 = ([#"../hashmap.rs" 142 27 142 67] (0 : usize)); assert { [@expl:remainder by zero] [#"../hashmap.rs" 142 27 142 67] not _12 }; goto BB3 } BB3 { - [#"../hashmap.rs" 142 27 142 67] index <- ([#"../hashmap.rs" 142 27 142 67] ([#"../hashmap.rs" 142 27 142 46] UIntSize.of_int (UInt64.to_int _8)) % _10); - _8 <- any uint64; + [#"../hashmap.rs" 142 27 142 67] index <- _7 % _10; + _7 <- any usize; _10 <- any usize; assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../hashmap.rs" 143 33 143 40] _14 <- ([#"../hashmap.rs" 143 33 143 40] index0 ([#"../hashmap.rs" 143 21 143 33] Hashmap_MyHashMap_Type.myhashmap_buckets self) ([#"../hashmap.rs" 143 34 143 39] index)); + [#"../hashmap.rs" 143 33 143 40] _14 <- ([#"../hashmap.rs" 143 33 143 40] index0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) index); goto BB4 } BB4 { - [#"../hashmap.rs" 143 20 143 40] l <- ([#"../hashmap.rs" 143 20 143 40] _14); + [#"../hashmap.rs" 143 20 143 40] l <- _14; assert { [@expl:type invariant] inv1 _14 }; assume { resolve1 _14 }; goto BB5 
@@ -1277,14 +1319,14 @@ module Hashmap_Impl5_Get goto BB8 } BB8 { - [#"../hashmap.rs" 146 30 146 31] k <- ([#"../hashmap.rs" 146 30 146 31] let (a, _) = Hashmap_List_Type.cons_0 l in a); - [#"../hashmap.rs" 146 33 146 34] v <- ([#"../hashmap.rs" 146 33 146 34] let (_, a) = Hashmap_List_Type.cons_0 l in a); - [#"../hashmap.rs" 146 37 146 39] tl <- ([#"../hashmap.rs" 146 37 146 39] Hashmap_List_Type.cons_1 l); + [#"../hashmap.rs" 146 30 146 31] k <- (let (a, _) = Hashmap_List_Type.cons_0 l in a); + [#"../hashmap.rs" 146 33 146 34] v <- (let (_, a) = Hashmap_List_Type.cons_0 l in a); + [#"../hashmap.rs" 146 37 146 39] tl <- Hashmap_List_Type.cons_1 l; assert { [@expl:type invariant] inv1 l }; assume { resolve1 l }; assert { [@expl:type invariant] inv2 k }; assume { resolve2 k }; - [#"../hashmap.rs" 147 15 147 24] _25 <- ([#"../hashmap.rs" 147 15 147 24] eq0 ([#"../hashmap.rs" 147 15 147 17] k) ([#"../hashmap.rs" 147 21 147 24] key)); + [#"../hashmap.rs" 147 15 147 24] _25 <- ([#"../hashmap.rs" 147 15 147 24] eq0 k key); goto BB9 } BB9 { @@ -1300,18 +1342,18 @@ module Hashmap_Impl5_Get assume { resolve5 key }; assert { [@expl:type invariant] inv3 v }; assume { resolve3 v }; - [#"../hashmap.rs" 148 23 148 30] _0 <- ([#"../hashmap.rs" 148 23 148 30] Core_Option_Option_Type.C_Some ([#"../hashmap.rs" 148 28 148 29] v)); + [#"../hashmap.rs" 148 23 148 30] _0 <- Core_Option_Option_Type.C_Some v; goto BB13 } BB11 { assert { [@expl:type invariant] inv3 v }; assume { resolve3 v }; - [#"../hashmap.rs" 150 16 150 21] _31 <- ([#"../hashmap.rs" 150 16 150 21] tl); + [#"../hashmap.rs" 150 16 150 21] _31 <- tl; assert { [@expl:type invariant] inv4 tl }; assume { resolve4 tl }; assert { [@expl:type invariant] inv1 _31 }; assume { resolve1 _31 }; - [#"../hashmap.rs" 150 12 150 21] l <- ([#"../hashmap.rs" 150 16 150 21] _31); + [#"../hashmap.rs" 150 12 150 21] l <- _31; goto BB5 } BB12 { 
@@ -1319,7 +1361,7 @@ module Hashmap_Impl5_Get assume { resolve1 l }; assert { [@expl:type invariant] inv5 key }; assume { resolve5 key }; - [#"../hashmap.rs" 152 15 152 19] _0 <- ([#"../hashmap.rs" 152 15 152 19] Core_Option_Option_Type.C_None); + [#"../hashmap.rs" 152 15 152 19] _0 <- Core_Option_Option_Type.C_None; goto BB13 } BB13 { @@ -1436,7 +1478,8 @@ module Hashmap_Impl5_Resize requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv11 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv11 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant4 (self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -1474,16 +1517,16 @@ module Hashmap_Impl5_Resize ensures { result = inv1 _x } axiom inv1 : forall x : deep_model_ty0 . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) - val invariant0 (self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) + val invariant0 (self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) - val inv0 (_x : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) + val inv0 (_x : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) . inv0 x = true use prelude.Mapping function deep_model0 (self : k) : deep_model_ty0 val deep_model0 (self : k) : deep_model_ty0 @@ -1542,7 +1585,7 @@ module Hashmap_Impl5_Resize function shallow_model4 (self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model2 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model2 ( * self) val shallow_model4 (self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) ensures { result = shallow_model4 self } 
@@ -1551,7 +1594,7 @@ module Hashmap_Impl5_Resize ensures { result = resolve4 self } predicate resolve7 (self : Hashmap_List_Type.t_list (k, v)) = - [#"../../../../creusot-contracts/src/resolve.rs" 36 8 36 31] resolve4 self + [#"../../../../creusot-contracts/src/resolve.rs" 34 8 34 31] resolve4 self val resolve7 (self : Hashmap_List_Type.t_list (k, v)) : bool ensures { result = resolve7 self } 
@@ -1567,12 +1610,14 @@ module Hashmap_Impl5_Resize predicate good_bucket0 [#"../hashmap.rs" 200 4 200 57] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) (l : Hashmap_List_Type.t_list (k, v)) (h : int) = - [#"../hashmap.rs" 201 8 203 9] forall v : v . forall k : deep_model_ty0 . inv8 v -> inv1 k -> get1 l k = Core_Option_Option_Type.C_Some v -> bucket_ix0 self k = h + [#"../hashmap.rs" 201 8 203 9] forall v : v . forall k : deep_model_ty0 . inv8 v + -> inv1 k -> get1 l k = Core_Option_Option_Type.C_Some v -> bucket_ix0 self k = h val good_bucket0 [#"../hashmap.rs" 200 4 200 57] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) (l : Hashmap_List_Type.t_list (k, v)) (h : int) : bool ensures { result = good_bucket0 self l h } predicate hashmap_inv0 [#"../hashmap.rs" 209 4 209 33] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) = - [#"../hashmap.rs" 210 8 213 9] 0 < Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) -> good_bucket0 self (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i) i /\ no_double_binding0 (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i)) + [#"../hashmap.rs" 210 8 213 9] 0 < Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) + -> good_bucket0 self (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i) i /\ no_double_binding0 (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i)) val hashmap_inv0 [#"../hashmap.rs" 209 4 209 33] (self : Hashmap_MyHashMap_Type.t_myhashmap k v) : bool ensures { result = hashmap_inv0 self } 
@@ -1582,7 +1627,8 @@ module Hashmap_Impl5_Resize requires {[#"../hashmap.rs" 106 26 106 29] inv7 key} requires {[#"../hashmap.rs" 106 34 106 37] inv8 val'} ensures { [#"../hashmap.rs" 104 14 104 35] hashmap_inv0 ( ^ self) } - ensures { [#"../hashmap.rs" 105 4 105 124] forall i : deep_model_ty0 . inv1 i -> Map.get (shallow_model2 ( ^ self)) i = (if i = deep_model0 key then + ensures { [#"../hashmap.rs" 105 4 105 124] forall i : deep_model_ty0 . inv1 i + -> Map.get (shallow_model2 ( ^ self)) i = (if i = deep_model0 key then Core_Option_Option_Type.C_Some val' else Map.get (shallow_model4 self) i @@ -1597,7 +1643,7 @@ module Hashmap_Impl5_Resize ensures { result = resolve5 self } predicate resolve3 (self : borrowed (Hashmap_List_Type.t_list (k, v))) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve3 (self : borrowed (Hashmap_List_Type.t_list (k, v))) : bool ensures { result = resolve3 self } @@ -1612,7 +1658,8 @@ module Hashmap_Impl5_Resize predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq (Hashmap_List_Type.t_list (k, v))) (fin : Seq.seq (Hashmap_List_Type.t_list (k, v))) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq (Hashmap_List_Type.t_list (k, v))) (fin : Seq.seq (Hashmap_List_Type.t_list (k, v))) : bool ensures { result = resolve_elswhere0 self old' fin } 
@@ -1631,7 +1678,7 @@ module Hashmap_Impl5_Resize function shallow_model7 (self : borrowed (Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global))) : Seq.seq (Hashmap_List_Type.t_list (k, v)) = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model3 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model3 ( * self) val shallow_model7 (self : borrowed (Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global))) : Seq.seq (Hashmap_List_Type.t_list (k, v)) ensures { result = shallow_model7 self } @@ -1646,7 +1693,7 @@ module Hashmap_Impl5_Resize ensures { inv6 result } predicate resolve2 (self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) : bool ensures { result = resolve2 self } 
@@ -1654,32 +1701,33 @@ module Hashmap_Impl5_Resize val resolve1 (self : Hashmap_MyHashMap_Type.t_myhashmap k v) : bool ensures { result = resolve1 self } - use prelude.Ghost + use prelude.Snapshot function shallow_model6 (self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model4 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model4 self val shallow_model6 (self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) ensures { result = shallow_model6 self } - use prelude.Ghost - function shallow_model1 (self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) + use prelude.Snapshot + function shallow_model1 (self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) = - [#"../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model6 (Ghost.inner self) - val shallow_model1 (self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) + [#"../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model6 (Snapshot.inner self) + val shallow_model1 (self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) ensures { result = shallow_model1 self } val new1 [#"../hashmap.rs" 98 4 98 46] (size : usize) : Hashmap_MyHashMap_Type.t_myhashmap k v requires {[#"../hashmap.rs" 95 15 95 24] 0 < UIntSize.to_int size} ensures { [#"../hashmap.rs" 96 14 96 34] hashmap_inv0 result } - ensures { [#"../hashmap.rs" 97 4 97 64] forall i : deep_model_ty0 . 
inv1 i -> Map.get (shallow_model2 result) i = Core_Option_Option_Type.C_None } + ensures { [#"../hashmap.rs" 97 4 97 64] forall i : deep_model_ty0 . inv1 i + -> Map.get (shallow_model2 result) i = Core_Option_Option_Type.C_None } ensures { [#"../hashmap.rs" 98 31 98 46] inv2 result } function shallow_model5 (self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (Hashmap_List_Type.t_list (k, v)) = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model3 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model3 self val shallow_model5 (self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (Hashmap_List_Type.t_list (k, v)) ensures { result = shallow_model5 self } 
@@ -1687,32 +1735,36 @@ module Hashmap_Impl5_Resize requires {inv10 self} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 75 26 75 48] UIntSize.to_int result = Seq.length (shallow_model5 self) } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) - val resolve0 (self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) + val resolve0 (self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg resize [#"../hashmap.rs" 161 4 161 24] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)) : () requires {[#"../hashmap.rs" 156 15 156 41] Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * self))) < 1000} requires {[#"../hashmap.rs" 157 15 157 36] hashmap_inv0 ( * self)} requires {[#"../hashmap.rs" 161 19 161 23] inv3 self} ensures { [#"../hashmap.rs" 158 14 158 35] hashmap_inv0 ( ^ self) } - ensures { [#"../hashmap.rs" 159 4 159 74] forall k : deep_model_ty0 . inv1 k -> Map.get (shallow_model2 ( ^ self)) k = Map.get (shallow_model4 self) k } + ensures { [#"../hashmap.rs" 159 4 159 74] forall k : deep_model_ty0 . 
inv1 k + -> Map.get (shallow_model2 ( ^ self)) k = Map.get (shallow_model4 self) k } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v) = self; - var old_self : Ghost.ghost_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)); + var old_self : Snapshot.snap_ty (borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v)); var new : Hashmap_MyHashMap_Type.t_myhashmap k v; + var _9 : usize; var _10 : usize; var i : usize; var _21 : (); + var _22 : bool; var _24 : usize; var l : Hashmap_List_Type.t_list (k, v); var _27 : borrowed (Hashmap_List_Type.t_list (k, v)); var _28 : borrowed (Hashmap_List_Type.t_list (k, v)); var _29 : borrowed (Hashmap_List_Type.t_list (k, v)); var _30 : borrowed (Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global)); + var _32 : Hashmap_List_Type.t_list (k, v); var k : k; var v : v; var tl : Hashmap_List_Type.t_list (k, v); 
@@ -1722,22 +1774,24 @@ module Hashmap_Impl5_Resize goto BB0 } BB0 { - [#"../hashmap.rs" 162 23 162 35] old_self <- ([#"../hashmap.rs" 162 23 162 35] Ghost.new self); + [#"../hashmap.rs" 162 23 162 41] old_self <- ([#"../hashmap.rs" 162 23 162 41] Snapshot.new self); goto BB1 } BB1 { assert { [@expl:type invariant] inv0 old_self }; assume { resolve0 old_self }; - [#"../hashmap.rs" 163 32 163 50] _10 <- ([#"../hashmap.rs" 163 32 163 50] len0 ([#"../hashmap.rs" 163 32 163 44] Hashmap_MyHashMap_Type.myhashmap_buckets ( * self))); + [#"../hashmap.rs" 163 32 163 50] _10 <- ([#"../hashmap.rs" 163 32 163 50] len0 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * self))); goto BB2 } BB2 { - [#"../hashmap.rs" 163 22 163 55] new <- ([#"../hashmap.rs" 163 22 163 55] new1 ([#"../hashmap.rs" 163 32 163 54] _10 * ([#"../hashmap.rs" 163 53 163 54] [#"../hashmap.rs" 163 53 163 54] (2 : usize)))); + [#"../hashmap.rs" 163 32 163 54] _9 <- _10 * ([#"../hashmap.rs" 163 53 163 54] (2 : usize)); _10 <- any usize; + [#"../hashmap.rs" 163 22 163 55] new <- ([#"../hashmap.rs" 163 22 163 55] new1 _9); + _9 <- any usize; goto BB3 } BB3 { - [#"../hashmap.rs" 165 27 165 28] i <- ([#"../hashmap.rs" 165 27 165 28] [#"../hashmap.rs" 165 27 165 28] (0 : usize)); + [#"../hashmap.rs" 165 27 165 28] i <- ([#"../hashmap.rs" 165 27 165 28] (0 : usize)); goto BB4 } BB4 { 
@@ -1747,21 +1801,28 @@ module Hashmap_Impl5_Resize goto BB6 } BB6 { - invariant { [#"../hashmap.rs" 166 8 166 111] forall k : deep_model_ty0 . inv1 k -> bucket_ix0 ( * Ghost.inner old_self) k < UIntSize.to_int i -> Map.get (shallow_model1 old_self) k = Map.get (shallow_model2 new) k }; - invariant { [#"../hashmap.rs" 166 8 166 111] forall k : deep_model_ty0 . inv1 k -> UIntSize.to_int i <= bucket_ix0 ( * Ghost.inner old_self) k /\ bucket_ix0 ( * Ghost.inner old_self) k <= Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Ghost.inner old_self))) -> Map.get (shallow_model2 new) k = Core_Option_Option_Type.C_None }; - invariant { [#"../hashmap.rs" 166 8 166 111] forall j : int . UIntSize.to_int i <= j /\ j < Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Ghost.inner old_self))) -> index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * self)) j = index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Ghost.inner old_self)) j }; + invariant { [#"../hashmap.rs" 166 8 166 111] forall k : deep_model_ty0 . inv1 k + -> bucket_ix0 ( * Snapshot.inner old_self) k < UIntSize.to_int i + -> Map.get (shallow_model1 old_self) k = Map.get (shallow_model2 new) k }; + invariant { [#"../hashmap.rs" 166 8 166 111] forall k : deep_model_ty0 . inv1 k + -> UIntSize.to_int i <= bucket_ix0 ( * Snapshot.inner old_self) k /\ bucket_ix0 ( * Snapshot.inner old_self) k <= Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Snapshot.inner old_self))) + -> Map.get (shallow_model2 new) k = Core_Option_Option_Type.C_None }; + invariant { [#"../hashmap.rs" 166 8 166 111] forall j : int . 
UIntSize.to_int i <= j /\ j < Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Snapshot.inner old_self))) + -> index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * self)) j = index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Snapshot.inner old_self)) j }; invariant { [#"../hashmap.rs" 172 20 172 37] hashmap_inv0 new }; - invariant { [#"../hashmap.rs" 173 20 173 46] ^ Ghost.inner old_self = ^ self }; - invariant { [#"../hashmap.rs" 174 20 174 66] Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Ghost.inner old_self))) = Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * self))) }; + invariant { [#"../hashmap.rs" 173 20 173 46] ^ Snapshot.inner old_self = ^ self }; + invariant { [#"../hashmap.rs" 174 20 174 66] Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Snapshot.inner old_self))) = Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * self))) }; invariant { [#"../hashmap.rs" 175 20 175 45] UIntSize.to_int i <= Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * self))) }; goto BB7 } BB7 { - [#"../hashmap.rs" 176 18 176 36] _24 <- ([#"../hashmap.rs" 176 18 176 36] len0 ([#"../hashmap.rs" 176 18 176 30] Hashmap_MyHashMap_Type.myhashmap_buckets ( * self))); + [#"../hashmap.rs" 176 18 176 36] _24 <- ([#"../hashmap.rs" 176 18 176 36] len0 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * self))); goto BB8 } BB8 { - switch ([#"../hashmap.rs" 176 14 176 36] ([#"../hashmap.rs" 176 14 176 15] i) < _24) + [#"../hashmap.rs" 176 14 176 36] _22 <- i < _24; + _24 <- any usize; + switch (_22) | False -> goto BB29 | True -> goto BB9 end 
@@ -1770,7 +1831,7 @@ module Hashmap_Impl5_Resize [#"../hashmap.rs" 177 56 177 68] _30 <- Borrow.borrow_mut (Hashmap_MyHashMap_Type.myhashmap_buckets ( * self)); [#"../hashmap.rs" 177 56 177 68] self <- { self with current = (let Hashmap_MyHashMap_Type.C_MyHashMap x0 = * self in Hashmap_MyHashMap_Type.C_MyHashMap ( ^ _30)) ; }; assume { inv4 ( ^ _30) }; - [#"../hashmap.rs" 177 68 177 71] _29 <- ([#"../hashmap.rs" 177 68 177 71] index_mut0 _30 ([#"../hashmap.rs" 177 69 177 70] i)); + [#"../hashmap.rs" 177 68 177 71] _29 <- ([#"../hashmap.rs" 177 68 177 71] index_mut0 _30 i); _30 <- any borrowed (Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (k, v)) (Alloc_Alloc_Global_Type.t_global)); goto BB10 } @@ -1781,8 +1842,10 @@ module Hashmap_Impl5_Resize [#"../hashmap.rs" 177 51 177 71] _27 <- Borrow.borrow_final ( * _28) (Borrow.get_id _28); [#"../hashmap.rs" 177 51 177 71] _28 <- { _28 with current = ( ^ _27) ; }; assume { inv5 ( ^ _27) }; - [#"../hashmap.rs" 177 33 177 83] l <- ([#"../hashmap.rs" 177 33 177 83] replace0 _27 ([#"../hashmap.rs" 177 73 177 82] Hashmap_List_Type.C_Nil)); + [#"../hashmap.rs" 177 73 177 82] _32 <- Hashmap_List_Type.C_Nil; + [#"../hashmap.rs" 177 33 177 83] l <- ([#"../hashmap.rs" 177 33 177 83] replace0 _27 _32); _27 <- any borrowed (Hashmap_List_Type.t_list (k, v)); + _32 <- any Hashmap_List_Type.t_list (k, v); goto BB11 } BB11 { 
@@ -1809,14 +1872,20 @@ module Hashmap_Impl5_Resize } BB17 { invariant { [#"../hashmap.rs" 179 24 179 41] hashmap_inv0 new }; - invariant { [#"../hashmap.rs" 179 12 179 43] forall k : deep_model_ty0 . inv1 k -> bucket_ix0 ( * Ghost.inner old_self) k < UIntSize.to_int i -> Map.get (shallow_model1 old_self) k = Map.get (shallow_model2 new) k }; - invariant { [#"../hashmap.rs" 179 12 179 43] forall k : deep_model_ty0 . inv1 k -> UIntSize.to_int i < bucket_ix0 ( * Ghost.inner old_self) k /\ bucket_ix0 ( * Ghost.inner old_self) k <= Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Ghost.inner old_self))) -> Map.get (shallow_model2 new) k = Core_Option_Option_Type.C_None }; - invariant { [#"../hashmap.rs" 179 12 179 43] forall k : deep_model_ty0 . inv1 k -> bucket_ix0 ( * Ghost.inner old_self) k = UIntSize.to_int i -> Map.get (shallow_model1 old_self) k = match get1 l k with + invariant { [#"../hashmap.rs" 179 12 179 43] forall k : deep_model_ty0 . inv1 k + -> bucket_ix0 ( * Snapshot.inner old_self) k < UIntSize.to_int i + -> Map.get (shallow_model1 old_self) k = Map.get (shallow_model2 new) k }; + invariant { [#"../hashmap.rs" 179 12 179 43] forall k : deep_model_ty0 . inv1 k + -> UIntSize.to_int i < bucket_ix0 ( * Snapshot.inner old_self) k /\ bucket_ix0 ( * Snapshot.inner old_self) k <= Seq.length (shallow_model3 (Hashmap_MyHashMap_Type.myhashmap_buckets ( * Snapshot.inner old_self))) + -> Map.get (shallow_model2 new) k = Core_Option_Option_Type.C_None }; + invariant { [#"../hashmap.rs" 179 12 179 43] forall k : deep_model_ty0 . 
inv1 k + -> bucket_ix0 ( * Snapshot.inner old_self) k = UIntSize.to_int i + -> Map.get (shallow_model1 old_self) k = match get1 l k with | Core_Option_Option_Type.C_None -> Map.get (shallow_model2 new) k | Core_Option_Option_Type.C_Some v -> Core_Option_Option_Type.C_Some v end }; invariant { [#"../hashmap.rs" 186 24 186 45] no_double_binding0 l }; - invariant { [#"../hashmap.rs" 187 24 187 51] good_bucket0 ( * Ghost.inner old_self) l (UIntSize.to_int i) }; + invariant { [#"../hashmap.rs" 187 24 187 51] good_bucket0 ( * Snapshot.inner old_self) l (UIntSize.to_int i) }; goto BB18 } BB18 { @@ -1829,10 +1898,10 @@ module Hashmap_Impl5_Resize goto BB20 } BB20 { - [#"../hashmap.rs" 188 34 188 35] k <- ([#"../hashmap.rs" 188 34 188 35] let (a, _) = Hashmap_List_Type.cons_0 l in a); - [#"../hashmap.rs" 188 37 188 38] v <- ([#"../hashmap.rs" 188 37 188 38] let (_, a) = Hashmap_List_Type.cons_0 l in a); - [#"../hashmap.rs" 188 41 188 43] tl <- ([#"../hashmap.rs" 188 41 188 43] Hashmap_List_Type.cons_1 l); - [#"../hashmap.rs" 188 41 188 43] l <- (let Hashmap_List_Type.C_Cons x0 x1 = l in Hashmap_List_Type.C_Cons x0 (any Hashmap_List_Type.t_list (k, v))); + [#"../hashmap.rs" 188 34 188 35] k <- (let (a, _) = Hashmap_List_Type.cons_0 l in a); + [#"../hashmap.rs" 188 37 188 38] v <- (let (_, a) = Hashmap_List_Type.cons_0 l in a); + [#"../hashmap.rs" 188 41 188 43] tl <- Hashmap_List_Type.cons_1 l; + l <- (let Hashmap_List_Type.C_Cons x0 x1 = l in Hashmap_List_Type.C_Cons x0 (any Hashmap_List_Type.t_list (k, v))); assert { [@expl:type invariant] inv5 l }; assume { resolve4 l }; [#"../hashmap.rs" 189 16 189 19] _45 <- Borrow.borrow_mut new; 
@@ -1842,7 +1911,7 @@ module Hashmap_Impl5_Resize assume { resolve5 k }; assert { [@expl:type invariant] inv8 v }; assume { resolve6 v }; - [#"../hashmap.rs" 189 16 189 29] _44 <- ([#"../hashmap.rs" 189 16 189 29] add0 _45 ([#"../hashmap.rs" 189 24 189 25] k) ([#"../hashmap.rs" 189 27 189 28] v)); + [#"../hashmap.rs" 189 16 189 29] _44 <- ([#"../hashmap.rs" 189 16 189 29] add0 _45 k v); _45 <- any borrowed (Hashmap_MyHashMap_Type.t_myhashmap k v); goto BB21 } @@ -1852,8 +1921,8 @@ module Hashmap_Impl5_Resize goto BB22 } BB22 { - [#"../hashmap.rs" 190 16 190 17] l <- ([#"../hashmap.rs" 190 20 190 23] tl); - [#"../hashmap.rs" 190 20 190 23] tl <- any Hashmap_List_Type.t_list (k, v); + [#"../hashmap.rs" 190 16 190 17] l <- tl; + tl <- any Hashmap_List_Type.t_list (k, v); goto BB24 } BB24 { @@ -1863,14 +1932,16 @@ module Hashmap_Impl5_Resize BB25 { assert { [@expl:type invariant] inv5 l }; assume { resolve4 l }; - assert { [@expl:assertion] [#"../hashmap.rs" 192 12 192 121] forall k : deep_model_ty0 . inv1 k -> bucket_ix0 ( * Ghost.inner old_self) k = UIntSize.to_int i -> Map.get (shallow_model1 old_self) k = Map.get (shallow_model2 new) k }; + assert { [@expl:assertion] [#"../hashmap.rs" 192 12 192 121] forall k : deep_model_ty0 . inv1 k + -> bucket_ix0 ( * Snapshot.inner old_self) k = UIntSize.to_int i + -> Map.get (shallow_model1 old_self) k = Map.get (shallow_model2 new) k }; goto BB27 } BB26 { goto BB17 } BB27 { - [#"../hashmap.rs" 193 12 193 18] i <- ([#"../hashmap.rs" 193 12 193 18] i + ([#"../hashmap.rs" 193 17 193 18] [#"../hashmap.rs" 193 17 193 18] (1 : usize))); + [#"../hashmap.rs" 193 12 193 18] i <- i + ([#"../hashmap.rs" 193 17 193 18] (1 : usize)); [#"../hashmap.rs" 176 37 194 9] _21 <- ([#"../hashmap.rs" 176 37 194 9] ()); goto BB28 } 
@@ -1881,8 +1952,8 @@ module Hashmap_Impl5_Resize goto BB30 } BB30 { - [#"../hashmap.rs" 196 8 196 13] self <- { self with current = ([#"../hashmap.rs" 196 16 196 19] new) ; }; - [#"../hashmap.rs" 196 16 196 19] new <- any Hashmap_MyHashMap_Type.t_myhashmap k v; + [#"../hashmap.rs" 196 8 196 13] self <- { self with current = new ; }; + new <- any Hashmap_MyHashMap_Type.t_myhashmap k v; assert { [@expl:type invariant] inv2 ( * self) }; assume { resolve1 ( * self) }; assert { [@expl:type invariant] inv3 self }; @@ -1931,7 +2002,8 @@ module Hashmap_Main requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (usize, isize)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (usize, isize)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) predicate invariant7 (self : Alloc_Vec_Vec_Type.t_vec (Hashmap_List_Type.t_list (usize, isize)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -2073,7 +2145,7 @@ module Hashmap_Main function shallow_model3 (self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap usize isize)) : Map.map int (Core_Option_Option_Type.t_option isize) = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model1 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model1 ( * self) val shallow_model3 (self : borrowed (Hashmap_MyHashMap_Type.t_myhashmap usize isize)) : Map.map int (Core_Option_Option_Type.t_option isize) ensures { result = shallow_model3 self } 
@@ -2089,12 +2161,14 @@ module Hashmap_Main predicate good_bucket0 [#"../hashmap.rs" 200 4 200 57] (self : Hashmap_MyHashMap_Type.t_myhashmap usize isize) (l : Hashmap_List_Type.t_list (usize, isize)) (h : int) = - [#"../hashmap.rs" 201 8 203 9] forall v : isize . forall k : int . inv6 v -> inv0 k -> get2 l k = Core_Option_Option_Type.C_Some v -> bucket_ix0 self k = h + [#"../hashmap.rs" 201 8 203 9] forall v : isize . forall k : int . inv6 v + -> inv0 k -> get2 l k = Core_Option_Option_Type.C_Some v -> bucket_ix0 self k = h val good_bucket0 [#"../hashmap.rs" 200 4 200 57] (self : Hashmap_MyHashMap_Type.t_myhashmap usize isize) (l : Hashmap_List_Type.t_list (usize, isize)) (h : int) : bool ensures { result = good_bucket0 self l h } predicate hashmap_inv0 [#"../hashmap.rs" 209 4 209 33] (self : Hashmap_MyHashMap_Type.t_myhashmap usize isize) = - [#"../hashmap.rs" 210 8 213 9] 0 < Seq.length (shallow_model4 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model4 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) -> good_bucket0 self (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i) i /\ no_double_binding0 (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i)) + [#"../hashmap.rs" 210 8 213 9] 0 < Seq.length (shallow_model4 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model4 (Hashmap_MyHashMap_Type.myhashmap_buckets self)) + -> good_bucket0 self (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i) i /\ no_double_binding0 (index_logic0 (Hashmap_MyHashMap_Type.myhashmap_buckets self) i)) val hashmap_inv0 [#"../hashmap.rs" 209 4 209 33] (self : Hashmap_MyHashMap_Type.t_myhashmap usize isize) : bool ensures { result = hashmap_inv0 self } 
@@ -2104,7 +2178,8 @@ module Hashmap_Main requires {[#"../hashmap.rs" 106 26 106 29] inv3 key} requires {[#"../hashmap.rs" 106 34 106 37] inv6 val'} ensures { [#"../hashmap.rs" 104 14 104 35] hashmap_inv0 ( ^ self) } - ensures { [#"../hashmap.rs" 105 4 105 124] forall i : int . inv0 i -> Map.get (shallow_model1 ( ^ self)) i = (if i = deep_model0 key then + ensures { [#"../hashmap.rs" 105 4 105 124] forall i : int . inv0 i + -> Map.get (shallow_model1 ( ^ self)) i = (if i = deep_model0 key then Core_Option_Option_Type.C_Some val' else Map.get (shallow_model3 self) i @@ -2113,7 +2188,7 @@ module Hashmap_Main function shallow_model2 (self : Hashmap_MyHashMap_Type.t_myhashmap usize isize) : Map.map int (Core_Option_Option_Type.t_option isize) = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model1 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model1 self val shallow_model2 (self : Hashmap_MyHashMap_Type.t_myhashmap usize isize) : Map.map int (Core_Option_Option_Type.t_option isize) ensures { result = shallow_model2 self } @@ -2130,7 +2205,8 @@ module Hashmap_Main val new0 [#"../hashmap.rs" 98 4 98 46] (size : usize) : Hashmap_MyHashMap_Type.t_myhashmap usize isize requires {[#"../hashmap.rs" 95 15 95 24] 0 < UIntSize.to_int size} ensures { [#"../hashmap.rs" 96 14 96 34] hashmap_inv0 result } - ensures { [#"../hashmap.rs" 97 4 97 64] forall i : int . inv0 i -> Map.get (shallow_model1 result) i = Core_Option_Option_Type.C_None } + ensures { [#"../hashmap.rs" 97 4 97 64] forall i : int . inv0 i + -> Map.get (shallow_model1 result) i = Core_Option_Option_Type.C_None } ensures { [#"../hashmap.rs" 98 31 98 46] inv1 result } let rec cfg main [#"../hashmap.rs" 217 0 217 13] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () 
@@ -2158,92 +2234,92 @@ module Hashmap_Main goto BB0 } BB0 { - [#"../hashmap.rs" 224 42 224 60] h1 <- ([#"../hashmap.rs" 224 42 224 60] new0 ([#"../hashmap.rs" 224 57 224 59] [#"../hashmap.rs" 224 57 224 59] (17 : usize))); + [#"../hashmap.rs" 224 42 224 60] h1 <- ([#"../hashmap.rs" 224 42 224 60] new0 ([#"../hashmap.rs" 224 57 224 59] (17 : usize))); goto BB1 } BB1 { - [#"../hashmap.rs" 225 42 225 60] h2 <- ([#"../hashmap.rs" 225 42 225 60] new0 ([#"../hashmap.rs" 225 57 225 59] [#"../hashmap.rs" 225 57 225 59] (42 : usize))); + [#"../hashmap.rs" 225 42 225 60] h2 <- ([#"../hashmap.rs" 225 42 225 60] new0 ([#"../hashmap.rs" 225 57 225 59] (42 : usize))); goto BB2 } BB2 { - [#"../hashmap.rs" 226 17 226 26] _x <- ([#"../hashmap.rs" 226 17 226 26] get0 ([#"../hashmap.rs" 226 17 226 19] h1) ([#"../hashmap.rs" 226 24 226 25] [#"../hashmap.rs" 226 24 226 25] (1 : usize))); + [#"../hashmap.rs" 226 17 226 26] _x <- ([#"../hashmap.rs" 226 17 226 26] get0 h1 ([#"../hashmap.rs" 226 24 226 25] (1 : usize))); goto BB3 } BB3 { - [#"../hashmap.rs" 227 17 227 26] _y <- ([#"../hashmap.rs" 227 17 227 26] get0 ([#"../hashmap.rs" 227 17 227 19] h1) ([#"../hashmap.rs" 227 24 227 25] [#"../hashmap.rs" 227 24 227 25] (2 : usize))); + [#"../hashmap.rs" 227 17 227 26] _y <- ([#"../hashmap.rs" 227 17 227 26] get0 h1 ([#"../hashmap.rs" 227 24 227 25] (2 : usize))); goto BB4 } BB4 { - [#"../hashmap.rs" 228 17 228 26] _z <- ([#"../hashmap.rs" 228 17 228 26] get0 ([#"../hashmap.rs" 228 17 228 19] h2) ([#"../hashmap.rs" 228 24 228 25] [#"../hashmap.rs" 228 24 228 25] (1 : usize))); + [#"../hashmap.rs" 228 17 228 26] _z <- ([#"../hashmap.rs" 228 17 228 26] get0 h2 ([#"../hashmap.rs" 228 24 228 25] (1 : usize))); goto BB5 } BB5 { - [#"../hashmap.rs" 229 17 229 26] _t <- ([#"../hashmap.rs" 229 17 229 26] get0 ([#"../hashmap.rs" 229 17 229 19] h2) ([#"../hashmap.rs" 229 24 229 25] [#"../hashmap.rs" 229 24 229 25] (2 : usize))); + [#"../hashmap.rs" 229 17 229 26] _t <- ([#"../hashmap.rs" 229 17 229 
26] get0 h2 ([#"../hashmap.rs" 229 24 229 25] (2 : usize))); goto BB6 } BB6 { [#"../hashmap.rs" 233 4 233 6] _12 <- Borrow.borrow_mut h1; [#"../hashmap.rs" 233 4 233 6] h1 <- ^ _12; - [#"../hashmap.rs" 233 4 233 17] _11 <- ([#"../hashmap.rs" 233 4 233 17] add0 _12 ([#"../hashmap.rs" 233 11 233 12] [#"../hashmap.rs" 233 11 233 12] (1 : usize)) ([#"../hashmap.rs" 233 14 233 16] [#"../hashmap.rs" 233 14 233 16] (17 : isize))); + [#"../hashmap.rs" 233 4 233 17] _11 <- ([#"../hashmap.rs" 233 4 233 17] add0 _12 ([#"../hashmap.rs" 233 11 233 12] (1 : usize)) ([#"../hashmap.rs" 233 14 233 16] (17 : isize))); _12 <- any borrowed (Hashmap_MyHashMap_Type.t_myhashmap usize isize); goto BB7 } BB7 { - [#"../hashmap.rs" 234 9 234 18] _13 <- ([#"../hashmap.rs" 234 9 234 18] get0 ([#"../hashmap.rs" 234 9 234 11] h1) ([#"../hashmap.rs" 234 16 234 17] [#"../hashmap.rs" 234 16 234 17] (1 : usize))); + [#"../hashmap.rs" 234 9 234 18] _13 <- ([#"../hashmap.rs" 234 9 234 18] get0 h1 ([#"../hashmap.rs" 234 16 234 17] (1 : usize))); goto BB8 } BB8 { - [#"../hashmap.rs" 234 4 234 18] _x <- ([#"../hashmap.rs" 234 4 234 18] _13); - [#"../hashmap.rs" 234 4 234 18] _13 <- any Core_Option_Option_Type.t_option isize; - [#"../hashmap.rs" 235 9 235 18] _15 <- ([#"../hashmap.rs" 235 9 235 18] get0 ([#"../hashmap.rs" 235 9 235 11] h1) ([#"../hashmap.rs" 235 16 235 17] [#"../hashmap.rs" 235 16 235 17] (2 : usize))); + [#"../hashmap.rs" 234 4 234 18] _x <- _13; + _13 <- any Core_Option_Option_Type.t_option isize; + [#"../hashmap.rs" 235 9 235 18] _15 <- ([#"../hashmap.rs" 235 9 235 18] get0 h1 ([#"../hashmap.rs" 235 16 235 17] (2 : usize))); goto BB9 } BB9 { - [#"../hashmap.rs" 235 4 235 18] _y <- ([#"../hashmap.rs" 235 4 235 18] _15); - [#"../hashmap.rs" 235 4 235 18] _15 <- any Core_Option_Option_Type.t_option isize; - [#"../hashmap.rs" 236 9 236 18] _17 <- ([#"../hashmap.rs" 236 9 236 18] get0 ([#"../hashmap.rs" 236 9 236 11] h2) ([#"../hashmap.rs" 236 16 236 17] [#"../hashmap.rs" 236 16 236 17] (1 
: usize))); + [#"../hashmap.rs" 235 4 235 18] _y <- _15; + _15 <- any Core_Option_Option_Type.t_option isize; + [#"../hashmap.rs" 236 9 236 18] _17 <- ([#"../hashmap.rs" 236 9 236 18] get0 h2 ([#"../hashmap.rs" 236 16 236 17] (1 : usize))); goto BB10 } BB10 { - [#"../hashmap.rs" 236 4 236 18] _z <- ([#"../hashmap.rs" 236 4 236 18] _17); - [#"../hashmap.rs" 236 4 236 18] _17 <- any Core_Option_Option_Type.t_option isize; - [#"../hashmap.rs" 237 9 237 18] _19 <- ([#"../hashmap.rs" 237 9 237 18] get0 ([#"../hashmap.rs" 237 9 237 11] h2) ([#"../hashmap.rs" 237 16 237 17] [#"../hashmap.rs" 237 16 237 17] (2 : usize))); + [#"../hashmap.rs" 236 4 236 18] _z <- _17; + _17 <- any Core_Option_Option_Type.t_option isize; + [#"../hashmap.rs" 237 9 237 18] _19 <- ([#"../hashmap.rs" 237 9 237 18] get0 h2 ([#"../hashmap.rs" 237 16 237 17] (2 : usize))); goto BB11 } BB11 { - [#"../hashmap.rs" 237 4 237 18] _t <- ([#"../hashmap.rs" 237 4 237 18] _19); - [#"../hashmap.rs" 237 4 237 18] _19 <- any Core_Option_Option_Type.t_option isize; + [#"../hashmap.rs" 237 4 237 18] _t <- _19; + _19 <- any Core_Option_Option_Type.t_option isize; [#"../hashmap.rs" 240 4 240 6] _22 <- Borrow.borrow_mut h2; [#"../hashmap.rs" 240 4 240 6] h2 <- ^ _22; - [#"../hashmap.rs" 240 4 240 17] _21 <- ([#"../hashmap.rs" 240 4 240 17] add0 _22 ([#"../hashmap.rs" 240 11 240 12] [#"../hashmap.rs" 240 11 240 12] (1 : usize)) ([#"../hashmap.rs" 240 14 240 16] [#"../hashmap.rs" 240 14 240 16] (42 : isize))); + [#"../hashmap.rs" 240 4 240 17] _21 <- ([#"../hashmap.rs" 240 4 240 17] add0 _22 ([#"../hashmap.rs" 240 11 240 12] (1 : usize)) ([#"../hashmap.rs" 240 14 240 16] (42 : isize))); _22 <- any borrowed (Hashmap_MyHashMap_Type.t_myhashmap usize isize); goto BB12 } BB12 { - [#"../hashmap.rs" 241 9 241 18] _23 <- ([#"../hashmap.rs" 241 9 241 18] get0 ([#"../hashmap.rs" 241 9 241 11] h1) ([#"../hashmap.rs" 241 16 241 17] [#"../hashmap.rs" 241 16 241 17] (1 : usize))); + [#"../hashmap.rs" 241 9 241 18] _23 <- 
([#"../hashmap.rs" 241 9 241 18] get0 h1 ([#"../hashmap.rs" 241 16 241 17] (1 : usize))); goto BB13 } BB13 { - [#"../hashmap.rs" 241 4 241 18] _x <- ([#"../hashmap.rs" 241 4 241 18] _23); - [#"../hashmap.rs" 241 4 241 18] _23 <- any Core_Option_Option_Type.t_option isize; - [#"../hashmap.rs" 242 9 242 18] _25 <- ([#"../hashmap.rs" 242 9 242 18] get0 ([#"../hashmap.rs" 242 9 242 11] h1) ([#"../hashmap.rs" 242 16 242 17] [#"../hashmap.rs" 242 16 242 17] (2 : usize))); + [#"../hashmap.rs" 241 4 241 18] _x <- _23; + _23 <- any Core_Option_Option_Type.t_option isize; + [#"../hashmap.rs" 242 9 242 18] _25 <- ([#"../hashmap.rs" 242 9 242 18] get0 h1 ([#"../hashmap.rs" 242 16 242 17] (2 : usize))); goto BB14 } BB14 { - [#"../hashmap.rs" 242 4 242 18] _y <- ([#"../hashmap.rs" 242 4 242 18] _25); - [#"../hashmap.rs" 242 4 242 18] _25 <- any Core_Option_Option_Type.t_option isize; - [#"../hashmap.rs" 243 9 243 18] _27 <- ([#"../hashmap.rs" 243 9 243 18] get0 ([#"../hashmap.rs" 243 9 243 11] h2) ([#"../hashmap.rs" 243 16 243 17] [#"../hashmap.rs" 243 16 243 17] (1 : usize))); + [#"../hashmap.rs" 242 4 242 18] _y <- _25; + _25 <- any Core_Option_Option_Type.t_option isize; + [#"../hashmap.rs" 243 9 243 18] _27 <- ([#"../hashmap.rs" 243 9 243 18] get0 h2 ([#"../hashmap.rs" 243 16 243 17] (1 : usize))); goto BB15 } BB15 { - [#"../hashmap.rs" 243 4 243 18] _z <- ([#"../hashmap.rs" 243 4 243 18] _27); - [#"../hashmap.rs" 243 4 243 18] _27 <- any Core_Option_Option_Type.t_option isize; - [#"../hashmap.rs" 244 9 244 18] _29 <- ([#"../hashmap.rs" 244 9 244 18] get0 ([#"../hashmap.rs" 244 9 244 11] h2) ([#"../hashmap.rs" 244 16 244 17] [#"../hashmap.rs" 244 16 244 17] (2 : usize))); + [#"../hashmap.rs" 243 4 243 18] _z <- _27; + _27 <- any Core_Option_Option_Type.t_option isize; + [#"../hashmap.rs" 244 9 244 18] _29 <- ([#"../hashmap.rs" 244 9 244 18] get0 h2 ([#"../hashmap.rs" 244 16 244 17] (2 : usize))); goto BB16 } BB16 { - [#"../hashmap.rs" 244 4 244 18] _t <- ([#"../hashmap.rs" 
244 4 244 18] _29); - [#"../hashmap.rs" 244 4 244 18] _29 <- any Core_Option_Option_Type.t_option isize; + [#"../hashmap.rs" 244 4 244 18] _t <- _29; + _29 <- any Core_Option_Option_Type.t_option isize; [#"../hashmap.rs" 217 14 247 1] _0 <- ([#"../hashmap.rs" 217 14 247 1] ()); goto BB17 } @@ -2277,7 +2353,9 @@ module Hashmap_Impl0 axiom inv0 : forall x : Hashmap_List_Type.t_list t . inv0 x = true use prelude.Borrow - goal clone'_refn : [#"../hashmap.rs" 16 4 16 27] forall self : Hashmap_List_Type.t_list t . inv0 self -> inv0 self /\ (forall result : Hashmap_List_Type.t_list t . inv1 result /\ result = self -> inv1 result /\ result = self) + goal clone'_refn : [#"../hashmap.rs" 16 4 16 27] forall self : Hashmap_List_Type.t_list t . inv0 self + -> inv0 self /\ (forall result : Hashmap_List_Type.t_list t . inv1 result /\ result = self + -> inv1 result /\ result = self) end module Hashmap_Impl2 use prelude.UIntSize @@ -2306,13 +2384,15 @@ module Hashmap_Impl2 use prelude.Int use prelude.Borrow function deep_model0 (self : usize) : int = - [#"../../../../creusot-contracts/src/model.rs" 70 8 70 28] deep_model1 self + [#"../../../../creusot-contracts/src/model.rs" 74 8 74 28] deep_model1 self val deep_model0 (self : usize) : int ensures { result = deep_model0 self } use prelude.UInt64 use prelude.UInt64 - goal hash_refn : [#"../hashmap.rs" 59 4 59 25] forall self : usize . inv0 self -> (forall result : uint64 . UInt64.to_int result = hash_log0 (deep_model0 self) -> UInt64.to_int result = hash_log0 (deep_model0 self)) + goal hash_refn : [#"../hashmap.rs" 59 4 59 25] forall self : usize . inv0 self + -> (forall result : uint64 . UInt64.to_int result = hash_log0 (deep_model0 self) + -> UInt64.to_int result = hash_log0 (deep_model0 self)) end module Hashmap_Impl3 type k diff --git a/creusot/tests/should_succeed/hashmap.rs b/creusot/tests/should_succeed/hashmap.rs index 96ce8163e0..d844cac633 100644 --- a/creusot/tests/should_succeed/hashmap.rs 
+++ b/creusot/tests/should_succeed/hashmap.rs @@ -23,7 +23,7 @@ impl Clone for List { } impl List<(K, V)> { - #[ghost] + #[logic] #[open] pub fn get(self, index: K::DeepModelTy) -> Option { pearlite! { @@ -50,7 +50,7 @@ trait Hash: DeepModel { #[ensures(result@ == Self::hash_log(self.deep_model()))] fn hash(&self) -> u64; - #[ghost] + #[logic] fn hash_log(_: Self::DeepModelTy) -> Int; } @@ -60,7 +60,7 @@ impl Hash for usize { *self as u64 } - #[ghost] + #[logic] fn hash_log(x: Int) -> Int { pearlite! { x } } @@ -74,18 +74,18 @@ impl ShallowModel for MyHashMap { type ShallowModelTy = Mapping>; #[open(self)] - #[ghost] + #[logic] fn shallow_model(self) -> Self::ShallowModelTy { pearlite! { |k| self.bucket(k).get(k) } } } impl MyHashMap { - #[ghost] + #[logic] fn bucket(self, k: K::DeepModelTy) -> List<(K, V)> { pearlite! { self.buckets[self.bucket_ix(k)] } } - #[ghost] + #[logic] fn bucket_ix(self, k: K::DeepModelTy) -> Int { pearlite! { K::hash_log(k).rem_euclid(self.buckets@.len()) } } @@ -105,11 +105,11 @@ impl MyHashMap { #[ensures(forall (^self)@.get(i) == (if i == key.deep_model() { Some(val) } else { self@.get(i) } ))] pub fn add(&mut self, key: K, val: V) { use List::*; - let old_self = gh! { self }; + let old_self = snapshot! { self }; let length = self.buckets.len(); let index: usize = key.hash() as usize % length; let mut l: &mut List<_> = &mut self.buckets[index]; - let old_l = gh! { l }; + let old_l = snapshot! { l }; #[invariant(old_self.good_bucket(*l, index@))] #[invariant(old_self.good_bucket(^l, index@) ==> old_self.good_bucket(^old_l.inner(), index@))] @@ -159,7 +159,7 @@ impl MyHashMap { #[ensures(forall (^self)@.get(k) == self@.get(k))] // lets prove the extensional version for now #[allow(dead_code)] fn resize(&mut self) { - let old_self = gh! { self }; + let old_self = snapshot! { self }; let mut new = Self::new(self.buckets.len() * 2); let mut i: usize = 0; 
diff --git a/creusot/tests/should_succeed/hashmap/why3session.xml b/creusot/tests/should_succeed/hashmap/why3session.xml index a607e2c377..f8ce4b4682 100644 --- a/creusot/tests/should_succeed/hashmap/why3session.xml +++ b/creusot/tests/should_succeed/hashmap/why3session.xml @@ -14,7 +14,7 @@ - + @@ -29,20 +29,20 @@ - - + + - - + + - + - + @@ -57,7 +57,7 @@ - + @@ -69,7 +69,7 @@ - + @@ -84,7 +84,7 @@ - + @@ -96,34 +96,34 @@ - + - + - + - + - + - + - + - + @@ -132,93 +132,93 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -235,7 +235,7 @@ - + @@ -250,7 +250,7 @@ - + @@ -263,26 +263,26 @@ - - + + - - + + - - + + - + - + @@ -318,13 +318,13 @@ - + - + @@ -333,10 +333,10 @@ - + - + @@ -375,7 +375,7 @@ - + @@ -383,138 +383,138 @@ - - + + - - + + - - + + - - + + - + - - + + - - + + - - + + - - + + - - + + - - + + - + - + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - + - + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - + - + - + - - + + - - + + - - + + - - + + - + diff --git a/creusot/tests/should_succeed/hashmap/why3shapes.gz b/creusot/tests/should_succeed/hashmap/why3shapes.gz index df19aca4c9..2c28e59a52 100644 Binary files a/creusot/tests/should_succeed/hashmap/why3shapes.gz and b/creusot/tests/should_succeed/hashmap/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/heapsort_generic.mlcfg b/creusot/tests/should_succeed/heapsort_generic.mlcfg index fb2f0ce6bf..b51619c365 100644 --- a/creusot/tests/should_succeed/heapsort_generic.mlcfg +++ b/creusot/tests/should_succeed/heapsort_generic.mlcfg 
@@ -28,7 +28,9 @@ module HeapsortGeneric_HeapFragMax_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : t) (y : t) : () val antisym20 (x : t) (y : t) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -36,7 +38,10 @@ module HeapsortGeneric_HeapFragMax_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : t) (y : t) : () val antisym10 (x : t) (y : t) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -44,7 +49,10 @@ module HeapsortGeneric_HeapFragMax_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : t) (y : t) (z : t) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : t) (y : t) (z : t) (o : Core_Cmp_Ordering_Type.t_ordering) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o} 
@@ -54,13 +62,19 @@ module HeapsortGeneric_HeapFragMax_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : t, y : t, z : t, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : t, y : t, z : t, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : t) : () val refl0 (x : t) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : t . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : t) (o : t) : bool val gt_log0 (self : t) (o : t) : bool ensures { result = gt_log0 self o } @@ -71,7 +85,9 @@ module HeapsortGeneric_HeapFragMax_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : t) (o : t) : bool val ge_log0 (self : t) (o : t) : bool ensures { result = ge_log0 self o } 
@@ -82,7 +98,9 @@ module HeapsortGeneric_HeapFragMax_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : t) (o : t) : bool val lt_log0 (self : t) (o : t) : bool ensures { result = lt_log0 self o } @@ -93,7 +111,9 @@ module HeapsortGeneric_HeapFragMax_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : t) (o : t) : bool val le_log0 (self : t) (o : t) : bool ensures { result = le_log0 self o } 
@@ -104,7 +124,9 @@ module HeapsortGeneric_HeapFragMax_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : t, y : t . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use seq.Seq predicate invariant0 (self : Seq.seq t) val invariant0 (self : Seq.seq t) : bool 
@@ -123,19 +145,23 @@ module HeapsortGeneric_HeapFragMax_Impl use seq.Seq predicate heap_frag0 [#"../heapsort_generic.rs" 15 0 15 66] (s : Seq.seq t) (start : int) (end' : int) = - [#"../heapsort_generic.rs" 16 4 17 26] forall i : int . start <= parent0 i /\ i < end' -> le_log0 (Seq.get s i) (Seq.get s (parent0 i)) + [#"../heapsort_generic.rs" 16 4 17 26] forall i : int . start <= parent0 i /\ i < end' + -> le_log0 (Seq.get s i) (Seq.get s (parent0 i)) val heap_frag0 [#"../heapsort_generic.rs" 15 0 15 66] (s : Seq.seq t) (start : int) (end' : int) : bool ensures { result = heap_frag0 s start end' } - let rec ghost function heap_frag_max [#"../heapsort_generic.rs" 25 0 25 58] (s : Seq.seq t) (i : int) (end' : int) : () - requires {[#"../heapsort_generic.rs" 21 11 21 31] heap_frag0 s 0 end'} - requires {[#"../heapsort_generic.rs" 22 11 22 28] 0 <= i /\ i < end'} - requires {[#"../heapsort_generic.rs" 25 30 25 31] inv0 s} - ensures { [#"../heapsort_generic.rs" 23 10 23 22] le_log0 (Seq.get s i) (Seq.get s 0) } - variant {[#"../heapsort_generic.rs" 24 10 24 11] i} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../heapsort_generic.rs" 26 4 28 5] if pure {i > 0} then let b' = parent0 i in heap_frag_max s b' end' else () + constant s : Seq.seq t + constant i : int + constant end' : int + function heap_frag_max [#"../heapsort_generic.rs" 25 0 25 58] (s : Seq.seq t) (i : int) (end' : int) : () + goal vc_heap_frag_max : ([#"../heapsort_generic.rs" 25 30 25 31] inv0 s) + -> ([#"../heapsort_generic.rs" 22 11 22 28] 0 <= i /\ i < end') + -> ([#"../heapsort_generic.rs" 21 11 21 31] heap_frag0 s 0 end') + -> match i > 0 with + | True -> ((([#"../heapsort_generic.rs" 25 30 25 31] inv0 s) && ([#"../heapsort_generic.rs" 22 11 22 28] 0 <= parent0 i /\ parent0 i < end') && ([#"../heapsort_generic.rs" 21 11 21 31] heap_frag0 s 0 end')) /\ 0 <= ([#"../heapsort_generic.rs" 24 10 24 11] i) /\ ([#"../heapsort_generic.rs" 24 10 24 11] parent0 i) < ([#"../heapsort_generic.rs" 24 10 24 11] i)) 
/\ (([#"../heapsort_generic.rs" 23 10 23 22] le_log0 (Seq.get s (parent0 i)) (Seq.get s 0)) + -> ([#"../heapsort_generic.rs" 23 10 23 22] le_log0 (Seq.get s i) (Seq.get s 0))) + | False -> [#"../heapsort_generic.rs" 23 10 23 22] le_log0 (Seq.get s i) (Seq.get s 0) + end end module Core_Ptr_NonNull_NonNull_Type use prelude.Opaque @@ -155,12 +181,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
@@ -263,7 +295,8 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv10 (shallow_model3 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -294,7 +327,9 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -302,7 +337,10 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -310,7 +348,10 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -321,13 +362,19 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -338,7 +385,9 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -349,7 +398,9 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -360,7 +411,9 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -371,23 +424,25 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant1 (self : deep_model_ty0) val invariant1 (self : deep_model_ty0) : bool ensures { result = invariant1 self } axiom inv1 : forall x : deep_model_ty0 . 
inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + val invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + val inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true function deep_model3 (self : t) : deep_model_ty0 val deep_model3 (self : t) : deep_model_ty0 ensures { result = deep_model3 self } 
@@ -407,14 +462,17 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv3 self} ensures { result = deep_model1 self } - axiom deep_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv3 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv9 (deep_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) -> Seq.get (deep_model1 self) i = deep_model3 (index_logic0 self i)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model3 self) = Seq.length (deep_model1 self)) + axiom deep_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv3 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv9 (deep_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) + -> Seq.get (deep_model1 self) i = deep_model3 (index_logic0 self i)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model3 self) = Seq.length (deep_model1 self)) function parent0 [#"../heapsort_generic.rs" 10 0 10 24] (i : int) : int = [#"../heapsort_generic.rs" 11 4 11 19] div (i + 1) 2 - 1 val parent0 [#"../heapsort_generic.rs" 10 0 10 24] (i : int) : int ensures { result = parent0 i } predicate heap_frag0 [#"../heapsort_generic.rs" 15 0 15 66] (s : Seq.seq deep_model_ty0) (start : int) (end' : int) = - [#"../heapsort_generic.rs" 16 4 17 26] forall i : int . start <= parent0 i /\ i < end' -> le_log0 (Seq.get s i) (Seq.get s (parent0 i)) + [#"../heapsort_generic.rs" 16 4 17 26] forall i : int . 
start <= parent0 i /\ i < end' + -> le_log0 (Seq.get s i) (Seq.get s (parent0 i)) val heap_frag0 [#"../heapsort_generic.rs" 15 0 15 66] (s : Seq.seq deep_model_ty0) (start : int) (end' : int) : bool ensures { result = heap_frag0 s start end' } @@ -435,7 +493,8 @@ module HeapsortGeneric_SiftDown requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model7 self } - axiom shallow_model7_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv10 (shallow_model7 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model7 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) + axiom shallow_model7_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv10 (shallow_model7 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model7 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) function shallow_model6 (self : borrowed (slice t)) : Seq.seq t = [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model7 ( * self) val shallow_model6 (self : borrowed (slice t)) : Seq.seq t @@ -507,7 +566,7 @@ module HeapsortGeneric_SiftDown val deep_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq deep_model_ty0 ensures { result = deep_model0 self } - use prelude.Ghost + use prelude.Snapshot use seq.Permut predicate permutation_of0 (self : Seq.seq t) (o : Seq.seq t) = [#"../../../../creusot-contracts/src/logic/seq.rs" 107 8 107 37] Permut.permut self o 0 (Seq.length self) 
@@ -520,18 +579,19 @@ module HeapsortGeneric_SiftDown val shallow_model4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model4 self } - function shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + function shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t = - [#"../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model4 (Ghost.inner self) - val shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + [#"../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model4 (Snapshot.inner self) + val shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t ensures { result = shallow_model1 self } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + + val resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg sift_down [#"../heapsort_generic.rs" 41 0 43 29] [@cfg:stackify] [@cfg:subregion_analysis] (v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) (start : usize) (end' : usize) : () requires {[#"../heapsort_generic.rs" 31 11 31 54] heap_frag0 (deep_model0 v) (UIntSize.to_int start + 1) (UIntSize.to_int end')} requires {[#"../heapsort_generic.rs" 32 11 32 24] UIntSize.to_int start < UIntSize.to_int end'} 
@@ -539,22 +599,33 @@ module HeapsortGeneric_SiftDown requires {[#"../heapsort_generic.rs" 41 33 41 34] inv6 v} ensures { [#"../heapsort_generic.rs" 34 10 34 52] heap_frag0 (deep_model1 ( ^ v)) (UIntSize.to_int start) (UIntSize.to_int end') } ensures { [#"../heapsort_generic.rs" 35 0 35 36] permutation_of0 (shallow_model3 ( ^ v)) (shallow_model0 v) } - ensures { [#"../heapsort_generic.rs" 36 0 37 43] forall i : int . 0 <= i /\ i < UIntSize.to_int start \/ UIntSize.to_int end' <= i /\ i < Seq.length (shallow_model0 v) -> index_logic0 ( * v) i = index_logic0 ( ^ v) i } - ensures { [#"../heapsort_generic.rs" 38 0 40 80] forall m : deep_model_ty0 . inv1 m -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' -> le_log0 (Seq.get (deep_model0 v) j) m) -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' -> le_log0 (Seq.get (deep_model1 ( ^ v)) j) m) } + ensures { [#"../heapsort_generic.rs" 36 0 37 43] forall i : int . 0 <= i /\ i < UIntSize.to_int start \/ UIntSize.to_int end' <= i /\ i < Seq.length (shallow_model0 v) + -> index_logic0 ( * v) i = index_logic0 ( ^ v) i } + ensures { [#"../heapsort_generic.rs" 38 0 40 80] forall m : deep_model_ty0 . inv1 m + -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' + -> le_log0 (Seq.get (deep_model0 v) j) m) + -> (forall j : int . 
UIntSize.to_int start <= j /\ j < UIntSize.to_int end' + -> le_log0 (Seq.get (deep_model1 ( ^ v)) j) m) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = v; var start : usize = start; var end' : usize = end'; - var old_v : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); + var old_v : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); var i : usize; + var _24 : bool; + var _26 : usize; var _28 : bool; var child : usize; + var _31 : usize; var _33 : (); + var _34 : bool; + var _35 : usize; var _38 : bool; var _40 : t; var _44 : t; + var _46 : usize; var _49 : bool; var _51 : t; var _55 : t; 
@@ -566,32 +637,43 @@ module HeapsortGeneric_SiftDown goto BB0 } BB0 { - [#"../heapsort_generic.rs" 45 16 45 25] old_v <- ([#"../heapsort_generic.rs" 45 16 45 25] Ghost.new v); + [#"../heapsort_generic.rs" 45 16 45 31] old_v <- ([#"../heapsort_generic.rs" 45 16 45 31] Snapshot.new v); goto BB1 } BB1 { assert { [@expl:type invariant] inv0 old_v }; assume { resolve0 old_v }; - [#"../heapsort_generic.rs" 46 16 46 21] i <- ([#"../heapsort_generic.rs" 46 16 46 21] start); + [#"../heapsort_generic.rs" 46 16 46 21] i <- start; goto BB2 } BB2 { invariant { [#"../heapsort_generic.rs" 48 4 48 43] permutation_of0 (shallow_model0 v) (shallow_model1 old_v) }; invariant { [#"../heapsort_generic.rs" 49 16 49 41] UIntSize.to_int start <= UIntSize.to_int i /\ UIntSize.to_int i < UIntSize.to_int end' }; - invariant { [#"../heapsort_generic.rs" 48 4 48 43] forall j : int . 0 <= j /\ j < UIntSize.to_int start \/ UIntSize.to_int end' <= j /\ j < Seq.length (shallow_model0 v) -> index_logic0 ( * Ghost.inner old_v) j = index_logic0 ( * v) j }; - invariant { [#"../heapsort_generic.rs" 48 4 48 43] forall m : deep_model_ty0 . inv1 m -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' -> le_log0 (Seq.get (deep_model0 (Ghost.inner old_v)) j) m) -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' -> le_log0 (Seq.get (deep_model0 v) j) m) }; - invariant { [#"../heapsort_generic.rs" 48 4 48 43] forall j : int . 
UIntSize.to_int start <= parent0 j /\ j < UIntSize.to_int end' /\ UIntSize.to_int i <> parent0 j -> le_log0 (Seq.get (deep_model0 v) j) (Seq.get (deep_model0 v) (parent0 j)) }; - invariant { [#"../heapsort_generic.rs" 48 4 48 43] let c = 2 * UIntSize.to_int i + 1 in c < UIntSize.to_int end' /\ UIntSize.to_int start <= parent0 (UIntSize.to_int i) -> le_log0 (Seq.get (deep_model0 v) c) (Seq.get (deep_model0 v) (parent0 (parent0 c))) }; - invariant { [#"../heapsort_generic.rs" 48 4 48 43] let c = 2 * UIntSize.to_int i + 2 in c < UIntSize.to_int end' /\ UIntSize.to_int start <= parent0 (UIntSize.to_int i) -> le_log0 (Seq.get (deep_model0 v) c) (Seq.get (deep_model0 v) (parent0 (parent0 c))) }; + invariant { [#"../heapsort_generic.rs" 48 4 48 43] forall j : int . 0 <= j /\ j < UIntSize.to_int start \/ UIntSize.to_int end' <= j /\ j < Seq.length (shallow_model0 v) + -> index_logic0 ( * Snapshot.inner old_v) j = index_logic0 ( * v) j }; + invariant { [#"../heapsort_generic.rs" 48 4 48 43] forall m : deep_model_ty0 . inv1 m + -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' + -> le_log0 (Seq.get (deep_model0 (Snapshot.inner old_v)) j) m) + -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' + -> le_log0 (Seq.get (deep_model0 v) j) m) }; + invariant { [#"../heapsort_generic.rs" 48 4 48 43] forall j : int . 
UIntSize.to_int start <= parent0 j /\ j < UIntSize.to_int end' /\ UIntSize.to_int i <> parent0 j + -> le_log0 (Seq.get (deep_model0 v) j) (Seq.get (deep_model0 v) (parent0 j)) }; + invariant { [#"../heapsort_generic.rs" 48 4 48 43] let c = 2 * UIntSize.to_int i + 1 in c < UIntSize.to_int end' /\ UIntSize.to_int start <= parent0 (UIntSize.to_int i) + -> le_log0 (Seq.get (deep_model0 v) c) (Seq.get (deep_model0 v) (parent0 (parent0 c))) }; + invariant { [#"../heapsort_generic.rs" 48 4 48 43] let c = 2 * UIntSize.to_int i + 2 in c < UIntSize.to_int end' /\ UIntSize.to_int start <= parent0 (UIntSize.to_int i) + -> le_log0 (Seq.get (deep_model0 v) c) (Seq.get (deep_model0 v) (parent0 (parent0 c))) }; goto BB3 } BB3 { - [#"../heapsort_generic.rs" 60 16 60 23] _28 <- ([#"../heapsort_generic.rs" 60 16 60 23] ([#"../heapsort_generic.rs" 60 22 60 23] [#"../heapsort_generic.rs" 60 22 60 23] (2 : usize)) = ([#"../heapsort_generic.rs" 60 16 60 23] [#"../heapsort_generic.rs" 60 16 60 23] (0 : usize))); + [#"../heapsort_generic.rs" 60 16 60 23] _28 <- ([#"../heapsort_generic.rs" 60 22 60 23] (2 : usize)) = ([#"../heapsort_generic.rs" 60 16 60 23] (0 : usize)); assert { [@expl:division by zero] [#"../heapsort_generic.rs" 60 16 60 23] not _28 }; goto BB4 } BB4 { - switch ([#"../heapsort_generic.rs" 60 11 60 23] ([#"../heapsort_generic.rs" 60 11 60 12] i) >= ([#"../heapsort_generic.rs" 60 16 60 23] ([#"../heapsort_generic.rs" 60 16 60 19] end') / ([#"../heapsort_generic.rs" 60 22 60 23] [#"../heapsort_generic.rs" 60 22 60 23] (2 : usize)))) + [#"../heapsort_generic.rs" 60 16 60 23] _26 <- end' / ([#"../heapsort_generic.rs" 60 22 60 23] (2 : usize)); + [#"../heapsort_generic.rs" 60 11 60 23] _24 <- i >= _26; + _26 <- any usize; + switch (_24) | False -> goto BB6 | True -> goto BB5 end 
@@ -603,14 +685,19 @@ module HeapsortGeneric_SiftDown goto BB23 } BB6 { - [#"../heapsort_generic.rs" 64 24 64 33] child <- ([#"../heapsort_generic.rs" 64 24 64 33] ([#"../heapsort_generic.rs" 64 24 64 29] ([#"../heapsort_generic.rs" 64 24 64 25] [#"../heapsort_generic.rs" 64 24 64 25] (2 : usize)) * ([#"../heapsort_generic.rs" 64 28 64 29] i)) + ([#"../heapsort_generic.rs" 64 32 64 33] [#"../heapsort_generic.rs" 64 32 64 33] (1 : usize))); - switch ([#"../heapsort_generic.rs" 65 11 65 26] ([#"../heapsort_generic.rs" 65 11 65 20] ([#"../heapsort_generic.rs" 65 11 65 16] child) + ([#"../heapsort_generic.rs" 65 19 65 20] [#"../heapsort_generic.rs" 65 19 65 20] (1 : usize))) < ([#"../heapsort_generic.rs" 65 23 65 26] end')) + [#"../heapsort_generic.rs" 64 24 64 29] _31 <- ([#"../heapsort_generic.rs" 64 24 64 25] (2 : usize)) * i; + [#"../heapsort_generic.rs" 64 24 64 33] child <- _31 + ([#"../heapsort_generic.rs" 64 32 64 33] (1 : usize)); + _31 <- any usize; + [#"../heapsort_generic.rs" 65 11 65 20] _35 <- child + ([#"../heapsort_generic.rs" 65 19 65 20] (1 : usize)); + [#"../heapsort_generic.rs" 65 11 65 26] _34 <- _35 < end'; + _35 <- any usize; + switch (_34) | False -> goto BB8 | True -> goto BB7 end } BB7 { - [#"../heapsort_generic.rs" 65 31 65 38] _40 <- ([#"../heapsort_generic.rs" 65 31 65 38] index0 ([#"../heapsort_generic.rs" 65 30 65 31] * v) ([#"../heapsort_generic.rs" 65 32 65 37] child)); + [#"../heapsort_generic.rs" 65 31 65 38] _40 <- ([#"../heapsort_generic.rs" 65 31 65 38] index0 ( * v) child); goto BB9 } BB8 { 
@@ -619,13 +706,15 @@ module HeapsortGeneric_SiftDown BB9 { assert { [@expl:type invariant] inv2 _40 }; assume { resolve1 _40 }; - [#"../heapsort_generic.rs" 65 42 65 53] _44 <- ([#"../heapsort_generic.rs" 65 42 65 53] index0 ([#"../heapsort_generic.rs" 65 41 65 42] * v) ([#"../heapsort_generic.rs" 65 43 65 52] ([#"../heapsort_generic.rs" 65 43 65 48] child) + ([#"../heapsort_generic.rs" 65 51 65 52] [#"../heapsort_generic.rs" 65 51 65 52] (1 : usize)))); + [#"../heapsort_generic.rs" 65 43 65 52] _46 <- child + ([#"../heapsort_generic.rs" 65 51 65 52] (1 : usize)); + [#"../heapsort_generic.rs" 65 42 65 53] _44 <- ([#"../heapsort_generic.rs" 65 42 65 53] index0 ( * v) _46); + _46 <- any usize; goto BB10 } BB10 { assert { [@expl:type invariant] inv2 _44 }; assume { resolve1 _44 }; - [#"../heapsort_generic.rs" 65 30 65 53] _38 <- ([#"../heapsort_generic.rs" 65 30 65 53] lt0 ([#"../heapsort_generic.rs" 65 30 65 38] _40) ([#"../heapsort_generic.rs" 65 41 65 53] _44)); + [#"../heapsort_generic.rs" 65 30 65 53] _38 <- ([#"../heapsort_generic.rs" 65 30 65 53] lt0 _40 _44); goto BB11 } BB11 { @@ -635,7 +724,7 @@ module HeapsortGeneric_SiftDown end } BB12 { - [#"../heapsort_generic.rs" 66 12 66 22] child <- ([#"../heapsort_generic.rs" 66 12 66 22] child + ([#"../heapsort_generic.rs" 66 21 66 22] [#"../heapsort_generic.rs" 66 21 66 22] (1 : usize))); + [#"../heapsort_generic.rs" 66 12 66 22] child <- child + ([#"../heapsort_generic.rs" 66 21 66 22] (1 : usize)); [#"../heapsort_generic.rs" 66 12 66 22] _33 <- ([#"../heapsort_generic.rs" 66 12 66 22] ()); goto BB15 } 
@@ -647,19 +736,19 @@ module HeapsortGeneric_SiftDown goto BB15 } BB15 { - [#"../heapsort_generic.rs" 68 12 68 19] _51 <- ([#"../heapsort_generic.rs" 68 12 68 19] index0 ([#"../heapsort_generic.rs" 68 11 68 12] * v) ([#"../heapsort_generic.rs" 68 13 68 18] child)); + [#"../heapsort_generic.rs" 68 12 68 19] _51 <- ([#"../heapsort_generic.rs" 68 12 68 19] index0 ( * v) child); goto BB16 } BB16 { assert { [@expl:type invariant] inv2 _51 }; assume { resolve1 _51 }; - [#"../heapsort_generic.rs" 68 24 68 27] _55 <- ([#"../heapsort_generic.rs" 68 24 68 27] index0 ([#"../heapsort_generic.rs" 68 23 68 24] * v) ([#"../heapsort_generic.rs" 68 25 68 26] i)); + [#"../heapsort_generic.rs" 68 24 68 27] _55 <- ([#"../heapsort_generic.rs" 68 24 68 27] index0 ( * v) i); goto BB17 } BB17 { assert { [@expl:type invariant] inv2 _55 }; assume { resolve1 _55 }; - [#"../heapsort_generic.rs" 68 11 68 27] _49 <- ([#"../heapsort_generic.rs" 68 11 68 27] le0 ([#"../heapsort_generic.rs" 68 11 68 19] _51) ([#"../heapsort_generic.rs" 68 23 68 27] _55)); + [#"../heapsort_generic.rs" 68 11 68 27] _49 <- ([#"../heapsort_generic.rs" 68 11 68 27] le0 _51 _55); goto BB18 } BB18 { 
@@ -686,14 +775,14 @@ module HeapsortGeneric_SiftDown [#"../heapsort_generic.rs" 71 8 71 9] _60 <- Borrow.borrow_final ( * _61) (Borrow.get_id _61); [#"../heapsort_generic.rs" 71 8 71 9] _61 <- { _61 with current = ( ^ _60) ; }; assume { inv4 ( ^ _60) }; - [#"../heapsort_generic.rs" 71 8 71 24] _59 <- ([#"../heapsort_generic.rs" 71 8 71 24] swap0 _60 ([#"../heapsort_generic.rs" 71 15 71 16] i) ([#"../heapsort_generic.rs" 71 18 71 23] child)); + [#"../heapsort_generic.rs" 71 8 71 24] _59 <- ([#"../heapsort_generic.rs" 71 8 71 24] swap0 _60 i child); _60 <- any borrowed (slice t); goto BB22 } BB22 { assert { [@expl:type invariant] inv5 _61 }; assume { resolve2 _61 }; - [#"../heapsort_generic.rs" 72 8 72 17] i <- ([#"../heapsort_generic.rs" 72 12 72 17] child); + [#"../heapsort_generic.rs" 72 8 72 17] i <- child; goto BB2 } BB23 { 
@@ -778,7 +867,8 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max1) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max1) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv8 (shallow_model3 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -805,7 +895,9 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv7 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -813,7 +905,10 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv7 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -821,7 +916,10 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv7 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -832,13 +930,19 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv7 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv7 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv7 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv7 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -849,7 +953,9 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv7 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -860,7 +966,9 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv7 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -871,7 +979,9 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv7 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -882,21 +992,24 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv7 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + val invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + val inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty 
(borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true use seq.Seq predicate sorted_range0 [#"../heapsort_generic.rs" 77 0 77 63] (s : Seq.seq deep_model_ty0) (l : int) (u : int) = - [#"../heapsort_generic.rs" 78 4 80 5] forall j : int . forall i : int . l <= i /\ i < j /\ j < u -> le_log0 (Seq.get s i) (Seq.get s j) + [#"../heapsort_generic.rs" 78 4 80 5] forall j : int . forall i : int . l <= i /\ i < j /\ j < u + -> le_log0 (Seq.get s i) (Seq.get s j) val sorted_range0 [#"../heapsort_generic.rs" 77 0 77 63] (s : Seq.seq deep_model_ty0) (l : int) (u : int) : bool ensures { result = sorted_range0 s l u } 
@@ -923,7 +1036,9 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv2 self} ensures { result = deep_model1 self } - axiom deep_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv6 (deep_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) -> Seq.get (deep_model1 self) i = deep_model2 (index_logic1 self i)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model3 self) = Seq.length (deep_model1 self)) + axiom deep_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv6 (deep_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) + -> Seq.get (deep_model1 self) i = deep_model2 (index_logic1 self i)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model3 self) = Seq.length (deep_model1 self)) let constant max0 : usize = [@vc:do_not_keep_trace] [@vc:sp] (18446744073709551615 : usize) use seq.Permut 
@@ -944,7 +1059,8 @@ module HeapsortGeneric_HeapSort ensures { result = parent0 i } predicate heap_frag0 [#"../heapsort_generic.rs" 15 0 15 66] (s : Seq.seq deep_model_ty0) (start : int) (end' : int) = - [#"../heapsort_generic.rs" 16 4 17 26] forall i : int . start <= parent0 i /\ i < end' -> le_log0 (Seq.get s i) (Seq.get s (parent0 i)) + [#"../heapsort_generic.rs" 16 4 17 26] forall i : int . start <= parent0 i /\ i < end' + -> le_log0 (Seq.get s i) (Seq.get s (parent0 i)) val heap_frag0 [#"../heapsort_generic.rs" 15 0 15 66] (s : Seq.seq deep_model_ty0) (start : int) (end' : int) : bool ensures { result = heap_frag0 s start end' } 
@@ -962,8 +1078,13 @@ module HeapsortGeneric_HeapSort requires {[#"../heapsort_generic.rs" 41 33 41 34] inv1 v} ensures { [#"../heapsort_generic.rs" 34 10 34 52] heap_frag0 (deep_model1 ( ^ v)) (UIntSize.to_int start) (UIntSize.to_int end') } ensures { [#"../heapsort_generic.rs" 35 0 35 36] permutation_of0 (shallow_model3 ( ^ v)) (shallow_model0 v) } - ensures { [#"../heapsort_generic.rs" 36 0 37 43] forall i : int . 0 <= i /\ i < UIntSize.to_int start \/ UIntSize.to_int end' <= i /\ i < Seq.length (shallow_model0 v) -> index_logic1 ( * v) i = index_logic1 ( ^ v) i } - ensures { [#"../heapsort_generic.rs" 38 0 40 80] forall m : deep_model_ty0 . inv7 m -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' -> le_log0 (Seq.get (deep_model0 v) j) m) -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' -> le_log0 (Seq.get (deep_model1 ( ^ v)) j) m) } + ensures { [#"../heapsort_generic.rs" 36 0 37 43] forall i : int . 0 <= i /\ i < UIntSize.to_int start \/ UIntSize.to_int end' <= i /\ i < Seq.length (shallow_model0 v) + -> index_logic1 ( * v) i = index_logic1 ( ^ v) i } + ensures { [#"../heapsort_generic.rs" 38 0 40 80] forall m : deep_model_ty0 . inv7 m + -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' + -> le_log0 (Seq.get (deep_model0 v) j) m) + -> (forall j : int . UIntSize.to_int start <= j /\ j < UIntSize.to_int end' + -> le_log0 (Seq.get (deep_model1 ( ^ v)) j) m) } function heap_frag_max0 [#"../heapsort_generic.rs" 25 0 25 58] (s : Seq.seq deep_model_ty0) (i : int) (end' : int) : () 
@@ -978,7 +1099,10 @@ module HeapsortGeneric_HeapSort requires {[#"../heapsort_generic.rs" 25 30 25 31] inv6 s} ensures { result = heap_frag_max0 s i end' } - axiom heap_frag_max0_spec : forall s : Seq.seq deep_model_ty0, i : int, end' : int . ([#"../heapsort_generic.rs" 21 11 21 31] heap_frag0 s 0 end') -> ([#"../heapsort_generic.rs" 22 11 22 28] 0 <= i /\ i < end') -> ([#"../heapsort_generic.rs" 25 30 25 31] inv6 s) -> ([#"../heapsort_generic.rs" 23 10 23 22] le_log0 (Seq.get s i) (Seq.get s 0)) + axiom heap_frag_max0_spec : forall s : Seq.seq deep_model_ty0, i : int, end' : int . ([#"../heapsort_generic.rs" 21 11 21 31] heap_frag0 s 0 end') + -> ([#"../heapsort_generic.rs" 22 11 22 28] 0 <= i /\ i < end') + -> ([#"../heapsort_generic.rs" 25 30 25 31] inv6 s) + -> ([#"../heapsort_generic.rs" 23 10 23 22] le_log0 (Seq.get s i) (Seq.get s 0)) predicate resolve2 (self : borrowed (slice t)) = [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve2 (self : borrowed (slice t)) : bool 
@@ -991,7 +1115,8 @@ module HeapsortGeneric_HeapSort requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model7 self } - axiom shallow_model7_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv8 (shallow_model7 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model7 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max1) + axiom shallow_model7_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv8 (shallow_model7 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model7 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max1) function shallow_model6 (self : borrowed (slice t)) : Seq.seq t = [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model7 ( * self) val shallow_model6 (self : borrowed (slice t)) : Seq.seq t 
@@ -1020,12 +1145,12 @@ module HeapsortGeneric_HeapSort val shallow_model5 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model5 self } - use prelude.Ghost - function shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + use prelude.Snapshot + function shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t = - [#"../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model5 (Ghost.inner self) - val shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + [#"../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model5 (Snapshot.inner self) + val shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t ensures { result = shallow_model1 self } function shallow_model4 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : Seq.seq t = 
@@ -1037,11 +1162,12 @@ module HeapsortGeneric_HeapSort requires {inv5 self} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 75 26 75 48] UIntSize.to_int result = Seq.length (shallow_model4 self) } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + + val resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg heap_sort [#"../heapsort_generic.rs" 93 0 95 29] [@cfg:stackify] [@cfg:subregion_analysis] (v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : () requires {[#"../heapsort_generic.rs" 90 11 90 40] Seq.length (shallow_model0 v) < div (UIntSize.to_int max0) 2} requires {[#"../heapsort_generic.rs" 93 37 93 38] inv1 v} @@ -1051,15 +1177,17 @@ module HeapsortGeneric_HeapSort = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = v; - var old_v : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); + var old_v : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); var start : usize; var _8 : usize; var _10 : bool; var _15 : (); + var _16 : bool; var _18 : (); var _19 : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); var _21 : usize; var end' : usize; + var _33 : bool; var _35 : (); var _36 : borrowed (slice t); var _37 : borrowed (slice t); 
@@ -1070,22 +1198,22 @@ module HeapsortGeneric_HeapSort goto BB0 } BB0 { - [#"../heapsort_generic.rs" 97 16 97 25] old_v <- ([#"../heapsort_generic.rs" 97 16 97 25] Ghost.new v); + [#"../heapsort_generic.rs" 97 16 97 31] old_v <- ([#"../heapsort_generic.rs" 97 16 97 31] Snapshot.new v); goto BB1 } BB1 { assert { [@expl:type invariant] inv0 old_v }; assume { resolve0 old_v }; - [#"../heapsort_generic.rs" 99 20 99 27] _8 <- ([#"../heapsort_generic.rs" 99 20 99 27] len0 ([#"../heapsort_generic.rs" 99 20 99 21] * v)); + [#"../heapsort_generic.rs" 99 20 99 27] _8 <- ([#"../heapsort_generic.rs" 99 20 99 27] len0 ( * v)); goto BB2 } BB2 { - [#"../heapsort_generic.rs" 99 20 99 31] _10 <- ([#"../heapsort_generic.rs" 99 20 99 31] ([#"../heapsort_generic.rs" 99 30 99 31] [#"../heapsort_generic.rs" 99 30 99 31] (2 : usize)) = ([#"../heapsort_generic.rs" 99 20 99 31] [#"../heapsort_generic.rs" 99 20 99 31] (0 : usize))); + [#"../heapsort_generic.rs" 99 20 99 31] _10 <- ([#"../heapsort_generic.rs" 99 30 99 31] (2 : usize)) = ([#"../heapsort_generic.rs" 99 20 99 31] (0 : usize)); assert { [@expl:division by zero] [#"../heapsort_generic.rs" 99 20 99 31] not _10 }; goto BB3 } BB3 { - [#"../heapsort_generic.rs" 99 20 99 31] start <- ([#"../heapsort_generic.rs" 99 20 99 31] _8 / ([#"../heapsort_generic.rs" 99 30 99 31] [#"../heapsort_generic.rs" 99 30 99 31] (2 : usize))); + [#"../heapsort_generic.rs" 99 20 99 31] start <- _8 / ([#"../heapsort_generic.rs" 99 30 99 31] (2 : usize)); _8 <- any usize; goto BB4 } 
@@ -1096,21 +1224,22 @@ module HeapsortGeneric_HeapSort goto BB5 } BB5 { - switch ([#"../heapsort_generic.rs" 103 10 103 19] ([#"../heapsort_generic.rs" 103 10 103 15] start) > ([#"../heapsort_generic.rs" 103 18 103 19] [#"../heapsort_generic.rs" 103 18 103 19] (0 : usize))) + [#"../heapsort_generic.rs" 103 10 103 19] _16 <- start > ([#"../heapsort_generic.rs" 103 18 103 19] (0 : usize)); + switch (_16) | False -> goto BB9 | True -> goto BB6 end } BB6 { - [#"../heapsort_generic.rs" 104 8 104 18] start <- ([#"../heapsort_generic.rs" 104 8 104 18] start - ([#"../heapsort_generic.rs" 104 17 104 18] [#"../heapsort_generic.rs" 104 17 104 18] (1 : usize))); + [#"../heapsort_generic.rs" 104 8 104 18] start <- start - ([#"../heapsort_generic.rs" 104 17 104 18] (1 : usize)); [#"../heapsort_generic.rs" 105 18 105 19] _19 <- Borrow.borrow_mut ( * v); [#"../heapsort_generic.rs" 105 18 105 19] v <- { v with current = ( ^ _19) ; }; assume { inv2 ( ^ _19) }; - [#"../heapsort_generic.rs" 105 28 105 35] _21 <- ([#"../heapsort_generic.rs" 105 28 105 35] len0 ([#"../heapsort_generic.rs" 105 28 105 29] * _19)); + [#"../heapsort_generic.rs" 105 28 105 35] _21 <- ([#"../heapsort_generic.rs" 105 28 105 35] len0 ( * _19)); goto BB7 } BB7 { - [#"../heapsort_generic.rs" 105 8 105 36] _18 <- ([#"../heapsort_generic.rs" 105 8 105 36] sift_down0 _19 ([#"../heapsort_generic.rs" 105 21 105 26] start) _21); + [#"../heapsort_generic.rs" 105 8 105 36] _18 <- ([#"../heapsort_generic.rs" 105 8 105 36] sift_down0 _19 start _21); _19 <- any borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); _21 <- any usize; goto BB8 @@ -1120,7 +1249,7 @@ module HeapsortGeneric_HeapSort goto BB4 } BB9 { - [#"../heapsort_generic.rs" 108 18 108 25] end' <- ([#"../heapsort_generic.rs" 108 18 108 25] len0 ([#"../heapsort_generic.rs" 108 18 108 19] * v)); + [#"../heapsort_generic.rs" 108 18 108 25] end' <- ([#"../heapsort_generic.rs" 108 18 108 25] len0 ( * v)); goto BB10 } BB10 { 
@@ -1131,17 +1260,19 @@ module HeapsortGeneric_HeapSort invariant { [#"../heapsort_generic.rs" 109 4 109 34] permutation_of0 (shallow_model0 v) (shallow_model1 old_v) }; invariant { [#"../heapsort_generic.rs" 111 16 111 50] heap_frag0 (deep_model0 v) 0 (UIntSize.to_int end') }; invariant { [#"../heapsort_generic.rs" 112 16 112 60] sorted_range0 (deep_model0 v) (UIntSize.to_int end') (Seq.length (shallow_model0 v)) }; - invariant { [#"../heapsort_generic.rs" 109 4 109 34] forall j : int . forall i : int . 0 <= i /\ i < UIntSize.to_int end' /\ UIntSize.to_int end' <= j /\ j < Seq.length (shallow_model0 v) -> le_log0 (Seq.get (deep_model0 v) i) (Seq.get (deep_model0 v) j) }; + invariant { [#"../heapsort_generic.rs" 109 4 109 34] forall j : int . forall i : int . 0 <= i /\ i < UIntSize.to_int end' /\ UIntSize.to_int end' <= j /\ j < Seq.length (shallow_model0 v) + -> le_log0 (Seq.get (deep_model0 v) i) (Seq.get (deep_model0 v) j) }; goto BB12 } BB12 { - switch ([#"../heapsort_generic.rs" 115 10 115 17] ([#"../heapsort_generic.rs" 115 10 115 13] end') > ([#"../heapsort_generic.rs" 115 16 115 17] [#"../heapsort_generic.rs" 115 16 115 17] (1 : usize))) + [#"../heapsort_generic.rs" 115 10 115 17] _33 <- end' > ([#"../heapsort_generic.rs" 115 16 115 17] (1 : usize)); + switch (_33) | False -> goto BB17 | True -> goto BB13 end } BB13 { - [#"../heapsort_generic.rs" 116 8 116 16] end' <- ([#"../heapsort_generic.rs" 116 8 116 16] end' - ([#"../heapsort_generic.rs" 116 15 116 16] [#"../heapsort_generic.rs" 116 15 116 16] (1 : usize))); + [#"../heapsort_generic.rs" 116 8 116 16] end' <- end' - ([#"../heapsort_generic.rs" 116 15 116 16] (1 : usize)); [#"../heapsort_generic.rs" 117 8 117 9] _38 <- Borrow.borrow_mut ( * v); [#"../heapsort_generic.rs" 117 8 117 9] v <- { v with current = ( ^ _38) ; }; assume { inv2 ( ^ _38) }; 
@@ -1153,18 +1284,19 @@ module HeapsortGeneric_HeapSort [#"../heapsort_generic.rs" 117 8 117 9] _36 <- Borrow.borrow_final ( * _37) (Borrow.get_id _37); [#"../heapsort_generic.rs" 117 8 117 9] _37 <- { _37 with current = ( ^ _36) ; }; assume { inv3 ( ^ _36) }; - [#"../heapsort_generic.rs" 117 8 117 22] _35 <- ([#"../heapsort_generic.rs" 117 8 117 22] swap0 _36 ([#"../heapsort_generic.rs" 117 15 117 16] [#"../heapsort_generic.rs" 117 15 117 16] (0 : usize)) ([#"../heapsort_generic.rs" 117 18 117 21] end')); + [#"../heapsort_generic.rs" 117 8 117 22] _35 <- ([#"../heapsort_generic.rs" 117 8 117 22] swap0 _36 ([#"../heapsort_generic.rs" 117 15 117 16] (0 : usize)) end'); _36 <- any borrowed (slice t); goto BB15 } BB15 { assert { [@expl:type invariant] inv4 _37 }; assume { resolve2 _37 }; - assert { [@expl:assertion] [#"../heapsort_generic.rs" 119 12 119 59] let _ = heap_frag_max0 (deep_model0 v) 0 (UIntSize.to_int end') in forall j : int . forall i : int . 0 <= i /\ i < UIntSize.to_int end' /\ UIntSize.to_int end' <= j /\ j < Seq.length (shallow_model0 v) -> le_log0 (Seq.get (deep_model0 v) i) (Seq.get (deep_model0 v) j) }; + assert { [@expl:assertion] [#"../heapsort_generic.rs" 119 12 119 59] let _ = heap_frag_max0 (deep_model0 v) 0 (UIntSize.to_int end') in forall j : int . forall i : int . 
0 <= i /\ i < UIntSize.to_int end' /\ UIntSize.to_int end' <= j /\ j < Seq.length (shallow_model0 v) + -> le_log0 (Seq.get (deep_model0 v) i) (Seq.get (deep_model0 v) j) }; [#"../heapsort_generic.rs" 123 18 123 19] _43 <- Borrow.borrow_mut ( * v); [#"../heapsort_generic.rs" 123 18 123 19] v <- { v with current = ( ^ _43) ; }; assume { inv2 ( ^ _43) }; - [#"../heapsort_generic.rs" 123 8 123 28] _42 <- ([#"../heapsort_generic.rs" 123 8 123 28] sift_down0 _43 ([#"../heapsort_generic.rs" 123 21 123 22] [#"../heapsort_generic.rs" 123 21 123 22] (0 : usize)) ([#"../heapsort_generic.rs" 123 24 123 27] end')); + [#"../heapsort_generic.rs" 123 8 123 28] _42 <- ([#"../heapsort_generic.rs" 123 8 123 28] sift_down0 _43 ([#"../heapsort_generic.rs" 123 21 123 22] (0 : usize)) end'); _43 <- any borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); goto BB16 } diff --git a/creusot/tests/should_succeed/heapsort_generic.rs b/creusot/tests/should_succeed/heapsort_generic.rs index 93e7957cde..551c003231 100644 --- a/creusot/tests/should_succeed/heapsort_generic.rs +++ b/creusot/tests/should_succeed/heapsort_generic.rs @@ -6,7 +6,7 @@ use creusot_contracts::{ *, }; -#[ghost] +#[logic] fn parent(i: Int) -> Int { (i + 1) / 2 - 1 } @@ -17,7 +17,7 @@ fn heap_frag(s: Seq, start: Int, end: Int) -> bool { s[i] <= s[parent(i)] } } -#[ghost] +#[logic] #[requires(heap_frag(s, 0, end))] #[requires(0 <= i && i < end)] #[ensures(s[i] <= s[0])] @@ -42,7 +42,7 @@ fn sift_down(v: &mut Vec, start: usize, end: usize) where T::DeepModelTy: OrdLogic, { - let old_v = gh! { v }; + let old_v = snapshot! { v }; let mut i = start; #[invariant(v@.permutation_of(old_v@))] @@ -94,7 +94,7 @@ pub fn heap_sort(v: &mut Vec) where T::DeepModelTy: OrdLogic, { - let old_v = gh! { v }; + let old_v = snapshot! { v }; let mut start = v.len() / 2; #[invariant(v@.permutation_of(old_v@))] 
diff --git a/creusot/tests/should_succeed/heapsort_generic/why3session.xml b/creusot/tests/should_succeed/heapsort_generic/why3session.xml index e28544f122..01f99d27a7 100644 --- a/creusot/tests/should_succeed/heapsort_generic/why3session.xml +++ b/creusot/tests/should_succeed/heapsort_generic/why3session.xml @@ -9,8 +9,8 @@ - - + + @@ -32,7 +32,7 @@ - + @@ -49,56 +49,56 @@ - - + + - + - + - - + + - + - + - - + + - - + + - - + + - + - + - - + + - - + + - + - - + + - - + + - + @@ -119,10 +119,10 @@ - + - + @@ -131,10 +131,10 @@ - + - + @@ -146,33 +146,29 @@ - + - + - - - - - + - - - - - + + + + + @@ -183,17 +179,25 @@ - + + + + + - - - - - + + + + + + + + + @@ -204,62 +208,70 @@ + + + + + + + + + + - + - - + + - + - + - - + + + + + - - - - - - - - - - - - - - + - + + + + + - - - - + + + + + + + + @@ -268,13 +280,13 @@ - + - + @@ -301,110 +313,92 @@ - + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - + - + - + - + - - + + - - + + - - + + - - - - - - - - - - - - - - - - - - - + - + - + - + - + - - + + @@ -416,17 +410,35 @@ - - + + + + + - - + + - - + + - - + + + + + + + + + + + + + + + + + diff --git a/creusot/tests/should_succeed/heapsort_generic/why3shapes.gz b/creusot/tests/should_succeed/heapsort_generic/why3shapes.gz index 2b14177726..a41b99bf4e 100644 Binary files a/creusot/tests/should_succeed/heapsort_generic/why3shapes.gz and b/creusot/tests/should_succeed/heapsort_generic/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/hillel.mlcfg b/creusot/tests/should_succeed/hillel.mlcfg index 157c481a79..c76af90cd2 100644 --- a/creusot/tests/should_succeed/hillel.mlcfg +++ b/creusot/tests/should_succeed/hillel.mlcfg 
@@ -17,12 +17,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type @@ -76,7 +82,8 @@ module Hillel_RightPad requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv5 (shallow_model3 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -102,21 +109,21 @@ module Hillel_RightPad ensures { result = inv1 _x } axiom inv1 : forall x : t . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + val invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + val inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true use seq.Seq function shallow_model1 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model3 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model3 ( * self) val shallow_model1 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model1 self } 
@@ -126,7 +133,7 @@ module Hillel_RightPad ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 78 26 78 51] shallow_model3 ( ^ self) = Seq.snoc (shallow_model1 self) value } predicate resolve2 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve2 self } @@ -135,7 +142,7 @@ module Hillel_RightPad ensures { result = resolve1 self } function shallow_model5 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : Seq.seq t = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model3 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model3 self val shallow_model5 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : Seq.seq t ensures { result = shallow_model5 self } @@ -143,7 +150,7 @@ module Hillel_RightPad requires {inv4 self} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 75 26 75 48] UIntSize.to_int result = Seq.length (shallow_model5 self) } - use prelude.Ghost + use prelude.Snapshot use seq.Seq function index_logic0 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) (ix : int) : t 
@@ -154,38 +161,44 @@ module Hillel_RightPad function shallow_model4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model1 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model1 self val shallow_model4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model4 self } - function shallow_model0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + function shallow_model0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t = - [#"../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model4 (Ghost.inner self) - val shallow_model0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + [#"../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model4 (Snapshot.inner self) + val shallow_model0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t ensures { result = shallow_model0 self } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + + val resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg right_pad [#"../hillel.rs" 16 0 16 59] [@cfg:stackify] [@cfg:subregion_analysis] (str : borrowed (Alloc_Vec_Vec_Type.t_vec t 
(Alloc_Alloc_Global_Type.t_global))) (len : usize) (pad : t) : () requires {[#"../hillel.rs" 16 22 16 25] inv2 str} requires {[#"../hillel.rs" 16 52 16 55] inv1 pad} ensures { [#"../hillel.rs" 10 10 10 62] Seq.length (shallow_model3 ( ^ str)) >= UIntSize.to_int len /\ Seq.length (shallow_model3 ( ^ str)) >= Seq.length (shallow_model1 str) } ensures { [#"../hillel.rs" 11 10 11 62] Seq.length (shallow_model3 ( ^ str)) = UIntSize.to_int len \/ Seq.length (shallow_model3 ( ^ str)) = Seq.length (shallow_model1 str) } - ensures { [#"../hillel.rs" 12 0 12 62] UIntSize.to_int len <= Seq.length (shallow_model1 str) -> Seq.length (shallow_model3 ( ^ str)) = Seq.length (shallow_model1 str) } - ensures { [#"../hillel.rs" 13 0 13 55] UIntSize.to_int len > Seq.length (shallow_model1 str) -> Seq.length (shallow_model3 ( ^ str)) = UIntSize.to_int len } - ensures { [#"../hillel.rs" 14 0 14 75] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 str) -> index_logic0 ( ^ str) i = index_logic0 ( * str) i } - ensures { [#"../hillel.rs" 15 0 15 75] forall i : int . Seq.length (shallow_model1 str) <= i /\ i < UIntSize.to_int len -> index_logic0 ( ^ str) i = pad } + ensures { [#"../hillel.rs" 12 0 12 62] UIntSize.to_int len <= Seq.length (shallow_model1 str) + -> Seq.length (shallow_model3 ( ^ str)) = Seq.length (shallow_model1 str) } + ensures { [#"../hillel.rs" 13 0 13 55] UIntSize.to_int len > Seq.length (shallow_model1 str) + -> Seq.length (shallow_model3 ( ^ str)) = UIntSize.to_int len } + ensures { [#"../hillel.rs" 14 0 14 75] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 str) + -> index_logic0 ( ^ str) i = index_logic0 ( * str) i } + ensures { [#"../hillel.rs" 15 0 15 75] forall i : int . 
Seq.length (shallow_model1 str) <= i /\ i < UIntSize.to_int len + -> index_logic0 ( ^ str) i = pad } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var str : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = str; var len : usize = len; var pad : t = pad; - var old_str : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); + var old_str : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); + var _18 : bool; var _19 : usize; var _22 : (); var _23 : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); @@ -193,7 +206,7 @@ module Hillel_RightPad goto BB0 } BB0 { - [#"../hillel.rs" 17 18 17 29] old_str <- ([#"../hillel.rs" 17 18 17 29] Ghost.new str); + [#"../hillel.rs" 17 18 17 35] old_str <- ([#"../hillel.rs" 17 18 17 35] Snapshot.new str); goto BB1 } BB1 { 
@@ -203,18 +216,24 @@ module Hillel_RightPad } BB2 { invariant { [#"../hillel.rs" 19 16 19 44] Seq.length (shallow_model0 old_str) <= Seq.length (shallow_model1 str) }; - invariant { [#"../hillel.rs" 19 4 19 46] Seq.length (shallow_model0 old_str) < UIntSize.to_int len -> Seq.length (shallow_model1 str) <= UIntSize.to_int len }; - invariant { [#"../hillel.rs" 19 4 19 46] Seq.length (shallow_model1 str) > UIntSize.to_int len -> Seq.length (shallow_model1 str) = Seq.length (shallow_model0 old_str) }; - invariant { [#"../hillel.rs" 19 4 19 46] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 old_str) -> index_logic0 ( * str) i = index_logic0 ( * Ghost.inner old_str) i }; - invariant { [#"../hillel.rs" 19 4 19 46] forall i : int . Seq.length (shallow_model0 old_str) <= i /\ i < Seq.length (shallow_model1 str) -> index_logic0 ( * str) i = pad }; + invariant { [#"../hillel.rs" 19 4 19 46] Seq.length (shallow_model0 old_str) < UIntSize.to_int len + -> Seq.length (shallow_model1 str) <= UIntSize.to_int len }; + invariant { [#"../hillel.rs" 19 4 19 46] Seq.length (shallow_model1 str) > UIntSize.to_int len + -> Seq.length (shallow_model1 str) = Seq.length (shallow_model0 old_str) }; + invariant { [#"../hillel.rs" 19 4 19 46] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 old_str) + -> index_logic0 ( * str) i = index_logic0 ( * Snapshot.inner old_str) i }; + invariant { [#"../hillel.rs" 19 4 19 46] forall i : int . 
Seq.length (shallow_model0 old_str) <= i /\ i < Seq.length (shallow_model1 str) + -> index_logic0 ( * str) i = pad }; goto BB3 } BB3 { - [#"../hillel.rs" 24 10 24 19] _19 <- ([#"../hillel.rs" 24 10 24 19] len1 ([#"../hillel.rs" 24 10 24 13] * str)); + [#"../hillel.rs" 24 10 24 19] _19 <- ([#"../hillel.rs" 24 10 24 19] len1 ( * str)); goto BB4 } BB4 { - switch ([#"../hillel.rs" 24 10 24 25] _19 < ([#"../hillel.rs" 24 22 24 25] len)) + [#"../hillel.rs" 24 10 24 25] _18 <- _19 < len; + _19 <- any usize; + switch (_18) | False -> goto BB7 | True -> goto BB5 end @@ -223,7 +242,7 @@ module Hillel_RightPad [#"../hillel.rs" 25 8 25 11] _23 <- Borrow.borrow_mut ( * str); [#"../hillel.rs" 25 8 25 11] str <- { str with current = ( ^ _23) ; }; assume { inv3 ( ^ _23) }; - [#"../hillel.rs" 25 8 25 21] _22 <- ([#"../hillel.rs" 25 8 25 21] push0 _23 ([#"../hillel.rs" 25 17 25 20] pad)); + [#"../hillel.rs" 25 8 25 21] _22 <- ([#"../hillel.rs" 25 8 25 21] push0 _23 pad); _23 <- any borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); goto BB6 } 
@@ -278,7 +297,8 @@ module Hillel_LeftPad requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv5 (shallow_model4 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -304,18 +324,18 @@ module Hillel_LeftPad ensures { result = inv1 _x } axiom inv1 : forall x : t . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + val invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + val inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true - use prelude.Ghost + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true + use prelude.Snapshot use seq.Seq function index_logic0 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) (ix : int) : t 
@@ -326,7 +346,7 @@ module Hillel_LeftPad function shallow_model1 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model4 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model4 ( * self) val shallow_model1 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model1 self } 
@@ -334,12 +354,14 @@ module Hillel_LeftPad requires {inv2 self} requires {inv1 element} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 95 26 95 59] Seq.length (shallow_model4 ( ^ self)) = Seq.length (shallow_model1 self) + 1 } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 96 16 96 89] forall i : int . 0 <= i /\ i < UIntSize.to_int index -> index_logic0 ( ^ self) i = index_logic0 ( * self) i } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 96 16 96 89] forall i : int . 0 <= i /\ i < UIntSize.to_int index + -> index_logic0 ( ^ self) i = index_logic0 ( * self) i } ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 97 26 97 52] index_logic0 ( ^ self) (UIntSize.to_int index) = element } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 98 16 98 105] forall i : int . UIntSize.to_int index < i /\ i < Seq.length (shallow_model4 ( ^ self)) -> index_logic0 ( ^ self) i = index_logic0 ( * self) (i - 1) } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 98 16 98 105] forall i : int . UIntSize.to_int index < i /\ i < Seq.length (shallow_model4 ( ^ self)) + -> index_logic0 ( ^ self) i = index_logic0 ( * self) (i - 1) } predicate resolve2 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve2 self } 
@@ -348,7 +370,7 @@ module Hillel_LeftPad ensures { result = resolve1 self } function shallow_model7 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : Seq.seq t = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model4 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model4 self val shallow_model7 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : Seq.seq t ensures { result = shallow_model7 self } 
@@ -356,67 +378,71 @@ module Hillel_LeftPad requires {inv4 self} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 75 26 75 48] UIntSize.to_int result = Seq.length (shallow_model7 self) } - use prelude.Ghost + use prelude.Snapshot use prelude.Int function shallow_model6 (self : usize) : int = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] UIntSize.to_int self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] UIntSize.to_int self val shallow_model6 (self : usize) : int ensures { result = shallow_model6 self } - function shallow_model3 (self : Ghost.ghost_ty usize) : int = - [#"../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model6 (Ghost.inner self) - val shallow_model3 (self : Ghost.ghost_ty usize) : int + function shallow_model3 (self : Snapshot.snap_ty usize) : int = + [#"../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model6 (Snapshot.inner self) + val shallow_model3 (self : Snapshot.snap_ty usize) : int ensures { result = shallow_model3 self } function shallow_model5 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model1 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model1 self val shallow_model5 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model5 self } - function shallow_model0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + function shallow_model0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t = - [#"../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model5 (Ghost.inner self) - val shallow_model0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + 
[#"../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model5 (Snapshot.inner self) + val shallow_model0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t ensures { result = shallow_model0 self } - use prelude.Ghost - predicate resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + use prelude.Snapshot + predicate resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + + val resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg left_pad [#"../hillel.rs" 33 0 33 58] [@cfg:stackify] [@cfg:subregion_analysis] (str : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) (len : usize) (pad : t) : () requires {[#"../hillel.rs" 33 21 33 24] inv2 str} requires {[#"../hillel.rs" 33 51 33 54] inv1 pad} ensures { [#"../hillel.rs" 29 10 29 62] Seq.length (shallow_model4 ( ^ str)) >= UIntSize.to_int len /\ Seq.length (shallow_model4 ( ^ str)) >= Seq.length (shallow_model1 str) } ensures { [#"../hillel.rs" 30 10 30 62] Seq.length (shallow_model4 ( ^ str)) = UIntSize.to_int len \/ Seq.length (shallow_model4 ( ^ str)) = Seq.length (shallow_model1 str) } - ensures { [#"../hillel.rs" 31 0 31 90] forall i : int . 0 <= i /\ i < Seq.length (shallow_model4 ( ^ str)) - Seq.length (shallow_model1 str) -> index_logic0 ( ^ str) i = pad } - ensures { [#"../hillel.rs" 32 0 32 106] forall i : int . 
0 <= i /\ i < Seq.length (shallow_model1 str) -> index_logic0 ( ^ str) (i + (Seq.length (shallow_model4 ( ^ str)) - Seq.length (shallow_model1 str))) = index_logic0 ( * str) i } + ensures { [#"../hillel.rs" 31 0 31 90] forall i : int . 0 <= i /\ i < Seq.length (shallow_model4 ( ^ str)) - Seq.length (shallow_model1 str) + -> index_logic0 ( ^ str) i = pad } + ensures { [#"../hillel.rs" 32 0 32 106] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 str) + -> index_logic0 ( ^ str) (i + (Seq.length (shallow_model4 ( ^ str)) - Seq.length (shallow_model1 str))) = index_logic0 ( * str) i } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var str : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = str; var len : usize = len; var pad : t = pad; - var old_str : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); - var c : Ghost.ghost_ty usize; + var old_str : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); + var c : Snapshot.snap_ty usize; + var _19 : bool; var _20 : usize; var _23 : (); var _24 : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); - var _26 : Ghost.ghost_ty usize; + var _26 : Snapshot.snap_ty usize; { goto BB0 } BB0 { - [#"../hillel.rs" 34 18 34 29] old_str <- ([#"../hillel.rs" 34 18 34 29] Ghost.new str); + [#"../hillel.rs" 34 18 34 35] old_str <- ([#"../hillel.rs" 34 18 34 35] Snapshot.new str); goto BB1 } BB1 { assert { [@expl:type invariant] inv0 old_str }; assume { resolve0 old_str }; - [#"../hillel.rs" 35 30 35 44] c <- ([#"../hillel.rs" 35 30 35 44] Ghost.new (0 : usize)); + [#"../hillel.rs" 35 33 35 53] c <- ([#"../hillel.rs" 35 33 35 53] Snapshot.new (0 : usize)); goto BB2 } BB2 { 
@@ -424,19 +450,25 @@ module Hillel_LeftPad } BB3 { invariant { [#"../hillel.rs" 37 16 37 44] Seq.length (shallow_model0 old_str) <= Seq.length (shallow_model1 str) }; - invariant { [#"../hillel.rs" 37 4 37 46] Seq.length (shallow_model0 old_str) < UIntSize.to_int len -> Seq.length (shallow_model1 str) <= UIntSize.to_int len }; - invariant { [#"../hillel.rs" 37 4 37 46] Seq.length (shallow_model1 str) > UIntSize.to_int len -> Seq.length (shallow_model1 str) = Seq.length (shallow_model0 old_str) }; + invariant { [#"../hillel.rs" 37 4 37 46] Seq.length (shallow_model0 old_str) < UIntSize.to_int len + -> Seq.length (shallow_model1 str) <= UIntSize.to_int len }; + invariant { [#"../hillel.rs" 37 4 37 46] Seq.length (shallow_model1 str) > UIntSize.to_int len + -> Seq.length (shallow_model1 str) = Seq.length (shallow_model0 old_str) }; invariant { [#"../hillel.rs" 40 16 40 49] shallow_model3 c = Seq.length (shallow_model1 str) - Seq.length (shallow_model0 old_str) }; - invariant { [#"../hillel.rs" 37 4 37 46] forall i : int . shallow_model3 c <= i /\ i < Seq.length (shallow_model1 str) -> index_logic0 ( * str) i = index_logic0 ( * Ghost.inner old_str) (i - shallow_model3 c) }; - invariant { [#"../hillel.rs" 37 4 37 46] forall i : int . 0 <= i /\ i < shallow_model3 c -> index_logic0 ( * str) i = pad }; + invariant { [#"../hillel.rs" 37 4 37 46] forall i : int . shallow_model3 c <= i /\ i < Seq.length (shallow_model1 str) + -> index_logic0 ( * str) i = index_logic0 ( * Snapshot.inner old_str) (i - shallow_model3 c) }; + invariant { [#"../hillel.rs" 37 4 37 46] forall i : int . 
0 <= i /\ i < shallow_model3 c + -> index_logic0 ( * str) i = pad }; goto BB4 } BB4 { - [#"../hillel.rs" 43 10 43 19] _20 <- ([#"../hillel.rs" 43 10 43 19] len1 ([#"../hillel.rs" 43 10 43 13] * str)); + [#"../hillel.rs" 43 10 43 19] _20 <- ([#"../hillel.rs" 43 10 43 19] len1 ( * str)); goto BB5 } BB5 { - switch ([#"../hillel.rs" 43 10 43 25] _20 < ([#"../hillel.rs" 43 22 43 25] len)) + [#"../hillel.rs" 43 10 43 25] _19 <- _20 < len; + _20 <- any usize; + switch (_19) | False -> goto BB9 | True -> goto BB6 end @@ -445,17 +477,17 @@ module Hillel_LeftPad [#"../hillel.rs" 44 8 44 11] _24 <- Borrow.borrow_mut ( * str); [#"../hillel.rs" 44 8 44 11] str <- { str with current = ( ^ _24) ; }; assume { inv3 ( ^ _24) }; - [#"../hillel.rs" 44 8 44 26] _23 <- ([#"../hillel.rs" 44 8 44 26] insert0 _24 ([#"../hillel.rs" 44 19 44 20] [#"../hillel.rs" 44 19 44 20] (0 : usize)) ([#"../hillel.rs" 44 22 44 25] pad)); + [#"../hillel.rs" 44 8 44 26] _23 <- ([#"../hillel.rs" 44 8 44 26] insert0 _24 ([#"../hillel.rs" 44 19 44 20] (0 : usize)) pad); _24 <- any borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); goto BB7 } BB7 { - [#"../hillel.rs" 45 12 45 31] _26 <- ([#"../hillel.rs" 45 12 45 31] Ghost.new ((1 : usize) + Ghost.inner c)); + [#"../hillel.rs" 45 12 45 37] _26 <- ([#"../hillel.rs" 45 12 45 37] Snapshot.new ((1 : usize) + Snapshot.inner c)); goto BB8 } BB8 { - [#"../hillel.rs" 45 8 45 31] c <- ([#"../hillel.rs" 45 8 45 31] _26); - [#"../hillel.rs" 45 8 45 31] _26 <- any Ghost.ghost_ty usize; + [#"../hillel.rs" 45 8 45 37] c <- _26; + _26 <- any Snapshot.snap_ty usize; goto BB3 } BB9 { 
@@ -498,18 +530,16 @@ module Hillel_SubsetPush_Impl ensures { result = contains0 seq elem } predicate is_subset0 [#"../hillel.rs" 64 0 64 49] (sub : Seq.seq t) (sup : Seq.seq t) = - [#"../hillel.rs" 65 4 67 5] forall i : int . 0 <= i /\ i < Seq.length sub -> contains0 sup (Seq.get sub i) + [#"../hillel.rs" 65 4 67 5] forall i : int . 0 <= i /\ i < Seq.length sub -> contains0 sup (Seq.get sub i) val is_subset0 [#"../hillel.rs" 64 0 64 49] (sub : Seq.seq t) (sup : Seq.seq t) : bool ensures { result = is_subset0 sub sup } use seq.Seq - let rec ghost function subset_push [#"../hillel.rs" 72 0 72 37] (s : Seq.seq t) (elem : t) : () - requires {[#"../hillel.rs" 72 18 72 19] inv0 s} - requires {[#"../hillel.rs" 72 29 72 33] inv1 elem} - ensures { [#"../hillel.rs" 71 10 71 36] is_subset0 s (Seq.snoc s elem) } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../hillel.rs" 70 0 70 8] () + constant s : Seq.seq t + constant elem : t + function subset_push [#"../hillel.rs" 72 0 72 37] (s : Seq.seq t) (elem : t) : () + goal vc_subset_push : ([#"../hillel.rs" 72 29 72 33] inv1 elem) + -> ([#"../hillel.rs" 72 18 72 19] inv0 s) -> ([#"../hillel.rs" 71 10 71 36] is_subset0 s (Seq.snoc s elem)) end module Core_Slice_Iter_Iter_Type use prelude.Borrow 
@@ -616,7 +646,8 @@ module Hillel_InsertUnique requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv14 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv14 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant8 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv14 (shallow_model3 self) val invariant8 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -670,7 +701,8 @@ module Hillel_InsertUnique requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv15 self} ensures { result = shallow_model5 self } - axiom shallow_model5_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv15 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv14 (shallow_model5 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model5 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max0) + axiom shallow_model5_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv15 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv14 (shallow_model5 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model5 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max0) function index_logic5 [@inline:trivial] (self : slice t) (ix : int) : t = [#"../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model5 self) ix val index_logic5 [@inline:trivial] (self : slice t) (ix : int) : t @@ -678,7 +710,7 @@ module Hillel_InsertUnique use seq.Seq function shallow_model0 (self : slice t) : Seq.seq t = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model5 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model5 self val shallow_model0 (self : slice t) : Seq.seq t ensures { result = shallow_model0 self } 
@@ -692,7 +724,9 @@ module Hillel_InsertUnique requires {[#"../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv1 self} ensures { result = to_ref_seq0 self } - axiom to_ref_seq0_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv1 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv13 (to_ref_seq0 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) -> Seq.get (to_ref_seq0 self) i = index_logic5 self i) && ([#"../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model0 self)) + axiom to_ref_seq0_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv1 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv13 (to_ref_seq0 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) + -> Seq.get (to_ref_seq0 self) i = index_logic5 self i) && ([#"../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model0 self)) function shallow_model2 (self : Core_Slice_Iter_Iter_Type.t_iter t) : slice t val shallow_model2 (self : Core_Slice_Iter_Iter_Type.t_iter t) : slice t ensures { result = shallow_model2 self } 
@@ -715,7 +749,11 @@ module Hillel_InsertUnique requires {[#"../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv13 bc} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter t, ab : Seq.seq t, b : Core_Slice_Iter_Iter_Type.t_iter t, bc : Seq.seq t, c : Core_Slice_Iter_Iter_Type.t_iter t . ([#"../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv13 ab) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv13 bc) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter t, ab : Seq.seq t, b : Core_Slice_Iter_Iter_Type.t_iter t, bc : Seq.seq t, c : Core_Slice_Iter_Iter_Type.t_iter t . ([#"../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv13 ab) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv13 bc) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Slice_Iter_Iter_Type.t_iter t) : () = [#"../../../../creusot-contracts/src/std/slice.rs" 390 4 390 10] () 
@@ -732,30 +770,30 @@ module Hillel_InsertUnique ensures { result = inv3 _x } axiom inv3 : forall x : Core_Slice_Iter_Iter_Type.t_iter t . inv3 x = true - use prelude.Ghost - predicate invariant2 (self : Ghost.ghost_ty (Seq.seq t)) - val invariant2 (self : Ghost.ghost_ty (Seq.seq t)) : bool + use prelude.Snapshot + predicate invariant2 (self : Snapshot.snap_ty (Seq.seq t)) + val invariant2 (self : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = invariant2 self } - predicate inv2 (_x : Ghost.ghost_ty (Seq.seq t)) - val inv2 (_x : Ghost.ghost_ty (Seq.seq t)) : bool + predicate inv2 (_x : Snapshot.snap_ty (Seq.seq t)) + val inv2 (_x : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = inv2 _x } - axiom inv2 : forall x : Ghost.ghost_ty (Seq.seq t) . inv2 x = true + axiom inv2 : forall x : Snapshot.snap_ty (Seq.seq t) . inv2 x = true predicate invariant1 (self : slice t) val invariant1 (self : slice t) : bool ensures { result = invariant1 self } axiom inv1 : forall x : slice t . 
inv1 x = true - predicate invariant0 (self : Ghost.ghost_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) - val invariant0 (self : Ghost.ghost_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool + predicate invariant0 (self : Snapshot.snap_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) + val invariant0 (self : Snapshot.snap_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) - val inv0 (_x : Ghost.ghost_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool + predicate inv0 (_x : Snapshot.snap_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) + val inv0 (_x : Snapshot.snap_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) . inv0 x = true function deep_model1 (self : t) : deep_model_ty0 val deep_model1 (self : t) : deep_model_ty0 ensures { result = deep_model1 self } 
@@ -774,11 +812,13 @@ module Hillel_InsertUnique requires {[#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv8 self} ensures { result = deep_model3 self } - axiom deep_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv8 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv9 (deep_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) -> Seq.get (deep_model3 self) i = deep_model1 (index_logic1 self i)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model3 self) = Seq.length (deep_model3 self)) + axiom deep_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv8 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv9 (deep_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) + -> Seq.get (deep_model3 self) i = deep_model1 (index_logic1 self i)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model3 self) = Seq.length (deep_model3 self)) use seq.Seq function shallow_model4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model3 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model3 ( * self) val shallow_model4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model4 self } 
@@ -788,7 +828,8 @@ module Hillel_InsertUnique ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 78 26 78 51] shallow_model3 ( ^ self) = Seq.snoc (shallow_model4 self) value } predicate is_unique0 [#"../hillel.rs" 50 0 50 34] (s : Seq.seq deep_model_ty0) = - [#"../hillel.rs" 51 4 53 5] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s -> Seq.get s i = Seq.get s j -> i = j + [#"../hillel.rs" 51 4 53 5] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s + -> Seq.get s i = Seq.get s j -> i = j val is_unique0 [#"../hillel.rs" 50 0 50 34] (s : Seq.seq deep_model_ty0) : bool ensures { result = is_unique0 s } @@ -798,7 +839,7 @@ module Hillel_InsertUnique ensures { result = contains0 seq elem } predicate resolve10 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve10 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve10 self } @@ -811,12 +852,12 @@ module Hillel_InsertUnique ensures { result = resolve8 self } function deep_model2 (self : t) : deep_model_ty0 = - [#"../../../../creusot-contracts/src/model.rs" 70 8 70 28] deep_model1 self + [#"../../../../creusot-contracts/src/model.rs" 74 8 74 28] deep_model1 self val deep_model2 (self : t) : deep_model_ty0 ensures { result = deep_model2 self } function deep_model4 (self : t) : deep_model_ty0 = - [#"../../../../creusot-contracts/src/model.rs" 70 8 70 28] deep_model2 self + [#"../../../../creusot-contracts/src/model.rs" 74 8 74 28] deep_model2 self val deep_model4 (self : t) : deep_model_ty0 ensures { result = deep_model4 self } 
@@ -825,7 +866,7 @@ module Hillel_InsertUnique requires {inv12 other} ensures { [#"../../../../creusot-contracts/src/std/cmp.rs" 11 26 11 75] result = (deep_model4 self = deep_model4 other) } - use prelude.Ghost + use prelude.Snapshot predicate resolve7 (self : t) val resolve7 (self : t) : bool ensures { result = resolve7 self } @@ -836,13 +877,13 @@ module Hillel_InsertUnique ensures { result = resolve6 self } predicate resolve5 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter t)) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve5 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter t)) : bool ensures { result = resolve5 self } use seq.Seq function shallow_model6 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter t)) : slice t = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model2 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model2 ( * self) val shallow_model6 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter t)) : slice t ensures { result = shallow_model6 self } 
@@ -858,24 +899,24 @@ module Hillel_InsertUnique end } ensures { inv4 result } - use prelude.Ghost - function index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t = - [#"../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Ghost.inner self) ix - val index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq t)) (ix : int) : t + use prelude.Snapshot + function index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq t)) (ix : int) : t = + [#"../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Snapshot.inner self) ix + val index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq t)) (ix : int) : t ensures { result = index_logic0 self ix } - use prelude.Ghost - use prelude.Ghost - predicate resolve4 (self : Ghost.ghost_ty (Seq.seq t)) - val resolve4 (self : Ghost.ghost_ty (Seq.seq t)) : bool + use prelude.Snapshot + use prelude.Snapshot + predicate resolve4 (self : Snapshot.snap_ty (Seq.seq t)) + val resolve4 (self : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = resolve4 self } - use prelude.Ghost - predicate resolve3 (self : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter t)) - val resolve3 (self : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter t)) : bool + use prelude.Snapshot + predicate resolve3 (self : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter t)) + val resolve3 (self : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter t)) : bool ensures { result = resolve3 self } - use prelude.Ghost + use prelude.Snapshot predicate into_iter_post0 (self : Core_Slice_Iter_Iter_Type.t_iter t) (res : Core_Slice_Iter_Iter_Type.t_iter t) = [#"../../../../creusot-contracts/src/std/iter.rs" 80 8 80 19] self = res val into_iter_post0 (self : Core_Slice_Iter_Iter_Type.t_iter t) (res : Core_Slice_Iter_Iter_Type.t_iter t) : bool 
@@ -901,7 +942,7 @@ module Hillel_InsertUnique ensures { result = resolve2 self } function shallow_model1 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : Seq.seq t = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model3 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model3 self val shallow_model1 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : Seq.seq t ensures { result = shallow_model1 self } @@ -910,13 +951,13 @@ module Hillel_InsertUnique ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 147 26 147 42] shallow_model0 result = shallow_model1 self } ensures { inv1 result } - predicate resolve1 (self : Ghost.ghost_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) - val resolve1 (self : Ghost.ghost_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool + predicate resolve1 (self : Snapshot.snap_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) + val resolve1 (self : Snapshot.snap_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve1 self } - use prelude.Ghost + use prelude.Snapshot predicate is_subset0 [#"../hillel.rs" 64 0 64 49] (sub : Seq.seq deep_model_ty0) (sup : Seq.seq deep_model_ty0) = - [#"../hillel.rs" 65 4 67 5] forall i : int . 0 <= i /\ i < Seq.length sub -> contains0 sup (Seq.get sub i) + [#"../hillel.rs" 65 4 67 5] forall i : int . 0 <= i /\ i < Seq.length sub -> contains0 sup (Seq.get sub i) val is_subset0 [#"../hillel.rs" 64 0 64 49] (sub : Seq.seq deep_model_ty0) (sup : Seq.seq deep_model_ty0) : bool ensures { result = is_subset0 sub sup } 
@@ -924,15 +965,15 @@ module Hillel_InsertUnique function deep_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq deep_model_ty0 = - [#"../../../../creusot-contracts/src/model.rs" 88 8 88 28] deep_model3 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 92 8 92 28] deep_model3 ( * self) val deep_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq deep_model_ty0 ensures { result = deep_model0 self } - predicate resolve0 (self : Ghost.ghost_ty ()) - val resolve0 (self : Ghost.ghost_ty ()) : bool + predicate resolve0 (self : Snapshot.snap_ty ()) + val resolve0 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot function subset_push0 [#"../hillel.rs" 72 0 72 37] (s : Seq.seq deep_model_ty0) (elem : deep_model_ty0) : () = [#"../hillel.rs" 70 0 70 8] () val subset_push0 [#"../hillel.rs" 72 0 72 37] (s : Seq.seq deep_model_ty0) (elem : deep_model_ty0) : () @@ -940,7 +981,8 @@ module Hillel_InsertUnique requires {[#"../hillel.rs" 72 29 72 33] inv10 elem} ensures { result = subset_push0 s elem } - axiom subset_push0_spec : forall s : Seq.seq deep_model_ty0, elem : deep_model_ty0 . ([#"../hillel.rs" 72 18 72 19] inv9 s) -> ([#"../hillel.rs" 72 29 72 33] inv10 elem) -> ([#"../hillel.rs" 71 10 71 36] is_subset0 s (Seq.snoc s elem)) + axiom subset_push0_spec : forall s : Seq.seq deep_model_ty0, elem : deep_model_ty0 . ([#"../hillel.rs" 72 18 72 19] inv9 s) + -> ([#"../hillel.rs" 72 29 72 33] inv10 elem) -> ([#"../hillel.rs" 71 10 71 36] is_subset0 s (Seq.snoc s elem)) let rec cfg insert_unique [#"../hillel.rs" 79 0 79 62] [@cfg:stackify] [@cfg:subregion_analysis] (vec : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) (elem : t) : () requires {[#"../hillel.rs" 74 11 74 38] is_unique0 (deep_model0 vec)} requires {[#"../hillel.rs" 79 36 79 39] inv7 vec} 
@@ -954,18 +996,18 @@ module Hillel_InsertUnique var _0 : (); var vec : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = vec; var elem : t = elem; - var _8 : Ghost.ghost_ty (); - var ghost_vec : Ghost.ghost_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); + var _8 : Snapshot.snap_ty (); + var ghost_vec : Snapshot.snap_ty (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); var iter : Core_Slice_Iter_Iter_Type.t_iter t; var _16 : Core_Slice_Iter_Iter_Type.t_iter t; var _18 : slice t; - var iter_old : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter t); - var produced : Ghost.ghost_ty (Seq.seq t); + var iter_old : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter t); + var produced : Snapshot.snap_ty (Seq.seq t); var _28 : Core_Option_Option_Type.t_option t; var _29 : borrowed (Core_Slice_Iter_Iter_Type.t_iter t); var _30 : borrowed (Core_Slice_Iter_Iter_Type.t_iter t); var __creusot_proc_iter_elem : t; - var _33 : Ghost.ghost_ty (Seq.seq t); + var _33 : Snapshot.snap_ty (Seq.seq t); var e : t; var _38 : bool; var _41 : t; @@ -981,7 +1023,7 @@ module Hillel_InsertUnique goto BB2 } BB2 { - [#"../hillel.rs" 80 4 80 41] _8 <- ([#"../hillel.rs" 80 4 80 41] Ghost.new ()); + [#"../hillel.rs" 80 4 80 47] _8 <- ([#"../hillel.rs" 80 4 80 47] Snapshot.new ()); goto BB3 } BB3 { 
@@ -990,19 +1032,19 @@ module Hillel_InsertUnique goto BB4 } BB4 { - [#"../hillel.rs" 82 20 82 32] ghost_vec <- ([#"../hillel.rs" 82 20 82 32] Ghost.new ( * vec)); + [#"../hillel.rs" 82 20 82 38] ghost_vec <- ([#"../hillel.rs" 82 20 82 38] Snapshot.new ( * vec)); goto BB5 } BB5 { assert { [@expl:type invariant] inv0 ghost_vec }; assume { resolve1 ghost_vec }; - [#"../hillel.rs" 85 13 85 23] _18 <- ([#"../hillel.rs" 85 13 85 23] deref0 ([#"../hillel.rs" 85 13 85 16] * vec)); + [#"../hillel.rs" 85 13 85 23] _18 <- ([#"../hillel.rs" 85 13 85 23] deref0 ( * vec)); goto BB6 } BB6 { assert { [@expl:type invariant] inv1 _18 }; assume { resolve2 _18 }; - [#"../hillel.rs" 85 13 85 23] _16 <- ([#"../hillel.rs" 85 13 85 23] iter0 ([#"../hillel.rs" 85 13 85 16] _18)); + [#"../hillel.rs" 85 13 85 23] _16 <- ([#"../hillel.rs" 85 13 85 23] iter0 _18); goto BB7 } BB7 { @@ -1011,12 +1053,12 @@ module Hillel_InsertUnique goto BB8 } BB8 { - [#"../hillel.rs" 84 4 84 111] iter_old <- ([#"../hillel.rs" 84 4 84 111] Ghost.new iter); + [#"../hillel.rs" 84 4 84 111] iter_old <- ([#"../hillel.rs" 84 4 84 111] Snapshot.new iter); goto BB9 } BB9 { assume { resolve3 iter_old }; - [#"../hillel.rs" 84 4 84 111] produced <- ([#"../hillel.rs" 84 4 84 111] Ghost.new (Seq.empty )); + [#"../hillel.rs" 84 4 84 111] produced <- ([#"../hillel.rs" 84 4 84 111] Snapshot.new (Seq.empty )); goto BB10 } BB10 { 
@@ -1029,8 +1071,9 @@ module Hillel_InsertUnique } BB12 { invariant { [#"../hillel.rs" 84 4 84 111] inv3 iter }; - invariant { [#"../hillel.rs" 84 4 84 111] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../hillel.rs" 84 4 84 111] forall j : int . 0 <= j /\ j < Seq.length (Ghost.inner produced) -> deep_model2 (index_logic0 produced j) <> deep_model1 elem }; + invariant { [#"../hillel.rs" 84 4 84 111] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../hillel.rs" 84 4 84 111] forall j : int . 0 <= j /\ j < Seq.length (Snapshot.inner produced) + -> deep_model2 (index_logic0 produced j) <> deep_model1 elem }; goto BB13 } BB13 { 
@@ -1060,34 +1103,34 @@ module Hillel_InsertUnique goto BB18 } BB17 { - assert { [@expl:type invariant] inv4 _28 }; - assume { resolve6 _28 }; assume { resolve8 iter }; assert { [@expl:type invariant] inv6 elem }; assume { resolve9 elem }; + assert { [@expl:type invariant] inv4 _28 }; + assume { resolve6 _28 }; assert { [@expl:type invariant] inv7 vec }; assume { resolve10 vec }; assert { [#"../hillel.rs" 84 4 84 111] false }; absurd } BB18 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _28); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _28; assert { [@expl:type invariant] inv4 _28 }; assume { resolve6 _28 }; - [#"../hillel.rs" 84 4 84 111] _33 <- ([#"../hillel.rs" 84 4 84 111] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../hillel.rs" 84 4 84 111] _33 <- ([#"../hillel.rs" 84 4 84 111] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB19 } BB19 { - [#"../hillel.rs" 84 4 84 111] produced <- ([#"../hillel.rs" 84 4 84 111] _33); - [#"../hillel.rs" 84 4 84 111] _33 <- any Ghost.ghost_ty (Seq.seq t); + [#"../hillel.rs" 84 4 84 111] produced <- _33; + _33 <- any Snapshot.snap_ty (Seq.seq t); assert { [@expl:type invariant] inv2 produced }; assume { resolve4 produced }; - [#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] e <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] e <- __creusot_proc_iter_elem; assert { [@expl:type invariant] inv5 __creusot_proc_iter_elem }; assume { resolve7 __creusot_proc_iter_elem }; - assert { [@expl:assertion] [#"../hillel.rs" 86 24 86 57] e = index_logic1 (Ghost.inner ghost_vec) (Seq.length (Ghost.inner 
produced) - 1) }; - [#"../hillel.rs" 87 16 87 21] _41 <- ([#"../hillel.rs" 87 16 87 21] elem); - [#"../hillel.rs" 87 11 87 21] _38 <- ([#"../hillel.rs" 87 11 87 21] eq0 ([#"../hillel.rs" 87 11 87 12] e) ([#"../hillel.rs" 87 16 87 21] _41)); + assert { [@expl:assertion] [#"../hillel.rs" 86 24 86 57] e = index_logic1 (Snapshot.inner ghost_vec) (Seq.length (Snapshot.inner produced) - 1) }; + [#"../hillel.rs" 87 16 87 21] _41 <- elem; + [#"../hillel.rs" 87 11 87 21] _38 <- ([#"../hillel.rs" 87 11 87 21] eq0 e _41); goto BB20 } BB20 { @@ -1124,9 +1167,9 @@ module Hillel_InsertUnique [#"../hillel.rs" 94 4 94 7] _49 <- Borrow.borrow_final ( * vec) (Borrow.get_id vec); [#"../hillel.rs" 94 4 94 7] vec <- { vec with current = ( ^ _49) ; }; assume { inv8 ( ^ _49) }; - [#"../hillel.rs" 94 4 94 18] _48 <- ([#"../hillel.rs" 94 4 94 18] push1 _49 ([#"../hillel.rs" 94 13 94 17] elem)); + [#"../hillel.rs" 94 4 94 18] _48 <- ([#"../hillel.rs" 94 4 94 18] push1 _49 elem); _49 <- any borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); - [#"../hillel.rs" 94 13 94 17] elem <- any t; + elem <- any t; goto BB25 } BB25 { 
@@ -1262,7 +1305,8 @@ module Hillel_Unique requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv9 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv9 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv9 (shallow_model1 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1285,7 +1329,9 @@ module Hillel_Unique predicate produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model2 (Core_Ops_Range_Range_Type.range_start self) <= deep_model2 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model2 (Core_Ops_Range_Range_Type.range_start o) <= deep_model2 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model2 (Core_Ops_Range_Range_Type.range_start o) - deep_model2 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model2 (Seq.get visited i) = deep_model2 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model2 (Core_Ops_Range_Range_Type.range_start self) <= deep_model2 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model2 (Core_Ops_Range_Range_Type.range_start o) <= deep_model2 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model2 (Core_Ops_Range_Range_Type.range_start o) - deep_model2 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model2 (Seq.get visited i) = deep_model2 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces0 self visited o } 
@@ -1301,30 +1347,38 @@ module Hillel_Unique requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv1 a) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv10 ab) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv1 b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv10 bc) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv1 a) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv10 ab) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv1 b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv10 bc) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant1 (self : Core_Ops_Range_Range_Type.t_range usize) = [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant1 (self : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = invariant1 self } axiom inv1 : forall x : Core_Ops_Range_Range_Type.t_range usize . 
inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (Seq.seq t)) - val invariant0 (self : Ghost.ghost_ty (Seq.seq t)) : bool + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (Seq.seq t)) + val invariant0 (self : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (Seq.seq t)) - val inv0 (_x : Ghost.ghost_ty (Seq.seq t)) : bool + predicate inv0 (_x : Snapshot.snap_ty (Seq.seq t)) + val inv0 (_x : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (Seq.seq t) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (Seq.seq t) . inv0 x = true predicate resolve2 (self : t) val resolve2 (self : t) : bool ensures { result = resolve2 self } @@ -1338,7 +1392,8 @@ module Hillel_Unique ensures { result = index_logic2 self ix } predicate resolve5 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) -> resolve2 (index_logic2 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) + -> resolve2 (index_logic2 self i) val resolve5 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve5 self } 
@@ -1349,9 +1404,10 @@ module Hillel_Unique requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv9 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model3 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv9 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model3 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) function shallow_model0 (self : slice t) : Seq.seq t = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model3 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model3 self val shallow_model0 (self : slice t) : Seq.seq t ensures { result = shallow_model0 self } @@ -1360,9 +1416,9 @@ module Hillel_Unique ensures { result = resolve4 self } use seq.Seq - use prelude.Ghost + use prelude.Snapshot predicate resolve3 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve3 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve3 self } 
@@ -1379,7 +1435,7 @@ module Hillel_Unique ensures { result = deep_model3 self } predicate is_subset0 [#"../hillel.rs" 64 0 64 49] (sub : Seq.seq deep_model_ty0) (sup : Seq.seq deep_model_ty0) = - [#"../hillel.rs" 65 4 67 5] forall i : int . 0 <= i /\ i < Seq.length sub -> contains0 sup (Seq.get sub i) + [#"../hillel.rs" 65 4 67 5] forall i : int . 0 <= i /\ i < Seq.length sub -> contains0 sup (Seq.get sub i) val is_subset0 [#"../hillel.rs" 64 0 64 49] (sub : Seq.seq deep_model_ty0) (sup : Seq.seq deep_model_ty0) : bool ensures { result = is_subset0 sub sup } 
@@ -1388,16 +1444,19 @@ module Hillel_Unique requires {[#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv2 self} ensures { result = deep_model0 self } - axiom deep_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv6 (deep_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) -> Seq.get (deep_model0 self) i = deep_model3 (index_logic2 self i)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model1 self) = Seq.length (deep_model0 self)) + axiom deep_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv6 (deep_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) + -> Seq.get (deep_model0 self) i = deep_model3 (index_logic2 self i)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model1 self) = Seq.length (deep_model0 self)) predicate is_unique0 [#"../hillel.rs" 50 0 50 34] (s : Seq.seq deep_model_ty0) = - [#"../hillel.rs" 51 4 53 5] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s -> Seq.get s i = Seq.get s j -> i = j + [#"../hillel.rs" 51 4 53 5] forall j : int . forall i : int . 
0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s + -> Seq.get s i = Seq.get s j -> i = j val is_unique0 [#"../hillel.rs" 50 0 50 34] (s : Seq.seq deep_model_ty0) : bool ensures { result = is_unique0 s } function deep_model5 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq deep_model_ty0 = - [#"../../../../creusot-contracts/src/model.rs" 88 8 88 28] deep_model0 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 92 8 92 28] deep_model0 ( * self) val deep_model5 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq deep_model_ty0 ensures { result = deep_model5 self } @@ -1412,7 +1471,7 @@ module Hillel_Unique use seq.Seq predicate resolve1 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) : bool ensures { result = resolve1 self } @@ -1430,7 +1489,7 @@ module Hillel_Unique ensures { inv8 result } use seq_ext.SeqExt - use prelude.Ghost + use prelude.Snapshot function index_logic4 [@inline:trivial] (self : slice t) (ix : int) : t = [#"../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model3 self) ix val index_logic4 [@inline:trivial] (self : slice t) (ix : int) : t 
@@ -1441,16 +1500,18 @@ module Hillel_Unique requires {[#"../../../../creusot-contracts/src/std/slice.rs" 32 18 32 22] inv11 self} ensures { result = deep_model4 self } - axiom deep_model4_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 32 18 32 22] inv11 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 32 4 32 44] inv6 (deep_model4 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 31 4 31 98] forall i : int . 0 <= i /\ i < Seq.length (deep_model4 self) -> Seq.get (deep_model4 self) i = deep_model3 (index_logic4 self i)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 30 14 30 44] Seq.length (shallow_model0 self) = Seq.length (deep_model4 self)) + axiom deep_model4_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 32 18 32 22] inv11 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 32 4 32 44] inv6 (deep_model4 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 31 4 31 98] forall i : int . 0 <= i /\ i < Seq.length (deep_model4 self) + -> Seq.get (deep_model4 self) i = deep_model3 (index_logic4 self i)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 30 14 30 44] Seq.length (shallow_model0 self) = Seq.length (deep_model4 self)) function deep_model1 (self : slice t) : Seq.seq deep_model_ty0 = - [#"../../../../creusot-contracts/src/model.rs" 70 8 70 28] deep_model4 self + [#"../../../../creusot-contracts/src/model.rs" 74 8 74 28] deep_model4 self val deep_model1 (self : slice t) : Seq.seq deep_model_ty0 ensures { result = deep_model1 self } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_Range_Type.t_range usize) (res : Core_Ops_Range_Range_Type.t_range usize) = 
@@ -1473,11 +1534,11 @@ module Hillel_Unique requires {inv5 self} ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 238 0 334 1] Seq.length (shallow_model0 self) = UIntSize.to_int result } - predicate resolve0 (self : Ghost.ghost_ty (Seq.seq t)) - val resolve0 (self : Ghost.ghost_ty (Seq.seq t)) : bool + predicate resolve0 (self : Snapshot.snap_ty (Seq.seq t)) + val resolve0 (self : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot use seq.Seq val new0 (_1 : ()) : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 68 26 68 44] Seq.length (shallow_model1 result) = 0 } 
@@ -1494,52 +1555,56 @@ module Hillel_Unique var _0 : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global); var str : slice t = str; var unique : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global); - var sub_str : Ghost.ghost_ty (Seq.seq t); + var sub_str : Snapshot.snap_ty (Seq.seq t); var iter : Core_Ops_Range_Range_Type.t_range usize; + var _10 : Core_Ops_Range_Range_Type.t_range usize; var _11 : usize; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range usize); - var produced : Ghost.ghost_ty (Seq.seq usize); + var iter_old : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range usize); + var produced : Snapshot.snap_ty (Seq.seq usize); var _23 : Core_Option_Option_Type.t_option usize; var _24 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var _25 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var __creusot_proc_iter_elem : usize; - var _28 : Ghost.ghost_ty (Seq.seq usize); + var _28 : Snapshot.snap_ty (Seq.seq usize); var i : usize; var elem : t; var _32 : usize; + var _33 : usize; var _34 : bool; var _35 : (); var _36 : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); var _37 : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); - var _39 : Ghost.ghost_ty (Seq.seq t); + var _39 : Snapshot.snap_ty (Seq.seq t); { goto BB0 } BB0 { - [#"../hillel.rs" 101 21 101 31] unique <- ([#"../hillel.rs" 101 21 101 31] new0 ()); + [#"../hillel.rs" 101 21 101 31] unique <- ([#"../hillel.rs" 101 21 101 31] new0 ([#"../hillel.rs" 101 21 101 31] ())); goto BB1 } BB1 { - [#"../hillel.rs" 102 37 102 55] sub_str <- ([#"../hillel.rs" 102 37 102 55] Ghost.new (Seq.empty )); + [#"../hillel.rs" 102 40 102 64] sub_str <- ([#"../hillel.rs" 102 40 102 64] Snapshot.new (Seq.empty )); goto BB2 } BB2 { assert { [@expl:type invariant] inv0 sub_str }; assume { resolve0 sub_str }; - [#"../hillel.rs" 107 16 107 25] _11 <- ([#"../hillel.rs" 107 16 107 25] len0 ([#"../hillel.rs" 107 16 107 19] str)); + 
[#"../hillel.rs" 107 16 107 25] _11 <- ([#"../hillel.rs" 107 16 107 25] len0 str); goto BB3 } BB3 { - [#"../hillel.rs" 104 4 104 48] iter <- ([#"../hillel.rs" 104 4 104 48] into_iter0 ([#"../hillel.rs" 107 13 107 25] Core_Ops_Range_Range_Type.C_Range ([#"../hillel.rs" 107 13 107 14] [#"../hillel.rs" 107 13 107 14] (0 : usize)) _11)); + [#"../hillel.rs" 107 13 107 25] _10 <- Core_Ops_Range_Range_Type.C_Range ([#"../hillel.rs" 107 13 107 14] (0 : usize)) _11; _11 <- any usize; + [#"../hillel.rs" 104 4 104 48] iter <- ([#"../hillel.rs" 104 4 104 48] into_iter0 _10); + _10 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB4 } BB4 { - [#"../hillel.rs" 104 4 104 48] iter_old <- ([#"../hillel.rs" 104 4 104 48] Ghost.new iter); + [#"../hillel.rs" 104 4 104 48] iter_old <- ([#"../hillel.rs" 104 4 104 48] Snapshot.new iter); goto BB5 } BB5 { - [#"../hillel.rs" 104 4 104 48] produced <- ([#"../hillel.rs" 104 4 104 48] Ghost.new (Seq.empty )); + [#"../hillel.rs" 104 4 104 48] produced <- ([#"../hillel.rs" 104 4 104 48] Snapshot.new (Seq.empty )); goto BB6 } BB6 { @@ -1556,10 +1621,10 @@ module Hillel_Unique } BB10 { invariant { [#"../hillel.rs" 104 4 104 48] inv1 iter }; - invariant { [#"../hillel.rs" 104 4 104 48] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; + invariant { [#"../hillel.rs" 104 4 104 48] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; invariant { [#"../hillel.rs" 104 16 104 46] is_unique0 (deep_model0 unique) }; invariant { [#"../hillel.rs" 105 16 105 64] is_subset0 (deep_model0 unique) (deep_model1 str) }; - invariant { [#"../hillel.rs" 106 16 106 95] is_subset0 (SeqExt.subsequence (deep_model1 str) 0 (Seq.length (Ghost.inner produced))) (deep_model0 unique) }; + invariant { [#"../hillel.rs" 106 16 106 95] is_subset0 (SeqExt.subsequence (deep_model1 str) 0 (Seq.length (Snapshot.inner produced))) (deep_model0 unique) }; goto BB11 } BB11 { 
@@ -1596,21 +1661,22 @@ module Hillel_Unique absurd } BB16 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _23); - [#"../hillel.rs" 104 4 104 48] _28 <- ([#"../hillel.rs" 104 4 104 48] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _23; + [#"../hillel.rs" 104 4 104 48] _28 <- ([#"../hillel.rs" 104 4 104 48] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB17 } BB17 { - [#"../hillel.rs" 104 4 104 48] produced <- ([#"../hillel.rs" 104 4 104 48] _28); - [#"../hillel.rs" 104 4 104 48] _28 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] i <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem); - [#"../hillel.rs" 108 26 108 27] _32 <- ([#"../hillel.rs" 108 26 108 27] i); - [#"../hillel.rs" 108 22 108 28] _34 <- ([#"../hillel.rs" 108 22 108 28] _32 < ([#"../hillel.rs" 108 22 108 28] Slice.length str)); + [#"../hillel.rs" 104 4 104 48] produced <- _28; + _28 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] i <- __creusot_proc_iter_elem; + [#"../hillel.rs" 108 26 108 27] _32 <- i; + [#"../hillel.rs" 108 22 108 28] _33 <- Slice.length str; + [#"../hillel.rs" 108 22 108 28] _34 <- _32 < _33; assert { [@expl:index in bounds] [#"../hillel.rs" 108 22 108 28] _34 }; goto BB18 } BB18 { - [#"../hillel.rs" 108 22 108 28] elem <- ([#"../hillel.rs" 108 22 108 28] Slice.get str _32); + [#"../hillel.rs" 108 22 108 28] elem <- Slice.get str _32; [#"../hillel.rs" 109 22 109 33] _37 <- Borrow.borrow_mut unique; [#"../hillel.rs" 109 22 109 33] unique <- ^ _37; assume { inv2 ( ^ _37) }; 
@@ -1619,27 +1685,27 @@ module Hillel_Unique assume { inv2 ( ^ _36) }; assert { [@expl:type invariant] inv3 elem }; assume { resolve2 elem }; - [#"../hillel.rs" 109 8 109 40] _35 <- ([#"../hillel.rs" 109 8 109 40] insert_unique0 _36 ([#"../hillel.rs" 109 35 109 39] elem)); + [#"../hillel.rs" 109 8 109 40] _35 <- ([#"../hillel.rs" 109 8 109 40] insert_unique0 _36 elem); _36 <- any borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); goto BB19 } BB19 { assert { [@expl:type invariant] inv4 _37 }; assume { resolve3 _37 }; - [#"../hillel.rs" 110 18 110 44] _39 <- ([#"../hillel.rs" 110 18 110 44] Ghost.new (Seq.snoc (Ghost.inner sub_str) elem)); + [#"../hillel.rs" 110 18 110 50] _39 <- ([#"../hillel.rs" 110 18 110 50] Snapshot.new (Seq.snoc (Snapshot.inner sub_str) elem)); goto BB20 } BB20 { - [#"../hillel.rs" 110 8 110 44] sub_str <- ([#"../hillel.rs" 110 8 110 44] _39); - [#"../hillel.rs" 110 8 110 44] _39 <- any Ghost.ghost_ty (Seq.seq t); + [#"../hillel.rs" 110 8 110 50] sub_str <- _39; + _39 <- any Snapshot.snap_ty (Seq.seq t); assert { [@expl:type invariant] inv0 sub_str }; assume { resolve0 sub_str }; goto BB10 } BB21 { assert { [@expl:assertion] [#"../hillel.rs" 114 20 114 88] Seq.(==) (SeqExt.subsequence (deep_model1 str) 0 (Seq.length (shallow_model0 str))) (deep_model1 str) }; - [#"../hillel.rs" 115 4 115 10] _0 <- ([#"../hillel.rs" 115 4 115 10] unique); - [#"../hillel.rs" 115 4 115 10] unique <- any Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global); + [#"../hillel.rs" 115 4 115 10] _0 <- unique; + unique <- any Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global); goto BB22 } BB22 { 
@@ -1654,17 +1720,16 @@ module Hillel_SumRange_Impl use seq.Seq use seq.Seq use prelude.Int - let rec ghost function sum_range [#"../hillel.rs" 122 0 122 54] (seq : Seq.seq uint32) (from : int) (to' : int) : int - requires {[#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq} - ensures { [#"../hillel.rs" 121 10 121 21] result >= 0 } - variant {[#"../hillel.rs" 119 10 119 19] to' - from} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../hillel.rs" 118 0 118 8] if pure {to' - from > 0} then - UInt32.to_int (Seq.get seq from) + sum_range seq (from + 1) to' - else - 0 - + constant seq : Seq.seq uint32 + constant from : int + constant to' : int + function sum_range [#"../hillel.rs" 122 0 122 54] (seq : Seq.seq uint32) (from : int) (to' : int) : int + goal vc_sum_range : ([#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq) + -> match to' - from > 0 with + | True -> (([#"../hillel.rs" 120 11 120 53] 0 <= from + 1 /\ from + 1 <= to' /\ to' <= Seq.length seq) /\ 0 <= ([#"../hillel.rs" 119 10 119 19] to' - from) /\ ([#"../hillel.rs" 119 10 119 19] to' - (from + 1)) < ([#"../hillel.rs" 119 10 119 19] to' - from)) /\ (([#"../hillel.rs" 121 10 121 21] sum_range seq (from + 1) to' >= 0) + -> ([#"../hillel.rs" 121 10 121 21] UInt32.to_int (Seq.get seq from) + sum_range seq (from + 1) to' >= 0)) + | False -> [#"../hillel.rs" 121 10 121 21] 0 >= 0 + end end module Hillel_SumRangeSplit_Impl use prelude.UInt32 
@@ -1683,19 +1748,24 @@ module Hillel_SumRangeSplit_Impl requires {[#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq} ensures { result = sum_range0 seq from to' } - axiom sum_range0_spec : forall seq : Seq.seq uint32, from : int, to' : int . ([#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq) -> ([#"../hillel.rs" 121 10 121 21] sum_range0 seq from to' >= 0) - let rec ghost function sum_range_split [#"../hillel.rs" 134 0 134 61] (seq : Seq.seq uint32) (from : int) (to' : int) (i : int) : () - requires {[#"../hillel.rs" 132 11 132 63] 0 <= from /\ from <= i /\ i <= to' /\ to' <= Seq.length seq} - ensures { [#"../hillel.rs" 133 10 133 85] sum_range0 seq from to' = sum_range0 seq from i + sum_range0 seq i to' } - variant {[#"../hillel.rs" 131 10 131 18] i - from} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../hillel.rs" 135 4 137 5] if pure {i > from} then let _ = sum_range_split seq (from + 1) to' i in () else () + axiom sum_range0_spec : forall seq : Seq.seq uint32, from : int, to' : int . 
([#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq) + -> ([#"../hillel.rs" 121 10 121 21] sum_range0 seq from to' >= 0) + constant seq : Seq.seq uint32 + constant from : int + constant to' : int + constant i : int + function sum_range_split [#"../hillel.rs" 134 0 134 61] (seq : Seq.seq uint32) (from : int) (to' : int) (i : int) : () + goal vc_sum_range_split : ([#"../hillel.rs" 132 11 132 63] 0 <= from /\ from <= i /\ i <= to' /\ to' <= Seq.length seq) + -> match i > from with + | True -> (([#"../hillel.rs" 132 11 132 63] 0 <= from + 1 /\ from + 1 <= i /\ i <= to' /\ to' <= Seq.length seq) /\ 0 <= ([#"../hillel.rs" 131 10 131 18] i - from) /\ ([#"../hillel.rs" 131 10 131 18] i - (from + 1)) < ([#"../hillel.rs" 131 10 131 18] i - from)) /\ (([#"../hillel.rs" 133 10 133 85] sum_range0 seq (from + 1) to' = sum_range0 seq (from + 1) i + sum_range0 seq i to') + -> (let _ = sum_range_split seq (from + 1) to' i in [#"../hillel.rs" 133 10 133 85] sum_range0 seq from to' = sum_range0 seq from i + sum_range0 seq i to')) + | False -> [#"../hillel.rs" 133 10 133 85] sum_range0 seq from to' = sum_range0 seq from i + sum_range0 seq i to' + end end module Hillel_Score_Impl use prelude.Int function abs_diff0 (self : int) (other : int) : int = - [#"../../../../creusot-contracts/src/logic/int.rs" 50 4 50 12] if self < other then other - self else self - other + [#"../../../../creusot-contracts/src/logic/int.rs" 51 4 51 12] if self < other then other - self else self - other val abs_diff0 (self : int) (other : int) : int ensures { result = abs_diff0 self other } 
@@ -1714,7 +1784,8 @@ module Hillel_Score_Impl requires {[#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq} ensures { result = sum_range0 seq from to' } - axiom sum_range0_spec : forall seq : Seq.seq uint32, from : int, to' : int . ([#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq) -> ([#"../hillel.rs" 121 10 121 21] sum_range0 seq from to' >= 0) + axiom sum_range0_spec : forall seq : Seq.seq uint32, from : int, to' : int . ([#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq) + -> ([#"../hillel.rs" 121 10 121 21] sum_range0 seq from to' >= 0) function sum_range_split0 [#"../hillel.rs" 134 0 134 61] (seq : Seq.seq uint32) (from : int) (to' : int) (i : int) : () axiom sum_range_split0_def : forall seq : Seq.seq uint32, from : int, to' : int, i : int . sum_range_split0 seq from to' i = ([#"../hillel.rs" 135 4 137 5] if i > from then 
@@ -1726,14 +1797,17 @@ module Hillel_Score_Impl requires {[#"../hillel.rs" 132 11 132 63] 0 <= from /\ from <= i /\ i <= to' /\ to' <= Seq.length seq} ensures { result = sum_range_split0 seq from to' i } - axiom sum_range_split0_spec : forall seq : Seq.seq uint32, from : int, to' : int, i : int . ([#"../hillel.rs" 132 11 132 63] 0 <= from /\ from <= i /\ i <= to' /\ to' <= Seq.length seq) -> ([#"../hillel.rs" 133 10 133 85] sum_range0 seq from to' = sum_range0 seq from i + sum_range0 seq i to') - let rec ghost function score [#"../hillel.rs" 144 0 144 38] (seq : Seq.seq uint32) (i : int) : int - requires {[#"../hillel.rs" 141 11 141 35] 0 <= i /\ i <= Seq.length seq} - ensures { [#"../hillel.rs" 142 10 142 64] 0 <= result /\ result <= sum_range0 seq 0 (Seq.length seq) } - ensures { [#"../hillel.rs" 143 0 143 79] 0 = i \/ i = Seq.length seq -> result = sum_range0 seq 0 (Seq.length seq) } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../hillel.rs" 145 4 145 41] let _ = sum_range_split0 seq 0 (Seq.length seq) i in let a' = sum_range0 seq 0 i in let b' = sum_range0 seq i (Seq.length seq) in abs_diff0 a' b' + axiom sum_range_split0_spec : forall seq : Seq.seq uint32, from : int, to' : int, i : int . 
([#"../hillel.rs" 132 11 132 63] 0 <= from /\ from <= i /\ i <= to' /\ to' <= Seq.length seq) + -> ([#"../hillel.rs" 133 10 133 85] sum_range0 seq from to' = sum_range0 seq from i + sum_range0 seq i to') + constant seq : Seq.seq uint32 + constant i : int + function score [#"../hillel.rs" 144 0 144 38] (seq : Seq.seq uint32) (i : int) : int + goal vc_score : ([#"../hillel.rs" 141 11 141 35] 0 <= i /\ i <= Seq.length seq) + -> ([#"../hillel.rs" 132 11 132 63] 0 <= 0 /\ 0 <= i /\ i <= Seq.length seq /\ Seq.length seq <= Seq.length seq) /\ (([#"../hillel.rs" 133 10 133 85] sum_range0 seq 0 (Seq.length seq) = sum_range0 seq 0 i + sum_range0 seq i (Seq.length seq)) + -> (let _ = sum_range_split0 seq 0 (Seq.length seq) i in ([#"../hillel.rs" 120 11 120 53] 0 <= 0 /\ 0 <= i /\ i <= Seq.length seq) /\ (([#"../hillel.rs" 121 10 121 21] sum_range0 seq 0 i >= 0) + -> ([#"../hillel.rs" 120 11 120 53] 0 <= i /\ i <= Seq.length seq /\ Seq.length seq <= Seq.length seq) /\ (([#"../hillel.rs" 121 10 121 21] sum_range0 seq i (Seq.length seq) >= 0) + -> (let result = abs_diff0 (sum_range0 seq 0 i) (sum_range0 seq i (Seq.length seq)) in ([#"../hillel.rs" 143 0 143 79] 0 = i \/ i = Seq.length seq + -> result = sum_range0 seq 0 (Seq.length seq)) && ([#"../hillel.rs" 142 10 142 64] 0 <= result /\ result <= sum_range0 seq 0 (Seq.length seq))))))) end module Hillel_Fulcrum use prelude.UIntSize 
@@ -1841,7 +1915,9 @@ module Hillel_Fulcrum predicate produces1 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces1 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces1 self visited o } 
@@ -1857,14 +1933,22 @@ module Hillel_Fulcrum requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces1 a ab b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces1 b bc c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv1 a) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv9 ab) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv1 b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv9 bc) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces1 a ab b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces1 b bc c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv1 a) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv9 ab) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv1 b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv9 bc) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl1 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : Core_Ops_Range_Range_Type.t_range usize) = [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant1 (self : Core_Ops_Range_Range_Type.t_range usize) : bool 
@@ -1883,7 +1967,8 @@ module Hillel_Fulcrum requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv7 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : slice uint32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv7 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv8 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model4 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : slice uint32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv7 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv8 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model4 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) function index_logic3 [@inline:trivial] (self : slice uint32) (ix : int) : uint32 = [#"../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model4 self) ix val index_logic3 [@inline:trivial] (self : slice uint32) (ix : int) : uint32 @@ -1891,7 +1976,7 @@ module Hillel_Fulcrum use seq.Seq function shallow_model1 (self : slice uint32) : Seq.seq uint32 = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model4 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model4 self val shallow_model1 (self : slice uint32) : Seq.seq uint32 ensures { result = shallow_model1 self } 
@@ -1901,7 +1986,9 @@ module Hillel_Fulcrum requires {[#"../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv2 self} ensures { result = to_ref_seq0 self } - axiom to_ref_seq0_spec : forall self : slice uint32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv2 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv6 (to_ref_seq0 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) -> Seq.get (to_ref_seq0 self) i = index_logic3 self i) && ([#"../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model1 self)) + axiom to_ref_seq0_spec : forall self : slice uint32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv6 (to_ref_seq0 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) + -> Seq.get (to_ref_seq0 self) i = index_logic3 self i) && ([#"../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model1 self)) function shallow_model3 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) : slice uint32 val shallow_model3 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) : slice uint32 ensures { result = shallow_model3 self } 
@@ -1924,7 +2011,11 @@ module Hillel_Fulcrum requires {[#"../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv6 bc} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter uint32, ab : Seq.seq uint32, b : Core_Slice_Iter_Iter_Type.t_iter uint32, bc : Seq.seq uint32, c : Core_Slice_Iter_Iter_Type.t_iter uint32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv6 ab) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv6 bc) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter uint32, ab : Seq.seq uint32, b : Core_Slice_Iter_Iter_Type.t_iter uint32, bc : Seq.seq uint32, c : Core_Slice_Iter_Iter_Type.t_iter uint32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv6 ab) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv6 bc) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) : () = [#"../../../../creusot-contracts/src/std/slice.rs" 390 4 390 10] () 
@@ -1942,9 +2033,9 @@ module Hillel_Fulcrum ensures { result = inv0 _x } axiom inv0 : forall x : Core_Slice_Iter_Iter_Type.t_iter uint32 . inv0 x = true - use prelude.Ghost + use prelude.Snapshot function abs_diff1 (self : int) (other : int) : int = - [#"../../../../creusot-contracts/src/logic/int.rs" 50 4 50 12] if self < other then other - self else self - other + [#"../../../../creusot-contracts/src/logic/int.rs" 51 4 51 12] if self < other then other - self else self - other val abs_diff1 (self : int) (other : int) : int ensures { result = abs_diff1 self other } @@ -1954,7 +2045,7 @@ module Hillel_Fulcrum use seq.Seq predicate resolve1 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) : bool ensures { result = resolve1 self } @@ -1981,7 +2072,8 @@ module Hillel_Fulcrum requires {[#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq} ensures { result = sum_range0 seq from to' } - axiom sum_range0_spec : forall seq : Seq.seq uint32, from : int, to' : int . ([#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq) -> ([#"../hillel.rs" 121 10 121 21] sum_range0 seq from to' >= 0) + axiom sum_range0_spec : forall seq : Seq.seq uint32, from : int, to' : int . ([#"../hillel.rs" 120 11 120 53] 0 <= from /\ from <= to' /\ to' <= Seq.length seq) + -> ([#"../hillel.rs" 121 10 121 21] sum_range0 seq from to' >= 0) function sum_range_split0 [#"../hillel.rs" 134 0 134 61] (seq : Seq.seq uint32) (from : int) (to' : int) (i : int) : () axiom sum_range_split0_def : forall seq : Seq.seq uint32, from : int, to' : int, i : int . sum_range_split0 seq from to' i = ([#"../hillel.rs" 135 4 137 5] if i > from then 
@@ -1993,19 +2085,22 @@ module Hillel_Fulcrum requires {[#"../hillel.rs" 132 11 132 63] 0 <= from /\ from <= i /\ i <= to' /\ to' <= Seq.length seq} ensures { result = sum_range_split0 seq from to' i } - axiom sum_range_split0_spec : forall seq : Seq.seq uint32, from : int, to' : int, i : int . ([#"../hillel.rs" 132 11 132 63] 0 <= from /\ from <= i /\ i <= to' /\ to' <= Seq.length seq) -> ([#"../hillel.rs" 133 10 133 85] sum_range0 seq from to' = sum_range0 seq from i + sum_range0 seq i to') + axiom sum_range_split0_spec : forall seq : Seq.seq uint32, from : int, to' : int, i : int . ([#"../hillel.rs" 132 11 132 63] 0 <= from /\ from <= i /\ i <= to' /\ to' <= Seq.length seq) + -> ([#"../hillel.rs" 133 10 133 85] sum_range0 seq from to' = sum_range0 seq from i + sum_range0 seq i to') function score0 [#"../hillel.rs" 144 0 144 38] (seq : Seq.seq uint32) (i : int) : int = [#"../hillel.rs" 145 4 145 41] let _ = sum_range_split0 seq 0 (Seq.length seq) i in abs_diff1 (sum_range0 seq 0 i) (sum_range0 seq i (Seq.length seq)) val score0 [#"../hillel.rs" 144 0 144 38] (seq : Seq.seq uint32) (i : int) : int requires {[#"../hillel.rs" 141 11 141 35] 0 <= i /\ i <= Seq.length seq} ensures { result = score0 seq i } - axiom score0_spec : forall seq : Seq.seq uint32, i : int . ([#"../hillel.rs" 141 11 141 35] 0 <= i /\ i <= Seq.length seq) -> ([#"../hillel.rs" 143 0 143 79] 0 = i \/ i = Seq.length seq -> score0 seq i = sum_range0 seq 0 (Seq.length seq)) && ([#"../hillel.rs" 142 10 142 64] 0 <= score0 seq i /\ score0 seq i <= sum_range0 seq 0 (Seq.length seq)) - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + axiom score0_spec : forall seq : Seq.seq uint32, i : int . 
([#"../hillel.rs" 141 11 141 35] 0 <= i /\ i <= Seq.length seq) + -> ([#"../hillel.rs" 143 0 143 79] 0 = i \/ i = Seq.length seq + -> score0 seq i = sum_range0 seq 0 (Seq.length seq)) && ([#"../hillel.rs" 142 10 142 64] 0 <= score0 seq i /\ score0 seq i <= sum_range0 seq 0 (Seq.length seq)) + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post1 (self : Core_Ops_Range_Range_Type.t_range usize) (res : Core_Ops_Range_Range_Type.t_range usize) = @@ -2030,13 +2125,13 @@ module Hillel_Fulcrum use seq.Seq predicate resolve0 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter uint32)) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter uint32)) : bool ensures { result = resolve0 self } use seq.Seq function shallow_model5 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter uint32)) : slice uint32 = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model3 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model3 ( * self) val shallow_model5 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter uint32)) : slice uint32 ensures { result = shallow_model5 self } @@ -2052,11 +2147,11 @@ module Hillel_Fulcrum end } ensures { inv3 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : slice uint32) (res : Core_Slice_Iter_Iter_Type.t_iter uint32) = [#"../../../../creusot-contracts/src/std/slice.rs" 346 20 346 32] self = shallow_model3 res val into_iter_post0 (self : slice uint32) (res : Core_Slice_Iter_Iter_Type.t_iter uint32) : bool 
@@ -2076,53 +2171,58 @@ module Hillel_Fulcrum requires {[#"../hillel.rs" 152 11 152 45] sum_range0 (shallow_model1 s) 0 (Seq.length (shallow_model1 s)) <= 1000} requires {[#"../hillel.rs" 153 11 153 23] Seq.length (shallow_model1 s) > 0} ensures { [#"../hillel.rs" 154 10 154 44] 0 <= UIntSize.to_int result /\ UIntSize.to_int result < Seq.length (shallow_model1 s) } - ensures { [#"../hillel.rs" 155 0 155 88] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 s) -> score0 (shallow_model1 s) (UIntSize.to_int result) <= score0 (shallow_model1 s) i } + ensures { [#"../hillel.rs" 155 0 155 88] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 s) + -> score0 (shallow_model1 s) (UIntSize.to_int result) <= score0 (shallow_model1 s) i } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : usize; var s : slice uint32 = s; var total : uint32; var iter : Core_Slice_Iter_Iter_Type.t_iter uint32; - var iter_old : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter uint32); - var produced : Ghost.ghost_ty (Seq.seq uint32); + var iter_old : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter uint32); + var produced : Snapshot.snap_ty (Seq.seq uint32); var _18 : (); var _19 : Core_Option_Option_Type.t_option uint32; var _20 : borrowed (Core_Slice_Iter_Iter_Type.t_iter uint32); var _21 : borrowed (Core_Slice_Iter_Iter_Type.t_iter uint32); var __creusot_proc_iter_elem : uint32; - var _24 : Ghost.ghost_ty (Seq.seq uint32); + var _24 : Snapshot.snap_ty (Seq.seq uint32); var x : uint32; var min_i : usize; var min_dist : uint32; var sum : uint32; var iter1 : Core_Ops_Range_Range_Type.t_range usize; + var _36 : Core_Ops_Range_Range_Type.t_range usize; var _37 : usize; - var iter_old1 : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range usize); - var produced1 : Ghost.ghost_ty (Seq.seq usize); + var iter_old1 : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range usize); + var produced1 : Snapshot.snap_ty (Seq.seq usize); var _50 : Core_Option_Option_Type.t_option usize; var _51 : borrowed 
(Core_Ops_Range_Range_Type.t_range usize); var _52 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var __creusot_proc_iter_elem1 : usize; - var _55 : Ghost.ghost_ty (Seq.seq usize); + var _55 : Snapshot.snap_ty (Seq.seq usize); var i : usize; var dist : uint32; + var _60 : uint32; var _63 : (); + var _64 : bool; var _70 : usize; + var _71 : usize; var _72 : bool; { goto BB0 } BB0 { - [#"../hillel.rs" 157 25 157 26] total <- ([#"../hillel.rs" 157 25 157 26] [#"../hillel.rs" 157 25 157 26] (0 : uint32)); - [#"../hillel.rs" 159 4 159 60] iter <- ([#"../hillel.rs" 159 4 159 60] into_iter0 ([#"../hillel.rs" 161 14 161 15] s)); + [#"../hillel.rs" 157 25 157 26] total <- ([#"../hillel.rs" 157 25 157 26] (0 : uint32)); + [#"../hillel.rs" 159 4 159 60] iter <- ([#"../hillel.rs" 159 4 159 60] into_iter0 s); goto BB1 } BB1 { - [#"../hillel.rs" 159 4 159 60] iter_old <- ([#"../hillel.rs" 159 4 159 60] Ghost.new iter); + [#"../hillel.rs" 159 4 159 60] iter_old <- ([#"../hillel.rs" 159 4 159 60] Snapshot.new iter); goto BB2 } BB2 { - [#"../hillel.rs" 159 4 159 60] produced <- ([#"../hillel.rs" 159 4 159 60] Ghost.new (Seq.empty )); + [#"../hillel.rs" 159 4 159 60] produced <- ([#"../hillel.rs" 159 4 159 60] Snapshot.new (Seq.empty )); goto BB3 } BB3 { 
@@ -2130,8 +2230,8 @@ module Hillel_Fulcrum } BB4 { invariant { [#"../hillel.rs" 159 4 159 60] inv0 iter }; - invariant { [#"../hillel.rs" 159 4 159 60] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../hillel.rs" 159 16 159 58] UInt32.to_int total = sum_range0 (shallow_model1 s) 0 (Seq.length (Ghost.inner produced)) }; + invariant { [#"../hillel.rs" 159 4 159 60] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../hillel.rs" 159 16 159 58] UInt32.to_int total = sum_range0 (shallow_model1 s) 0 (Seq.length (Snapshot.inner produced)) }; invariant { [#"../hillel.rs" 160 16 160 52] UInt32.to_int total <= sum_range0 (shallow_model1 s) 0 (Seq.length (shallow_model1 s)) }; goto BB5 } @@ -2153,10 +2253,10 @@ module Hillel_Fulcrum } BB7 { assert { [@expl:assertion] [#"../hillel.rs" 165 20 165 56] UInt32.to_int total = sum_range0 (shallow_model1 s) 0 (Seq.length (shallow_model1 s)) }; - [#"../hillel.rs" 167 27 167 28] min_i <- ([#"../hillel.rs" 167 27 167 28] [#"../hillel.rs" 167 27 167 28] (0 : usize)); - [#"../hillel.rs" 168 28 168 33] min_dist <- ([#"../hillel.rs" 168 28 168 33] total); - [#"../hillel.rs" 170 23 170 24] sum <- ([#"../hillel.rs" 170 23 170 24] [#"../hillel.rs" 170 23 170 24] (0 : uint32)); - [#"../hillel.rs" 176 16 176 23] _37 <- ([#"../hillel.rs" 176 16 176 23] len2 ([#"../hillel.rs" 176 16 176 17] s)); + [#"../hillel.rs" 167 27 167 28] min_i <- ([#"../hillel.rs" 167 27 167 28] (0 : usize)); + [#"../hillel.rs" 168 28 168 33] min_dist <- total; + [#"../hillel.rs" 170 23 170 24] sum <- ([#"../hillel.rs" 170 23 170 24] (0 : uint32)); + [#"../hillel.rs" 176 16 176 23] _37 <- ([#"../hillel.rs" 176 16 176 23] len2 s); goto BB12 } BB8 { 
@@ -2167,29 +2267,31 @@ module Hillel_Fulcrum absurd } BB10 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _19); - [#"../hillel.rs" 159 4 159 60] _24 <- ([#"../hillel.rs" 159 4 159 60] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _19; + [#"../hillel.rs" 159 4 159 60] _24 <- ([#"../hillel.rs" 159 4 159 60] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB11 } BB11 { - [#"../hillel.rs" 159 4 159 60] produced <- ([#"../hillel.rs" 159 4 159 60] _24); - [#"../hillel.rs" 159 4 159 60] _24 <- any Ghost.ghost_ty (Seq.seq uint32); - [#"../hillel.rs" 161 9 161 10] x <- ([#"../hillel.rs" 161 9 161 10] __creusot_proc_iter_elem); - [#"../hillel.rs" 162 8 162 18] total <- ([#"../hillel.rs" 162 8 162 18] total + ([#"../hillel.rs" 162 17 162 18] x)); + [#"../hillel.rs" 159 4 159 60] produced <- _24; + _24 <- any Snapshot.snap_ty (Seq.seq uint32); + [#"../hillel.rs" 161 9 161 10] x <- __creusot_proc_iter_elem; + [#"../hillel.rs" 162 8 162 18] total <- total + x; [#"../hillel.rs" 161 16 163 5] _18 <- ([#"../hillel.rs" 161 16 163 5] ()); goto BB4 } BB12 { - [#"../hillel.rs" 171 4 171 58] iter1 <- ([#"../hillel.rs" 171 4 171 58] into_iter1 ([#"../hillel.rs" 176 13 176 23] Core_Ops_Range_Range_Type.C_Range ([#"../hillel.rs" 176 13 176 14] [#"../hillel.rs" 176 13 176 14] (0 : usize)) _37)); + [#"../hillel.rs" 176 13 176 23] _36 <- Core_Ops_Range_Range_Type.C_Range ([#"../hillel.rs" 176 13 176 14] (0 : usize)) _37; _37 <- any usize; + [#"../hillel.rs" 171 4 171 58] iter1 <- ([#"../hillel.rs" 171 4 171 58] into_iter1 _36); + _36 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB13 } BB13 { - [#"../hillel.rs" 171 4 171 58] 
iter_old1 <- ([#"../hillel.rs" 171 4 171 58] Ghost.new iter1); + [#"../hillel.rs" 171 4 171 58] iter_old1 <- ([#"../hillel.rs" 171 4 171 58] Snapshot.new iter1); goto BB14 } BB14 { - [#"../hillel.rs" 171 4 171 58] produced1 <- ([#"../hillel.rs" 171 4 171 58] Ghost.new (Seq.empty )); + [#"../hillel.rs" 171 4 171 58] produced1 <- ([#"../hillel.rs" 171 4 171 58] Snapshot.new (Seq.empty )); goto BB15 } BB15 { @@ -2197,12 +2299,13 @@ module Hillel_Fulcrum } BB16 { invariant { [#"../hillel.rs" 171 4 171 58] inv1 iter1 }; - invariant { [#"../hillel.rs" 171 4 171 58] produces1 (Ghost.inner iter_old1) (Ghost.inner produced1) iter1 }; - invariant { [#"../hillel.rs" 171 16 171 56] UInt32.to_int sum = sum_range0 (shallow_model1 s) 0 (Seq.length (Ghost.inner produced1)) }; + invariant { [#"../hillel.rs" 171 4 171 58] produces1 (Snapshot.inner iter_old1) (Snapshot.inner produced1) iter1 }; + invariant { [#"../hillel.rs" 171 16 171 56] UInt32.to_int sum = sum_range0 (shallow_model1 s) 0 (Seq.length (Snapshot.inner produced1)) }; invariant { [#"../hillel.rs" 172 16 172 30] UInt32.to_int sum <= UInt32.to_int total }; - invariant { [#"../hillel.rs" 173 16 173 61] UIntSize.to_int min_i <= Seq.length (Ghost.inner produced1) /\ UIntSize.to_int min_i < Seq.length (shallow_model1 s) }; + invariant { [#"../hillel.rs" 173 16 173 61] UIntSize.to_int min_i <= Seq.length (Snapshot.inner produced1) /\ UIntSize.to_int min_i < Seq.length (shallow_model1 s) }; invariant { [#"../hillel.rs" 174 16 174 46] UInt32.to_int min_dist = score0 (shallow_model1 s) (UIntSize.to_int min_i) }; - invariant { [#"../hillel.rs" 171 4 171 58] forall j : int . 0 <= j /\ j < Seq.length (Ghost.inner produced1) -> score0 (shallow_model1 s) (UIntSize.to_int min_i) <= score0 (shallow_model1 s) j }; + invariant { [#"../hillel.rs" 171 4 171 58] forall j : int . 0 <= j /\ j < Seq.length (Snapshot.inner produced1) + -> score0 (shallow_model1 s) (UIntSize.to_int min_i) <= score0 (shallow_model1 s) j }; goto BB17 } BB17 { 
@@ -2222,56 +2325,58 @@ module Hillel_Fulcrum end } BB19 { - [#"../hillel.rs" 186 4 186 9] _0 <- ([#"../hillel.rs" 186 4 186 9] min_i); + [#"../hillel.rs" 186 4 186 9] _0 <- min_i; return _0 } BB20 { - goto BB21 + goto BB22 } BB21 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem1 <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _50); - [#"../hillel.rs" 171 4 171 58] _55 <- ([#"../hillel.rs" 171 4 171 58] Ghost.new (Seq.(++) (Ghost.inner produced1) (Seq.singleton __creusot_proc_iter_elem1))); - goto BB22 + assert { [#"../hillel.rs" 171 4 171 58] false }; + absurd } BB22 { - [#"../hillel.rs" 171 4 171 58] produced1 <- ([#"../hillel.rs" 171 4 171 58] _55); - [#"../hillel.rs" 171 4 171 58] _55 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] i <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem1); - [#"../hillel.rs" 177 19 177 44] dist <- ([#"../hillel.rs" 177 19 177 44] abs_diff0 ([#"../hillel.rs" 177 19 177 22] sum) ([#"../hillel.rs" 177 32 177 43] ([#"../hillel.rs" 177 32 177 37] total) - ([#"../hillel.rs" 177 40 177 43] sum))); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem1 <- Core_Option_Option_Type.some_0 _50; + [#"../hillel.rs" 171 4 171 58] _55 <- ([#"../hillel.rs" 171 4 171 58] Snapshot.new (Seq.(++) (Snapshot.inner produced1) (Seq.singleton __creusot_proc_iter_elem1))); goto BB23 } BB23 { - switch ([#"../hillel.rs" 178 11 178 26] ([#"../hillel.rs" 178 11 178 15] dist) < ([#"../hillel.rs" 178 18 178 26] min_dist)) - | False -> goto BB25 - | True -> goto BB24 - end + [#"../hillel.rs" 171 4 171 58] produced1 <- _55; + _55 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] i <- __creusot_proc_iter_elem1; + [#"../hillel.rs" 177 32 177 43] _60 <- total - sum; + [#"../hillel.rs" 
177 19 177 44] dist <- ([#"../hillel.rs" 177 19 177 44] abs_diff0 sum _60); + _60 <- any uint32; + goto BB24 } BB24 { - [#"../hillel.rs" 179 12 179 21] min_i <- ([#"../hillel.rs" 179 20 179 21] i); - [#"../hillel.rs" 180 12 180 27] min_dist <- ([#"../hillel.rs" 180 23 180 27] dist); - [#"../hillel.rs" 178 27 181 9] _63 <- ([#"../hillel.rs" 178 27 181 9] ()); - goto BB26 + [#"../hillel.rs" 178 11 178 26] _64 <- dist < min_dist; + switch (_64) + | False -> goto BB26 + | True -> goto BB25 + end } BB25 { - [#"../hillel.rs" 181 9 181 9] _63 <- ([#"../hillel.rs" 181 9 181 9] ()); - goto BB26 + [#"../hillel.rs" 179 12 179 21] min_i <- i; + [#"../hillel.rs" 180 12 180 27] min_dist <- dist; + [#"../hillel.rs" 178 27 181 9] _63 <- ([#"../hillel.rs" 178 27 181 9] ()); + goto BB27 } BB26 { - [#"../hillel.rs" 183 17 183 18] _70 <- ([#"../hillel.rs" 183 17 183 18] i); - [#"../hillel.rs" 183 15 183 19] _72 <- ([#"../hillel.rs" 183 15 183 19] _70 < ([#"../hillel.rs" 183 15 183 19] Slice.length s)); - assert { [@expl:index in bounds] [#"../hillel.rs" 183 15 183 19] _72 }; + [#"../hillel.rs" 181 9 181 9] _63 <- ([#"../hillel.rs" 181 9 181 9] ()); goto BB27 } BB27 { - [#"../hillel.rs" 183 8 183 19] sum <- ([#"../hillel.rs" 183 8 183 19] sum + ([#"../hillel.rs" 183 15 183 19] Slice.get s _70)); + [#"../hillel.rs" 183 17 183 18] _70 <- i; + [#"../hillel.rs" 183 15 183 19] _71 <- Slice.length s; + [#"../hillel.rs" 183 15 183 19] _72 <- _70 < _71; + assert { [@expl:index in bounds] [#"../hillel.rs" 183 15 183 19] _72 }; + goto BB28 + } + BB28 { + [#"../hillel.rs" 183 8 183 19] sum <- sum + Slice.get s _70; [#"../hillel.rs" 176 24 184 5] _18 <- ([#"../hillel.rs" 176 24 184 5] ()); goto BB16 } - BB29 { - goto BB9 - } - BB30 { - goto BB9 - } end diff --git a/creusot/tests/should_succeed/hillel.rs b/creusot/tests/should_succeed/hillel.rs index 4b8e81c428..667779f4ef 100644 --- a/creusot/tests/should_succeed/hillel.rs +++ b/creusot/tests/should_succeed/hillel.rs 
@@ -14,7 +14,7 @@ use creusot_contracts::{ #[ensures(forall 0 <= i && i < str@.len() ==> (^str)[i] == str[i])] #[ensures(forall str@.len() <= i && i < len@ ==> (^str)[i] == pad)] fn right_pad(str: &mut Vec, len: usize, pad: T) { - let old_str = gh! { str }; + let old_str = snapshot! { str }; #[invariant(old_str@.len() <= str@.len())] #[invariant(old_str@.len() < len@ ==> str@.len() <= len@)] @@ -31,8 +31,8 @@ fn right_pad(str: &mut Vec, len: usize, pad: T) { #[ensures(forall 0 <= i && i < ((^str)@.len() - str@.len()) ==> (^str)[i] == pad)] #[ensures(forall 0 <= i && i < str@.len() ==> (^str)[i + ((^str)@.len() - str@.len())] == str[i])] fn left_pad(str: &mut Vec, len: usize, pad: T) { - let old_str = gh! { str }; - let mut c: Ghost = gh! { 0usize }; + let old_str = snapshot! { str }; + let mut c: Snapshot = snapshot! { 0usize }; #[invariant(old_str@.len() <= str@.len())] #[invariant(old_str@.len() < len@ ==> str@.len() <= len@)] @@ -42,7 +42,7 @@ fn left_pad(str: &mut Vec, len: usize, pad: T) { #[invariant(forall 0 <= i && i < c@ ==> str[i] == pad)] while str.len() < len { str.insert(0, pad); - c = gh! { 1usize + *c }; + c = snapshot! { 1usize + *c }; } } @@ -67,7 +67,7 @@ fn is_subset(sub: Seq, sup: Seq) -> bool { } } -#[ghost] +#[logic] #[ensures(is_subset(s, s.push(elem)))] fn subset_push(s: Seq, elem: T) {} @@ -77,9 +77,9 @@ fn subset_push(s: Seq, elem: T) {} #[ensures(is_subset((^vec).deep_model(), vec.deep_model().push(elem.deep_model())))] #[ensures(contains((^vec).deep_model(), elem.deep_model()))] fn insert_unique(vec: &mut Vec, elem: T) { - gh! { subset_push:: }; + snapshot! { subset_push:: }; proof_assert! { is_subset(vec.deep_model(), vec.deep_model().push(elem.deep_model())) }; - let ghost_vec = gh! { *vec }; + let ghost_vec = snapshot! { *vec }; #[invariant(forall 0 <= j && j < produced.len() ==> produced[j].deep_model() != elem.deep_model())] for e in vec.iter() { 
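Review bot: The bare `snapshot!` statement that names `subset_push` at the top of `insert_unique` (hunk `@@ -77,9 +77,9 @@`) reads as a discarded value, and nothing in the new code says why it must stay; a one-line comment would keep the next maintainer from removing it as dead code. From the adjacent lines it appears to exist only to bring the lemma's postcondition into the proof context — the `proof_assert!` directly below it claims `is_subset(vec.deep_model(), vec.deep_model().push(elem.deep_model()))`, which is exactly the shape of `subset_push`'s `ensures` clause in the previous hunk — but I am inferring that from the visible lines, so please confirm. I would add `// Instantiate the subset_push lemma; the proof_assert below relies on its ensures clause.` above the statement. The body of `insert_unique` continues past the end of the hunk.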
@@ -99,7 +99,7 @@ fn insert_unique(vec: &mut Vec, elem: T) { #[ensures(is_subset(str.deep_model(), result.deep_model()))] fn unique(str: &[T]) -> Vec { let mut unique = Vec::new(); - let mut sub_str: Ghost> = gh! { Seq::EMPTY }; + let mut sub_str: Snapshot> = snapshot! { Seq::EMPTY }; #[invariant(is_unique(unique.deep_model()))] #[invariant(is_subset(unique.deep_model(), str.deep_model()))] @@ -107,7 +107,7 @@ fn unique(str: &[T]) -> Vec { for i in 0..str.len() { let elem: T = str[i]; insert_unique(&mut unique, elem); - sub_str = gh! { sub_str.push(elem) }; + sub_str = snapshot! { sub_str.push(elem) }; } proof_assert! { is_subset(str.deep_model().subsequence(0, str@.len()), unique.deep_model()) } @@ -115,7 +115,7 @@ fn unique(str: &[T]) -> Vec { unique } -#[ghost] +#[logic] #[variant(to - from)] #[requires(0 <= from && from <= to && to <= seq.len())] #[ensures(result >= 0)] @@ -127,7 +127,7 @@ fn sum_range(seq: Seq, from: Int, to: Int) -> Int { } } -#[ghost] +#[logic] #[variant(i - from)] #[requires(0 <= from && from <= i && i <= to && to <= seq.len())] #[ensures(sum_range(seq, from, to) == sum_range(seq, from, i) + sum_range(seq, i, to))] @@ -137,7 +137,7 @@ fn sum_range_split(seq: Seq, from: Int, to: Int, i: Int) { } } -#[ghost] +#[logic] #[requires(0 <= i && i <= seq.len())] #[ensures(0 <= result && result <= sum_range(seq, 0 , seq.len()))] #[ensures(0 == i || i == seq.len() ==> result == sum_range(seq, 0, seq.len()))] diff --git a/creusot/tests/should_succeed/hillel/why3session.xml b/creusot/tests/should_succeed/hillel/why3session.xml index 2fab57c547..40de0b593a 100644 --- a/creusot/tests/should_succeed/hillel/why3session.xml +++ b/creusot/tests/should_succeed/hillel/why3session.xml @@ -10,17 +10,17 @@ - + - + - - + + @@ -63,7 +63,7 @@ - + @@ -84,7 +84,7 @@ - + @@ -105,7 +105,7 @@ - + @@ -120,12 +120,12 @@ - + - + @@ -133,17 +133,21 @@ - + + + + + - + - + @@ -152,24 +156,24 @@ - + - - + + - - + + - - + + 
@@ -200,88 +204,88 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + diff --git a/creusot/tests/should_succeed/hillel/why3shapes.gz b/creusot/tests/should_succeed/hillel/why3shapes.gz index 0e91db8a85..0431318f81 100644 Binary files a/creusot/tests/should_succeed/hillel/why3shapes.gz and b/creusot/tests/should_succeed/hillel/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/immut.mlcfg b/creusot/tests/should_succeed/immut.mlcfg index e1e10422ed..8c6a337dfc 100644 --- a/creusot/tests/should_succeed/immut.mlcfg +++ b/creusot/tests/should_succeed/immut.mlcfg @@ -18,10 +18,10 @@ module Immut_F goto BB0 } BB0 { - [#"../immut.rs" 4 16 4 18] a <- ([#"../immut.rs" 4 16 4 18] [#"../immut.rs" 4 16 4 18] (10 : uint32)); + [#"../immut.rs" 4 16 4 18] a <- ([#"../immut.rs" 4 16 4 18] (10 : uint32)); [#"../immut.rs" 5 12 5 18] b <- Borrow.borrow_mut a; [#"../immut.rs" 5 12 5 18] a <- ^ b; - [#"../immut.rs" 6 19 6 20] _c <- ([#"../immut.rs" 6 19 6 20] * b); + [#"../immut.rs" 6 19 6 20] _c <- * b; [#"../immut.rs" 3 11 7 1] _0 <- ([#"../immut.rs" 3 11 7 1] ()); assume { resolve0 b }; return _0 diff --git a/creusot/tests/should_succeed/index_range.mlcfg b/creusot/tests/should_succeed/index_range.mlcfg index 556269fd6c..0982c0f1e1 100644 --- a/creusot/tests/should_succeed/index_range.mlcfg +++ b/creusot/tests/should_succeed/index_range.mlcfg 
@@ -17,12 +17,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type @@ -89,7 +95,8 @@ module IndexRange_CreateArr requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv3 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -142,59 +149,53 @@ module IndexRange_CreateArr goto BB0 } BB0 { - [#"../index_range.rs" 15 18 15 28] arr <- ([#"../index_range.rs" 15 18 15 28] new0 ()); + [#"../index_range.rs" 15 18 15 28] arr <- ([#"../index_range.rs" 15 18 15 28] new0 ([#"../index_range.rs" 15 18 15 28] ())); goto BB1 } BB1 { [#"../index_range.rs" 17 4 17 7] _4 <- Borrow.borrow_mut arr; [#"../index_range.rs" 17 4 17 7] arr <- ^ _4; - [#"../index_range.rs" 17 4 17 15] _3 <- ([#"../index_range.rs" 17 4 17 15] push0 _4 ([#"../index_range.rs" 17 13 17 14] [#"../index_range.rs" 17 13 17 14] (0 : int32))); + [#"../index_range.rs" 17 4 17 15] _3 <- ([#"../index_range.rs" 17 4 17 15] push0 _4 ([#"../index_range.rs" 17 13 17 14] (0 : int32))); _4 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); goto BB2 } BB2 { [#"../index_range.rs" 18 4 18 7] _6 <- Borrow.borrow_mut arr; [#"../index_range.rs" 18 4 18 7] arr <- ^ _6; - [#"../index_range.rs" 18 4 18 15] _5 <- ([#"../index_range.rs" 18 4 18 15] push0 _6 ([#"../index_range.rs" 18 13 18 14] [#"../index_range.rs" 18 13 18 14] (1 : int32))); + [#"../index_range.rs" 18 4 18 15] _5 <- ([#"../index_range.rs" 18 4 18 15] push0 _6 ([#"../index_range.rs" 18 13 18 14] (1 : int32))); _6 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); goto BB3 } BB3 { [#"../index_range.rs" 19 4 19 7] _8 <- Borrow.borrow_mut arr; [#"../index_range.rs" 19 4 19 7] arr <- ^ _8; - [#"../index_range.rs" 19 4 19 15] _7 <- ([#"../index_range.rs" 19 4 19 15] push0 _8 ([#"../index_range.rs" 19 13 19 14] [#"../index_range.rs" 19 13 19 14] (2 : int32))); + [#"../index_range.rs" 19 4 19 15] _7 <- ([#"../index_range.rs" 19 4 19 15] push0 _8 ([#"../index_range.rs" 19 13 19 14] (2 : int32))); _8 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); goto BB4 } BB4 { [#"../index_range.rs" 20 4 20 7] _10 <- Borrow.borrow_mut arr; [#"../index_range.rs" 20 4 20 7] arr <- ^ _10; - 
[#"../index_range.rs" 20 4 20 15] _9 <- ([#"../index_range.rs" 20 4 20 15] push0 _10 ([#"../index_range.rs" 20 13 20 14] [#"../index_range.rs" 20 13 20 14] (3 : int32))); + [#"../index_range.rs" 20 4 20 15] _9 <- ([#"../index_range.rs" 20 4 20 15] push0 _10 ([#"../index_range.rs" 20 13 20 14] (3 : int32))); _10 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); goto BB5 } BB5 { [#"../index_range.rs" 21 4 21 7] _12 <- Borrow.borrow_mut arr; [#"../index_range.rs" 21 4 21 7] arr <- ^ _12; - [#"../index_range.rs" 21 4 21 15] _11 <- ([#"../index_range.rs" 21 4 21 15] push0 _12 ([#"../index_range.rs" 21 13 21 14] [#"../index_range.rs" 21 13 21 14] (4 : int32))); + [#"../index_range.rs" 21 4 21 15] _11 <- ([#"../index_range.rs" 21 4 21 15] push0 _12 ([#"../index_range.rs" 21 13 21 14] (4 : int32))); _12 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); goto BB6 } BB6 { - [#"../index_range.rs" 23 4 23 7] _0 <- ([#"../index_range.rs" 23 4 23 7] arr); - [#"../index_range.rs" 23 4 23 7] arr <- any Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global); + [#"../index_range.rs" 23 4 23 7] _0 <- arr; + arr <- any Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global); goto BB7 } BB7 { return _0 } -end -module Core_Option_Option_Type - type t_option 't = - | C_None - | C_Some 't - end module Core_Ops_Range_Range_Type type t_range 'idx = @@ -209,6 +210,12 @@ module Core_Ops_Range_Range_Type | C_Range _ a -> a end end +module Core_Option_Option_Type + type t_option 't = + | C_None + | C_Some 't + +end module IndexRange_TestRange use prelude.Int32 use prelude.Slice 
@@ -250,7 +257,8 @@ module IndexRange_TestRange requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant9 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv10 (shallow_model0 self) val invariant9 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -385,7 +393,8 @@ module IndexRange_TestRange predicate resolve_elswhere0 (self : Core_Ops_Range_Range_Type.t_range usize) (old' : Seq.seq int32) (fin : Seq.seq int32) = - [#"../../../../creusot-contracts/src/std/slice.rs" 149 8 152 9] forall i : int . 0 <= i /\ (i < UIntSize.to_int (Core_Ops_Range_Range_Type.range_start self) \/ UIntSize.to_int (Core_Ops_Range_Range_Type.range_end self) <= i) /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 149 8 152 9] forall i : int . 0 <= i /\ (i < UIntSize.to_int (Core_Ops_Range_Range_Type.range_start self) \/ UIntSize.to_int (Core_Ops_Range_Range_Type.range_end self) <= i) /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 (self : Core_Ops_Range_Range_Type.t_range usize) (old' : Seq.seq int32) (fin : Seq.seq int32) : bool ensures { result = resolve_elswhere0 self old' fin } 
@@ -395,7 +404,8 @@ module IndexRange_TestRange requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : slice int32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv10 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : slice int32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv10 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) use seq_ext.SeqExt predicate has_value0 (self : Core_Ops_Range_Range_Type.t_range usize) (seq : Seq.seq int32) (out : slice int32) = [#"../../../../creusot-contracts/src/std/slice.rs" 143 20 143 67] SeqExt.subsequence seq (UIntSize.to_int (Core_Ops_Range_Range_Type.range_start self)) (UIntSize.to_int (Core_Ops_Range_Range_Type.range_end self)) = shallow_model6 out 
@@ -436,7 +446,8 @@ module IndexRange_TestRange val get0 (self : slice int32) (index : Core_Ops_Range_Range_Type.t_range usize) : Core_Option_Option_Type.t_option (slice int32) requires {inv2 self} requires {inv1 index} - ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 252 8 252 102] in_bounds0 index (shallow_model3 self) -> (exists r : slice int32 . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ has_value0 index (shallow_model3 self) r) } + ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 252 8 252 102] in_bounds0 index (shallow_model3 self) + -> (exists r : slice int32 . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ has_value0 index (shallow_model3 self) r) } ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 253 18 253 55] in_bounds0 index (shallow_model3 self) \/ result = Core_Option_Option_Type.C_None } ensures { inv3 result } @@ -458,7 +469,8 @@ module IndexRange_TestRange ensures { result = index_logic0 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve2 (index_logic0 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve2 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } 
@@ -483,98 +495,140 @@ module IndexRange_TestRange var arr : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global); var s : slice int32; var _3 : slice int32; + var _5 : Core_Ops_Range_Range_Type.t_range usize; + var _7 : bool; var _8 : usize; + var _10 : bool; var _12 : usize; + var _13 : usize; var _14 : bool; + var _15 : bool; var _17 : usize; + var _18 : usize; var _19 : bool; var s1 : slice int32; var _22 : slice int32; + var _24 : Core_Ops_Range_Range_Type.t_range usize; + var _26 : bool; var _27 : usize; + var _29 : bool; var _31 : usize; + var _32 : usize; var _33 : bool; + var _34 : bool; var _36 : usize; + var _37 : usize; var _38 : bool; + var _41 : bool; var _42 : usize; var _44 : slice int32; + var _46 : Core_Ops_Range_Range_Type.t_range usize; + var _49 : bool; var _50 : usize; var _52 : slice int32; + var _54 : Core_Ops_Range_Range_Type.t_range usize; var _57 : bool; var _59 : Core_Option_Option_Type.t_option (slice int32); var _61 : slice int32; + var _63 : Core_Ops_Range_Range_Type.t_range usize; var _66 : bool; var _68 : Core_Option_Option_Type.t_option (slice int32); var _70 : slice int32; + var _72 : Core_Ops_Range_Range_Type.t_range usize; var _75 : bool; var _77 : Core_Option_Option_Type.t_option (slice int32); var _79 : slice int32; + var _81 : Core_Ops_Range_Range_Type.t_range usize; var _84 : bool; var _86 : Core_Option_Option_Type.t_option (slice int32); var _88 : slice int32; + var _90 : Core_Ops_Range_Range_Type.t_range usize; var s2 : borrowed (slice int32); var _93 : borrowed (slice int32); var _94 : borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); + var _95 : Core_Ops_Range_Range_Type.t_range usize; + var _97 : bool; var _98 : usize; var _101 : usize; + var _102 : usize; var _103 : bool; var _104 : usize; + var _105 : usize; var _106 : bool; + var _108 : bool; var _110 : usize; + var _111 : usize; var _112 : bool; + var _115 : bool; var _116 : usize; + var _120 : bool; var _122 : int32; + var 
_126 : bool; var _128 : int32; + var _132 : bool; var _134 : int32; + var _138 : bool; var _140 : int32; + var _144 : bool; var _146 : int32; { goto BB0 } BB0 { - [#"../index_range.rs" 29 18 29 30] arr <- ([#"../index_range.rs" 29 18 29 30] create_arr0 ()); + [#"../index_range.rs" 29 18 29 30] arr <- ([#"../index_range.rs" 29 18 29 30] create_arr0 ([#"../index_range.rs" 29 18 29 30] ())); goto BB1 } BB1 { - [#"../index_range.rs" 34 16 34 22] _3 <- ([#"../index_range.rs" 34 16 34 22] index0 ([#"../index_range.rs" 34 13 34 16] arr) ([#"../index_range.rs" 34 17 34 21] Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 34 17 34 18] [#"../index_range.rs" 34 17 34 18] (0 : usize)) ([#"../index_range.rs" 34 20 34 21] [#"../index_range.rs" 34 20 34 21] (2 : usize)))); + [#"../index_range.rs" 34 17 34 21] _5 <- Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 34 17 34 18] (0 : usize)) ([#"../index_range.rs" 34 20 34 21] (2 : usize)); + [#"../index_range.rs" 34 16 34 22] _3 <- ([#"../index_range.rs" 34 16 34 22] index0 arr _5); + _5 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB2 } BB2 { - [#"../index_range.rs" 34 12 34 22] s <- ([#"../index_range.rs" 34 12 34 22] _3); - [#"../index_range.rs" 35 12 35 19] _8 <- ([#"../index_range.rs" 35 12 35 19] len0 ([#"../index_range.rs" 35 12 35 13] s)); + [#"../index_range.rs" 34 12 34 22] s <- _3; + [#"../index_range.rs" 35 12 35 19] _8 <- ([#"../index_range.rs" 35 12 35 19] len0 s); goto BB3 } BB3 { - switch ([#"../index_range.rs" 35 12 35 24] _8 = ([#"../index_range.rs" 35 23 35 24] [#"../index_range.rs" 35 23 35 24] (2 : usize))) + [#"../index_range.rs" 35 12 35 24] _7 <- _8 = ([#"../index_range.rs" 35 23 35 24] (2 : usize)); + _8 <- any usize; + switch (_7) | False -> goto BB11 | True -> goto BB4 end } BB4 { - [#"../index_range.rs" 35 30 35 31] _12 <- ([#"../index_range.rs" 35 30 35 31] [#"../index_range.rs" 35 30 35 31] (0 : usize)); - [#"../index_range.rs" 35 28 35 32] _14 <- ([#"../index_range.rs" 35 28 35 
32] _12 < ([#"../index_range.rs" 35 28 35 32] Slice.length s)); + [#"../index_range.rs" 35 30 35 31] _12 <- ([#"../index_range.rs" 35 30 35 31] (0 : usize)); + [#"../index_range.rs" 35 28 35 32] _13 <- Slice.length s; + [#"../index_range.rs" 35 28 35 32] _14 <- _12 < _13; assert { [@expl:index in bounds] [#"../index_range.rs" 35 28 35 32] _14 }; goto BB5 } BB5 { - switch ([#"../index_range.rs" 35 28 35 37] ([#"../index_range.rs" 35 28 35 32] Slice.get s _12) = ([#"../index_range.rs" 35 36 35 37] [#"../index_range.rs" 35 36 35 37] (0 : int32))) + [#"../index_range.rs" 35 28 35 37] _10 <- Slice.get s _12 = ([#"../index_range.rs" 35 36 35 37] (0 : int32)); + switch (_10) | False -> goto BB10 | True -> goto BB6 end } BB6 { - [#"../index_range.rs" 35 43 35 44] _17 <- ([#"../index_range.rs" 35 43 35 44] [#"../index_range.rs" 35 43 35 44] (1 : usize)); - [#"../index_range.rs" 35 41 35 45] _19 <- ([#"../index_range.rs" 35 41 35 45] _17 < ([#"../index_range.rs" 35 41 35 45] Slice.length s)); + [#"../index_range.rs" 35 43 35 44] _17 <- ([#"../index_range.rs" 35 43 35 44] (1 : usize)); + [#"../index_range.rs" 35 41 35 45] _18 <- Slice.length s; + [#"../index_range.rs" 35 41 35 45] _19 <- _17 < _18; assert { [@expl:index in bounds] [#"../index_range.rs" 35 41 35 45] _19 }; goto BB7 } BB7 { - switch ([#"../index_range.rs" 35 41 35 50] ([#"../index_range.rs" 35 41 35 45] Slice.get s _17) = ([#"../index_range.rs" 35 49 35 50] [#"../index_range.rs" 35 49 35 50] (1 : int32))) + [#"../index_range.rs" 35 41 35 50] _15 <- Slice.get s _17 = ([#"../index_range.rs" 35 49 35 50] (1 : int32)); + switch (_15) | False -> goto BB9 | True -> goto BB8 end } BB8 { - [#"../index_range.rs" 37 16 37 22] _22 <- ([#"../index_range.rs" 37 16 37 22] index0 ([#"../index_range.rs" 37 13 37 16] arr) ([#"../index_range.rs" 37 17 37 21] Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 37 17 37 18] [#"../index_range.rs" 37 17 37 18] (3 : usize)) ([#"../index_range.rs" 37 20 37 21] 
[#"../index_range.rs" 37 20 37 21] (5 : usize)))); + [#"../index_range.rs" 37 17 37 21] _24 <- Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 37 17 37 18] (3 : usize)) ([#"../index_range.rs" 37 20 37 21] (5 : usize)); + [#"../index_range.rs" 37 16 37 22] _22 <- ([#"../index_range.rs" 37 16 37 22] index0 arr _24); + _24 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB13 } BB9 { 
@@ -594,42 +648,50 @@ module IndexRange_TestRange absurd } BB13 { - [#"../index_range.rs" 37 12 37 22] s1 <- ([#"../index_range.rs" 37 12 37 22] _22); - [#"../index_range.rs" 38 12 38 19] _27 <- ([#"../index_range.rs" 38 12 38 19] len0 ([#"../index_range.rs" 38 12 38 13] s1)); + [#"../index_range.rs" 37 12 37 22] s1 <- _22; + [#"../index_range.rs" 38 12 38 19] _27 <- ([#"../index_range.rs" 38 12 38 19] len0 s1); goto BB14 } BB14 { - switch ([#"../index_range.rs" 38 12 38 24] _27 = ([#"../index_range.rs" 38 23 38 24] [#"../index_range.rs" 38 23 38 24] (2 : usize))) + [#"../index_range.rs" 38 12 38 24] _26 <- _27 = ([#"../index_range.rs" 38 23 38 24] (2 : usize)); + _27 <- any usize; + switch (_26) | False -> goto BB22 | True -> goto BB15 end } BB15 { - [#"../index_range.rs" 38 30 38 31] _31 <- ([#"../index_range.rs" 38 30 38 31] [#"../index_range.rs" 38 30 38 31] (0 : usize)); - [#"../index_range.rs" 38 28 38 32] _33 <- ([#"../index_range.rs" 38 28 38 32] _31 < ([#"../index_range.rs" 38 28 38 32] Slice.length s1)); + [#"../index_range.rs" 38 30 38 31] _31 <- ([#"../index_range.rs" 38 30 38 31] (0 : usize)); + [#"../index_range.rs" 38 28 38 32] _32 <- Slice.length s1; + [#"../index_range.rs" 38 28 38 32] _33 <- _31 < _32; assert { [@expl:index in bounds] [#"../index_range.rs" 38 28 38 32] _33 }; goto BB16 } BB16 { - switch ([#"../index_range.rs" 38 28 38 37] ([#"../index_range.rs" 38 28 38 32] Slice.get s1 _31) = ([#"../index_range.rs" 38 36 38 37] [#"../index_range.rs" 38 36 38 37] (3 : int32))) + [#"../index_range.rs" 38 28 38 37] _29 <- Slice.get s1 _31 = ([#"../index_range.rs" 38 36 38 37] (3 : int32)); + switch (_29) | False -> goto BB21 | True -> goto BB17 end } BB17 { - [#"../index_range.rs" 38 43 38 44] _36 <- ([#"../index_range.rs" 38 43 38 44] [#"../index_range.rs" 38 43 38 44] (1 : usize)); - [#"../index_range.rs" 38 41 38 45] _38 <- ([#"../index_range.rs" 38 41 38 45] _36 < ([#"../index_range.rs" 38 41 38 45] Slice.length s1)); + [#"../index_range.rs" 38 
43 38 44] _36 <- ([#"../index_range.rs" 38 43 38 44] (1 : usize)); + [#"../index_range.rs" 38 41 38 45] _37 <- Slice.length s1; + [#"../index_range.rs" 38 41 38 45] _38 <- _36 < _37; assert { [@expl:index in bounds] [#"../index_range.rs" 38 41 38 45] _38 }; goto BB18 } BB18 { - switch ([#"../index_range.rs" 38 41 38 50] ([#"../index_range.rs" 38 41 38 45] Slice.get s1 _36) = ([#"../index_range.rs" 38 49 38 50] [#"../index_range.rs" 38 49 38 50] (4 : int32))) + [#"../index_range.rs" 38 41 38 50] _34 <- Slice.get s1 _36 = ([#"../index_range.rs" 38 49 38 50] (4 : int32)); + switch (_34) | False -> goto BB20 | True -> goto BB19 end } BB19 { - [#"../index_range.rs" 43 15 43 21] _44 <- ([#"../index_range.rs" 43 15 43 21] index0 ([#"../index_range.rs" 43 12 43 15] arr) ([#"../index_range.rs" 43 16 43 20] Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 43 16 43 17] [#"../index_range.rs" 43 16 43 17] (2 : usize)) ([#"../index_range.rs" 43 19 43 20] [#"../index_range.rs" 43 19 43 20] (2 : usize)))); + [#"../index_range.rs" 43 16 43 20] _46 <- Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 43 16 43 17] (2 : usize)) ([#"../index_range.rs" 43 19 43 20] (2 : usize)); + [#"../index_range.rs" 43 15 43 21] _44 <- ([#"../index_range.rs" 43 15 43 21] index0 arr _46); + _46 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB24 } BB20 { 
@@ -649,17 +711,21 @@ module IndexRange_TestRange absurd } BB24 { - [#"../index_range.rs" 43 12 43 27] _42 <- ([#"../index_range.rs" 43 12 43 27] len0 ([#"../index_range.rs" 43 12 43 21] _44)); + [#"../index_range.rs" 43 12 43 27] _42 <- ([#"../index_range.rs" 43 12 43 27] len0 _44); goto BB25 } BB25 { - switch ([#"../index_range.rs" 43 12 43 32] _42 = ([#"../index_range.rs" 43 31 43 32] [#"../index_range.rs" 43 31 43 32] (0 : usize))) + [#"../index_range.rs" 43 12 43 32] _41 <- _42 = ([#"../index_range.rs" 43 31 43 32] (0 : usize)); + _42 <- any usize; + switch (_41) | False -> goto BB27 | True -> goto BB26 end } BB26 { - [#"../index_range.rs" 45 15 45 21] _52 <- ([#"../index_range.rs" 45 15 45 21] index0 ([#"../index_range.rs" 45 12 45 15] arr) ([#"../index_range.rs" 45 16 45 20] Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 45 16 45 17] [#"../index_range.rs" 45 16 45 17] (5 : usize)) ([#"../index_range.rs" 45 19 45 20] [#"../index_range.rs" 45 19 45 20] (5 : usize)))); + [#"../index_range.rs" 45 16 45 20] _54 <- Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 45 16 45 17] (5 : usize)) ([#"../index_range.rs" 45 19 45 20] (5 : usize)); + [#"../index_range.rs" 45 15 45 21] _52 <- ([#"../index_range.rs" 45 15 45 21] index0 arr _54); + _54 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB28 } BB27 { 
@@ -668,17 +734,19 @@ module IndexRange_TestRange absurd } BB28 { - [#"../index_range.rs" 45 12 45 27] _50 <- ([#"../index_range.rs" 45 12 45 27] len0 ([#"../index_range.rs" 45 12 45 21] _52)); + [#"../index_range.rs" 45 12 45 27] _50 <- ([#"../index_range.rs" 45 12 45 27] len0 _52); goto BB29 } BB29 { - switch ([#"../index_range.rs" 45 12 45 32] _50 = ([#"../index_range.rs" 45 31 45 32] [#"../index_range.rs" 45 31 45 32] (0 : usize))) + [#"../index_range.rs" 45 12 45 32] _49 <- _50 = ([#"../index_range.rs" 45 31 45 32] (0 : usize)); + _50 <- any usize; + switch (_49) | False -> goto BB31 | True -> goto BB30 end } BB30 { - [#"../index_range.rs" 50 12 50 25] _61 <- ([#"../index_range.rs" 50 12 50 25] deref0 ([#"../index_range.rs" 50 12 50 15] arr)); + [#"../index_range.rs" 50 12 50 25] _61 <- ([#"../index_range.rs" 50 12 50 25] deref0 arr); goto BB32 } BB31 { @@ -687,11 +755,13 @@ module IndexRange_TestRange absurd } BB32 { - [#"../index_range.rs" 50 12 50 25] _59 <- ([#"../index_range.rs" 50 12 50 25] get0 ([#"../index_range.rs" 50 12 50 15] _61) ([#"../index_range.rs" 50 20 50 24] Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 50 20 50 21] [#"../index_range.rs" 50 20 50 21] (2 : usize)) ([#"../index_range.rs" 50 23 50 24] [#"../index_range.rs" 50 23 50 24] (6 : usize)))); + [#"../index_range.rs" 50 20 50 24] _63 <- Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 50 20 50 21] (2 : usize)) ([#"../index_range.rs" 50 23 50 24] (6 : usize)); + [#"../index_range.rs" 50 12 50 25] _59 <- ([#"../index_range.rs" 50 12 50 25] get0 _61 _63); + _63 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB33 } BB33 { - [#"../index_range.rs" 50 12 50 35] _57 <- ([#"../index_range.rs" 50 12 50 35] is_none0 ([#"../index_range.rs" 50 12 50 25] _59)); + [#"../index_range.rs" 50 12 50 35] _57 <- ([#"../index_range.rs" 50 12 50 35] is_none0 _59); goto BB34 } BB34 { 
@@ -701,7 +771,7 @@ module IndexRange_TestRange end } BB35 { - [#"../index_range.rs" 52 12 52 25] _70 <- ([#"../index_range.rs" 52 12 52 25] deref0 ([#"../index_range.rs" 52 12 52 15] arr)); + [#"../index_range.rs" 52 12 52 25] _70 <- ([#"../index_range.rs" 52 12 52 25] deref0 arr); goto BB37 } BB36 { @@ -710,11 +780,13 @@ module IndexRange_TestRange absurd } BB37 { - [#"../index_range.rs" 52 12 52 25] _68 <- ([#"../index_range.rs" 52 12 52 25] get0 ([#"../index_range.rs" 52 12 52 15] _70) ([#"../index_range.rs" 52 20 52 24] Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 52 20 52 21] [#"../index_range.rs" 52 20 52 21] (2 : usize)) ([#"../index_range.rs" 52 23 52 24] [#"../index_range.rs" 52 23 52 24] (1 : usize)))); + [#"../index_range.rs" 52 20 52 24] _72 <- Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 52 20 52 21] (2 : usize)) ([#"../index_range.rs" 52 23 52 24] (1 : usize)); + [#"../index_range.rs" 52 12 52 25] _68 <- ([#"../index_range.rs" 52 12 52 25] get0 _70 _72); + _72 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB38 } BB38 { - [#"../index_range.rs" 52 12 52 35] _66 <- ([#"../index_range.rs" 52 12 52 35] is_none0 ([#"../index_range.rs" 52 12 52 25] _68)); + [#"../index_range.rs" 52 12 52 35] _66 <- ([#"../index_range.rs" 52 12 52 35] is_none0 _68); goto BB39 } BB39 { @@ -724,7 +796,7 @@ module IndexRange_TestRange end } BB40 { - [#"../index_range.rs" 54 12 54 25] _79 <- ([#"../index_range.rs" 54 12 54 25] deref0 ([#"../index_range.rs" 54 12 54 15] arr)); + [#"../index_range.rs" 54 12 54 25] _79 <- ([#"../index_range.rs" 54 12 54 25] deref0 arr); goto BB42 } BB41 { 
@@ -733,11 +805,13 @@ module IndexRange_TestRange absurd } BB42 { - [#"../index_range.rs" 54 12 54 25] _77 <- ([#"../index_range.rs" 54 12 54 25] get0 ([#"../index_range.rs" 54 12 54 15] _79) ([#"../index_range.rs" 54 20 54 24] Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 54 20 54 21] [#"../index_range.rs" 54 20 54 21] (6 : usize)) ([#"../index_range.rs" 54 23 54 24] [#"../index_range.rs" 54 23 54 24] (6 : usize)))); + [#"../index_range.rs" 54 20 54 24] _81 <- Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 54 20 54 21] (6 : usize)) ([#"../index_range.rs" 54 23 54 24] (6 : usize)); + [#"../index_range.rs" 54 12 54 25] _77 <- ([#"../index_range.rs" 54 12 54 25] get0 _79 _81); + _81 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB43 } BB43 { - [#"../index_range.rs" 54 12 54 35] _75 <- ([#"../index_range.rs" 54 12 54 35] is_none0 ([#"../index_range.rs" 54 12 54 25] _77)); + [#"../index_range.rs" 54 12 54 35] _75 <- ([#"../index_range.rs" 54 12 54 35] is_none0 _77); goto BB44 } BB44 { @@ -747,7 +821,7 @@ module IndexRange_TestRange end } BB45 { - [#"../index_range.rs" 56 12 56 27] _88 <- ([#"../index_range.rs" 56 12 56 27] deref0 ([#"../index_range.rs" 56 12 56 15] arr)); + [#"../index_range.rs" 56 12 56 27] _88 <- ([#"../index_range.rs" 56 12 56 27] deref0 arr); goto BB47 } BB46 { 
@@ -756,11 +830,13 @@ module IndexRange_TestRange absurd } BB47 { - [#"../index_range.rs" 56 12 56 27] _86 <- ([#"../index_range.rs" 56 12 56 27] get0 ([#"../index_range.rs" 56 12 56 15] _88) ([#"../index_range.rs" 56 20 56 26] Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 56 20 56 22] [#"../index_range.rs" 56 20 56 22] (10 : usize)) ([#"../index_range.rs" 56 24 56 26] [#"../index_range.rs" 56 24 56 26] (10 : usize)))); + [#"../index_range.rs" 56 20 56 26] _90 <- Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 56 20 56 22] (10 : usize)) ([#"../index_range.rs" 56 24 56 26] (10 : usize)); + [#"../index_range.rs" 56 12 56 27] _86 <- ([#"../index_range.rs" 56 12 56 27] get0 _88 _90); + _90 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB48 } BB48 { - [#"../index_range.rs" 56 12 56 37] _84 <- ([#"../index_range.rs" 56 12 56 37] is_none0 ([#"../index_range.rs" 56 12 56 27] _86)); + [#"../index_range.rs" 56 12 56 37] _84 <- ([#"../index_range.rs" 56 12 56 37] is_none0 _86); goto BB49 } BB49 { @@ -772,8 +848,10 @@ module IndexRange_TestRange BB50 { [#"../index_range.rs" 59 17 59 20] _94 <- Borrow.borrow_mut arr; [#"../index_range.rs" 59 17 59 20] arr <- ^ _94; - [#"../index_range.rs" 59 20 59 26] _93 <- ([#"../index_range.rs" 59 20 59 26] index_mut0 _94 ([#"../index_range.rs" 59 21 59 25] Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 59 21 59 22] [#"../index_range.rs" 59 21 59 22] (1 : usize)) ([#"../index_range.rs" 59 24 59 25] [#"../index_range.rs" 59 24 59 25] (4 : usize)))); + [#"../index_range.rs" 59 21 59 25] _95 <- Core_Ops_Range_Range_Type.C_Range ([#"../index_range.rs" 59 21 59 22] (1 : usize)) ([#"../index_range.rs" 59 24 59 25] (4 : usize)); + [#"../index_range.rs" 59 20 59 26] _93 <- ([#"../index_range.rs" 59 20 59 26] index_mut0 _94 _95); _94 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); + _95 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB52 } BB51 { 
@@ -784,18 +862,21 @@ module IndexRange_TestRange BB52 { [#"../index_range.rs" 59 12 59 26] s2 <- Borrow.borrow_final ( * _93) (Borrow.get_id _93); [#"../index_range.rs" 59 12 59 26] _93 <- { _93 with current = ( ^ s2) ; }; - [#"../index_range.rs" 60 12 60 19] _98 <- ([#"../index_range.rs" 60 12 60 19] len0 ([#"../index_range.rs" 60 12 60 13] * s2)); + [#"../index_range.rs" 60 12 60 19] _98 <- ([#"../index_range.rs" 60 12 60 19] len0 ( * s2)); goto BB53 } BB53 { - switch ([#"../index_range.rs" 60 12 60 24] _98 = ([#"../index_range.rs" 60 23 60 24] [#"../index_range.rs" 60 23 60 24] (3 : usize))) + [#"../index_range.rs" 60 12 60 24] _97 <- _98 = ([#"../index_range.rs" 60 23 60 24] (3 : usize)); + _98 <- any usize; + switch (_97) | False -> goto BB55 | True -> goto BB54 end } BB54 { - [#"../index_range.rs" 61 6 61 7] _101 <- ([#"../index_range.rs" 61 6 61 7] [#"../index_range.rs" 61 6 61 7] (0 : usize)); - [#"../index_range.rs" 61 4 61 8] _103 <- ([#"../index_range.rs" 61 4 61 8] _101 < ([#"../index_range.rs" 61 4 61 8] Slice.length ( * s2))); + [#"../index_range.rs" 61 6 61 7] _101 <- ([#"../index_range.rs" 61 6 61 7] (0 : usize)); + [#"../index_range.rs" 61 4 61 8] _102 <- Slice.length ( * s2); + [#"../index_range.rs" 61 4 61 8] _103 <- _101 < _102; assert { [@expl:index in bounds] [#"../index_range.rs" 61 4 61 8] _103 }; goto BB56 } 
@@ -807,29 +888,32 @@ module IndexRange_TestRange absurd } BB56 { - [#"../index_range.rs" 61 4 61 13] s2 <- { s2 with current = Slice.set ( * s2) _101 ([#"../index_range.rs" 61 4 61 13] [#"../index_range.rs" 61 11 61 13] (-1 : int32)) ; }; - [#"../index_range.rs" 62 6 62 7] _104 <- ([#"../index_range.rs" 62 6 62 7] [#"../index_range.rs" 62 6 62 7] (1 : usize)); - [#"../index_range.rs" 62 4 62 8] _106 <- ([#"../index_range.rs" 62 4 62 8] _104 < ([#"../index_range.rs" 62 4 62 8] Slice.length ( * s2))); + [#"../index_range.rs" 61 4 61 13] s2 <- { s2 with current = Slice.set ( * s2) _101 ([#"../index_range.rs" 61 11 61 13] (-1 : int32)) ; }; + [#"../index_range.rs" 62 6 62 7] _104 <- ([#"../index_range.rs" 62 6 62 7] (1 : usize)); + [#"../index_range.rs" 62 4 62 8] _105 <- Slice.length ( * s2); + [#"../index_range.rs" 62 4 62 8] _106 <- _104 < _105; assert { [@expl:index in bounds] [#"../index_range.rs" 62 4 62 8] _106 }; goto BB57 } BB57 { - [#"../index_range.rs" 62 4 62 13] s2 <- { s2 with current = Slice.set ( * s2) _104 ([#"../index_range.rs" 62 4 62 13] [#"../index_range.rs" 62 11 62 13] (-1 : int32)) ; }; - [#"../index_range.rs" 67 14 67 15] _110 <- ([#"../index_range.rs" 67 14 67 15] [#"../index_range.rs" 67 14 67 15] (2 : usize)); - [#"../index_range.rs" 67 12 67 16] _112 <- ([#"../index_range.rs" 67 12 67 16] _110 < ([#"../index_range.rs" 67 12 67 16] Slice.length ( * s2))); + [#"../index_range.rs" 62 4 62 13] s2 <- { s2 with current = Slice.set ( * s2) _104 ([#"../index_range.rs" 62 11 62 13] (-1 : int32)) ; }; + [#"../index_range.rs" 67 14 67 15] _110 <- ([#"../index_range.rs" 67 14 67 15] (2 : usize)); + [#"../index_range.rs" 67 12 67 16] _111 <- Slice.length ( * s2); + [#"../index_range.rs" 67 12 67 16] _112 <- _110 < _111; assert { [@expl:index in bounds] [#"../index_range.rs" 67 12 67 16] _112 }; goto BB58 } BB58 { assume { resolve1 s2 }; + [#"../index_range.rs" 67 12 67 21] _108 <- Slice.get ( * s2) _110 = ([#"../index_range.rs" 67 20 67 21] (3 : 
int32)); assume { resolve1 _93 }; - switch ([#"../index_range.rs" 67 12 67 21] ([#"../index_range.rs" 67 12 67 16] Slice.get ( * s2) _110) = ([#"../index_range.rs" 67 20 67 21] [#"../index_range.rs" 67 20 67 21] (3 : int32))) + switch (_108) | False -> goto BB60 | True -> goto BB59 end } BB59 { - [#"../index_range.rs" 69 12 69 21] _116 <- ([#"../index_range.rs" 69 12 69 21] len1 ([#"../index_range.rs" 69 12 69 15] arr)); + [#"../index_range.rs" 69 12 69 21] _116 <- ([#"../index_range.rs" 69 12 69 21] len1 arr); goto BB61 } BB60 { @@ -838,13 +922,15 @@ module IndexRange_TestRange absurd } BB61 { - switch ([#"../index_range.rs" 69 12 69 26] _116 = ([#"../index_range.rs" 69 25 69 26] [#"../index_range.rs" 69 25 69 26] (5 : usize))) + [#"../index_range.rs" 69 12 69 26] _115 <- _116 = ([#"../index_range.rs" 69 25 69 26] (5 : usize)); + _116 <- any usize; + switch (_115) | False -> goto BB63 | True -> goto BB62 end } BB62 { - [#"../index_range.rs" 70 15 70 18] _122 <- ([#"../index_range.rs" 70 15 70 18] index1 ([#"../index_range.rs" 70 12 70 15] arr) ([#"../index_range.rs" 70 16 70 17] [#"../index_range.rs" 70 16 70 17] (0 : usize))); + [#"../index_range.rs" 70 15 70 18] _122 <- ([#"../index_range.rs" 70 15 70 18] index1 arr ([#"../index_range.rs" 70 16 70 17] (0 : usize))); goto BB64 } BB63 { 
@@ -853,13 +939,14 @@ module IndexRange_TestRange absurd } BB64 { - switch ([#"../index_range.rs" 70 12 70 23] ([#"../index_range.rs" 70 12 70 18] _122) = ([#"../index_range.rs" 70 22 70 23] [#"../index_range.rs" 70 22 70 23] (0 : int32))) + [#"../index_range.rs" 70 12 70 23] _120 <- _122 = ([#"../index_range.rs" 70 22 70 23] (0 : int32)); + switch (_120) | False -> goto BB66 | True -> goto BB65 end } BB65 { - [#"../index_range.rs" 71 15 71 18] _128 <- ([#"../index_range.rs" 71 15 71 18] index1 ([#"../index_range.rs" 71 12 71 15] arr) ([#"../index_range.rs" 71 16 71 17] [#"../index_range.rs" 71 16 71 17] (1 : usize))); + [#"../index_range.rs" 71 15 71 18] _128 <- ([#"../index_range.rs" 71 15 71 18] index1 arr ([#"../index_range.rs" 71 16 71 17] (1 : usize))); goto BB67 } BB66 { @@ -868,13 +955,14 @@ module IndexRange_TestRange absurd } BB67 { - switch ([#"../index_range.rs" 71 12 71 24] ([#"../index_range.rs" 71 12 71 18] _128) = ([#"../index_range.rs" 71 22 71 24] [#"../index_range.rs" 71 22 71 24] (-1 : int32))) + [#"../index_range.rs" 71 12 71 24] _126 <- _128 = ([#"../index_range.rs" 71 22 71 24] (-1 : int32)); + switch (_126) | False -> goto BB69 | True -> goto BB68 end } BB68 { - [#"../index_range.rs" 72 15 72 18] _134 <- ([#"../index_range.rs" 72 15 72 18] index1 ([#"../index_range.rs" 72 12 72 15] arr) ([#"../index_range.rs" 72 16 72 17] [#"../index_range.rs" 72 16 72 17] (2 : usize))); + [#"../index_range.rs" 72 15 72 18] _134 <- ([#"../index_range.rs" 72 15 72 18] index1 arr ([#"../index_range.rs" 72 16 72 17] (2 : usize))); goto BB70 } BB69 { 
@@ -883,13 +971,14 @@ module IndexRange_TestRange absurd } BB70 { - switch ([#"../index_range.rs" 72 12 72 24] ([#"../index_range.rs" 72 12 72 18] _134) = ([#"../index_range.rs" 72 22 72 24] [#"../index_range.rs" 72 22 72 24] (-1 : int32))) + [#"../index_range.rs" 72 12 72 24] _132 <- _134 = ([#"../index_range.rs" 72 22 72 24] (-1 : int32)); + switch (_132) | False -> goto BB72 | True -> goto BB71 end } BB71 { - [#"../index_range.rs" 73 15 73 18] _140 <- ([#"../index_range.rs" 73 15 73 18] index1 ([#"../index_range.rs" 73 12 73 15] arr) ([#"../index_range.rs" 73 16 73 17] [#"../index_range.rs" 73 16 73 17] (3 : usize))); + [#"../index_range.rs" 73 15 73 18] _140 <- ([#"../index_range.rs" 73 15 73 18] index1 arr ([#"../index_range.rs" 73 16 73 17] (3 : usize))); goto BB73 } BB72 { @@ -898,13 +987,14 @@ module IndexRange_TestRange absurd } BB73 { - switch ([#"../index_range.rs" 73 12 73 23] ([#"../index_range.rs" 73 12 73 18] _140) = ([#"../index_range.rs" 73 22 73 23] [#"../index_range.rs" 73 22 73 23] (3 : int32))) + [#"../index_range.rs" 73 12 73 23] _138 <- _140 = ([#"../index_range.rs" 73 22 73 23] (3 : int32)); + switch (_138) | False -> goto BB75 | True -> goto BB74 end } BB74 { - [#"../index_range.rs" 74 15 74 18] _146 <- ([#"../index_range.rs" 74 15 74 18] index1 ([#"../index_range.rs" 74 12 74 15] arr) ([#"../index_range.rs" 74 16 74 17] [#"../index_range.rs" 74 16 74 17] (4 : usize))); + [#"../index_range.rs" 74 15 74 18] _146 <- ([#"../index_range.rs" 74 15 74 18] index1 arr ([#"../index_range.rs" 74 16 74 17] (4 : usize))); goto BB76 } BB75 { @@ -914,7 +1004,8 @@ module IndexRange_TestRange } BB76 { assume { resolve0 arr }; - switch ([#"../index_range.rs" 74 12 74 23] ([#"../index_range.rs" 74 12 74 18] _146) = ([#"../index_range.rs" 74 22 74 23] [#"../index_range.rs" 74 22 74 23] (4 : int32))) + [#"../index_range.rs" 74 12 74 23] _144 <- _146 = ([#"../index_range.rs" 74 22 74 23] (4 : int32)); + switch (_144) | False -> goto BB78 | True -> goto BB77 end 
@@ -982,7 +1073,8 @@ module IndexRange_TestRangeTo requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant9 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv10 (shallow_model0 self) val invariant9 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1117,7 +1209,8 @@ module IndexRange_TestRangeTo predicate resolve_elswhere0 (self : Core_Ops_Range_RangeTo_Type.t_rangeto usize) (old' : Seq.seq int32) (fin : Seq.seq int32) = - [#"../../../../creusot-contracts/src/std/slice.rs" 172 8 172 90] forall i : int . UIntSize.to_int (Core_Ops_Range_RangeTo_Type.rangeto_end self) <= i /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 172 8 172 90] forall i : int . UIntSize.to_int (Core_Ops_Range_RangeTo_Type.rangeto_end self) <= i /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 (self : Core_Ops_Range_RangeTo_Type.t_rangeto usize) (old' : Seq.seq int32) (fin : Seq.seq int32) : bool ensures { result = resolve_elswhere0 self old' fin } 
@@ -1127,7 +1220,8 @@ module IndexRange_TestRangeTo requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : slice int32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv10 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : slice int32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv10 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) use seq_ext.SeqExt predicate has_value0 (self : Core_Ops_Range_RangeTo_Type.t_rangeto usize) (seq : Seq.seq int32) (out : slice int32) = [#"../../../../creusot-contracts/src/std/slice.rs" 166 20 166 57] SeqExt.subsequence seq 0 (UIntSize.to_int (Core_Ops_Range_RangeTo_Type.rangeto_end self)) = shallow_model6 out 
@@ -1168,7 +1262,8 @@ module IndexRange_TestRangeTo val get0 (self : slice int32) (index : Core_Ops_Range_RangeTo_Type.t_rangeto usize) : Core_Option_Option_Type.t_option (slice int32) requires {inv2 self} requires {inv1 index} - ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 252 8 252 102] in_bounds0 index (shallow_model3 self) -> (exists r : slice int32 . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ has_value0 index (shallow_model3 self) r) } + ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 252 8 252 102] in_bounds0 index (shallow_model3 self) + -> (exists r : slice int32 . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ has_value0 index (shallow_model3 self) r) } ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 253 18 253 55] in_bounds0 index (shallow_model3 self) \/ result = Core_Option_Option_Type.C_None } ensures { inv3 result } @@ -1190,7 +1285,8 @@ module IndexRange_TestRangeTo ensures { result = index_logic0 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve2 (index_logic0 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve2 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } 
@@ -1215,80 +1311,111 @@ module IndexRange_TestRangeTo var arr : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global); var s : slice int32; var _3 : slice int32; + var _5 : Core_Ops_Range_RangeTo_Type.t_rangeto usize; + var _7 : bool; var _8 : usize; + var _10 : bool; var _12 : usize; + var _13 : usize; var _14 : bool; + var _15 : bool; var _17 : usize; + var _18 : usize; var _19 : bool; + var _22 : bool; var _23 : usize; var _25 : slice int32; + var _27 : Core_Ops_Range_RangeTo_Type.t_rangeto usize; var _30 : bool; var _32 : Core_Option_Option_Type.t_option (slice int32); var _34 : slice int32; + var _36 : Core_Ops_Range_RangeTo_Type.t_rangeto usize; var s1 : borrowed (slice int32); var _39 : borrowed (slice int32); var _40 : borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); + var _41 : Core_Ops_Range_RangeTo_Type.t_rangeto usize; + var _43 : bool; var _44 : usize; var _47 : usize; + var _48 : usize; var _49 : bool; var _50 : usize; + var _51 : usize; var _52 : bool; + var _54 : bool; var _56 : usize; + var _57 : usize; var _58 : bool; + var _61 : bool; var _62 : usize; + var _66 : bool; var _68 : int32; + var _72 : bool; var _74 : int32; + var _78 : bool; var _80 : int32; + var _84 : bool; var _86 : int32; + var _90 : bool; var _92 : int32; { goto BB0 } BB0 { - [#"../index_range.rs" 80 18 80 30] arr <- ([#"../index_range.rs" 80 18 80 30] create_arr0 ()); + [#"../index_range.rs" 80 18 80 30] arr <- ([#"../index_range.rs" 80 18 80 30] create_arr0 ([#"../index_range.rs" 80 18 80 30] ())); goto BB1 } BB1 { - [#"../index_range.rs" 85 16 85 21] _3 <- ([#"../index_range.rs" 85 16 85 21] index0 ([#"../index_range.rs" 85 13 85 16] arr) ([#"../index_range.rs" 85 17 85 20] Core_Ops_Range_RangeTo_Type.C_RangeTo ([#"../index_range.rs" 85 19 85 20] [#"../index_range.rs" 85 19 85 20] (2 : usize)))); + [#"../index_range.rs" 85 17 85 20] _5 <- Core_Ops_Range_RangeTo_Type.C_RangeTo ([#"../index_range.rs" 85 19 85 20] (2 : usize)); + 
[#"../index_range.rs" 85 16 85 21] _3 <- ([#"../index_range.rs" 85 16 85 21] index0 arr _5); + _5 <- any Core_Ops_Range_RangeTo_Type.t_rangeto usize; goto BB2 } BB2 { - [#"../index_range.rs" 85 12 85 21] s <- ([#"../index_range.rs" 85 12 85 21] _3); - [#"../index_range.rs" 86 12 86 19] _8 <- ([#"../index_range.rs" 86 12 86 19] len0 ([#"../index_range.rs" 86 12 86 13] s)); + [#"../index_range.rs" 85 12 85 21] s <- _3; + [#"../index_range.rs" 86 12 86 19] _8 <- ([#"../index_range.rs" 86 12 86 19] len0 s); goto BB3 } BB3 { - switch ([#"../index_range.rs" 86 12 86 24] _8 = ([#"../index_range.rs" 86 23 86 24] [#"../index_range.rs" 86 23 86 24] (2 : usize))) + [#"../index_range.rs" 86 12 86 24] _7 <- _8 = ([#"../index_range.rs" 86 23 86 24] (2 : usize)); + _8 <- any usize; + switch (_7) | False -> goto BB11 | True -> goto BB4 end } BB4 { - [#"../index_range.rs" 86 30 86 31] _12 <- ([#"../index_range.rs" 86 30 86 31] [#"../index_range.rs" 86 30 86 31] (0 : usize)); - [#"../index_range.rs" 86 28 86 32] _14 <- ([#"../index_range.rs" 86 28 86 32] _12 < ([#"../index_range.rs" 86 28 86 32] Slice.length s)); + [#"../index_range.rs" 86 30 86 31] _12 <- ([#"../index_range.rs" 86 30 86 31] (0 : usize)); + [#"../index_range.rs" 86 28 86 32] _13 <- Slice.length s; + [#"../index_range.rs" 86 28 86 32] _14 <- _12 < _13; assert { [@expl:index in bounds] [#"../index_range.rs" 86 28 86 32] _14 }; goto BB5 } BB5 { - switch ([#"../index_range.rs" 86 28 86 37] ([#"../index_range.rs" 86 28 86 32] Slice.get s _12) = ([#"../index_range.rs" 86 36 86 37] [#"../index_range.rs" 86 36 86 37] (0 : int32))) + [#"../index_range.rs" 86 28 86 37] _10 <- Slice.get s _12 = ([#"../index_range.rs" 86 36 86 37] (0 : int32)); + switch (_10) | False -> goto BB10 | True -> goto BB6 end } BB6 { - [#"../index_range.rs" 86 43 86 44] _17 <- ([#"../index_range.rs" 86 43 86 44] [#"../index_range.rs" 86 43 86 44] (1 : usize)); - [#"../index_range.rs" 86 41 86 45] _19 <- ([#"../index_range.rs" 86 41 86 45] _17 < 
([#"../index_range.rs" 86 41 86 45] Slice.length s)); + [#"../index_range.rs" 86 43 86 44] _17 <- ([#"../index_range.rs" 86 43 86 44] (1 : usize)); + [#"../index_range.rs" 86 41 86 45] _18 <- Slice.length s; + [#"../index_range.rs" 86 41 86 45] _19 <- _17 < _18; assert { [@expl:index in bounds] [#"../index_range.rs" 86 41 86 45] _19 }; goto BB7 } BB7 { - switch ([#"../index_range.rs" 86 41 86 50] ([#"../index_range.rs" 86 41 86 45] Slice.get s _17) = ([#"../index_range.rs" 86 49 86 50] [#"../index_range.rs" 86 49 86 50] (1 : int32))) + [#"../index_range.rs" 86 41 86 50] _15 <- Slice.get s _17 = ([#"../index_range.rs" 86 49 86 50] (1 : int32)); + switch (_15) | False -> goto BB9 | True -> goto BB8 end } BB8 { - [#"../index_range.rs" 91 15 91 20] _25 <- ([#"../index_range.rs" 91 15 91 20] index0 ([#"../index_range.rs" 91 12 91 15] arr) ([#"../index_range.rs" 91 16 91 19] Core_Ops_Range_RangeTo_Type.C_RangeTo ([#"../index_range.rs" 91 18 91 19] [#"../index_range.rs" 91 18 91 19] (0 : usize)))); + [#"../index_range.rs" 91 16 91 19] _27 <- Core_Ops_Range_RangeTo_Type.C_RangeTo ([#"../index_range.rs" 91 18 91 19] (0 : usize)); + [#"../index_range.rs" 91 15 91 20] _25 <- ([#"../index_range.rs" 91 15 91 20] index0 arr _27); + _27 <- any Core_Ops_Range_RangeTo_Type.t_rangeto usize; goto BB13 } BB9 { 
@@ -1308,17 +1435,19 @@ module IndexRange_TestRangeTo absurd } BB13 { - [#"../index_range.rs" 91 12 91 26] _23 <- ([#"../index_range.rs" 91 12 91 26] len0 ([#"../index_range.rs" 91 12 91 20] _25)); + [#"../index_range.rs" 91 12 91 26] _23 <- ([#"../index_range.rs" 91 12 91 26] len0 _25); goto BB14 } BB14 { - switch ([#"../index_range.rs" 91 12 91 31] _23 = ([#"../index_range.rs" 91 30 91 31] [#"../index_range.rs" 91 30 91 31] (0 : usize))) + [#"../index_range.rs" 91 12 91 31] _22 <- _23 = ([#"../index_range.rs" 91 30 91 31] (0 : usize)); + _23 <- any usize; + switch (_22) | False -> goto BB16 | True -> goto BB15 end } BB15 { - [#"../index_range.rs" 96 12 96 24] _34 <- ([#"../index_range.rs" 96 12 96 24] deref0 ([#"../index_range.rs" 96 12 96 15] arr)); + [#"../index_range.rs" 96 12 96 24] _34 <- ([#"../index_range.rs" 96 12 96 24] deref0 arr); goto BB17 } BB16 { @@ -1327,11 +1456,13 @@ module IndexRange_TestRangeTo absurd } BB17 { - [#"../index_range.rs" 96 12 96 24] _32 <- ([#"../index_range.rs" 96 12 96 24] get0 ([#"../index_range.rs" 96 12 96 15] _34) ([#"../index_range.rs" 96 20 96 23] Core_Ops_Range_RangeTo_Type.C_RangeTo ([#"../index_range.rs" 96 22 96 23] [#"../index_range.rs" 96 22 96 23] (6 : usize)))); + [#"../index_range.rs" 96 20 96 23] _36 <- Core_Ops_Range_RangeTo_Type.C_RangeTo ([#"../index_range.rs" 96 22 96 23] (6 : usize)); + [#"../index_range.rs" 96 12 96 24] _32 <- ([#"../index_range.rs" 96 12 96 24] get0 _34 _36); + _36 <- any Core_Ops_Range_RangeTo_Type.t_rangeto usize; goto BB18 } BB18 { - [#"../index_range.rs" 96 12 96 34] _30 <- ([#"../index_range.rs" 96 12 96 34] is_none0 ([#"../index_range.rs" 96 12 96 24] _32)); + [#"../index_range.rs" 96 12 96 34] _30 <- ([#"../index_range.rs" 96 12 96 34] is_none0 _32); goto BB19 } BB19 { 
@@ -1343,8 +1474,10 @@ module IndexRange_TestRangeTo BB20 { [#"../index_range.rs" 99 17 99 20] _40 <- Borrow.borrow_mut arr; [#"../index_range.rs" 99 17 99 20] arr <- ^ _40; - [#"../index_range.rs" 99 20 99 25] _39 <- ([#"../index_range.rs" 99 20 99 25] index_mut0 _40 ([#"../index_range.rs" 99 21 99 24] Core_Ops_Range_RangeTo_Type.C_RangeTo ([#"../index_range.rs" 99 23 99 24] [#"../index_range.rs" 99 23 99 24] (3 : usize)))); + [#"../index_range.rs" 99 21 99 24] _41 <- Core_Ops_Range_RangeTo_Type.C_RangeTo ([#"../index_range.rs" 99 23 99 24] (3 : usize)); + [#"../index_range.rs" 99 20 99 25] _39 <- ([#"../index_range.rs" 99 20 99 25] index_mut0 _40 _41); _40 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); + _41 <- any Core_Ops_Range_RangeTo_Type.t_rangeto usize; goto BB22 } BB21 { 
@@ -1355,18 +1488,21 @@ module IndexRange_TestRangeTo BB22 { [#"../index_range.rs" 99 12 99 25] s1 <- Borrow.borrow_final ( * _39) (Borrow.get_id _39); [#"../index_range.rs" 99 12 99 25] _39 <- { _39 with current = ( ^ s1) ; }; - [#"../index_range.rs" 100 12 100 19] _44 <- ([#"../index_range.rs" 100 12 100 19] len0 ([#"../index_range.rs" 100 12 100 13] * s1)); + [#"../index_range.rs" 100 12 100 19] _44 <- ([#"../index_range.rs" 100 12 100 19] len0 ( * s1)); goto BB23 } BB23 { - switch ([#"../index_range.rs" 100 12 100 24] _44 = ([#"../index_range.rs" 100 23 100 24] [#"../index_range.rs" 100 23 100 24] (3 : usize))) + [#"../index_range.rs" 100 12 100 24] _43 <- _44 = ([#"../index_range.rs" 100 23 100 24] (3 : usize)); + _44 <- any usize; + switch (_43) | False -> goto BB25 | True -> goto BB24 end } BB24 { - [#"../index_range.rs" 101 6 101 7] _47 <- ([#"../index_range.rs" 101 6 101 7] [#"../index_range.rs" 101 6 101 7] (0 : usize)); - [#"../index_range.rs" 101 4 101 8] _49 <- ([#"../index_range.rs" 101 4 101 8] _47 < ([#"../index_range.rs" 101 4 101 8] Slice.length ( * s1))); + [#"../index_range.rs" 101 6 101 7] _47 <- ([#"../index_range.rs" 101 6 101 7] (0 : usize)); + [#"../index_range.rs" 101 4 101 8] _48 <- Slice.length ( * s1); + [#"../index_range.rs" 101 4 101 8] _49 <- _47 < _48; assert { [@expl:index in bounds] [#"../index_range.rs" 101 4 101 8] _49 }; goto BB26 } 
@@ -1378,29 +1514,32 @@ module IndexRange_TestRangeTo absurd } BB26 { - [#"../index_range.rs" 101 4 101 13] s1 <- { s1 with current = Slice.set ( * s1) _47 ([#"../index_range.rs" 101 4 101 13] [#"../index_range.rs" 101 11 101 13] (-1 : int32)) ; }; - [#"../index_range.rs" 102 6 102 7] _50 <- ([#"../index_range.rs" 102 6 102 7] [#"../index_range.rs" 102 6 102 7] (2 : usize)); - [#"../index_range.rs" 102 4 102 8] _52 <- ([#"../index_range.rs" 102 4 102 8] _50 < ([#"../index_range.rs" 102 4 102 8] Slice.length ( * s1))); + [#"../index_range.rs" 101 4 101 13] s1 <- { s1 with current = Slice.set ( * s1) _47 ([#"../index_range.rs" 101 11 101 13] (-1 : int32)) ; }; + [#"../index_range.rs" 102 6 102 7] _50 <- ([#"../index_range.rs" 102 6 102 7] (2 : usize)); + [#"../index_range.rs" 102 4 102 8] _51 <- Slice.length ( * s1); + [#"../index_range.rs" 102 4 102 8] _52 <- _50 < _51; assert { [@expl:index in bounds] [#"../index_range.rs" 102 4 102 8] _52 }; goto BB27 } BB27 { - [#"../index_range.rs" 102 4 102 13] s1 <- { s1 with current = Slice.set ( * s1) _50 ([#"../index_range.rs" 102 4 102 13] [#"../index_range.rs" 102 11 102 13] (-1 : int32)) ; }; - [#"../index_range.rs" 104 14 104 15] _56 <- ([#"../index_range.rs" 104 14 104 15] [#"../index_range.rs" 104 14 104 15] (1 : usize)); - [#"../index_range.rs" 104 12 104 16] _58 <- ([#"../index_range.rs" 104 12 104 16] _56 < ([#"../index_range.rs" 104 12 104 16] Slice.length ( * s1))); + [#"../index_range.rs" 102 4 102 13] s1 <- { s1 with current = Slice.set ( * s1) _50 ([#"../index_range.rs" 102 11 102 13] (-1 : int32)) ; }; + [#"../index_range.rs" 104 14 104 15] _56 <- ([#"../index_range.rs" 104 14 104 15] (1 : usize)); + [#"../index_range.rs" 104 12 104 16] _57 <- Slice.length ( * s1); + [#"../index_range.rs" 104 12 104 16] _58 <- _56 < _57; assert { [@expl:index in bounds] [#"../index_range.rs" 104 12 104 16] _58 }; goto BB28 } BB28 { assume { resolve1 s1 }; + [#"../index_range.rs" 104 12 104 21] _54 <- Slice.get ( * s1) _56 = 
([#"../index_range.rs" 104 20 104 21] (1 : int32)); assume { resolve1 _39 }; - switch ([#"../index_range.rs" 104 12 104 21] ([#"../index_range.rs" 104 12 104 16] Slice.get ( * s1) _56) = ([#"../index_range.rs" 104 20 104 21] [#"../index_range.rs" 104 20 104 21] (1 : int32))) + switch (_54) | False -> goto BB30 | True -> goto BB29 end } BB29 { - [#"../index_range.rs" 106 12 106 21] _62 <- ([#"../index_range.rs" 106 12 106 21] len1 ([#"../index_range.rs" 106 12 106 15] arr)); + [#"../index_range.rs" 106 12 106 21] _62 <- ([#"../index_range.rs" 106 12 106 21] len1 arr); goto BB31 } BB30 { @@ -1409,13 +1548,15 @@ module IndexRange_TestRangeTo absurd } BB31 { - switch ([#"../index_range.rs" 106 12 106 26] _62 = ([#"../index_range.rs" 106 25 106 26] [#"../index_range.rs" 106 25 106 26] (5 : usize))) + [#"../index_range.rs" 106 12 106 26] _61 <- _62 = ([#"../index_range.rs" 106 25 106 26] (5 : usize)); + _62 <- any usize; + switch (_61) | False -> goto BB33 | True -> goto BB32 end } BB32 { - [#"../index_range.rs" 107 15 107 18] _68 <- ([#"../index_range.rs" 107 15 107 18] index1 ([#"../index_range.rs" 107 12 107 15] arr) ([#"../index_range.rs" 107 16 107 17] [#"../index_range.rs" 107 16 107 17] (0 : usize))); + [#"../index_range.rs" 107 15 107 18] _68 <- ([#"../index_range.rs" 107 15 107 18] index1 arr ([#"../index_range.rs" 107 16 107 17] (0 : usize))); goto BB34 } BB33 { 
@@ -1424,13 +1565,14 @@ module IndexRange_TestRangeTo absurd } BB34 { - switch ([#"../index_range.rs" 107 12 107 24] ([#"../index_range.rs" 107 12 107 18] _68) = ([#"../index_range.rs" 107 22 107 24] [#"../index_range.rs" 107 22 107 24] (-1 : int32))) + [#"../index_range.rs" 107 12 107 24] _66 <- _68 = ([#"../index_range.rs" 107 22 107 24] (-1 : int32)); + switch (_66) | False -> goto BB36 | True -> goto BB35 end } BB35 { - [#"../index_range.rs" 108 15 108 18] _74 <- ([#"../index_range.rs" 108 15 108 18] index1 ([#"../index_range.rs" 108 12 108 15] arr) ([#"../index_range.rs" 108 16 108 17] [#"../index_range.rs" 108 16 108 17] (1 : usize))); + [#"../index_range.rs" 108 15 108 18] _74 <- ([#"../index_range.rs" 108 15 108 18] index1 arr ([#"../index_range.rs" 108 16 108 17] (1 : usize))); goto BB37 } BB36 { @@ -1439,13 +1581,14 @@ module IndexRange_TestRangeTo absurd } BB37 { - switch ([#"../index_range.rs" 108 12 108 23] ([#"../index_range.rs" 108 12 108 18] _74) = ([#"../index_range.rs" 108 22 108 23] [#"../index_range.rs" 108 22 108 23] (1 : int32))) + [#"../index_range.rs" 108 12 108 23] _72 <- _74 = ([#"../index_range.rs" 108 22 108 23] (1 : int32)); + switch (_72) | False -> goto BB39 | True -> goto BB38 end } BB38 { - [#"../index_range.rs" 109 15 109 18] _80 <- ([#"../index_range.rs" 109 15 109 18] index1 ([#"../index_range.rs" 109 12 109 15] arr) ([#"../index_range.rs" 109 16 109 17] [#"../index_range.rs" 109 16 109 17] (2 : usize))); + [#"../index_range.rs" 109 15 109 18] _80 <- ([#"../index_range.rs" 109 15 109 18] index1 arr ([#"../index_range.rs" 109 16 109 17] (2 : usize))); goto BB40 } BB39 { 
@@ -1454,13 +1597,14 @@ module IndexRange_TestRangeTo absurd } BB40 { - switch ([#"../index_range.rs" 109 12 109 24] ([#"../index_range.rs" 109 12 109 18] _80) = ([#"../index_range.rs" 109 22 109 24] [#"../index_range.rs" 109 22 109 24] (-1 : int32))) + [#"../index_range.rs" 109 12 109 24] _78 <- _80 = ([#"../index_range.rs" 109 22 109 24] (-1 : int32)); + switch (_78) | False -> goto BB42 | True -> goto BB41 end } BB41 { - [#"../index_range.rs" 110 15 110 18] _86 <- ([#"../index_range.rs" 110 15 110 18] index1 ([#"../index_range.rs" 110 12 110 15] arr) ([#"../index_range.rs" 110 16 110 17] [#"../index_range.rs" 110 16 110 17] (3 : usize))); + [#"../index_range.rs" 110 15 110 18] _86 <- ([#"../index_range.rs" 110 15 110 18] index1 arr ([#"../index_range.rs" 110 16 110 17] (3 : usize))); goto BB43 } BB42 { @@ -1469,13 +1613,14 @@ module IndexRange_TestRangeTo absurd } BB43 { - switch ([#"../index_range.rs" 110 12 110 23] ([#"../index_range.rs" 110 12 110 18] _86) = ([#"../index_range.rs" 110 22 110 23] [#"../index_range.rs" 110 22 110 23] (3 : int32))) + [#"../index_range.rs" 110 12 110 23] _84 <- _86 = ([#"../index_range.rs" 110 22 110 23] (3 : int32)); + switch (_84) | False -> goto BB45 | True -> goto BB44 end } BB44 { - [#"../index_range.rs" 111 15 111 18] _92 <- ([#"../index_range.rs" 111 15 111 18] index1 ([#"../index_range.rs" 111 12 111 15] arr) ([#"../index_range.rs" 111 16 111 17] [#"../index_range.rs" 111 16 111 17] (4 : usize))); + [#"../index_range.rs" 111 15 111 18] _92 <- ([#"../index_range.rs" 111 15 111 18] index1 arr ([#"../index_range.rs" 111 16 111 17] (4 : usize))); goto BB46 } BB45 { 
@@ -1485,7 +1630,8 @@ module IndexRange_TestRangeTo } BB46 { assume { resolve0 arr }; - switch ([#"../index_range.rs" 111 12 111 23] ([#"../index_range.rs" 111 12 111 18] _92) = ([#"../index_range.rs" 111 22 111 23] [#"../index_range.rs" 111 22 111 23] (4 : int32))) + [#"../index_range.rs" 111 12 111 23] _90 <- _92 = ([#"../index_range.rs" 111 22 111 23] (4 : int32)); + switch (_90) | False -> goto BB48 | True -> goto BB47 end @@ -1553,7 +1699,8 @@ module IndexRange_TestRangeFrom requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant9 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv10 (shallow_model0 self) val invariant9 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1688,7 +1835,8 @@ module IndexRange_TestRangeFrom predicate resolve_elswhere0 (self : Core_Ops_Range_RangeFrom_Type.t_rangefrom usize) (old' : Seq.seq int32) (fin : Seq.seq int32) = - [#"../../../../creusot-contracts/src/std/slice.rs" 192 8 194 9] forall i : int . 0 <= i /\ i < UIntSize.to_int (Core_Ops_Range_RangeFrom_Type.rangefrom_start self) /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 192 8 194 9] forall i : int . 0 <= i /\ i < UIntSize.to_int (Core_Ops_Range_RangeFrom_Type.rangefrom_start self) /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 (self : Core_Ops_Range_RangeFrom_Type.t_rangefrom usize) (old' : Seq.seq int32) (fin : Seq.seq int32) : bool ensures { result = resolve_elswhere0 self old' fin } 
@@ -1698,7 +1846,8 @@ module IndexRange_TestRangeFrom requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : slice int32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv10 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : slice int32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv10 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) use seq_ext.SeqExt predicate has_value0 (self : Core_Ops_Range_RangeFrom_Type.t_rangefrom usize) (seq : Seq.seq int32) (out : slice int32) 
@@ -1741,7 +1890,8 @@ module IndexRange_TestRangeFrom val get0 (self : slice int32) (index : Core_Ops_Range_RangeFrom_Type.t_rangefrom usize) : Core_Option_Option_Type.t_option (slice int32) requires {inv2 self} requires {inv1 index} - ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 252 8 252 102] in_bounds0 index (shallow_model3 self) -> (exists r : slice int32 . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ has_value0 index (shallow_model3 self) r) } + ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 252 8 252 102] in_bounds0 index (shallow_model3 self) + -> (exists r : slice int32 . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ has_value0 index (shallow_model3 self) r) } ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 253 18 253 55] in_bounds0 index (shallow_model3 self) \/ result = Core_Option_Option_Type.C_None } ensures { inv3 result } @@ -1763,7 +1913,8 @@ module IndexRange_TestRangeFrom ensures { result = index_logic0 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve2 (index_logic0 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve2 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } 
@@ -1789,83 +1940,115 @@ module IndexRange_TestRangeFrom var arr : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global); var s : slice int32; var _3 : slice int32; + var _5 : Core_Ops_Range_RangeFrom_Type.t_rangefrom usize; + var _7 : bool; var _8 : usize; + var _10 : bool; var _12 : usize; + var _13 : usize; var _14 : bool; + var _15 : bool; var _17 : usize; + var _18 : usize; var _19 : bool; + var _22 : bool; var _23 : usize; var _25 : slice int32; + var _27 : Core_Ops_Range_RangeFrom_Type.t_rangefrom usize; var _30 : bool; var _32 : Core_Option_Option_Type.t_option (slice int32); var _34 : slice int32; + var _36 : Core_Ops_Range_RangeFrom_Type.t_rangefrom usize; var _39 : bool; var _41 : Core_Option_Option_Type.t_option (slice int32); var _43 : slice int32; + var _45 : Core_Ops_Range_RangeFrom_Type.t_rangefrom usize; var s1 : borrowed (slice int32); var _48 : borrowed (slice int32); var _49 : borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); + var _50 : Core_Ops_Range_RangeFrom_Type.t_rangefrom usize; + var _52 : bool; var _53 : usize; var _56 : usize; + var _57 : usize; var _58 : bool; var _59 : usize; + var _60 : usize; var _61 : bool; + var _63 : bool; var _65 : usize; + var _66 : usize; var _67 : bool; + var _70 : bool; var _71 : usize; + var _75 : bool; var _77 : int32; + var _81 : bool; var _83 : int32; + var _87 : bool; var _89 : int32; + var _93 : bool; var _95 : int32; + var _99 : bool; var _101 : int32; { goto BB0 } BB0 { - [#"../index_range.rs" 117 18 117 30] arr <- ([#"../index_range.rs" 117 18 117 30] create_arr0 ()); + [#"../index_range.rs" 117 18 117 30] arr <- ([#"../index_range.rs" 117 18 117 30] create_arr0 ([#"../index_range.rs" 117 18 117 30] ())); goto BB1 } BB1 { - [#"../index_range.rs" 122 16 122 21] _3 <- ([#"../index_range.rs" 122 16 122 21] index0 ([#"../index_range.rs" 122 13 122 16] arr) ([#"../index_range.rs" 122 17 122 20] Core_Ops_Range_RangeFrom_Type.C_RangeFrom ([#"../index_range.rs" 122 
17 122 18] [#"../index_range.rs" 122 17 122 18] (3 : usize)))); + [#"../index_range.rs" 122 17 122 20] _5 <- Core_Ops_Range_RangeFrom_Type.C_RangeFrom ([#"../index_range.rs" 122 17 122 18] (3 : usize)); + [#"../index_range.rs" 122 16 122 21] _3 <- ([#"../index_range.rs" 122 16 122 21] index0 arr _5); + _5 <- any Core_Ops_Range_RangeFrom_Type.t_rangefrom usize; goto BB2 } BB2 { - [#"../index_range.rs" 122 12 122 21] s <- ([#"../index_range.rs" 122 12 122 21] _3); - [#"../index_range.rs" 123 12 123 19] _8 <- ([#"../index_range.rs" 123 12 123 19] len0 ([#"../index_range.rs" 123 12 123 13] s)); + [#"../index_range.rs" 122 12 122 21] s <- _3; + [#"../index_range.rs" 123 12 123 19] _8 <- ([#"../index_range.rs" 123 12 123 19] len0 s); goto BB3 } BB3 { - switch ([#"../index_range.rs" 123 12 123 24] _8 = ([#"../index_range.rs" 123 23 123 24] [#"../index_range.rs" 123 23 123 24] (2 : usize))) + [#"../index_range.rs" 123 12 123 24] _7 <- _8 = ([#"../index_range.rs" 123 23 123 24] (2 : usize)); + _8 <- any usize; + switch (_7) | False -> goto BB11 | True -> goto BB4 end } BB4 { - [#"../index_range.rs" 123 30 123 31] _12 <- ([#"../index_range.rs" 123 30 123 31] [#"../index_range.rs" 123 30 123 31] (0 : usize)); - [#"../index_range.rs" 123 28 123 32] _14 <- ([#"../index_range.rs" 123 28 123 32] _12 < ([#"../index_range.rs" 123 28 123 32] Slice.length s)); + [#"../index_range.rs" 123 30 123 31] _12 <- ([#"../index_range.rs" 123 30 123 31] (0 : usize)); + [#"../index_range.rs" 123 28 123 32] _13 <- Slice.length s; + [#"../index_range.rs" 123 28 123 32] _14 <- _12 < _13; assert { [@expl:index in bounds] [#"../index_range.rs" 123 28 123 32] _14 }; goto BB5 } BB5 { - switch ([#"../index_range.rs" 123 28 123 37] ([#"../index_range.rs" 123 28 123 32] Slice.get s _12) = ([#"../index_range.rs" 123 36 123 37] [#"../index_range.rs" 123 36 123 37] (3 : int32))) + [#"../index_range.rs" 123 28 123 37] _10 <- Slice.get s _12 = ([#"../index_range.rs" 123 36 123 37] (3 : int32)); + switch (_10) 
| False -> goto BB10 | True -> goto BB6 end } BB6 { - [#"../index_range.rs" 123 43 123 44] _17 <- ([#"../index_range.rs" 123 43 123 44] [#"../index_range.rs" 123 43 123 44] (1 : usize)); - [#"../index_range.rs" 123 41 123 45] _19 <- ([#"../index_range.rs" 123 41 123 45] _17 < ([#"../index_range.rs" 123 41 123 45] Slice.length s)); + [#"../index_range.rs" 123 43 123 44] _17 <- ([#"../index_range.rs" 123 43 123 44] (1 : usize)); + [#"../index_range.rs" 123 41 123 45] _18 <- Slice.length s; + [#"../index_range.rs" 123 41 123 45] _19 <- _17 < _18; assert { [@expl:index in bounds] [#"../index_range.rs" 123 41 123 45] _19 }; goto BB7 } BB7 { - switch ([#"../index_range.rs" 123 41 123 50] ([#"../index_range.rs" 123 41 123 45] Slice.get s _17) = ([#"../index_range.rs" 123 49 123 50] [#"../index_range.rs" 123 49 123 50] (4 : int32))) + [#"../index_range.rs" 123 41 123 50] _15 <- Slice.get s _17 = ([#"../index_range.rs" 123 49 123 50] (4 : int32)); + switch (_15) | False -> goto BB9 | True -> goto BB8 end } BB8 { - [#"../index_range.rs" 128 15 128 20] _25 <- ([#"../index_range.rs" 128 15 128 20] index0 ([#"../index_range.rs" 128 12 128 15] arr) ([#"../index_range.rs" 128 16 128 19] Core_Ops_Range_RangeFrom_Type.C_RangeFrom ([#"../index_range.rs" 128 16 128 17] [#"../index_range.rs" 128 16 128 17] (5 : usize)))); + [#"../index_range.rs" 128 16 128 19] _27 <- Core_Ops_Range_RangeFrom_Type.C_RangeFrom ([#"../index_range.rs" 128 16 128 17] (5 : usize)); + [#"../index_range.rs" 128 15 128 20] _25 <- ([#"../index_range.rs" 128 15 128 20] index0 arr _27); + _27 <- any Core_Ops_Range_RangeFrom_Type.t_rangefrom usize; goto BB13 } BB9 { 
@@ -1885,17 +2068,19 @@ module IndexRange_TestRangeFrom absurd } BB13 { - [#"../index_range.rs" 128 12 128 26] _23 <- ([#"../index_range.rs" 128 12 128 26] len0 ([#"../index_range.rs" 128 12 128 20] _25)); + [#"../index_range.rs" 128 12 128 26] _23 <- ([#"../index_range.rs" 128 12 128 26] len0 _25); goto BB14 } BB14 { - switch ([#"../index_range.rs" 128 12 128 31] _23 = ([#"../index_range.rs" 128 30 128 31] [#"../index_range.rs" 128 30 128 31] (0 : usize))) + [#"../index_range.rs" 128 12 128 31] _22 <- _23 = ([#"../index_range.rs" 128 30 128 31] (0 : usize)); + _23 <- any usize; + switch (_22) | False -> goto BB16 | True -> goto BB15 end } BB15 { - [#"../index_range.rs" 133 12 133 24] _34 <- ([#"../index_range.rs" 133 12 133 24] deref0 ([#"../index_range.rs" 133 12 133 15] arr)); + [#"../index_range.rs" 133 12 133 24] _34 <- ([#"../index_range.rs" 133 12 133 24] deref0 arr); goto BB17 } BB16 { @@ -1904,11 +2089,13 @@ module IndexRange_TestRangeFrom absurd } BB17 { - [#"../index_range.rs" 133 12 133 24] _32 <- ([#"../index_range.rs" 133 12 133 24] get0 ([#"../index_range.rs" 133 12 133 15] _34) ([#"../index_range.rs" 133 20 133 23] Core_Ops_Range_RangeFrom_Type.C_RangeFrom ([#"../index_range.rs" 133 20 133 21] [#"../index_range.rs" 133 20 133 21] (6 : usize)))); + [#"../index_range.rs" 133 20 133 23] _36 <- Core_Ops_Range_RangeFrom_Type.C_RangeFrom ([#"../index_range.rs" 133 20 133 21] (6 : usize)); + [#"../index_range.rs" 133 12 133 24] _32 <- ([#"../index_range.rs" 133 12 133 24] get0 _34 _36); + _36 <- any Core_Ops_Range_RangeFrom_Type.t_rangefrom usize; goto BB18 } BB18 { - [#"../index_range.rs" 133 12 133 34] _30 <- ([#"../index_range.rs" 133 12 133 34] is_none0 ([#"../index_range.rs" 133 12 133 24] _32)); + [#"../index_range.rs" 133 12 133 34] _30 <- ([#"../index_range.rs" 133 12 133 34] is_none0 _32); goto BB19 } BB19 { 
@@ -1918,7 +2105,7 @@ module IndexRange_TestRangeFrom end } BB20 { - [#"../index_range.rs" 135 12 135 25] _43 <- ([#"../index_range.rs" 135 12 135 25] deref0 ([#"../index_range.rs" 135 12 135 15] arr)); + [#"../index_range.rs" 135 12 135 25] _43 <- ([#"../index_range.rs" 135 12 135 25] deref0 arr); goto BB22 } BB21 { @@ -1927,11 +2114,13 @@ module IndexRange_TestRangeFrom absurd } BB22 { - [#"../index_range.rs" 135 12 135 25] _41 <- ([#"../index_range.rs" 135 12 135 25] get0 ([#"../index_range.rs" 135 12 135 15] _43) ([#"../index_range.rs" 135 20 135 24] Core_Ops_Range_RangeFrom_Type.C_RangeFrom ([#"../index_range.rs" 135 20 135 22] [#"../index_range.rs" 135 20 135 22] (10 : usize)))); + [#"../index_range.rs" 135 20 135 24] _45 <- Core_Ops_Range_RangeFrom_Type.C_RangeFrom ([#"../index_range.rs" 135 20 135 22] (10 : usize)); + [#"../index_range.rs" 135 12 135 25] _41 <- ([#"../index_range.rs" 135 12 135 25] get0 _43 _45); + _45 <- any Core_Ops_Range_RangeFrom_Type.t_rangefrom usize; goto BB23 } BB23 { - [#"../index_range.rs" 135 12 135 35] _39 <- ([#"../index_range.rs" 135 12 135 35] is_none0 ([#"../index_range.rs" 135 12 135 25] _41)); + [#"../index_range.rs" 135 12 135 35] _39 <- ([#"../index_range.rs" 135 12 135 35] is_none0 _41); goto BB24 } BB24 { 
@@ -1943,8 +2132,10 @@ module IndexRange_TestRangeFrom BB25 { [#"../index_range.rs" 138 17 138 20] _49 <- Borrow.borrow_mut arr; [#"../index_range.rs" 138 17 138 20] arr <- ^ _49; - [#"../index_range.rs" 138 20 138 25] _48 <- ([#"../index_range.rs" 138 20 138 25] index_mut0 _49 ([#"../index_range.rs" 138 21 138 24] Core_Ops_Range_RangeFrom_Type.C_RangeFrom ([#"../index_range.rs" 138 21 138 22] [#"../index_range.rs" 138 21 138 22] (2 : usize)))); + [#"../index_range.rs" 138 21 138 24] _50 <- Core_Ops_Range_RangeFrom_Type.C_RangeFrom ([#"../index_range.rs" 138 21 138 22] (2 : usize)); + [#"../index_range.rs" 138 20 138 25] _48 <- ([#"../index_range.rs" 138 20 138 25] index_mut0 _49 _50); _49 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); + _50 <- any Core_Ops_Range_RangeFrom_Type.t_rangefrom usize; goto BB27 } BB26 { 
@@ -1955,18 +2146,21 @@ module IndexRange_TestRangeFrom BB27 { [#"../index_range.rs" 138 12 138 25] s1 <- Borrow.borrow_final ( * _48) (Borrow.get_id _48); [#"../index_range.rs" 138 12 138 25] _48 <- { _48 with current = ( ^ s1) ; }; - [#"../index_range.rs" 139 12 139 19] _53 <- ([#"../index_range.rs" 139 12 139 19] len0 ([#"../index_range.rs" 139 12 139 13] * s1)); + [#"../index_range.rs" 139 12 139 19] _53 <- ([#"../index_range.rs" 139 12 139 19] len0 ( * s1)); goto BB28 } BB28 { - switch ([#"../index_range.rs" 139 12 139 24] _53 = ([#"../index_range.rs" 139 23 139 24] [#"../index_range.rs" 139 23 139 24] (3 : usize))) + [#"../index_range.rs" 139 12 139 24] _52 <- _53 = ([#"../index_range.rs" 139 23 139 24] (3 : usize)); + _53 <- any usize; + switch (_52) | False -> goto BB30 | True -> goto BB29 end } BB29 { - [#"../index_range.rs" 140 6 140 7] _56 <- ([#"../index_range.rs" 140 6 140 7] [#"../index_range.rs" 140 6 140 7] (0 : usize)); - [#"../index_range.rs" 140 4 140 8] _58 <- ([#"../index_range.rs" 140 4 140 8] _56 < ([#"../index_range.rs" 140 4 140 8] Slice.length ( * s1))); + [#"../index_range.rs" 140 6 140 7] _56 <- ([#"../index_range.rs" 140 6 140 7] (0 : usize)); + [#"../index_range.rs" 140 4 140 8] _57 <- Slice.length ( * s1); + [#"../index_range.rs" 140 4 140 8] _58 <- _56 < _57; assert { [@expl:index in bounds] [#"../index_range.rs" 140 4 140 8] _58 }; goto BB31 } 
@@ -1978,29 +2172,32 @@ module IndexRange_TestRangeFrom absurd } BB31 { - [#"../index_range.rs" 140 4 140 13] s1 <- { s1 with current = Slice.set ( * s1) _56 ([#"../index_range.rs" 140 4 140 13] [#"../index_range.rs" 140 11 140 13] (-1 : int32)) ; }; - [#"../index_range.rs" 141 6 141 7] _59 <- ([#"../index_range.rs" 141 6 141 7] [#"../index_range.rs" 141 6 141 7] (1 : usize)); - [#"../index_range.rs" 141 4 141 8] _61 <- ([#"../index_range.rs" 141 4 141 8] _59 < ([#"../index_range.rs" 141 4 141 8] Slice.length ( * s1))); + [#"../index_range.rs" 140 4 140 13] s1 <- { s1 with current = Slice.set ( * s1) _56 ([#"../index_range.rs" 140 11 140 13] (-1 : int32)) ; }; + [#"../index_range.rs" 141 6 141 7] _59 <- ([#"../index_range.rs" 141 6 141 7] (1 : usize)); + [#"../index_range.rs" 141 4 141 8] _60 <- Slice.length ( * s1); + [#"../index_range.rs" 141 4 141 8] _61 <- _59 < _60; assert { [@expl:index in bounds] [#"../index_range.rs" 141 4 141 8] _61 }; goto BB32 } BB32 { - [#"../index_range.rs" 141 4 141 13] s1 <- { s1 with current = Slice.set ( * s1) _59 ([#"../index_range.rs" 141 4 141 13] [#"../index_range.rs" 141 11 141 13] (-1 : int32)) ; }; - [#"../index_range.rs" 143 14 143 15] _65 <- ([#"../index_range.rs" 143 14 143 15] [#"../index_range.rs" 143 14 143 15] (2 : usize)); - [#"../index_range.rs" 143 12 143 16] _67 <- ([#"../index_range.rs" 143 12 143 16] _65 < ([#"../index_range.rs" 143 12 143 16] Slice.length ( * s1))); + [#"../index_range.rs" 141 4 141 13] s1 <- { s1 with current = Slice.set ( * s1) _59 ([#"../index_range.rs" 141 11 141 13] (-1 : int32)) ; }; + [#"../index_range.rs" 143 14 143 15] _65 <- ([#"../index_range.rs" 143 14 143 15] (2 : usize)); + [#"../index_range.rs" 143 12 143 16] _66 <- Slice.length ( * s1); + [#"../index_range.rs" 143 12 143 16] _67 <- _65 < _66; assert { [@expl:index in bounds] [#"../index_range.rs" 143 12 143 16] _67 }; goto BB33 } BB33 { assume { resolve1 s1 }; + [#"../index_range.rs" 143 12 143 21] _63 <- Slice.get ( * s1) _65 = 
([#"../index_range.rs" 143 20 143 21] (4 : int32)); assume { resolve1 _48 }; - switch ([#"../index_range.rs" 143 12 143 21] ([#"../index_range.rs" 143 12 143 16] Slice.get ( * s1) _65) = ([#"../index_range.rs" 143 20 143 21] [#"../index_range.rs" 143 20 143 21] (4 : int32))) + switch (_63) | False -> goto BB35 | True -> goto BB34 end } BB34 { - [#"../index_range.rs" 145 12 145 21] _71 <- ([#"../index_range.rs" 145 12 145 21] len1 ([#"../index_range.rs" 145 12 145 15] arr)); + [#"../index_range.rs" 145 12 145 21] _71 <- ([#"../index_range.rs" 145 12 145 21] len1 arr); goto BB36 } BB35 { @@ -2009,13 +2206,15 @@ module IndexRange_TestRangeFrom absurd } BB36 { - switch ([#"../index_range.rs" 145 12 145 26] _71 = ([#"../index_range.rs" 145 25 145 26] [#"../index_range.rs" 145 25 145 26] (5 : usize))) + [#"../index_range.rs" 145 12 145 26] _70 <- _71 = ([#"../index_range.rs" 145 25 145 26] (5 : usize)); + _71 <- any usize; + switch (_70) | False -> goto BB38 | True -> goto BB37 end } BB37 { - [#"../index_range.rs" 146 15 146 18] _77 <- ([#"../index_range.rs" 146 15 146 18] index1 ([#"../index_range.rs" 146 12 146 15] arr) ([#"../index_range.rs" 146 16 146 17] [#"../index_range.rs" 146 16 146 17] (0 : usize))); + [#"../index_range.rs" 146 15 146 18] _77 <- ([#"../index_range.rs" 146 15 146 18] index1 arr ([#"../index_range.rs" 146 16 146 17] (0 : usize))); goto BB39 } BB38 { 
@@ -2024,13 +2223,14 @@ module IndexRange_TestRangeFrom absurd } BB39 { - switch ([#"../index_range.rs" 146 12 146 23] ([#"../index_range.rs" 146 12 146 18] _77) = ([#"../index_range.rs" 146 22 146 23] [#"../index_range.rs" 146 22 146 23] (0 : int32))) + [#"../index_range.rs" 146 12 146 23] _75 <- _77 = ([#"../index_range.rs" 146 22 146 23] (0 : int32)); + switch (_75) | False -> goto BB41 | True -> goto BB40 end } BB40 { - [#"../index_range.rs" 147 15 147 18] _83 <- ([#"../index_range.rs" 147 15 147 18] index1 ([#"../index_range.rs" 147 12 147 15] arr) ([#"../index_range.rs" 147 16 147 17] [#"../index_range.rs" 147 16 147 17] (1 : usize))); + [#"../index_range.rs" 147 15 147 18] _83 <- ([#"../index_range.rs" 147 15 147 18] index1 arr ([#"../index_range.rs" 147 16 147 17] (1 : usize))); goto BB42 } BB41 { @@ -2039,13 +2239,14 @@ module IndexRange_TestRangeFrom absurd } BB42 { - switch ([#"../index_range.rs" 147 12 147 23] ([#"../index_range.rs" 147 12 147 18] _83) = ([#"../index_range.rs" 147 22 147 23] [#"../index_range.rs" 147 22 147 23] (1 : int32))) + [#"../index_range.rs" 147 12 147 23] _81 <- _83 = ([#"../index_range.rs" 147 22 147 23] (1 : int32)); + switch (_81) | False -> goto BB44 | True -> goto BB43 end } BB43 { - [#"../index_range.rs" 148 15 148 18] _89 <- ([#"../index_range.rs" 148 15 148 18] index1 ([#"../index_range.rs" 148 12 148 15] arr) ([#"../index_range.rs" 148 16 148 17] [#"../index_range.rs" 148 16 148 17] (2 : usize))); + [#"../index_range.rs" 148 15 148 18] _89 <- ([#"../index_range.rs" 148 15 148 18] index1 arr ([#"../index_range.rs" 148 16 148 17] (2 : usize))); goto BB45 } BB44 { 
@@ -2054,13 +2255,14 @@ module IndexRange_TestRangeFrom absurd } BB45 { - switch ([#"../index_range.rs" 148 12 148 24] ([#"../index_range.rs" 148 12 148 18] _89) = ([#"../index_range.rs" 148 22 148 24] [#"../index_range.rs" 148 22 148 24] (-1 : int32))) + [#"../index_range.rs" 148 12 148 24] _87 <- _89 = ([#"../index_range.rs" 148 22 148 24] (-1 : int32)); + switch (_87) | False -> goto BB47 | True -> goto BB46 end } BB46 { - [#"../index_range.rs" 149 15 149 18] _95 <- ([#"../index_range.rs" 149 15 149 18] index1 ([#"../index_range.rs" 149 12 149 15] arr) ([#"../index_range.rs" 149 16 149 17] [#"../index_range.rs" 149 16 149 17] (3 : usize))); + [#"../index_range.rs" 149 15 149 18] _95 <- ([#"../index_range.rs" 149 15 149 18] index1 arr ([#"../index_range.rs" 149 16 149 17] (3 : usize))); goto BB48 } BB47 { @@ -2069,13 +2271,14 @@ module IndexRange_TestRangeFrom absurd } BB48 { - switch ([#"../index_range.rs" 149 12 149 24] ([#"../index_range.rs" 149 12 149 18] _95) = ([#"../index_range.rs" 149 22 149 24] [#"../index_range.rs" 149 22 149 24] (-1 : int32))) + [#"../index_range.rs" 149 12 149 24] _93 <- _95 = ([#"../index_range.rs" 149 22 149 24] (-1 : int32)); + switch (_93) | False -> goto BB50 | True -> goto BB49 end } BB49 { - [#"../index_range.rs" 150 15 150 18] _101 <- ([#"../index_range.rs" 150 15 150 18] index1 ([#"../index_range.rs" 150 12 150 15] arr) ([#"../index_range.rs" 150 16 150 17] [#"../index_range.rs" 150 16 150 17] (4 : usize))); + [#"../index_range.rs" 150 15 150 18] _101 <- ([#"../index_range.rs" 150 15 150 18] index1 arr ([#"../index_range.rs" 150 16 150 17] (4 : usize))); goto BB51 } BB50 { 
@@ -2085,7 +2288,8 @@ module IndexRange_TestRangeFrom } BB51 { assume { resolve0 arr }; - switch ([#"../index_range.rs" 150 12 150 23] ([#"../index_range.rs" 150 12 150 18] _101) = ([#"../index_range.rs" 150 22 150 23] [#"../index_range.rs" 150 22 150 23] (4 : int32))) + [#"../index_range.rs" 150 12 150 23] _99 <- _101 = ([#"../index_range.rs" 150 22 150 23] (4 : int32)); + switch (_99) | False -> goto BB53 | True -> goto BB52 end @@ -2149,7 +2353,8 @@ module IndexRange_TestRangeFull requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant7 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv8 (shallow_model0 self) val invariant7 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -2273,7 +2478,8 @@ module IndexRange_TestRangeFull requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv9 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : slice int32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv9 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv8 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : slice int32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv9 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv8 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) predicate has_value0 (self : Core_Ops_Range_RangeFull_Type.t_rangefull) (seq : Seq.seq int32) (out : slice int32) = [#"../../../../creusot-contracts/src/std/slice.rs" 208 20 208 31] seq = shallow_model6 out val has_value0 (self : Core_Ops_Range_RangeFull_Type.t_rangefull) (seq : Seq.seq int32) (out : slice int32) : bool 
@@ -2314,7 +2520,8 @@ module IndexRange_TestRangeFull ensures { result = index_logic0 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve2 (index_logic0 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve2 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } 
@@ -2345,109 +2552,145 @@ module IndexRange_TestRangeFull var arr : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global); var s : slice int32; var _3 : slice int32; + var _5 : Core_Ops_Range_RangeFull_Type.t_rangefull; + var _7 : bool; var _8 : usize; + var _10 : bool; var _12 : usize; + var _13 : usize; var _14 : bool; + var _15 : bool; var _17 : usize; + var _18 : usize; var _19 : bool; + var _20 : bool; var _22 : usize; + var _23 : usize; var _24 : bool; + var _25 : bool; var _27 : usize; + var _28 : usize; var _29 : bool; + var _30 : bool; var _32 : usize; + var _33 : usize; var _34 : bool; var s1 : borrowed (slice int32); var _37 : borrowed (slice int32); var _38 : borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); + var _39 : Core_Ops_Range_RangeFull_Type.t_rangefull; + var _41 : bool; var _42 : usize; var _45 : usize; + var _46 : usize; var _47 : bool; var _48 : usize; + var _49 : usize; var _50 : bool; + var _52 : bool; var _53 : usize; + var _57 : bool; var _59 : int32; + var _63 : bool; var _65 : int32; + var _69 : bool; var _71 : int32; + var _75 : bool; var _77 : int32; + var _81 : bool; var _83 : int32; { goto BB0 } BB0 { - [#"../index_range.rs" 156 18 156 30] arr <- ([#"../index_range.rs" 156 18 156 30] create_arr0 ()); + [#"../index_range.rs" 156 18 156 30] arr <- ([#"../index_range.rs" 156 18 156 30] create_arr0 ([#"../index_range.rs" 156 18 156 30] ())); goto BB1 } BB1 { - [#"../index_range.rs" 161 16 161 20] _3 <- ([#"../index_range.rs" 161 16 161 20] index0 ([#"../index_range.rs" 161 13 161 16] arr) ([#"../index_range.rs" 161 17 161 19] Core_Ops_Range_RangeFull_Type.C_RangeFull)); + [#"../index_range.rs" 161 17 161 19] _5 <- Core_Ops_Range_RangeFull_Type.C_RangeFull; + [#"../index_range.rs" 161 16 161 20] _3 <- ([#"../index_range.rs" 161 16 161 20] index0 arr _5); + _5 <- any Core_Ops_Range_RangeFull_Type.t_rangefull; goto BB2 } BB2 { - [#"../index_range.rs" 161 12 161 20] s <- ([#"../index_range.rs" 161 12 
161 20] _3); - [#"../index_range.rs" 162 12 162 19] _8 <- ([#"../index_range.rs" 162 12 162 19] len0 ([#"../index_range.rs" 162 12 162 13] s)); + [#"../index_range.rs" 161 12 161 20] s <- _3; + [#"../index_range.rs" 162 12 162 19] _8 <- ([#"../index_range.rs" 162 12 162 19] len0 s); goto BB3 } BB3 { - switch ([#"../index_range.rs" 162 12 162 24] _8 = ([#"../index_range.rs" 162 23 162 24] [#"../index_range.rs" 162 23 162 24] (5 : usize))) + [#"../index_range.rs" 162 12 162 24] _7 <- _8 = ([#"../index_range.rs" 162 23 162 24] (5 : usize)); + _8 <- any usize; + switch (_7) | False -> goto BB20 | True -> goto BB4 end } BB4 { - [#"../index_range.rs" 162 30 162 31] _12 <- ([#"../index_range.rs" 162 30 162 31] [#"../index_range.rs" 162 30 162 31] (0 : usize)); - [#"../index_range.rs" 162 28 162 32] _14 <- ([#"../index_range.rs" 162 28 162 32] _12 < ([#"../index_range.rs" 162 28 162 32] Slice.length s)); + [#"../index_range.rs" 162 30 162 31] _12 <- ([#"../index_range.rs" 162 30 162 31] (0 : usize)); + [#"../index_range.rs" 162 28 162 32] _13 <- Slice.length s; + [#"../index_range.rs" 162 28 162 32] _14 <- _12 < _13; assert { [@expl:index in bounds] [#"../index_range.rs" 162 28 162 32] _14 }; goto BB5 } BB5 { - switch ([#"../index_range.rs" 162 28 162 37] ([#"../index_range.rs" 162 28 162 32] Slice.get s _12) = ([#"../index_range.rs" 162 36 162 37] [#"../index_range.rs" 162 36 162 37] (0 : int32))) + [#"../index_range.rs" 162 28 162 37] _10 <- Slice.get s _12 = ([#"../index_range.rs" 162 36 162 37] (0 : int32)); + switch (_10) | False -> goto BB19 | True -> goto BB6 end } BB6 { - [#"../index_range.rs" 162 43 162 44] _17 <- ([#"../index_range.rs" 162 43 162 44] [#"../index_range.rs" 162 43 162 44] (1 : usize)); - [#"../index_range.rs" 162 41 162 45] _19 <- ([#"../index_range.rs" 162 41 162 45] _17 < ([#"../index_range.rs" 162 41 162 45] Slice.length s)); + [#"../index_range.rs" 162 43 162 44] _17 <- ([#"../index_range.rs" 162 43 162 44] (1 : usize)); + [#"../index_range.rs" 
162 41 162 45] _18 <- Slice.length s; + [#"../index_range.rs" 162 41 162 45] _19 <- _17 < _18; assert { [@expl:index in bounds] [#"../index_range.rs" 162 41 162 45] _19 }; goto BB7 } BB7 { - switch ([#"../index_range.rs" 162 41 162 50] ([#"../index_range.rs" 162 41 162 45] Slice.get s _17) = ([#"../index_range.rs" 162 49 162 50] [#"../index_range.rs" 162 49 162 50] (1 : int32))) + [#"../index_range.rs" 162 41 162 50] _15 <- Slice.get s _17 = ([#"../index_range.rs" 162 49 162 50] (1 : int32)); + switch (_15) | False -> goto BB18 | True -> goto BB8 end } BB8 { - [#"../index_range.rs" 162 56 162 57] _22 <- ([#"../index_range.rs" 162 56 162 57] [#"../index_range.rs" 162 56 162 57] (2 : usize)); - [#"../index_range.rs" 162 54 162 58] _24 <- ([#"../index_range.rs" 162 54 162 58] _22 < ([#"../index_range.rs" 162 54 162 58] Slice.length s)); + [#"../index_range.rs" 162 56 162 57] _22 <- ([#"../index_range.rs" 162 56 162 57] (2 : usize)); + [#"../index_range.rs" 162 54 162 58] _23 <- Slice.length s; + [#"../index_range.rs" 162 54 162 58] _24 <- _22 < _23; assert { [@expl:index in bounds] [#"../index_range.rs" 162 54 162 58] _24 }; goto BB9 } BB9 { - switch ([#"../index_range.rs" 162 54 162 63] ([#"../index_range.rs" 162 54 162 58] Slice.get s _22) = ([#"../index_range.rs" 162 62 162 63] [#"../index_range.rs" 162 62 162 63] (2 : int32))) + [#"../index_range.rs" 162 54 162 63] _20 <- Slice.get s _22 = ([#"../index_range.rs" 162 62 162 63] (2 : int32)); + switch (_20) | False -> goto BB17 | True -> goto BB10 end } BB10 { - [#"../index_range.rs" 162 69 162 70] _27 <- ([#"../index_range.rs" 162 69 162 70] [#"../index_range.rs" 162 69 162 70] (3 : usize)); - [#"../index_range.rs" 162 67 162 71] _29 <- ([#"../index_range.rs" 162 67 162 71] _27 < ([#"../index_range.rs" 162 67 162 71] Slice.length s)); + [#"../index_range.rs" 162 69 162 70] _27 <- ([#"../index_range.rs" 162 69 162 70] (3 : usize)); + [#"../index_range.rs" 162 67 162 71] _28 <- Slice.length s; + [#"../index_range.rs" 
162 67 162 71] _29 <- _27 < _28; assert { [@expl:index in bounds] [#"../index_range.rs" 162 67 162 71] _29 }; goto BB11 } BB11 { - switch ([#"../index_range.rs" 162 67 162 76] ([#"../index_range.rs" 162 67 162 71] Slice.get s _27) = ([#"../index_range.rs" 162 75 162 76] [#"../index_range.rs" 162 75 162 76] (3 : int32))) + [#"../index_range.rs" 162 67 162 76] _25 <- Slice.get s _27 = ([#"../index_range.rs" 162 75 162 76] (3 : int32)); + switch (_25) | False -> goto BB16 | True -> goto BB12 end } BB12 { - [#"../index_range.rs" 162 82 162 83] _32 <- ([#"../index_range.rs" 162 82 162 83] [#"../index_range.rs" 162 82 162 83] (4 : usize)); - [#"../index_range.rs" 162 80 162 84] _34 <- ([#"../index_range.rs" 162 80 162 84] _32 < ([#"../index_range.rs" 162 80 162 84] Slice.length s)); + [#"../index_range.rs" 162 82 162 83] _32 <- ([#"../index_range.rs" 162 82 162 83] (4 : usize)); + [#"../index_range.rs" 162 80 162 84] _33 <- Slice.length s; + [#"../index_range.rs" 162 80 162 84] _34 <- _32 < _33; assert { [@expl:index in bounds] [#"../index_range.rs" 162 80 162 84] _34 }; goto BB13 } BB13 { - switch ([#"../index_range.rs" 162 80 162 89] ([#"../index_range.rs" 162 80 162 84] Slice.get s _32) = ([#"../index_range.rs" 162 88 162 89] [#"../index_range.rs" 162 88 162 89] (4 : int32))) + [#"../index_range.rs" 162 80 162 89] _30 <- Slice.get s _32 = ([#"../index_range.rs" 162 88 162 89] (4 : int32)); + switch (_30) | False -> goto BB15 | True -> goto BB14 end 
@@ -2455,8 +2698,10 @@ module IndexRange_TestRangeFull BB14 { [#"../index_range.rs" 165 17 165 20] _38 <- Borrow.borrow_mut arr; [#"../index_range.rs" 165 17 165 20] arr <- ^ _38; - [#"../index_range.rs" 165 20 165 24] _37 <- ([#"../index_range.rs" 165 20 165 24] index_mut0 _38 ([#"../index_range.rs" 165 21 165 23] Core_Ops_Range_RangeFull_Type.C_RangeFull)); + [#"../index_range.rs" 165 21 165 23] _39 <- Core_Ops_Range_RangeFull_Type.C_RangeFull; + [#"../index_range.rs" 165 20 165 24] _37 <- ([#"../index_range.rs" 165 20 165 24] index_mut0 _38 _39); _38 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); + _39 <- any Core_Ops_Range_RangeFull_Type.t_rangefull; goto BB22 } BB15 { 
@@ -2490,18 +2735,21 @@ module IndexRange_TestRangeFull BB22 { [#"../index_range.rs" 165 12 165 24] s1 <- Borrow.borrow_final ( * _37) (Borrow.get_id _37); [#"../index_range.rs" 165 12 165 24] _37 <- { _37 with current = ( ^ s1) ; }; - [#"../index_range.rs" 166 12 166 19] _42 <- ([#"../index_range.rs" 166 12 166 19] len0 ([#"../index_range.rs" 166 12 166 13] * s1)); + [#"../index_range.rs" 166 12 166 19] _42 <- ([#"../index_range.rs" 166 12 166 19] len0 ( * s1)); goto BB23 } BB23 { - switch ([#"../index_range.rs" 166 12 166 24] _42 = ([#"../index_range.rs" 166 23 166 24] [#"../index_range.rs" 166 23 166 24] (5 : usize))) + [#"../index_range.rs" 166 12 166 24] _41 <- _42 = ([#"../index_range.rs" 166 23 166 24] (5 : usize)); + _42 <- any usize; + switch (_41) | False -> goto BB25 | True -> goto BB24 end } BB24 { - [#"../index_range.rs" 167 6 167 7] _45 <- ([#"../index_range.rs" 167 6 167 7] [#"../index_range.rs" 167 6 167 7] (1 : usize)); - [#"../index_range.rs" 167 4 167 8] _47 <- ([#"../index_range.rs" 167 4 167 8] _45 < ([#"../index_range.rs" 167 4 167 8] Slice.length ( * s1))); + [#"../index_range.rs" 167 6 167 7] _45 <- ([#"../index_range.rs" 167 6 167 7] (1 : usize)); + [#"../index_range.rs" 167 4 167 8] _46 <- Slice.length ( * s1); + [#"../index_range.rs" 167 4 167 8] _47 <- _45 < _46; assert { [@expl:index in bounds] [#"../index_range.rs" 167 4 167 8] _47 }; goto BB26 } 
@@ -2513,27 +2761,30 @@ module IndexRange_TestRangeFull absurd } BB26 { - [#"../index_range.rs" 167 4 167 13] s1 <- { s1 with current = Slice.set ( * s1) _45 ([#"../index_range.rs" 167 4 167 13] [#"../index_range.rs" 167 11 167 13] (-1 : int32)) ; }; - [#"../index_range.rs" 168 6 168 7] _48 <- ([#"../index_range.rs" 168 6 168 7] [#"../index_range.rs" 168 6 168 7] (3 : usize)); - [#"../index_range.rs" 168 4 168 8] _50 <- ([#"../index_range.rs" 168 4 168 8] _48 < ([#"../index_range.rs" 168 4 168 8] Slice.length ( * s1))); + [#"../index_range.rs" 167 4 167 13] s1 <- { s1 with current = Slice.set ( * s1) _45 ([#"../index_range.rs" 167 11 167 13] (-1 : int32)) ; }; + [#"../index_range.rs" 168 6 168 7] _48 <- ([#"../index_range.rs" 168 6 168 7] (3 : usize)); + [#"../index_range.rs" 168 4 168 8] _49 <- Slice.length ( * s1); + [#"../index_range.rs" 168 4 168 8] _50 <- _48 < _49; assert { [@expl:index in bounds] [#"../index_range.rs" 168 4 168 8] _50 }; goto BB27 } BB27 { - [#"../index_range.rs" 168 4 168 13] s1 <- { s1 with current = Slice.set ( * s1) _48 ([#"../index_range.rs" 168 4 168 13] [#"../index_range.rs" 168 11 168 13] (-1 : int32)) ; }; + [#"../index_range.rs" 168 4 168 13] s1 <- { s1 with current = Slice.set ( * s1) _48 ([#"../index_range.rs" 168 11 168 13] (-1 : int32)) ; }; assume { resolve1 s1 }; assume { resolve1 _37 }; - [#"../index_range.rs" 170 12 170 21] _53 <- ([#"../index_range.rs" 170 12 170 21] len1 ([#"../index_range.rs" 170 12 170 15] arr)); + [#"../index_range.rs" 170 12 170 21] _53 <- ([#"../index_range.rs" 170 12 170 21] len1 arr); goto BB28 } BB28 { - switch ([#"../index_range.rs" 170 12 170 26] _53 = ([#"../index_range.rs" 170 25 170 26] [#"../index_range.rs" 170 25 170 26] (5 : usize))) + [#"../index_range.rs" 170 12 170 26] _52 <- _53 = ([#"../index_range.rs" 170 25 170 26] (5 : usize)); + _53 <- any usize; + switch (_52) | False -> goto BB30 | True -> goto BB29 end } BB29 { - [#"../index_range.rs" 171 15 171 18] _59 <- 
([#"../index_range.rs" 171 15 171 18] index1 ([#"../index_range.rs" 171 12 171 15] arr) ([#"../index_range.rs" 171 16 171 17] [#"../index_range.rs" 171 16 171 17] (0 : usize))); + [#"../index_range.rs" 171 15 171 18] _59 <- ([#"../index_range.rs" 171 15 171 18] index1 arr ([#"../index_range.rs" 171 16 171 17] (0 : usize))); goto BB31 } BB30 { @@ -2542,13 +2793,14 @@ module IndexRange_TestRangeFull absurd } BB31 { - switch ([#"../index_range.rs" 171 12 171 23] ([#"../index_range.rs" 171 12 171 18] _59) = ([#"../index_range.rs" 171 22 171 23] [#"../index_range.rs" 171 22 171 23] (0 : int32))) + [#"../index_range.rs" 171 12 171 23] _57 <- _59 = ([#"../index_range.rs" 171 22 171 23] (0 : int32)); + switch (_57) | False -> goto BB33 | True -> goto BB32 end } BB32 { - [#"../index_range.rs" 172 15 172 18] _65 <- ([#"../index_range.rs" 172 15 172 18] index1 ([#"../index_range.rs" 172 12 172 15] arr) ([#"../index_range.rs" 172 16 172 17] [#"../index_range.rs" 172 16 172 17] (1 : usize))); + [#"../index_range.rs" 172 15 172 18] _65 <- ([#"../index_range.rs" 172 15 172 18] index1 arr ([#"../index_range.rs" 172 16 172 17] (1 : usize))); goto BB34 } BB33 { @@ -2557,13 +2809,14 @@ module IndexRange_TestRangeFull absurd } BB34 { - switch ([#"../index_range.rs" 172 12 172 24] ([#"../index_range.rs" 172 12 172 18] _65) = ([#"../index_range.rs" 172 22 172 24] [#"../index_range.rs" 172 22 172 24] (-1 : int32))) + [#"../index_range.rs" 172 12 172 24] _63 <- _65 = ([#"../index_range.rs" 172 22 172 24] (-1 : int32)); + switch (_63) | False -> goto BB36 | True -> goto BB35 end } BB35 { - [#"../index_range.rs" 173 15 173 18] _71 <- ([#"../index_range.rs" 173 15 173 18] index1 ([#"../index_range.rs" 173 12 173 15] arr) ([#"../index_range.rs" 173 16 173 17] [#"../index_range.rs" 173 16 173 17] (2 : usize))); + [#"../index_range.rs" 173 15 173 18] _71 <- ([#"../index_range.rs" 173 15 173 18] index1 arr ([#"../index_range.rs" 173 16 173 17] (2 : usize))); goto BB37 } BB36 { 
@@ -2572,13 +2825,14 @@ module IndexRange_TestRangeFull absurd } BB37 { - switch ([#"../index_range.rs" 173 12 173 23] ([#"../index_range.rs" 173 12 173 18] _71) = ([#"../index_range.rs" 173 22 173 23] [#"../index_range.rs" 173 22 173 23] (2 : int32))) + [#"../index_range.rs" 173 12 173 23] _69 <- _71 = ([#"../index_range.rs" 173 22 173 23] (2 : int32)); + switch (_69) | False -> goto BB39 | True -> goto BB38 end } BB38 { - [#"../index_range.rs" 174 15 174 18] _77 <- ([#"../index_range.rs" 174 15 174 18] index1 ([#"../index_range.rs" 174 12 174 15] arr) ([#"../index_range.rs" 174 16 174 17] [#"../index_range.rs" 174 16 174 17] (3 : usize))); + [#"../index_range.rs" 174 15 174 18] _77 <- ([#"../index_range.rs" 174 15 174 18] index1 arr ([#"../index_range.rs" 174 16 174 17] (3 : usize))); goto BB40 } BB39 { @@ -2587,13 +2841,14 @@ module IndexRange_TestRangeFull absurd } BB40 { - switch ([#"../index_range.rs" 174 12 174 24] ([#"../index_range.rs" 174 12 174 18] _77) = ([#"../index_range.rs" 174 22 174 24] [#"../index_range.rs" 174 22 174 24] (-1 : int32))) + [#"../index_range.rs" 174 12 174 24] _75 <- _77 = ([#"../index_range.rs" 174 22 174 24] (-1 : int32)); + switch (_75) | False -> goto BB42 | True -> goto BB41 end } BB41 { - [#"../index_range.rs" 175 15 175 18] _83 <- ([#"../index_range.rs" 175 15 175 18] index1 ([#"../index_range.rs" 175 12 175 15] arr) ([#"../index_range.rs" 175 16 175 17] [#"../index_range.rs" 175 16 175 17] (4 : usize))); + [#"../index_range.rs" 175 15 175 18] _83 <- ([#"../index_range.rs" 175 15 175 18] index1 arr ([#"../index_range.rs" 175 16 175 17] (4 : usize))); goto BB43 } BB42 { 
@@ -2603,7 +2858,8 @@ module IndexRange_TestRangeFull } BB43 { assume { resolve0 arr }; - switch ([#"../index_range.rs" 175 12 175 23] ([#"../index_range.rs" 175 12 175 18] _83) = ([#"../index_range.rs" 175 22 175 23] [#"../index_range.rs" 175 22 175 23] (4 : int32))) + [#"../index_range.rs" 175 12 175 23] _81 <- _83 = ([#"../index_range.rs" 175 22 175 23] (4 : int32)); + switch (_81) | False -> goto BB45 | True -> goto BB44 end @@ -2671,7 +2927,8 @@ module IndexRange_TestRangeToInclusive requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant9 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv10 (shallow_model0 self) val invariant9 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -2806,7 +3063,8 @@ module IndexRange_TestRangeToInclusive predicate resolve_elswhere0 (self : Core_Ops_Range_RangeToInclusive_Type.t_rangetoinclusive usize) (old' : Seq.seq int32) (fin : Seq.seq int32) = - [#"../../../../creusot-contracts/src/std/slice.rs" 234 8 234 89] forall i : int . UIntSize.to_int (Core_Ops_Range_RangeToInclusive_Type.rangetoinclusive_end self) < i /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 234 8 234 89] forall i : int . UIntSize.to_int (Core_Ops_Range_RangeToInclusive_Type.rangetoinclusive_end self) < i /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 (self : Core_Ops_Range_RangeToInclusive_Type.t_rangetoinclusive usize) (old' : Seq.seq int32) (fin : Seq.seq int32) : bool ensures { result = resolve_elswhere0 self old' fin } 
@@ -2816,7 +3074,8 @@ module IndexRange_TestRangeToInclusive requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : slice int32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv10 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : slice int32 . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv11 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv10 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) use seq_ext.SeqExt predicate has_value0 (self : Core_Ops_Range_RangeToInclusive_Type.t_rangetoinclusive usize) (seq : Seq.seq int32) (out : slice int32) 
@@ -2859,7 +3118,8 @@ module IndexRange_TestRangeToInclusive val get0 (self : slice int32) (index : Core_Ops_Range_RangeToInclusive_Type.t_rangetoinclusive usize) : Core_Option_Option_Type.t_option (slice int32) requires {inv2 self} requires {inv1 index} - ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 252 8 252 102] in_bounds0 index (shallow_model3 self) -> (exists r : slice int32 . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ has_value0 index (shallow_model3 self) r) } + ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 252 8 252 102] in_bounds0 index (shallow_model3 self) + -> (exists r : slice int32 . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ has_value0 index (shallow_model3 self) r) } ensures { [#"../../../../creusot-contracts/src/std/slice.rs" 253 18 253 55] in_bounds0 index (shallow_model3 self) \/ result = Core_Option_Option_Type.C_None } ensures { inv3 result } @@ -2881,7 +3141,8 @@ module IndexRange_TestRangeToInclusive ensures { result = index_logic0 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve2 (index_logic0 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve2 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } 
@@ -2907,78 +3168,105 @@ module IndexRange_TestRangeToInclusive var arr : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global); var s : slice int32; var _3 : slice int32; + var _5 : Core_Ops_Range_RangeToInclusive_Type.t_rangetoinclusive usize; + var _7 : bool; var _8 : usize; + var _10 : bool; var _12 : usize; + var _13 : usize; var _14 : bool; + var _15 : bool; var _17 : usize; + var _18 : usize; var _19 : bool; var _22 : bool; var _24 : Core_Option_Option_Type.t_option (slice int32); var _26 : slice int32; + var _28 : Core_Ops_Range_RangeToInclusive_Type.t_rangetoinclusive usize; var s1 : borrowed (slice int32); var _31 : borrowed (slice int32); var _32 : borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); + var _33 : Core_Ops_Range_RangeToInclusive_Type.t_rangetoinclusive usize; + var _35 : bool; var _36 : usize; var _39 : usize; + var _40 : usize; var _41 : bool; var _42 : usize; + var _43 : usize; var _44 : bool; + var _46 : bool; var _48 : usize; + var _49 : usize; var _50 : bool; + var _53 : bool; var _54 : usize; + var _58 : bool; var _60 : int32; + var _64 : bool; var _66 : int32; + var _70 : bool; var _72 : int32; + var _76 : bool; var _78 : int32; + var _82 : bool; var _84 : int32; { goto BB0 } BB0 { - [#"../index_range.rs" 181 18 181 30] arr <- ([#"../index_range.rs" 181 18 181 30] create_arr0 ()); + [#"../index_range.rs" 181 18 181 30] arr <- ([#"../index_range.rs" 181 18 181 30] create_arr0 ([#"../index_range.rs" 181 18 181 30] ())); goto BB1 } BB1 { - [#"../index_range.rs" 186 16 186 22] _3 <- ([#"../index_range.rs" 186 16 186 22] index0 ([#"../index_range.rs" 186 13 186 16] arr) ([#"../index_range.rs" 186 17 186 21] Core_Ops_Range_RangeToInclusive_Type.C_RangeToInclusive ([#"../index_range.rs" 186 20 186 21] [#"../index_range.rs" 186 20 186 21] (1 : usize)))); + [#"../index_range.rs" 186 17 186 21] _5 <- Core_Ops_Range_RangeToInclusive_Type.C_RangeToInclusive ([#"../index_range.rs" 186 20 186 21] (1 : usize)); 
+ [#"../index_range.rs" 186 16 186 22] _3 <- ([#"../index_range.rs" 186 16 186 22] index0 arr _5); + _5 <- any Core_Ops_Range_RangeToInclusive_Type.t_rangetoinclusive usize; goto BB2 } BB2 { - [#"../index_range.rs" 186 12 186 22] s <- ([#"../index_range.rs" 186 12 186 22] _3); - [#"../index_range.rs" 187 12 187 19] _8 <- ([#"../index_range.rs" 187 12 187 19] len0 ([#"../index_range.rs" 187 12 187 13] s)); + [#"../index_range.rs" 186 12 186 22] s <- _3; + [#"../index_range.rs" 187 12 187 19] _8 <- ([#"../index_range.rs" 187 12 187 19] len0 s); goto BB3 } BB3 { - switch ([#"../index_range.rs" 187 12 187 24] _8 = ([#"../index_range.rs" 187 23 187 24] [#"../index_range.rs" 187 23 187 24] (2 : usize))) + [#"../index_range.rs" 187 12 187 24] _7 <- _8 = ([#"../index_range.rs" 187 23 187 24] (2 : usize)); + _8 <- any usize; + switch (_7) | False -> goto BB11 | True -> goto BB4 end } BB4 { - [#"../index_range.rs" 187 30 187 31] _12 <- ([#"../index_range.rs" 187 30 187 31] [#"../index_range.rs" 187 30 187 31] (0 : usize)); - [#"../index_range.rs" 187 28 187 32] _14 <- ([#"../index_range.rs" 187 28 187 32] _12 < ([#"../index_range.rs" 187 28 187 32] Slice.length s)); + [#"../index_range.rs" 187 30 187 31] _12 <- ([#"../index_range.rs" 187 30 187 31] (0 : usize)); + [#"../index_range.rs" 187 28 187 32] _13 <- Slice.length s; + [#"../index_range.rs" 187 28 187 32] _14 <- _12 < _13; assert { [@expl:index in bounds] [#"../index_range.rs" 187 28 187 32] _14 }; goto BB5 } BB5 { - switch ([#"../index_range.rs" 187 28 187 37] ([#"../index_range.rs" 187 28 187 32] Slice.get s _12) = ([#"../index_range.rs" 187 36 187 37] [#"../index_range.rs" 187 36 187 37] (0 : int32))) + [#"../index_range.rs" 187 28 187 37] _10 <- Slice.get s _12 = ([#"../index_range.rs" 187 36 187 37] (0 : int32)); + switch (_10) | False -> goto BB10 | True -> goto BB6 end } BB6 { - [#"../index_range.rs" 187 43 187 44] _17 <- ([#"../index_range.rs" 187 43 187 44] [#"../index_range.rs" 187 43 187 44] (1 : usize)); - 
[#"../index_range.rs" 187 41 187 45] _19 <- ([#"../index_range.rs" 187 41 187 45] _17 < ([#"../index_range.rs" 187 41 187 45] Slice.length s)); + [#"../index_range.rs" 187 43 187 44] _17 <- ([#"../index_range.rs" 187 43 187 44] (1 : usize)); + [#"../index_range.rs" 187 41 187 45] _18 <- Slice.length s; + [#"../index_range.rs" 187 41 187 45] _19 <- _17 < _18; assert { [@expl:index in bounds] [#"../index_range.rs" 187 41 187 45] _19 }; goto BB7 } BB7 { - switch ([#"../index_range.rs" 187 41 187 50] ([#"../index_range.rs" 187 41 187 45] Slice.get s _17) = ([#"../index_range.rs" 187 49 187 50] [#"../index_range.rs" 187 49 187 50] (1 : int32))) + [#"../index_range.rs" 187 41 187 50] _15 <- Slice.get s _17 = ([#"../index_range.rs" 187 49 187 50] (1 : int32)); + switch (_15) | False -> goto BB9 | True -> goto BB8 end } BB8 { - [#"../index_range.rs" 192 12 192 25] _26 <- ([#"../index_range.rs" 192 12 192 25] deref0 ([#"../index_range.rs" 192 12 192 15] arr)); + [#"../index_range.rs" 192 12 192 25] _26 <- ([#"../index_range.rs" 192 12 192 25] deref0 arr); goto BB13 } BB9 { 
@@ -2998,11 +3286,13 @@ module IndexRange_TestRangeToInclusive absurd } BB13 { - [#"../index_range.rs" 192 12 192 25] _24 <- ([#"../index_range.rs" 192 12 192 25] get0 ([#"../index_range.rs" 192 12 192 15] _26) ([#"../index_range.rs" 192 20 192 24] Core_Ops_Range_RangeToInclusive_Type.C_RangeToInclusive ([#"../index_range.rs" 192 23 192 24] [#"../index_range.rs" 192 23 192 24] (5 : usize)))); + [#"../index_range.rs" 192 20 192 24] _28 <- Core_Ops_Range_RangeToInclusive_Type.C_RangeToInclusive ([#"../index_range.rs" 192 23 192 24] (5 : usize)); + [#"../index_range.rs" 192 12 192 25] _24 <- ([#"../index_range.rs" 192 12 192 25] get0 _26 _28); + _28 <- any Core_Ops_Range_RangeToInclusive_Type.t_rangetoinclusive usize; goto BB14 } BB14 { - [#"../index_range.rs" 192 12 192 35] _22 <- ([#"../index_range.rs" 192 12 192 35] is_none0 ([#"../index_range.rs" 192 12 192 25] _24)); + [#"../index_range.rs" 192 12 192 35] _22 <- ([#"../index_range.rs" 192 12 192 35] is_none0 _24); goto BB15 } BB15 { @@ -3014,8 +3304,10 @@ module IndexRange_TestRangeToInclusive BB16 { [#"../index_range.rs" 195 17 195 20] _32 <- Borrow.borrow_mut arr; [#"../index_range.rs" 195 17 195 20] arr <- ^ _32; - [#"../index_range.rs" 195 20 195 26] _31 <- ([#"../index_range.rs" 195 20 195 26] index_mut0 _32 ([#"../index_range.rs" 195 21 195 25] Core_Ops_Range_RangeToInclusive_Type.C_RangeToInclusive ([#"../index_range.rs" 195 24 195 25] [#"../index_range.rs" 195 24 195 25] (2 : usize)))); + [#"../index_range.rs" 195 21 195 25] _33 <- Core_Ops_Range_RangeToInclusive_Type.C_RangeToInclusive ([#"../index_range.rs" 195 24 195 25] (2 : usize)); + [#"../index_range.rs" 195 20 195 26] _31 <- ([#"../index_range.rs" 195 20 195 26] index_mut0 _32 _33); _32 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); + _33 <- any Core_Ops_Range_RangeToInclusive_Type.t_rangetoinclusive usize; goto BB18 } BB17 { 
@@ -3026,18 +3318,21 @@ module IndexRange_TestRangeToInclusive BB18 { [#"../index_range.rs" 195 12 195 26] s1 <- Borrow.borrow_final ( * _31) (Borrow.get_id _31); [#"../index_range.rs" 195 12 195 26] _31 <- { _31 with current = ( ^ s1) ; }; - [#"../index_range.rs" 196 12 196 19] _36 <- ([#"../index_range.rs" 196 12 196 19] len0 ([#"../index_range.rs" 196 12 196 13] * s1)); + [#"../index_range.rs" 196 12 196 19] _36 <- ([#"../index_range.rs" 196 12 196 19] len0 ( * s1)); goto BB19 } BB19 { - switch ([#"../index_range.rs" 196 12 196 24] _36 = ([#"../index_range.rs" 196 23 196 24] [#"../index_range.rs" 196 23 196 24] (3 : usize))) + [#"../index_range.rs" 196 12 196 24] _35 <- _36 = ([#"../index_range.rs" 196 23 196 24] (3 : usize)); + _36 <- any usize; + switch (_35) | False -> goto BB21 | True -> goto BB20 end } BB20 { - [#"../index_range.rs" 197 6 197 7] _39 <- ([#"../index_range.rs" 197 6 197 7] [#"../index_range.rs" 197 6 197 7] (0 : usize)); - [#"../index_range.rs" 197 4 197 8] _41 <- ([#"../index_range.rs" 197 4 197 8] _39 < ([#"../index_range.rs" 197 4 197 8] Slice.length ( * s1))); + [#"../index_range.rs" 197 6 197 7] _39 <- ([#"../index_range.rs" 197 6 197 7] (0 : usize)); + [#"../index_range.rs" 197 4 197 8] _40 <- Slice.length ( * s1); + [#"../index_range.rs" 197 4 197 8] _41 <- _39 < _40; assert { [@expl:index in bounds] [#"../index_range.rs" 197 4 197 8] _41 }; goto BB22 } 
@@ -3049,29 +3344,32 @@ module IndexRange_TestRangeToInclusive absurd } BB22 { - [#"../index_range.rs" 197 4 197 13] s1 <- { s1 with current = Slice.set ( * s1) _39 ([#"../index_range.rs" 197 4 197 13] [#"../index_range.rs" 197 11 197 13] (-1 : int32)) ; }; - [#"../index_range.rs" 198 6 198 7] _42 <- ([#"../index_range.rs" 198 6 198 7] [#"../index_range.rs" 198 6 198 7] (2 : usize)); - [#"../index_range.rs" 198 4 198 8] _44 <- ([#"../index_range.rs" 198 4 198 8] _42 < ([#"../index_range.rs" 198 4 198 8] Slice.length ( * s1))); + [#"../index_range.rs" 197 4 197 13] s1 <- { s1 with current = Slice.set ( * s1) _39 ([#"../index_range.rs" 197 11 197 13] (-1 : int32)) ; }; + [#"../index_range.rs" 198 6 198 7] _42 <- ([#"../index_range.rs" 198 6 198 7] (2 : usize)); + [#"../index_range.rs" 198 4 198 8] _43 <- Slice.length ( * s1); + [#"../index_range.rs" 198 4 198 8] _44 <- _42 < _43; assert { [@expl:index in bounds] [#"../index_range.rs" 198 4 198 8] _44 }; goto BB23 } BB23 { - [#"../index_range.rs" 198 4 198 13] s1 <- { s1 with current = Slice.set ( * s1) _42 ([#"../index_range.rs" 198 4 198 13] [#"../index_range.rs" 198 11 198 13] (-1 : int32)) ; }; - [#"../index_range.rs" 200 14 200 15] _48 <- ([#"../index_range.rs" 200 14 200 15] [#"../index_range.rs" 200 14 200 15] (1 : usize)); - [#"../index_range.rs" 200 12 200 16] _50 <- ([#"../index_range.rs" 200 12 200 16] _48 < ([#"../index_range.rs" 200 12 200 16] Slice.length ( * s1))); + [#"../index_range.rs" 198 4 198 13] s1 <- { s1 with current = Slice.set ( * s1) _42 ([#"../index_range.rs" 198 11 198 13] (-1 : int32)) ; }; + [#"../index_range.rs" 200 14 200 15] _48 <- ([#"../index_range.rs" 200 14 200 15] (1 : usize)); + [#"../index_range.rs" 200 12 200 16] _49 <- Slice.length ( * s1); + [#"../index_range.rs" 200 12 200 16] _50 <- _48 < _49; assert { [@expl:index in bounds] [#"../index_range.rs" 200 12 200 16] _50 }; goto BB24 } BB24 { assume { resolve1 s1 }; + [#"../index_range.rs" 200 12 200 21] _46 <- Slice.get ( * 
s1) _48 = ([#"../index_range.rs" 200 20 200 21] (1 : int32)); assume { resolve1 _31 }; - switch ([#"../index_range.rs" 200 12 200 21] ([#"../index_range.rs" 200 12 200 16] Slice.get ( * s1) _48) = ([#"../index_range.rs" 200 20 200 21] [#"../index_range.rs" 200 20 200 21] (1 : int32))) + switch (_46) | False -> goto BB26 | True -> goto BB25 end } BB25 { - [#"../index_range.rs" 202 12 202 21] _54 <- ([#"../index_range.rs" 202 12 202 21] len1 ([#"../index_range.rs" 202 12 202 15] arr)); + [#"../index_range.rs" 202 12 202 21] _54 <- ([#"../index_range.rs" 202 12 202 21] len1 arr); goto BB27 } BB26 { @@ -3080,13 +3378,15 @@ module IndexRange_TestRangeToInclusive absurd } BB27 { - switch ([#"../index_range.rs" 202 12 202 26] _54 = ([#"../index_range.rs" 202 25 202 26] [#"../index_range.rs" 202 25 202 26] (5 : usize))) + [#"../index_range.rs" 202 12 202 26] _53 <- _54 = ([#"../index_range.rs" 202 25 202 26] (5 : usize)); + _54 <- any usize; + switch (_53) | False -> goto BB29 | True -> goto BB28 end } BB28 { - [#"../index_range.rs" 203 15 203 18] _60 <- ([#"../index_range.rs" 203 15 203 18] index1 ([#"../index_range.rs" 203 12 203 15] arr) ([#"../index_range.rs" 203 16 203 17] [#"../index_range.rs" 203 16 203 17] (0 : usize))); + [#"../index_range.rs" 203 15 203 18] _60 <- ([#"../index_range.rs" 203 15 203 18] index1 arr ([#"../index_range.rs" 203 16 203 17] (0 : usize))); goto BB30 } BB29 { 
@@ -3095,13 +3395,14 @@ module IndexRange_TestRangeToInclusive absurd } BB30 { - switch ([#"../index_range.rs" 203 12 203 24] ([#"../index_range.rs" 203 12 203 18] _60) = ([#"../index_range.rs" 203 22 203 24] [#"../index_range.rs" 203 22 203 24] (-1 : int32))) + [#"../index_range.rs" 203 12 203 24] _58 <- _60 = ([#"../index_range.rs" 203 22 203 24] (-1 : int32)); + switch (_58) | False -> goto BB32 | True -> goto BB31 end } BB31 { - [#"../index_range.rs" 204 15 204 18] _66 <- ([#"../index_range.rs" 204 15 204 18] index1 ([#"../index_range.rs" 204 12 204 15] arr) ([#"../index_range.rs" 204 16 204 17] [#"../index_range.rs" 204 16 204 17] (1 : usize))); + [#"../index_range.rs" 204 15 204 18] _66 <- ([#"../index_range.rs" 204 15 204 18] index1 arr ([#"../index_range.rs" 204 16 204 17] (1 : usize))); goto BB33 } BB32 { @@ -3110,13 +3411,14 @@ module IndexRange_TestRangeToInclusive absurd } BB33 { - switch ([#"../index_range.rs" 204 12 204 23] ([#"../index_range.rs" 204 12 204 18] _66) = ([#"../index_range.rs" 204 22 204 23] [#"../index_range.rs" 204 22 204 23] (1 : int32))) + [#"../index_range.rs" 204 12 204 23] _64 <- _66 = ([#"../index_range.rs" 204 22 204 23] (1 : int32)); + switch (_64) | False -> goto BB35 | True -> goto BB34 end } BB34 { - [#"../index_range.rs" 205 15 205 18] _72 <- ([#"../index_range.rs" 205 15 205 18] index1 ([#"../index_range.rs" 205 12 205 15] arr) ([#"../index_range.rs" 205 16 205 17] [#"../index_range.rs" 205 16 205 17] (2 : usize))); + [#"../index_range.rs" 205 15 205 18] _72 <- ([#"../index_range.rs" 205 15 205 18] index1 arr ([#"../index_range.rs" 205 16 205 17] (2 : usize))); goto BB36 } BB35 { 
@@ -3125,13 +3427,14 @@ module IndexRange_TestRangeToInclusive absurd } BB36 { - switch ([#"../index_range.rs" 205 12 205 24] ([#"../index_range.rs" 205 12 205 18] _72) = ([#"../index_range.rs" 205 22 205 24] [#"../index_range.rs" 205 22 205 24] (-1 : int32))) + [#"../index_range.rs" 205 12 205 24] _70 <- _72 = ([#"../index_range.rs" 205 22 205 24] (-1 : int32)); + switch (_70) | False -> goto BB38 | True -> goto BB37 end } BB37 { - [#"../index_range.rs" 206 15 206 18] _78 <- ([#"../index_range.rs" 206 15 206 18] index1 ([#"../index_range.rs" 206 12 206 15] arr) ([#"../index_range.rs" 206 16 206 17] [#"../index_range.rs" 206 16 206 17] (3 : usize))); + [#"../index_range.rs" 206 15 206 18] _78 <- ([#"../index_range.rs" 206 15 206 18] index1 arr ([#"../index_range.rs" 206 16 206 17] (3 : usize))); goto BB39 } BB38 { @@ -3140,13 +3443,14 @@ module IndexRange_TestRangeToInclusive absurd } BB39 { - switch ([#"../index_range.rs" 206 12 206 23] ([#"../index_range.rs" 206 12 206 18] _78) = ([#"../index_range.rs" 206 22 206 23] [#"../index_range.rs" 206 22 206 23] (3 : int32))) + [#"../index_range.rs" 206 12 206 23] _76 <- _78 = ([#"../index_range.rs" 206 22 206 23] (3 : int32)); + switch (_76) | False -> goto BB41 | True -> goto BB40 end } BB40 { - [#"../index_range.rs" 207 15 207 18] _84 <- ([#"../index_range.rs" 207 15 207 18] index1 ([#"../index_range.rs" 207 12 207 15] arr) ([#"../index_range.rs" 207 16 207 17] [#"../index_range.rs" 207 16 207 17] (4 : usize))); + [#"../index_range.rs" 207 15 207 18] _84 <- ([#"../index_range.rs" 207 15 207 18] index1 arr ([#"../index_range.rs" 207 16 207 17] (4 : usize))); goto BB42 } BB41 { 
@@ -3156,7 +3460,8 @@ module IndexRange_TestRangeToInclusive } BB42 { assume { resolve0 arr }; - switch ([#"../index_range.rs" 207 12 207 23] ([#"../index_range.rs" 207 12 207 18] _84) = ([#"../index_range.rs" 207 22 207 23] [#"../index_range.rs" 207 22 207 23] (4 : int32))) + [#"../index_range.rs" 207 12 207 23] _82 <- _84 = ([#"../index_range.rs" 207 22 207 23] (4 : int32)); + switch (_82) | False -> goto BB44 | True -> goto BB43 end diff --git a/creusot/tests/should_succeed/index_range/why3session.xml b/creusot/tests/should_succeed/index_range/why3session.xml index 0007cfb686..3857a39796 100644 --- a/creusot/tests/should_succeed/index_range/why3session.xml +++ b/creusot/tests/should_succeed/index_range/why3session.xml @@ -9,225 +9,225 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - - + + - - + + - + - + - - + + - - + + - - + + - - + + - + - + - - + + - + - - + + - - + + - + - + - - + + - + - - + + - + - - + + - - + + - + - - + + - - + + - + - + - + - - + + - - + + - + - + - - + + - - + + - - + + - - + + - - + + - - + + - + - + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - + - + - + - + - + - + - + diff --git a/creusot/tests/should_succeed/index_range/why3shapes.gz b/creusot/tests/should_succeed/index_range/why3shapes.gz index c0759acd7c..4f7f35d875 100644 Binary files a/creusot/tests/should_succeed/index_range/why3shapes.gz and b/creusot/tests/should_succeed/index_range/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/inplace_list_reversal.mlcfg b/creusot/tests/should_succeed/inplace_list_reversal.mlcfg index 298d29d482..d837e30251 100644 --- a/creusot/tests/should_succeed/inplace_list_reversal.mlcfg +++ b/creusot/tests/should_succeed/inplace_list_reversal.mlcfg 
@@ -32,16 +32,16 @@ module InplaceListReversal_Rev ensures { result = inv1 _x } axiom inv1 : forall x : InplaceListReversal_List_Type.t_list t . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (InplaceListReversal_List_Type.t_list t))) - val invariant0 (self : Ghost.ghost_ty (borrowed (InplaceListReversal_List_Type.t_list t))) : bool + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (InplaceListReversal_List_Type.t_list t))) + val invariant0 (self : Snapshot.snap_ty (borrowed (InplaceListReversal_List_Type.t_list t))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (InplaceListReversal_List_Type.t_list t))) - val inv0 (_x : Ghost.ghost_ty (borrowed (InplaceListReversal_List_Type.t_list t))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (InplaceListReversal_List_Type.t_list t))) + val inv0 (_x : Snapshot.snap_ty (borrowed (InplaceListReversal_List_Type.t_list t))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (InplaceListReversal_List_Type.t_list t)) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (InplaceListReversal_List_Type.t_list t)) . inv0 x = true predicate resolve2 (self : borrowed (InplaceListReversal_List_Type.t_list t)) = [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve2 (self : borrowed (InplaceListReversal_List_Type.t_list t)) : bool @@ -51,7 +51,7 @@ module InplaceListReversal_Rev val resolve1 (self : InplaceListReversal_List_Type.t_list t) : bool ensures { result = resolve1 self } - use prelude.Ghost + use prelude.Snapshot function rev_append0 [#"../inplace_list_reversal.rs" 16 0 16 55] (n : InplaceListReversal_List_Type.t_list t) (o : InplaceListReversal_List_Type.t_list t) : InplaceListReversal_List_Type.t_list t = 
@@ -69,11 +69,11 @@ module InplaceListReversal_Rev ensures { [#"../../../../creusot-contracts/src/std/mem.rs" 8 22 8 37] result = * dest } ensures { inv1 result } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (InplaceListReversal_List_Type.t_list t))) - val resolve0 (self : Ghost.ghost_ty (borrowed (InplaceListReversal_List_Type.t_list t))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (InplaceListReversal_List_Type.t_list t))) + val resolve0 (self : Snapshot.snap_ty (borrowed (InplaceListReversal_List_Type.t_list t))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg rev [#"../inplace_list_reversal.rs" 24 0 24 30] [@cfg:stackify] [@cfg:subregion_analysis] (l : borrowed (InplaceListReversal_List_Type.t_list t)) : () requires {[#"../inplace_list_reversal.rs" 24 14 24 15] inv2 l} ensures { [#"../inplace_list_reversal.rs" 23 10 23 35] ^ l = rev_append0 ( * l) (InplaceListReversal_List_Type.C_Nil) } 
@@ -81,28 +81,32 @@ module InplaceListReversal_Rev = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var l : borrowed (InplaceListReversal_List_Type.t_list t) = l; - var old_l : Ghost.ghost_ty (borrowed (InplaceListReversal_List_Type.t_list t)); + var old_l : Snapshot.snap_ty (borrowed (InplaceListReversal_List_Type.t_list t)); var prev : InplaceListReversal_List_Type.t_list t; var head : InplaceListReversal_List_Type.t_list t; var _7 : borrowed (InplaceListReversal_List_Type.t_list t); + var _8 : InplaceListReversal_List_Type.t_list t; var curr : (t, InplaceListReversal_List_Type.t_list t); var next : InplaceListReversal_List_Type.t_list t; + var _16 : InplaceListReversal_List_Type.t_list t; { goto BB0 } BB0 { - [#"../inplace_list_reversal.rs" 25 16 25 25] old_l <- ([#"../inplace_list_reversal.rs" 25 16 25 25] Ghost.new l); + [#"../inplace_list_reversal.rs" 25 16 25 31] old_l <- ([#"../inplace_list_reversal.rs" 25 16 25 31] Snapshot.new l); goto BB1 } BB1 { assert { [@expl:type invariant] inv0 old_l }; assume { resolve0 old_l }; - [#"../inplace_list_reversal.rs" 26 19 26 22] prev <- ([#"../inplace_list_reversal.rs" 26 19 26 22] InplaceListReversal_List_Type.C_Nil); + [#"../inplace_list_reversal.rs" 26 19 26 22] prev <- InplaceListReversal_List_Type.C_Nil; [#"../inplace_list_reversal.rs" 27 27 27 28] _7 <- Borrow.borrow_final ( * l) (Borrow.get_id l); [#"../inplace_list_reversal.rs" 27 27 27 28] l <- { l with current = ( ^ _7) ; }; assume { inv1 ( ^ _7) }; - [#"../inplace_list_reversal.rs" 27 19 27 34] head <- ([#"../inplace_list_reversal.rs" 27 19 27 34] replace0 _7 ([#"../inplace_list_reversal.rs" 27 30 27 33] InplaceListReversal_List_Type.C_Nil)); + [#"../inplace_list_reversal.rs" 27 30 27 33] _8 <- InplaceListReversal_List_Type.C_Nil; + [#"../inplace_list_reversal.rs" 27 19 27 34] head <- ([#"../inplace_list_reversal.rs" 27 19 27 34] replace0 _7 _8); _7 <- any borrowed (InplaceListReversal_List_Type.t_list t); + _8 <- any InplaceListReversal_List_Type.t_list t; 
goto BB2 } BB2 { @@ -112,7 +116,7 @@ module InplaceListReversal_Rev goto BB4 } BB4 { - invariant { [#"../inplace_list_reversal.rs" 28 16 28 73] rev_append0 head prev = rev_append0 ( * Ghost.inner old_l) (InplaceListReversal_List_Type.C_Nil) }; + invariant { [#"../inplace_list_reversal.rs" 28 16 28 73] rev_append0 head prev = rev_append0 ( * Snapshot.inner old_l) (InplaceListReversal_List_Type.C_Nil) }; goto BB5 } BB5 { 
@@ -125,36 +129,38 @@ module InplaceListReversal_Rev goto BB7 } BB7 { - [#"../inplace_list_reversal.rs" 29 19 29 27] curr <- ([#"../inplace_list_reversal.rs" 29 19 29 27] InplaceListReversal_List_Type.cons_0 head); - [#"../inplace_list_reversal.rs" 29 19 29 27] head <- (let InplaceListReversal_List_Type.C_Cons x0 = head in InplaceListReversal_List_Type.C_Cons (any (t, InplaceListReversal_List_Type.t_list t))); + [#"../inplace_list_reversal.rs" 29 19 29 27] curr <- InplaceListReversal_List_Type.cons_0 head; + head <- (let InplaceListReversal_List_Type.C_Cons x0 = head in InplaceListReversal_List_Type.C_Cons (any (t, InplaceListReversal_List_Type.t_list t))); assert { [@expl:type invariant] inv1 head }; assume { resolve1 head }; - [#"../inplace_list_reversal.rs" 30 19 30 25] next <- ([#"../inplace_list_reversal.rs" 30 19 30 25] let (_, a) = curr in a); - [#"../inplace_list_reversal.rs" 30 19 30 25] curr <- (let (x0, x1) = curr in (x0, any InplaceListReversal_List_Type.t_list t)); + [#"../inplace_list_reversal.rs" 30 19 30 25] next <- (let (_, a) = curr in a); + curr <- (let (x0, x1) = curr in (x0, any InplaceListReversal_List_Type.t_list t)); goto BB8 } BB8 { - [#"../inplace_list_reversal.rs" 31 8 31 14] curr <- (let (x0, x1) = curr in (x0, ([#"../inplace_list_reversal.rs" 31 17 31 21] prev))); - [#"../inplace_list_reversal.rs" 31 17 31 21] prev <- any InplaceListReversal_List_Type.t_list t; + [#"../inplace_list_reversal.rs" 31 8 31 14] curr <- (let (x0, x1) = curr in (x0, prev)); + prev <- any InplaceListReversal_List_Type.t_list t; goto BB10 } BB10 { + [#"../inplace_list_reversal.rs" 32 15 32 25] _16 <- InplaceListReversal_List_Type.C_Cons curr; + curr <- any (t, InplaceListReversal_List_Type.t_list t); goto BB11 } BB11 { goto BB12 } BB12 { - [#"../inplace_list_reversal.rs" 32 8 32 12] prev <- ([#"../inplace_list_reversal.rs" 32 15 32 25] InplaceListReversal_List_Type.C_Cons ([#"../inplace_list_reversal.rs" 32 20 32 24] curr)); - [#"../inplace_list_reversal.rs" 32 
20 32 24] curr <- any (t, InplaceListReversal_List_Type.t_list t); + [#"../inplace_list_reversal.rs" 32 8 32 12] prev <- _16; + _16 <- any InplaceListReversal_List_Type.t_list t; goto BB14 } BB14 { goto BB15 } BB15 { - [#"../inplace_list_reversal.rs" 33 8 33 12] head <- ([#"../inplace_list_reversal.rs" 33 15 33 19] next); - [#"../inplace_list_reversal.rs" 33 15 33 19] next <- any InplaceListReversal_List_Type.t_list t; + [#"../inplace_list_reversal.rs" 33 8 33 12] head <- next; + next <- any InplaceListReversal_List_Type.t_list t; goto BB17 } BB17 { @@ -172,8 +178,8 @@ module InplaceListReversal_Rev goto BB4 } BB21 { - [#"../inplace_list_reversal.rs" 35 4 35 6] l <- { l with current = ([#"../inplace_list_reversal.rs" 35 9 35 13] prev) ; }; - [#"../inplace_list_reversal.rs" 35 9 35 13] prev <- any InplaceListReversal_List_Type.t_list t; + [#"../inplace_list_reversal.rs" 35 4 35 6] l <- { l with current = prev ; }; + prev <- any InplaceListReversal_List_Type.t_list t; assert { [@expl:type invariant] inv1 ( * l) }; assume { resolve1 ( * l) }; assert { [@expl:type invariant] inv2 l }; diff --git a/creusot/tests/should_succeed/inplace_list_reversal.rs b/creusot/tests/should_succeed/inplace_list_reversal.rs index 6aee771ec7..26607bc85c 100644 --- a/creusot/tests/should_succeed/inplace_list_reversal.rs +++ b/creusot/tests/should_succeed/inplace_list_reversal.rs @@ -11,7 +11,7 @@ pub enum List { use List::*; type Node = Box<(T, List)>; -#[ghost] +#[logic] #[open(self)] pub fn rev_append(n: List, o: List) -> List { match n { @@ -22,7 +22,7 @@ pub fn rev_append(n: List, o: List) -> List { #[ensures(^l == rev_append(*l, Nil))] pub fn rev(l: &mut List) { - let old_l = gh! { l }; + let old_l = snapshot! { l }; let mut prev = Nil; let mut head = replace(l, Nil); #[invariant(rev_append(head, prev) == rev_append(*old_l.inner(), Nil))] 
diff --git a/creusot/tests/should_succeed/inplace_list_reversal/why3session.xml b/creusot/tests/should_succeed/inplace_list_reversal/why3session.xml index 31b0868b8c..a72a1e213a 100644 --- a/creusot/tests/should_succeed/inplace_list_reversal/why3session.xml +++ b/creusot/tests/should_succeed/inplace_list_reversal/why3session.xml @@ -1,6 +1,6 @@ +"https://www.why3.org/why3session.dtd"> diff --git a/creusot/tests/should_succeed/inplace_list_reversal/why3shapes.gz b/creusot/tests/should_succeed/inplace_list_reversal/why3shapes.gz index e5dbb9b484..26cbb40d6b 100644 Binary files a/creusot/tests/should_succeed/inplace_list_reversal/why3shapes.gz and b/creusot/tests/should_succeed/inplace_list_reversal/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/instant.mlcfg b/creusot/tests/should_succeed/instant.mlcfg index 5eb46fc467..c8d3f43d4a 100644 --- a/creusot/tests/should_succeed/instant.mlcfg +++ b/creusot/tests/should_succeed/instant.mlcfg 
@@ -5,31 +5,31 @@ module Core_Option_Option_Type | C_Some 't end -module Std_Sys_Unix_Time_Nanoseconds_Type +module Std_Sys_Pal_Unix_Time_Nanoseconds_Type use prelude.UInt32 use prelude.Int type t_nanoseconds = | C_Nanoseconds uint32 end -module Std_Sys_Unix_Time_Timespec_Type - use Std_Sys_Unix_Time_Nanoseconds_Type as Std_Sys_Unix_Time_Nanoseconds_Type +module Std_Sys_Pal_Unix_Time_Timespec_Type + use Std_Sys_Pal_Unix_Time_Nanoseconds_Type as Std_Sys_Pal_Unix_Time_Nanoseconds_Type use prelude.Int64 use prelude.Int type t_timespec = - | C_Timespec int64 (Std_Sys_Unix_Time_Nanoseconds_Type.t_nanoseconds) + | C_Timespec int64 (Std_Sys_Pal_Unix_Time_Nanoseconds_Type.t_nanoseconds) end -module Std_Sys_Unix_Time_Inner_Instant_Type - use Std_Sys_Unix_Time_Timespec_Type as Std_Sys_Unix_Time_Timespec_Type +module Std_Sys_Pal_Unix_Time_Instant_Type + use Std_Sys_Pal_Unix_Time_Timespec_Type as Std_Sys_Pal_Unix_Time_Timespec_Type type t_instant = - | C_Instant (Std_Sys_Unix_Time_Timespec_Type.t_timespec) + | C_Instant (Std_Sys_Pal_Unix_Time_Timespec_Type.t_timespec) end module Std_Time_Instant_Type - use Std_Sys_Unix_Time_Inner_Instant_Type as Std_Sys_Unix_Time_Inner_Instant_Type + use Std_Sys_Pal_Unix_Time_Instant_Type as Std_Sys_Pal_Unix_Time_Instant_Type type t_instant = - | C_Instant (Std_Sys_Unix_Time_Inner_Instant_Type.t_instant) + | C_Instant (Std_Sys_Pal_Unix_Time_Instant_Type.t_instant) end module Core_Time_Nanoseconds_Type @@ -175,7 +175,7 @@ module Instant_TestInstant axiom inv1 : forall x : Core_Option_Option_Type.t_option (Std_Time_Instant_Type.t_instant) . inv1 x = true function cmp_log1 (self : int) (o : int) : Core_Cmp_Ordering_Type.t_ordering = - [#"../../../../creusot-contracts/src/logic/ord.rs" 137 12 146 17] if self < o then + [#"../../../../creusot-contracts/src/logic/ord.rs" 140 16 146 17] if self < o then Core_Cmp_Ordering_Type.C_Less else if self = o then Core_Cmp_Ordering_Type.C_Equal else Core_Cmp_Ordering_Type.C_Greater 
@@ -201,7 +201,9 @@ module Instant_TestInstant requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv4 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv4 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv4 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv4 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv4 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : Core_Option_Option_Type.t_option int) (y : Core_Option_Option_Type.t_option int) : () val antisym20 (x : Core_Option_Option_Type.t_option int) (y : Core_Option_Option_Type.t_option int) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -209,7 +211,10 @@ module Instant_TestInstant requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv4 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv4 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv4 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv4 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv4 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : Core_Option_Option_Type.t_option int) (y : Core_Option_Option_Type.t_option int) : () val antisym10 (x : Core_Option_Option_Type.t_option int) (y : Core_Option_Option_Type.t_option int) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -217,7 +222,10 @@ module Instant_TestInstant requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv4 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv4 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv4 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv4 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv4 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : Core_Option_Option_Type.t_option int) (y : Core_Option_Option_Type.t_option int) (z : Core_Option_Option_Type.t_option int) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : Core_Option_Option_Type.t_option int) (y : Core_Option_Option_Type.t_option int) (z : Core_Option_Option_Type.t_option int) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -228,13 +236,19 @@ module Instant_TestInstant requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv4 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int, z : Core_Option_Option_Type.t_option int, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv4 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv4 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv4 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int, z : Core_Option_Option_Type.t_option int, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv4 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv4 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv4 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : Core_Option_Option_Type.t_option int) : () val refl0 (x : Core_Option_Option_Type.t_option int) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv4 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : Core_Option_Option_Type.t_option int . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv4 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv4 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : Core_Option_Option_Type.t_option int) (o : Core_Option_Option_Type.t_option int) : bool = [#"../../../../creusot-contracts/src/logic/ord.rs" 41 20 41 56] cmp_log0 self o = Core_Cmp_Ordering_Type.C_Greater val gt_log0 (self : Core_Option_Option_Type.t_option int) (o : Core_Option_Option_Type.t_option int) : bool 
@@ -246,7 +260,9 @@ module Instant_TestInstant requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv4 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv4 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv4 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv4 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv4 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log1 (self : Core_Option_Option_Type.t_option int) (o : Core_Option_Option_Type.t_option int) : bool = [#"../../../../creusot-contracts/src/logic/ord.rs" 31 20 31 53] cmp_log0 self o <> Core_Cmp_Ordering_Type.C_Less val ge_log1 (self : Core_Option_Option_Type.t_option int) (o : Core_Option_Option_Type.t_option int) : bool 
@@ -258,7 +274,9 @@ module Instant_TestInstant requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv4 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv4 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv4 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log1 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv4 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv4 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log1 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : Core_Option_Option_Type.t_option int) (o : Core_Option_Option_Type.t_option int) : bool = [#"../../../../creusot-contracts/src/logic/ord.rs" 21 20 21 53] cmp_log0 self o = Core_Cmp_Ordering_Type.C_Less val lt_log0 (self : Core_Option_Option_Type.t_option int) (o : Core_Option_Option_Type.t_option int) : bool 
@@ -270,7 +288,9 @@ module Instant_TestInstant requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv4 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv4 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv4 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv4 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv4 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : Core_Option_Option_Type.t_option int) (o : Core_Option_Option_Type.t_option int) : bool = [#"../../../../creusot-contracts/src/logic/ord.rs" 11 20 11 56] cmp_log0 self o <> Core_Cmp_Ordering_Type.C_Greater val le_log0 (self : Core_Option_Option_Type.t_option int) (o : Core_Option_Option_Type.t_option int) : bool 
@@ -282,7 +302,9 @@ module Instant_TestInstant requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv4 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv4 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv4 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : Core_Option_Option_Type.t_option int, y : Core_Option_Option_Type.t_option int . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv4 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv4 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant0 (self : Core_Time_Duration_Type.t_duration) = [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant0 (self : Core_Time_Duration_Type.t_duration) : bool 
@@ -318,8 +340,10 @@ module Instant_TestInstant ensures { result = shallow_model3 self } val saturating_duration_since0 (self : Std_Time_Instant_Type.t_instant) (earlier : Std_Time_Instant_Type.t_instant) : Core_Time_Duration_Type.t_duration - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 157 16 157 60] shallow_model3 self > shallow_model0 earlier -> shallow_model1 result > 0 } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 158 16 158 62] shallow_model3 self <= shallow_model0 earlier -> shallow_model1 result = 0 } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 157 16 157 60] shallow_model3 self > shallow_model0 earlier + -> shallow_model1 result > 0 } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 158 16 158 62] shallow_model3 self <= shallow_model0 earlier + -> shallow_model1 result = 0 } val is_none0 (self : Core_Option_Option_Type.t_option (Core_Time_Duration_Type.t_duration)) : bool requires {inv3 self} 
@@ -330,12 +354,16 @@ module Instant_TestInstant ensures { [#"../../../../creusot-contracts/src/std/option.rs" 33 26 33 51] result = (self <> Core_Option_Option_Type.C_None) } val checked_duration_since0 (self : Std_Time_Instant_Type.t_instant) (earlier : Std_Time_Instant_Type.t_instant) : Core_Option_Option_Type.t_option (Core_Time_Duration_Type.t_duration) - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 153 16 153 64] shallow_model3 self >= shallow_model0 earlier -> result <> Core_Option_Option_Type.C_None } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 154 16 154 63] shallow_model3 self < shallow_model0 earlier -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 153 16 153 64] shallow_model3 self >= shallow_model0 earlier + -> result <> Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 154 16 154 63] shallow_model3 self < shallow_model0 earlier + -> result = Core_Option_Option_Type.C_None } val duration_since0 (self : Std_Time_Instant_Type.t_instant) (earlier : Std_Time_Instant_Type.t_instant) : Core_Time_Duration_Type.t_duration - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 149 16 149 60] shallow_model3 self > shallow_model0 earlier -> shallow_model1 result > 0 } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 150 16 150 62] shallow_model3 self <= shallow_model0 earlier -> shallow_model1 result = 0 } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 149 16 149 60] shallow_model3 self > shallow_model0 earlier + -> shallow_model1 result > 0 } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 150 16 150 62] shallow_model3 self <= shallow_model0 earlier + -> shallow_model1 result = 0 } use int.Int function deep_model3 (self : Core_Time_Duration_Type.t_duration) : int 
@@ -357,12 +385,16 @@ module Instant_TestInstant ensures { [#"../../../../creusot-contracts/src/std/cmp.rs" 11 26 11 75] result = (deep_model0 self = deep_model0 other) } val sub1 (self : Std_Time_Instant_Type.t_instant) (other : Std_Time_Instant_Type.t_instant) : Core_Time_Duration_Type.t_duration - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 199 8 199 50] shallow_model0 self > shallow_model0 other -> shallow_model1 result > 0 } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 200 8 200 52] shallow_model0 self <= shallow_model0 other -> shallow_model1 result = 0 } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 199 8 199 50] shallow_model0 self > shallow_model0 other + -> shallow_model1 result > 0 } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 200 8 200 52] shallow_model0 self <= shallow_model0 other + -> shallow_model1 result = 0 } val sub0 (self : Std_Time_Instant_Type.t_instant) (other : Core_Time_Duration_Type.t_duration) : Std_Time_Instant_Type.t_instant - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 193 8 193 50] shallow_model1 other = 0 -> shallow_model0 self = shallow_model0 result } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 194 8 194 48] shallow_model1 other > 0 -> shallow_model0 self > shallow_model0 result } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 193 8 193 50] shallow_model1 other = 0 + -> shallow_model0 self = shallow_model0 result } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 194 8 194 48] shallow_model1 other > 0 + -> shallow_model0 self > shallow_model0 result } function deep_model4 (self : Std_Time_Instant_Type.t_instant) : int val deep_model4 (self : Std_Time_Instant_Type.t_instant) : int 
@@ -380,12 +412,16 @@ module Instant_TestInstant ensures { result = deep_model1 self } val checked_sub0 (self : Std_Time_Instant_Type.t_instant) (duration : Core_Time_Duration_Type.t_duration) : Core_Option_Option_Type.t_option (Std_Time_Instant_Type.t_instant) - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 165 16 165 81] shallow_model1 duration = 0 -> deep_model1 result = Core_Option_Option_Type.C_Some (shallow_model3 self) } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 166 16 166 97] shallow_model1 duration > 0 /\ result <> Core_Option_Option_Type.C_None -> gt_log0 (Core_Option_Option_Type.C_Some (shallow_model3 self)) (deep_model1 result) } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 165 16 165 81] shallow_model1 duration = 0 + -> deep_model1 result = Core_Option_Option_Type.C_Some (shallow_model3 self) } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 166 16 166 97] shallow_model1 duration > 0 /\ result <> Core_Option_Option_Type.C_None + -> gt_log0 (Core_Option_Option_Type.C_Some (shallow_model3 self)) (deep_model1 result) } val add0 (self : Std_Time_Instant_Type.t_instant) (other : Core_Time_Duration_Type.t_duration) : Std_Time_Instant_Type.t_instant - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 187 8 187 50] shallow_model1 other = 0 -> shallow_model0 self = shallow_model0 result } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 188 8 188 48] shallow_model1 other > 0 -> shallow_model0 self < shallow_model0 result } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 187 8 187 50] shallow_model1 other = 0 + -> shallow_model0 self = shallow_model0 result } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 188 8 188 48] shallow_model1 other > 0 + -> shallow_model0 self < shallow_model0 result } function deep_model2 (self : Std_Time_Instant_Type.t_instant) : int = [#"../../../../creusot-contracts/src/model.rs" 70 8 70 28] deep_model4 self 
@@ -402,8 +438,10 @@ module Instant_TestInstant ensures { inv2 result } val checked_add0 (self : Std_Time_Instant_Type.t_instant) (duration : Core_Time_Duration_Type.t_duration) : Core_Option_Option_Type.t_option (Std_Time_Instant_Type.t_instant) - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 161 16 161 81] shallow_model1 duration = 0 -> deep_model1 result = Core_Option_Option_Type.C_Some (shallow_model3 self) } - ensures { [#"../../../../creusot-contracts/src/std/time.rs" 162 16 162 97] shallow_model1 duration > 0 /\ result <> Core_Option_Option_Type.C_None -> lt_log0 (Core_Option_Option_Type.C_Some (shallow_model3 self)) (deep_model1 result) } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 161 16 161 81] shallow_model1 duration = 0 + -> deep_model1 result = Core_Option_Option_Type.C_Some (shallow_model3 self) } + ensures { [#"../../../../creusot-contracts/src/std/time.rs" 162 16 162 97] shallow_model1 duration > 0 /\ result <> Core_Option_Option_Type.C_None + -> lt_log0 (Core_Option_Option_Type.C_Some (shallow_model3 self)) (deep_model1 result) } use int.Int val ge0 (self : Core_Time_Duration_Type.t_duration) (other : Core_Time_Duration_Type.t_duration) : bool 
@@ -463,19 +501,19 @@ module Instant_TestInstant goto BB0 } BB0 { - [#"../instant.rs" 8 18 8 32] instant <- ([#"../instant.rs" 8 18 8 32] now0 ()); + [#"../instant.rs" 8 18 8 32] instant <- ([#"../instant.rs" 8 18 8 32] now0 ([#"../instant.rs" 8 18 8 32] ())); goto BB1 } BB1 { - [#"../instant.rs" 9 19 9 41] zero_dur <- ([#"../instant.rs" 9 19 9 41] from_secs0 ([#"../instant.rs" 9 39 9 40] [#"../instant.rs" 9 39 9 40] (0 : uint64))); + [#"../instant.rs" 9 19 9 41] zero_dur <- ([#"../instant.rs" 9 19 9 41] from_secs0 ([#"../instant.rs" 9 39 9 40] (0 : uint64))); goto BB2 } BB2 { - [#"../instant.rs" 10 12 10 29] _6 <- ([#"../instant.rs" 10 12 10 29] elapsed0 ([#"../instant.rs" 10 12 10 19] instant)); + [#"../instant.rs" 10 12 10 29] _6 <- ([#"../instant.rs" 10 12 10 29] elapsed0 instant); goto BB3 } BB3 { - [#"../instant.rs" 10 12 10 41] _4 <- ([#"../instant.rs" 10 12 10 41] ge0 ([#"../instant.rs" 10 12 10 29] _6) ([#"../instant.rs" 10 33 10 41] zero_dur)); + [#"../instant.rs" 10 12 10 41] _4 <- ([#"../instant.rs" 10 12 10 41] ge0 _6 zero_dur); goto BB4 } BB4 { @@ -485,7 +523,7 @@ module Instant_TestInstant end } BB5 { - [#"../instant.rs" 12 12 12 41] _14 <- ([#"../instant.rs" 12 12 12 41] checked_add0 ([#"../instant.rs" 12 12 12 19] instant) ([#"../instant.rs" 12 32 12 40] zero_dur)); + [#"../instant.rs" 12 12 12 41] _14 <- ([#"../instant.rs" 12 12 12 41] checked_add0 instant zero_dur); goto BB7 } BB6 { @@ -498,7 +536,7 @@ module Instant_TestInstant goto BB8 } BB8 { - [#"../instant.rs" 12 12 12 61] _11 <- ([#"../instant.rs" 12 12 12 61] eq0 ([#"../instant.rs" 12 12 12 50] _13) ([#"../instant.rs" 12 54 12 61] instant)); + [#"../instant.rs" 12 12 12 61] _11 <- ([#"../instant.rs" 12 12 12 61] eq0 _13 instant); goto BB9 } BB9 { 
@@ -508,7 +546,7 @@ module Instant_TestInstant end } BB10 { - [#"../instant.rs" 13 12 13 30] _22 <- ([#"../instant.rs" 13 12 13 30] add0 ([#"../instant.rs" 13 12 13 19] instant) ([#"../instant.rs" 13 22 13 30] zero_dur)); + [#"../instant.rs" 13 12 13 30] _22 <- ([#"../instant.rs" 13 12 13 30] add0 instant zero_dur); goto BB12 } BB11 { @@ -516,7 +554,7 @@ module Instant_TestInstant absurd } BB12 { - [#"../instant.rs" 13 12 13 41] _20 <- ([#"../instant.rs" 13 12 13 41] eq0 ([#"../instant.rs" 13 12 13 30] _22) ([#"../instant.rs" 13 34 13 41] instant)); + [#"../instant.rs" 13 12 13 41] _20 <- ([#"../instant.rs" 13 12 13 41] eq0 _22 instant); goto BB13 } BB13 { @@ -526,7 +564,7 @@ module Instant_TestInstant end } BB14 { - [#"../instant.rs" 14 24 14 46] three_seconds <- ([#"../instant.rs" 14 24 14 46] from_secs0 ([#"../instant.rs" 14 44 14 45] [#"../instant.rs" 14 44 14 45] (3 : uint64))); + [#"../instant.rs" 14 24 14 46] three_seconds <- ([#"../instant.rs" 14 24 14 46] from_secs0 ([#"../instant.rs" 14 44 14 45] (3 : uint64))); goto BB16 } BB15 { 
@@ -534,17 +572,17 @@ module Instant_TestInstant absurd } BB16 { - [#"../instant.rs" 15 26 15 49] greater_instant <- ([#"../instant.rs" 15 26 15 49] add0 ([#"../instant.rs" 15 26 15 33] instant) ([#"../instant.rs" 15 36 15 49] three_seconds)); + [#"../instant.rs" 15 26 15 49] greater_instant <- ([#"../instant.rs" 15 26 15 49] add0 instant three_seconds); goto BB17 } BB17 { assert { [@expl:assertion] [#"../instant.rs" 16 18 16 45] shallow_model0 instant < shallow_model0 greater_instant }; - [#"../instant.rs" 17 31 17 62] even_greater_instant <- ([#"../instant.rs" 17 31 17 62] add0 ([#"../instant.rs" 17 31 17 46] greater_instant) ([#"../instant.rs" 17 49 17 62] three_seconds)); + [#"../instant.rs" 17 31 17 62] even_greater_instant <- ([#"../instant.rs" 17 31 17 62] add0 greater_instant three_seconds); goto BB18 } BB18 { assert { [@expl:assertion] [#"../instant.rs" 18 18 18 50] shallow_model0 instant < shallow_model0 even_greater_instant }; - [#"../instant.rs" 20 12 20 41] _42 <- ([#"../instant.rs" 20 12 20 41] checked_sub0 ([#"../instant.rs" 20 12 20 19] instant) ([#"../instant.rs" 20 32 20 40] zero_dur)); + [#"../instant.rs" 20 12 20 41] _42 <- ([#"../instant.rs" 20 12 20 41] checked_sub0 instant zero_dur); goto BB19 } BB19 { @@ -553,7 +591,7 @@ module Instant_TestInstant goto BB20 } BB20 { - [#"../instant.rs" 20 12 20 61] _39 <- ([#"../instant.rs" 20 12 20 61] eq0 ([#"../instant.rs" 20 12 20 50] _41) ([#"../instant.rs" 20 54 20 61] instant)); + [#"../instant.rs" 20 12 20 61] _39 <- ([#"../instant.rs" 20 12 20 61] eq0 _41 instant); goto BB21 } BB21 { @@ -563,7 +601,7 @@ module Instant_TestInstant end } BB22 { - [#"../instant.rs" 21 12 21 30] _50 <- ([#"../instant.rs" 21 12 21 30] sub0 ([#"../instant.rs" 21 12 21 19] instant) ([#"../instant.rs" 21 22 21 30] zero_dur)); + [#"../instant.rs" 21 12 21 30] _50 <- ([#"../instant.rs" 21 12 21 30] sub0 instant zero_dur); goto BB24 } BB23 { 
@@ -571,7 +609,7 @@ module Instant_TestInstant absurd } BB24 { - [#"../instant.rs" 21 12 21 41] _48 <- ([#"../instant.rs" 21 12 21 41] eq0 ([#"../instant.rs" 21 12 21 30] _50) ([#"../instant.rs" 21 34 21 41] instant)); + [#"../instant.rs" 21 12 21 41] _48 <- ([#"../instant.rs" 21 12 21 41] eq0 _50 instant); goto BB25 } BB25 { @@ -581,7 +619,7 @@ module Instant_TestInstant end } BB26 { - [#"../instant.rs" 22 25 22 48] lesser_instant <- ([#"../instant.rs" 22 25 22 48] sub0 ([#"../instant.rs" 22 25 22 32] instant) ([#"../instant.rs" 22 35 22 48] three_seconds)); + [#"../instant.rs" 22 25 22 48] lesser_instant <- ([#"../instant.rs" 22 25 22 48] sub0 instant three_seconds); goto BB28 } BB27 { @@ -590,11 +628,11 @@ module Instant_TestInstant } BB28 { assert { [@expl:assertion] [#"../instant.rs" 23 18 23 44] shallow_model0 instant > shallow_model0 lesser_instant }; - [#"../instant.rs" 24 12 24 29] _63 <- ([#"../instant.rs" 24 12 24 29] sub1 ([#"../instant.rs" 24 12 24 19] instant) ([#"../instant.rs" 24 22 24 29] instant)); + [#"../instant.rs" 24 12 24 29] _63 <- ([#"../instant.rs" 24 12 24 29] sub1 instant instant); goto BB29 } BB29 { - [#"../instant.rs" 24 12 24 41] _61 <- ([#"../instant.rs" 24 12 24 41] eq1 ([#"../instant.rs" 24 12 24 29] _63) ([#"../instant.rs" 24 33 24 41] zero_dur)); + [#"../instant.rs" 24 12 24 41] _61 <- ([#"../instant.rs" 24 12 24 41] eq1 _63 zero_dur); goto BB30 } BB30 { @@ -604,7 +642,7 @@ module Instant_TestInstant end } BB31 { - [#"../instant.rs" 25 12 25 37] _71 <- ([#"../instant.rs" 25 12 25 37] sub1 ([#"../instant.rs" 25 12 25 19] instant) ([#"../instant.rs" 25 22 25 37] greater_instant)); + [#"../instant.rs" 25 12 25 37] _71 <- ([#"../instant.rs" 25 12 25 37] sub1 instant greater_instant); goto BB33 } BB32 { 
@@ -612,7 +650,7 @@ module Instant_TestInstant absurd } BB33 { - [#"../instant.rs" 25 12 25 49] _69 <- ([#"../instant.rs" 25 12 25 49] eq1 ([#"../instant.rs" 25 12 25 37] _71) ([#"../instant.rs" 25 41 25 49] zero_dur)); + [#"../instant.rs" 25 12 25 49] _69 <- ([#"../instant.rs" 25 12 25 49] eq1 _71 zero_dur); goto BB34 } BB34 { @@ -622,7 +660,7 @@ module Instant_TestInstant end } BB35 { - [#"../instant.rs" 26 12 26 37] _79 <- ([#"../instant.rs" 26 12 26 37] sub1 ([#"../instant.rs" 26 12 26 27] greater_instant) ([#"../instant.rs" 26 30 26 37] instant)); + [#"../instant.rs" 26 12 26 37] _79 <- ([#"../instant.rs" 26 12 26 37] sub1 greater_instant instant); goto BB37 } BB36 { @@ -630,7 +668,7 @@ module Instant_TestInstant absurd } BB37 { - [#"../instant.rs" 26 12 26 48] _77 <- ([#"../instant.rs" 26 12 26 48] gt0 ([#"../instant.rs" 26 12 26 37] _79) ([#"../instant.rs" 26 40 26 48] zero_dur)); + [#"../instant.rs" 26 12 26 48] _77 <- ([#"../instant.rs" 26 12 26 48] gt0 _79 zero_dur); goto BB38 } BB38 { @@ -640,7 +678,7 @@ module Instant_TestInstant end } BB39 { - [#"../instant.rs" 28 12 28 51] _87 <- ([#"../instant.rs" 28 12 28 51] duration_since0 ([#"../instant.rs" 28 12 28 27] greater_instant) ([#"../instant.rs" 28 43 28 50] instant)); + [#"../instant.rs" 28 12 28 51] _87 <- ([#"../instant.rs" 28 12 28 51] duration_since0 greater_instant instant); goto BB41 } BB40 { @@ -648,7 +686,7 @@ module Instant_TestInstant absurd } BB41 { - [#"../instant.rs" 28 12 28 62] _85 <- ([#"../instant.rs" 28 12 28 62] gt0 ([#"../instant.rs" 28 12 28 51] _87) ([#"../instant.rs" 28 54 28 62] zero_dur)); + [#"../instant.rs" 28 12 28 62] _85 <- ([#"../instant.rs" 28 12 28 62] gt0 _87 zero_dur); goto BB42 } BB42 { 
@@ -658,7 +696,7 @@ module Instant_TestInstant end } BB43 { - [#"../instant.rs" 29 12 29 51] _95 <- ([#"../instant.rs" 29 12 29 51] duration_since0 ([#"../instant.rs" 29 12 29 19] instant) ([#"../instant.rs" 29 35 29 50] greater_instant)); + [#"../instant.rs" 29 12 29 51] _95 <- ([#"../instant.rs" 29 12 29 51] duration_since0 instant greater_instant); goto BB45 } BB44 { @@ -666,7 +704,7 @@ module Instant_TestInstant absurd } BB45 { - [#"../instant.rs" 29 12 29 63] _93 <- ([#"../instant.rs" 29 12 29 63] eq1 ([#"../instant.rs" 29 12 29 51] _95) ([#"../instant.rs" 29 55 29 63] zero_dur)); + [#"../instant.rs" 29 12 29 63] _93 <- ([#"../instant.rs" 29 12 29 63] eq1 _95 zero_dur); goto BB46 } BB46 { @@ -676,7 +714,7 @@ module Instant_TestInstant end } BB47 { - [#"../instant.rs" 30 12 30 59] _103 <- ([#"../instant.rs" 30 12 30 59] checked_duration_since0 ([#"../instant.rs" 30 12 30 27] greater_instant) ([#"../instant.rs" 30 51 30 58] instant)); + [#"../instant.rs" 30 12 30 59] _103 <- ([#"../instant.rs" 30 12 30 59] checked_duration_since0 greater_instant instant); goto BB49 } BB48 { @@ -684,7 +722,7 @@ module Instant_TestInstant absurd } BB49 { - [#"../instant.rs" 30 12 30 69] _101 <- ([#"../instant.rs" 30 12 30 69] is_some0 ([#"../instant.rs" 30 12 30 59] _103)); + [#"../instant.rs" 30 12 30 69] _101 <- ([#"../instant.rs" 30 12 30 69] is_some0 _103); goto BB50 } BB50 { @@ -694,7 +732,7 @@ module Instant_TestInstant end } BB51 { - [#"../instant.rs" 31 12 31 59] _110 <- ([#"../instant.rs" 31 12 31 59] checked_duration_since0 ([#"../instant.rs" 31 12 31 19] instant) ([#"../instant.rs" 31 43 31 58] greater_instant)); + [#"../instant.rs" 31 12 31 59] _110 <- ([#"../instant.rs" 31 12 31 59] checked_duration_since0 instant greater_instant); goto BB53 } BB52 { 
@@ -702,7 +740,7 @@ module Instant_TestInstant absurd } BB53 { - [#"../instant.rs" 31 12 31 69] _108 <- ([#"../instant.rs" 31 12 31 69] is_none0 ([#"../instant.rs" 31 12 31 59] _110)); + [#"../instant.rs" 31 12 31 69] _108 <- ([#"../instant.rs" 31 12 31 69] is_none0 _110); goto BB54 } BB54 { @@ -712,7 +750,7 @@ module Instant_TestInstant end } BB55 { - [#"../instant.rs" 32 12 32 62] _117 <- ([#"../instant.rs" 32 12 32 62] saturating_duration_since0 ([#"../instant.rs" 32 12 32 27] greater_instant) ([#"../instant.rs" 32 54 32 61] instant)); + [#"../instant.rs" 32 12 32 62] _117 <- ([#"../instant.rs" 32 12 32 62] saturating_duration_since0 greater_instant instant); goto BB57 } BB56 { @@ -720,7 +758,7 @@ module Instant_TestInstant absurd } BB57 { - [#"../instant.rs" 32 12 32 73] _115 <- ([#"../instant.rs" 32 12 32 73] gt0 ([#"../instant.rs" 32 12 32 62] _117) ([#"../instant.rs" 32 65 32 73] zero_dur)); + [#"../instant.rs" 32 12 32 73] _115 <- ([#"../instant.rs" 32 12 32 73] gt0 _117 zero_dur); goto BB58 } BB58 { @@ -730,7 +768,7 @@ module Instant_TestInstant end } BB59 { - [#"../instant.rs" 33 12 33 62] _125 <- ([#"../instant.rs" 33 12 33 62] saturating_duration_since0 ([#"../instant.rs" 33 12 33 19] instant) ([#"../instant.rs" 33 46 33 61] greater_instant)); + [#"../instant.rs" 33 12 33 62] _125 <- ([#"../instant.rs" 33 12 33 62] saturating_duration_since0 instant greater_instant); goto BB61 } BB60 { @@ -738,7 +776,7 @@ module Instant_TestInstant absurd } BB61 { - [#"../instant.rs" 33 12 33 74] _123 <- ([#"../instant.rs" 33 12 33 74] eq1 ([#"../instant.rs" 33 12 33 62] _125) ([#"../instant.rs" 33 66 33 74] zero_dur)); + [#"../instant.rs" 33 12 33 74] _123 <- ([#"../instant.rs" 33 12 33 74] eq1 _125 zero_dur); goto BB62 } BB62 { diff --git a/creusot/tests/should_succeed/invariant_moves.mlcfg b/creusot/tests/should_succeed/invariant_moves.mlcfg index 4b6f20b1c2..6405a8f76c 100644 --- a/creusot/tests/should_succeed/invariant_moves.mlcfg 
+++ b/creusot/tests/should_succeed/invariant_moves.mlcfg @@ -17,12 +17,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type @@ -74,7 +80,8 @@ module InvariantMoves_TestInvariantMove requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv3 (shallow_model0 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -117,7 +124,8 @@ module InvariantMoves_TestInvariantMove ensures { result = index_logic0 self ix } predicate resolve1 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve2 (index_logic0 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve2 (index_logic0 self i) val resolve1 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve1 self } diff --git a/creusot/tests/should_succeed/ite_normalize.mlcfg b/creusot/tests/should_succeed/ite_normalize.mlcfg index 81d375ffcb..72520abe1f 100644 --- a/creusot/tests/should_succeed/ite_normalize.mlcfg +++ b/creusot/tests/should_succeed/ite_normalize.mlcfg @@ -153,7 +153,7 @@ module IteNormalize_Impl6_Clone goto BB15 } BB4 { - [#"../ite_normalize.rs" 56 9 60 9] _0 <- ([#"../ite_normalize.rs" 56 9 60 9] IteNormalize_Expr_Type.C_False); + [#"../ite_normalize.rs" 56 9 60 9] _0 <- IteNormalize_Expr_Type.C_False; goto BB16 } BB5 { 
@@ -161,25 +161,25 @@ module IteNormalize_Impl6_Clone absurd } BB6 { - [#"../ite_normalize.rs" 57 17 57 18] c_1 <- ([#"../ite_normalize.rs" 57 17 57 18] IteNormalize_Expr_Type.ifthenelse_c self); - [#"../ite_normalize.rs" 57 31 57 32] t_1 <- ([#"../ite_normalize.rs" 57 31 57 32] IteNormalize_Expr_Type.ifthenelse_t self); - [#"../ite_normalize.rs" 57 45 57 46] e_1 <- ([#"../ite_normalize.rs" 57 45 57 46] IteNormalize_Expr_Type.ifthenelse_e self); - [#"../ite_normalize.rs" 55 9 55 14] _9 <- ([#"../ite_normalize.rs" 55 9 55 14] c_1); - [#"../ite_normalize.rs" 55 9 55 14] _7 <- ([#"../ite_normalize.rs" 55 9 55 14] clone0 ([#"../ite_normalize.rs" 55 9 55 14] _9)); + [#"../ite_normalize.rs" 57 17 57 18] c_1 <- IteNormalize_Expr_Type.ifthenelse_c self; + [#"../ite_normalize.rs" 57 31 57 32] t_1 <- IteNormalize_Expr_Type.ifthenelse_t self; + [#"../ite_normalize.rs" 57 45 57 46] e_1 <- IteNormalize_Expr_Type.ifthenelse_e self; + [#"../ite_normalize.rs" 55 9 55 14] _9 <- c_1; + [#"../ite_normalize.rs" 55 9 55 14] _7 <- ([#"../ite_normalize.rs" 55 9 55 14] clone0 _9); goto BB7 } BB7 { - [#"../ite_normalize.rs" 55 9 55 14] _12 <- ([#"../ite_normalize.rs" 55 9 55 14] t_1); - [#"../ite_normalize.rs" 55 9 55 14] _10 <- ([#"../ite_normalize.rs" 55 9 55 14] clone0 ([#"../ite_normalize.rs" 55 9 55 14] _12)); + [#"../ite_normalize.rs" 55 9 55 14] _12 <- t_1; + [#"../ite_normalize.rs" 55 9 55 14] _10 <- ([#"../ite_normalize.rs" 55 9 55 14] clone0 _12); goto BB8 } BB8 { - [#"../ite_normalize.rs" 55 9 55 14] _15 <- ([#"../ite_normalize.rs" 55 9 55 14] e_1); - [#"../ite_normalize.rs" 55 9 55 14] _13 <- ([#"../ite_normalize.rs" 55 9 55 14] clone0 ([#"../ite_normalize.rs" 55 9 55 14] _15)); + [#"../ite_normalize.rs" 55 9 55 14] _15 <- e_1; + [#"../ite_normalize.rs" 55 9 55 14] _13 <- ([#"../ite_normalize.rs" 55 9 55 14] clone0 _15); goto BB9 } BB9 { - [#"../ite_normalize.rs" 55 9 55 14] _0 <- ([#"../ite_normalize.rs" 55 9 55 14] IteNormalize_Expr_Type.C_IfThenElse _7 _10 _13); + 
[#"../ite_normalize.rs" 55 9 55 14] _0 <- IteNormalize_Expr_Type.C_IfThenElse _7 _10 _13; _7 <- any IteNormalize_Expr_Type.t_expr; _10 <- any IteNormalize_Expr_Type.t_expr; _13 <- any IteNormalize_Expr_Type.t_expr; @@ -195,18 +195,18 @@ module IteNormalize_Impl6_Clone goto BB16 } BB13 { - [#"../ite_normalize.rs" 58 10 58 11] v_1 <- ([#"../ite_normalize.rs" 58 10 58 11] IteNormalize_Expr_Type.var_v self); - [#"../ite_normalize.rs" 55 9 55 14] _19 <- ([#"../ite_normalize.rs" 55 9 55 14] v_1); - [#"../ite_normalize.rs" 55 9 55 14] _17 <- ([#"../ite_normalize.rs" 55 9 55 14] clone1 ([#"../ite_normalize.rs" 55 9 55 14] _19)); + [#"../ite_normalize.rs" 58 10 58 11] v_1 <- IteNormalize_Expr_Type.var_v self; + [#"../ite_normalize.rs" 55 9 55 14] _19 <- v_1; + [#"../ite_normalize.rs" 55 9 55 14] _17 <- ([#"../ite_normalize.rs" 55 9 55 14] clone1 _19); goto BB14 } BB14 { - [#"../ite_normalize.rs" 55 9 55 14] _0 <- ([#"../ite_normalize.rs" 55 9 55 14] IteNormalize_Expr_Type.C_Var _17); + [#"../ite_normalize.rs" 55 9 55 14] _0 <- IteNormalize_Expr_Type.C_Var _17; _17 <- any usize; goto BB16 } BB15 { - [#"../ite_normalize.rs" 56 9 59 8] _0 <- ([#"../ite_normalize.rs" 56 9 59 8] IteNormalize_Expr_Type.C_True); + [#"../ite_normalize.rs" 56 9 59 8] _0 <- IteNormalize_Expr_Type.C_True; goto BB16 } BB16 { @@ -230,7 +230,7 @@ module IteNormalize_Impl5_Variable goto BB0 } BB0 { - [#"../ite_normalize.rs" 102 8 102 23] _0 <- ([#"../ite_normalize.rs" 102 8 102 23] IteNormalize_Expr_Type.C_Var ([#"../ite_normalize.rs" 102 20 102 21] v)); + [#"../ite_normalize.rs" 102 8 102 23] _0 <- IteNormalize_Expr_Type.C_Var v; return _0 } @@ -249,7 +249,7 @@ module IteNormalize_Impl3_From goto BB0 } BB0 { - [#"../ite_normalize.rs" 81 8 81 25] _0 <- ([#"../ite_normalize.rs" 81 8 81 25] variable0 ([#"../ite_normalize.rs" 81 23 81 24] a)); + [#"../ite_normalize.rs" 81 8 81 25] _0 <- ([#"../ite_normalize.rs" 81 8 81 25] variable0 a); goto BB1 } BB1 { 
@@ -268,17 +268,17 @@ module IteNormalize_Impl4_From goto BB0 } BB0 { - switch ([#"../ite_normalize.rs" 87 11 87 12] b) + switch (b) | False -> goto BB2 | True -> goto BB1 end } BB1 { - [#"../ite_normalize.rs" 88 12 88 22] _0 <- ([#"../ite_normalize.rs" 88 12 88 22] IteNormalize_Expr_Type.C_True); + [#"../ite_normalize.rs" 88 12 88 22] _0 <- IteNormalize_Expr_Type.C_True; goto BB3 } BB2 { - [#"../ite_normalize.rs" 90 12 90 23] _0 <- ([#"../ite_normalize.rs" 90 12 90 23] IteNormalize_Expr_Type.C_False); + [#"../ite_normalize.rs" 90 12 90 23] _0 <- IteNormalize_Expr_Type.C_False; goto BB3 } BB3 { @@ -312,10 +312,10 @@ module IteNormalize_Impl5_Ite goto BB4 } BB4 { - [#"../ite_normalize.rs" 98 8 98 75] _0 <- ([#"../ite_normalize.rs" 98 8 98 75] IteNormalize_Expr_Type.C_IfThenElse ([#"../ite_normalize.rs" 98 39 98 40] c) ([#"../ite_normalize.rs" 98 55 98 56] t) ([#"../ite_normalize.rs" 98 71 98 72] e)); - [#"../ite_normalize.rs" 98 39 98 40] c <- any IteNormalize_Expr_Type.t_expr; - [#"../ite_normalize.rs" 98 55 98 56] t <- any IteNormalize_Expr_Type.t_expr; - [#"../ite_normalize.rs" 98 71 98 72] e <- any IteNormalize_Expr_Type.t_expr; + [#"../ite_normalize.rs" 98 8 98 75] _0 <- IteNormalize_Expr_Type.C_IfThenElse c t e; + c <- any IteNormalize_Expr_Type.t_expr; + t <- any IteNormalize_Expr_Type.t_expr; + e <- any IteNormalize_Expr_Type.t_expr; goto BB5 } BB5 { @@ -419,8 +419,8 @@ module IteNormalize_Impl5_Transpose goto BB30 } BB8 { - [#"../ite_normalize.rs" 121 27 121 28] _0 <- ([#"../ite_normalize.rs" 121 27 121 28] b); - [#"../ite_normalize.rs" 121 27 121 28] b <- any IteNormalize_Expr_Type.t_expr; + [#"../ite_normalize.rs" 121 27 121 28] _0 <- b; + b <- any IteNormalize_Expr_Type.t_expr; goto BB31 } BB9 { 
@@ -428,23 +428,23 @@ module IteNormalize_Impl5_Transpose absurd } BB10 { - [#"../ite_normalize.rs" 112 31 112 32] c <- ([#"../ite_normalize.rs" 112 31 112 32] IteNormalize_Expr_Type.ifthenelse_c self); - [#"../ite_normalize.rs" 112 31 112 32] self <- (let IteNormalize_Expr_Type.C_IfThenElse x0 x1 x2 = self in IteNormalize_Expr_Type.C_IfThenElse (any IteNormalize_Expr_Type.t_expr) x1 x2); - [#"../ite_normalize.rs" 112 34 112 35] t <- ([#"../ite_normalize.rs" 112 34 112 35] IteNormalize_Expr_Type.ifthenelse_t self); - [#"../ite_normalize.rs" 112 34 112 35] self <- (let IteNormalize_Expr_Type.C_IfThenElse x0 x1 x2 = self in IteNormalize_Expr_Type.C_IfThenElse x0 (any IteNormalize_Expr_Type.t_expr) x2); - [#"../ite_normalize.rs" 112 37 112 38] e <- ([#"../ite_normalize.rs" 112 37 112 38] IteNormalize_Expr_Type.ifthenelse_e self); - [#"../ite_normalize.rs" 112 37 112 38] self <- (let IteNormalize_Expr_Type.C_IfThenElse x0 x1 x2 = self in IteNormalize_Expr_Type.C_IfThenElse x0 x1 (any IteNormalize_Expr_Type.t_expr)); + [#"../ite_normalize.rs" 112 31 112 32] c <- IteNormalize_Expr_Type.ifthenelse_c self; + self <- (let IteNormalize_Expr_Type.C_IfThenElse x0 x1 x2 = self in IteNormalize_Expr_Type.C_IfThenElse (any IteNormalize_Expr_Type.t_expr) x1 x2); + [#"../ite_normalize.rs" 112 34 112 35] t <- IteNormalize_Expr_Type.ifthenelse_t self; + self <- (let IteNormalize_Expr_Type.C_IfThenElse x0 x1 x2 = self in IteNormalize_Expr_Type.C_IfThenElse x0 (any IteNormalize_Expr_Type.t_expr) x2); + [#"../ite_normalize.rs" 112 37 112 38] e <- IteNormalize_Expr_Type.ifthenelse_e self; + self <- (let IteNormalize_Expr_Type.C_IfThenElse x0 x1 x2 = self in IteNormalize_Expr_Type.C_IfThenElse x0 x1 (any IteNormalize_Expr_Type.t_expr)); assume { resolve0 t }; - [#"../ite_normalize.rs" 114 40 114 49] _17 <- ([#"../ite_normalize.rs" 114 40 114 49] clone0 ([#"../ite_normalize.rs" 114 40 114 41] a)); + [#"../ite_normalize.rs" 114 40 114 49] _17 <- ([#"../ite_normalize.rs" 114 40 114 49] clone0 
a); goto BB11 } BB11 { - [#"../ite_normalize.rs" 114 51 114 60] _19 <- ([#"../ite_normalize.rs" 114 51 114 60] clone0 ([#"../ite_normalize.rs" 114 51 114 52] b)); + [#"../ite_normalize.rs" 114 51 114 60] _19 <- ([#"../ite_normalize.rs" 114 51 114 60] clone0 b); goto BB12 } BB12 { - [#"../ite_normalize.rs" 114 28 114 61] _15 <- ([#"../ite_normalize.rs" 114 28 114 61] transpose ([#"../ite_normalize.rs" 114 28 114 29] t) _17 _19); - [#"../ite_normalize.rs" 114 28 114 29] t <- any IteNormalize_Expr_Type.t_expr; + [#"../ite_normalize.rs" 114 28 114 61] _15 <- ([#"../ite_normalize.rs" 114 28 114 61] transpose t _17 _19); + t <- any IteNormalize_Expr_Type.t_expr; _17 <- any IteNormalize_Expr_Type.t_expr; _19 <- any IteNormalize_Expr_Type.t_expr; goto BB13 
@@ -454,18 +454,18 @@ module IteNormalize_Impl5_Transpose } BB14 { assume { resolve0 e }; - [#"../ite_normalize.rs" 115 28 115 45] _22 <- ([#"../ite_normalize.rs" 115 28 115 45] transpose ([#"../ite_normalize.rs" 115 28 115 29] e) ([#"../ite_normalize.rs" 115 40 115 41] a) ([#"../ite_normalize.rs" 115 43 115 44] b)); - [#"../ite_normalize.rs" 115 28 115 29] e <- any IteNormalize_Expr_Type.t_expr; - [#"../ite_normalize.rs" 115 40 115 41] a <- any IteNormalize_Expr_Type.t_expr; - [#"../ite_normalize.rs" 115 43 115 44] b <- any IteNormalize_Expr_Type.t_expr; + [#"../ite_normalize.rs" 115 28 115 45] _22 <- ([#"../ite_normalize.rs" 115 28 115 45] transpose e a b); + e <- any IteNormalize_Expr_Type.t_expr; + a <- any IteNormalize_Expr_Type.t_expr; + b <- any IteNormalize_Expr_Type.t_expr; goto BB15 } BB15 { goto BB16 } BB16 { - [#"../ite_normalize.rs" 112 44 116 13] _0 <- ([#"../ite_normalize.rs" 112 44 116 13] IteNormalize_Expr_Type.C_IfThenElse ([#"../ite_normalize.rs" 113 16 113 17] c) _15 _22); - [#"../ite_normalize.rs" 113 16 113 17] c <- any IteNormalize_Expr_Type.t_expr; + [#"../ite_normalize.rs" 112 44 116 13] _0 <- IteNormalize_Expr_Type.C_IfThenElse c _15 _22; + c <- any IteNormalize_Expr_Type.t_expr; _15 <- any IteNormalize_Expr_Type.t_expr; _22 <- any IteNormalize_Expr_Type.t_expr; goto BB17 
@@ -498,10 +498,10 @@ module IteNormalize_Impl5_Transpose goto BB26 } BB26 { - [#"../ite_normalize.rs" 118 16 118 86] _0 <- ([#"../ite_normalize.rs" 118 16 118 86] IteNormalize_Expr_Type.C_IfThenElse ([#"../ite_normalize.rs" 118 47 118 51] self) ([#"../ite_normalize.rs" 118 66 118 67] a) ([#"../ite_normalize.rs" 118 82 118 83] b)); - [#"../ite_normalize.rs" 118 47 118 51] self <- any IteNormalize_Expr_Type.t_expr; - [#"../ite_normalize.rs" 118 66 118 67] a <- any IteNormalize_Expr_Type.t_expr; - [#"../ite_normalize.rs" 118 82 118 83] b <- any IteNormalize_Expr_Type.t_expr; + [#"../ite_normalize.rs" 118 16 118 86] _0 <- IteNormalize_Expr_Type.C_IfThenElse self a b; + self <- any IteNormalize_Expr_Type.t_expr; + a <- any IteNormalize_Expr_Type.t_expr; + b <- any IteNormalize_Expr_Type.t_expr; goto BB27 } BB27 { @@ -514,8 +514,8 @@ module IteNormalize_Impl5_Transpose goto BB31 } BB30 { - [#"../ite_normalize.rs" 120 26 120 27] _0 <- ([#"../ite_normalize.rs" 120 26 120 27] a); - [#"../ite_normalize.rs" 120 26 120 27] a <- any IteNormalize_Expr_Type.t_expr; + [#"../ite_normalize.rs" 120 26 120 27] _0 <- a; + a <- any IteNormalize_Expr_Type.t_expr; goto BB31 } BB31 { 
@@ -590,30 +590,30 @@ module IteNormalize_Impl5_Normalize goto BB3 } BB2 { - [#"../ite_normalize.rs" 153 12 153 13] e1 <- ([#"../ite_normalize.rs" 153 12 153 13] self); - [#"../ite_normalize.rs" 153 17 153 26] _0 <- ([#"../ite_normalize.rs" 153 17 153 26] clone0 ([#"../ite_normalize.rs" 153 17 153 18] e1)); + [#"../ite_normalize.rs" 153 12 153 13] e1 <- self; + [#"../ite_normalize.rs" 153 17 153 26] _0 <- ([#"../ite_normalize.rs" 153 17 153 26] clone0 e1); goto BB11 } BB3 { - [#"../ite_normalize.rs" 147 31 147 32] c <- ([#"../ite_normalize.rs" 147 31 147 32] IteNormalize_Expr_Type.ifthenelse_c self); - [#"../ite_normalize.rs" 147 34 147 35] t <- ([#"../ite_normalize.rs" 147 34 147 35] IteNormalize_Expr_Type.ifthenelse_t self); - [#"../ite_normalize.rs" 147 37 147 38] e <- ([#"../ite_normalize.rs" 147 37 147 38] IteNormalize_Expr_Type.ifthenelse_e self); - [#"../ite_normalize.rs" 148 25 148 38] cp <- ([#"../ite_normalize.rs" 148 25 148 38] normalize ([#"../ite_normalize.rs" 148 25 148 26] c)); + [#"../ite_normalize.rs" 147 31 147 32] c <- IteNormalize_Expr_Type.ifthenelse_c self; + [#"../ite_normalize.rs" 147 34 147 35] t <- IteNormalize_Expr_Type.ifthenelse_t self; + [#"../ite_normalize.rs" 147 37 147 38] e <- IteNormalize_Expr_Type.ifthenelse_e self; + [#"../ite_normalize.rs" 148 25 148 38] cp <- ([#"../ite_normalize.rs" 148 25 148 38] normalize c); goto BB4 } BB4 { - [#"../ite_normalize.rs" 149 25 149 38] tp <- ([#"../ite_normalize.rs" 149 25 149 38] normalize ([#"../ite_normalize.rs" 149 25 149 26] t)); + [#"../ite_normalize.rs" 149 25 149 38] tp <- ([#"../ite_normalize.rs" 149 25 149 38] normalize t); goto BB5 } BB5 { - [#"../ite_normalize.rs" 150 25 150 38] ep <- ([#"../ite_normalize.rs" 150 25 150 38] normalize ([#"../ite_normalize.rs" 150 25 150 26] e)); + [#"../ite_normalize.rs" 150 25 150 38] ep <- ([#"../ite_normalize.rs" 150 25 150 38] normalize e); goto BB6 } BB6 { - [#"../ite_normalize.rs" 151 16 151 36] _0 <- ([#"../ite_normalize.rs" 151 16 151 36] 
transpose0 ([#"../ite_normalize.rs" 151 16 151 18] cp) ([#"../ite_normalize.rs" 151 29 151 31] tp) ([#"../ite_normalize.rs" 151 33 151 35] ep)); - [#"../ite_normalize.rs" 151 16 151 18] cp <- any IteNormalize_Expr_Type.t_expr; - [#"../ite_normalize.rs" 151 29 151 31] tp <- any IteNormalize_Expr_Type.t_expr; - [#"../ite_normalize.rs" 151 33 151 35] ep <- any IteNormalize_Expr_Type.t_expr; + [#"../ite_normalize.rs" 151 16 151 36] _0 <- ([#"../ite_normalize.rs" 151 16 151 36] transpose0 cp tp ep); + cp <- any IteNormalize_Expr_Type.t_expr; + tp <- any IteNormalize_Expr_Type.t_expr; + ep <- any IteNormalize_Expr_Type.t_expr; goto BB7 } BB7 { @@ -771,7 +771,8 @@ module IteNormalize_Impl5_SimplifyHelper val insert0 [#"../ite_normalize.rs" 28 4 30 15] (self : borrowed (IteNormalize_BTreeMap_Type.t_btreemap usize bool)) (key : usize) (value : bool) : Core_Option_Option_Type.t_option bool requires {[#"../ite_normalize.rs" 28 25 28 28] inv3 key} requires {[#"../ite_normalize.rs" 28 33 28 38] inv4 value} - ensures { [#"../ite_normalize.rs" 27 4 27 125] forall i : int . inv5 i -> Map.get (shallow_model0 ( ^ self)) i = (if i = deep_model1 key then + ensures { [#"../ite_normalize.rs" 27 4 27 125] forall i : int . inv5 i + -> Map.get (shallow_model0 ( ^ self)) i = (if i = deep_model1 key then Core_Option_Option_Type.C_Some value else Map.get (shallow_model3 self) i 
@@ -805,13 +806,17 @@ module IteNormalize_Impl5_SimplifyHelper val get0 [#"../ite_normalize.rs" 19 4 21 15] (self : IteNormalize_BTreeMap_Type.t_btreemap usize bool) (key : usize) : Core_Option_Option_Type.t_option bool requires {[#"../ite_normalize.rs" 19 25 19 28] inv0 key} - ensures { [#"../ite_normalize.rs" 17 4 17 70] result = Core_Option_Option_Type.C_None -> Map.get (shallow_model2 self) (deep_model0 key) = Core_Option_Option_Type.C_None } - ensures { [#"../ite_normalize.rs" 18 4 18 91] forall v : bool . inv1 v -> result = Core_Option_Option_Type.C_Some v -> Map.get (shallow_model2 self) (deep_model0 key) = Core_Option_Option_Type.C_Some v } + ensures { [#"../ite_normalize.rs" 17 4 17 70] result = Core_Option_Option_Type.C_None + -> Map.get (shallow_model2 self) (deep_model0 key) = Core_Option_Option_Type.C_None } + ensures { [#"../ite_normalize.rs" 18 4 18 91] forall v : bool . inv1 v + -> result = Core_Option_Option_Type.C_Some v + -> Map.get (shallow_model2 self) (deep_model0 key) = Core_Option_Option_Type.C_Some v } ensures { [#"../ite_normalize.rs" 19 40 19 53] inv2 result } let rec cfg simplify_helper [#"../ite_normalize.rs" 189 4 189 66] [@cfg:stackify] [@cfg:subregion_analysis] (self : IteNormalize_Expr_Type.t_expr) (state : IteNormalize_BTreeMap_Type.t_btreemap usize bool) : IteNormalize_Expr_Type.t_expr requires {[#"../ite_normalize.rs" 185 15 185 35] is_normalized0 self} - ensures { [#"../ite_normalize.rs" 186 4 186 107] forall i : usize . (exists v : bool . Map.get (shallow_model0 state) (UIntSize.to_int i) = Core_Option_Option_Type.C_Some v) -> does_not_contain0 result i } + ensures { [#"../ite_normalize.rs" 186 4 186 107] forall i : usize . (exists v : bool . Map.get (shallow_model0 state) (UIntSize.to_int i) = Core_Option_Option_Type.C_Some v) + -> does_not_contain0 result i } ensures { [#"../ite_normalize.rs" 187 14 187 36] is_simplified0 result } variant {[#"../ite_normalize.rs" 188 14 188 18] self} 
@@ -866,19 +871,19 @@ module IteNormalize_Impl5_SimplifyHelper goto BB42 } BB6 { - [#"../ite_normalize.rs" 229 12 229 13] c2 <- ([#"../ite_normalize.rs" 229 12 229 13] self); - [#"../ite_normalize.rs" 229 12 229 13] self <- any IteNormalize_Expr_Type.t_expr; - [#"../ite_normalize.rs" 229 17 229 18] _0 <- ([#"../ite_normalize.rs" 229 17 229 18] c2); - [#"../ite_normalize.rs" 229 17 229 18] c2 <- any IteNormalize_Expr_Type.t_expr; + [#"../ite_normalize.rs" 229 12 229 13] c2 <- self; + self <- any IteNormalize_Expr_Type.t_expr; + [#"../ite_normalize.rs" 229 17 229 18] _0 <- c2; + c2 <- any IteNormalize_Expr_Type.t_expr; goto BB51 } BB7 { - [#"../ite_normalize.rs" 191 31 191 32] c <- ([#"../ite_normalize.rs" 191 31 191 32] IteNormalize_Expr_Type.ifthenelse_c self); - [#"../ite_normalize.rs" 191 31 191 32] self <- (let IteNormalize_Expr_Type.C_IfThenElse x0 x1 x2 = self in IteNormalize_Expr_Type.C_IfThenElse (any IteNormalize_Expr_Type.t_expr) x1 x2); - [#"../ite_normalize.rs" 191 34 191 35] t <- ([#"../ite_normalize.rs" 191 34 191 35] IteNormalize_Expr_Type.ifthenelse_t self); - [#"../ite_normalize.rs" 191 34 191 35] self <- (let IteNormalize_Expr_Type.C_IfThenElse x0 x1 x2 = self in IteNormalize_Expr_Type.C_IfThenElse x0 (any IteNormalize_Expr_Type.t_expr) x2); - [#"../ite_normalize.rs" 191 37 191 38] e <- ([#"../ite_normalize.rs" 191 37 191 38] IteNormalize_Expr_Type.ifthenelse_e self); - [#"../ite_normalize.rs" 191 37 191 38] self <- (let IteNormalize_Expr_Type.C_IfThenElse x0 x1 x2 = self in IteNormalize_Expr_Type.C_IfThenElse x0 x1 (any IteNormalize_Expr_Type.t_expr)); + [#"../ite_normalize.rs" 191 31 191 32] c <- IteNormalize_Expr_Type.ifthenelse_c self; + self <- (let IteNormalize_Expr_Type.C_IfThenElse x0 x1 x2 = self in IteNormalize_Expr_Type.C_IfThenElse (any IteNormalize_Expr_Type.t_expr) x1 x2); + [#"../ite_normalize.rs" 191 34 191 35] t <- IteNormalize_Expr_Type.ifthenelse_t self; + self <- (let IteNormalize_Expr_Type.C_IfThenElse x0 x1 x2 = self in 
IteNormalize_Expr_Type.C_IfThenElse x0 (any IteNormalize_Expr_Type.t_expr) x2); + [#"../ite_normalize.rs" 191 37 191 38] e <- IteNormalize_Expr_Type.ifthenelse_e self; + self <- (let IteNormalize_Expr_Type.C_IfThenElse x0 x1 x2 = self in IteNormalize_Expr_Type.C_IfThenElse x0 x1 (any IteNormalize_Expr_Type.t_expr)); switch (c) | IteNormalize_Expr_Type.C_Var _ -> goto BB9 | _ -> goto BB8 
@@ -887,21 +892,21 @@ module IteNormalize_Impl5_SimplifyHelper BB8 { assume { resolve0 e }; assume { resolve0 t }; - [#"../ite_normalize.rs" 215 20 215 21] c1 <- ([#"../ite_normalize.rs" 215 20 215 21] c); - [#"../ite_normalize.rs" 215 20 215 21] c <- any IteNormalize_Expr_Type.t_expr; + [#"../ite_normalize.rs" 215 20 215 21] c1 <- c; + c <- any IteNormalize_Expr_Type.t_expr; assume { resolve0 c }; - [#"../ite_normalize.rs" 215 25 215 49] _0 <- ([#"../ite_normalize.rs" 215 25 215 49] simplify_helper ([#"../ite_normalize.rs" 215 25 215 26] c1) ([#"../ite_normalize.rs" 215 43 215 48] state)); - [#"../ite_normalize.rs" 215 25 215 26] c1 <- any IteNormalize_Expr_Type.t_expr; - [#"../ite_normalize.rs" 215 43 215 48] state <- any IteNormalize_BTreeMap_Type.t_btreemap usize bool; + [#"../ite_normalize.rs" 215 25 215 49] _0 <- ([#"../ite_normalize.rs" 215 25 215 49] simplify_helper c1 state); + c1 <- any IteNormalize_Expr_Type.t_expr; + state <- any IteNormalize_BTreeMap_Type.t_btreemap usize bool; goto BB36 } BB9 { goto BB10 } BB10 { - [#"../ite_normalize.rs" 193 32 193 33] v <- ([#"../ite_normalize.rs" 193 32 193 33] IteNormalize_Expr_Type.var_v c); - [#"../ite_normalize.rs" 194 51 194 53] _16 <- ([#"../ite_normalize.rs" 194 51 194 53] v); - [#"../ite_normalize.rs" 194 41 194 54] _13 <- ([#"../ite_normalize.rs" 194 41 194 54] get0 ([#"../ite_normalize.rs" 194 41 194 46] state) ([#"../ite_normalize.rs" 194 51 194 53] _16)); + [#"../ite_normalize.rs" 193 32 193 33] v <- IteNormalize_Expr_Type.var_v c; + [#"../ite_normalize.rs" 194 51 194 53] _16 <- v; + [#"../ite_normalize.rs" 194 41 194 54] _13 <- ([#"../ite_normalize.rs" 194 41 194 54] get0 state _16); goto BB11 } BB11 { 
@@ -915,8 +920,8 @@ module IteNormalize_Impl5_SimplifyHelper } BB13 { assume { resolve0 c }; - [#"../ite_normalize.rs" 194 36 194 37] b <- ([#"../ite_normalize.rs" 194 36 194 37] Core_Option_Option_Type.some_0 _13); - switch ([#"../ite_normalize.rs" 195 31 195 33] b) + [#"../ite_normalize.rs" 194 36 194 37] b <- Core_Option_Option_Type.some_0 _13; + switch (b) | False -> goto BB16 | True -> goto BB14 end @@ -924,9 +929,9 @@ module IteNormalize_Impl5_SimplifyHelper BB14 { assume { resolve0 e }; assume { resolve0 t }; - [#"../ite_normalize.rs" 196 32 196 56] _0 <- ([#"../ite_normalize.rs" 196 32 196 56] simplify_helper ([#"../ite_normalize.rs" 196 32 196 33] t) ([#"../ite_normalize.rs" 196 50 196 55] state)); - [#"../ite_normalize.rs" 196 32 196 33] t <- any IteNormalize_Expr_Type.t_expr; - [#"../ite_normalize.rs" 196 50 196 55] state <- any IteNormalize_BTreeMap_Type.t_btreemap usize bool; + [#"../ite_normalize.rs" 196 32 196 56] _0 <- ([#"../ite_normalize.rs" 196 32 196 56] simplify_helper t state); + t <- any IteNormalize_Expr_Type.t_expr; + state <- any IteNormalize_BTreeMap_Type.t_btreemap usize bool; goto BB15 } BB15 { @@ -935,9 +940,9 @@ module IteNormalize_Impl5_SimplifyHelper BB16 { assume { resolve0 t }; assume { resolve0 e }; - [#"../ite_normalize.rs" 198 32 198 56] _0 <- ([#"../ite_normalize.rs" 198 32 198 56] simplify_helper ([#"../ite_normalize.rs" 198 32 198 33] e) ([#"../ite_normalize.rs" 198 50 198 55] state)); - [#"../ite_normalize.rs" 198 32 198 33] e <- any IteNormalize_Expr_Type.t_expr; - [#"../ite_normalize.rs" 198 50 198 55] state <- any IteNormalize_BTreeMap_Type.t_btreemap usize bool; + [#"../ite_normalize.rs" 198 32 198 56] _0 <- ([#"../ite_normalize.rs" 198 32 198 56] simplify_helper e state); + e <- any IteNormalize_Expr_Type.t_expr; + state <- any IteNormalize_BTreeMap_Type.t_btreemap usize bool; goto BB17 } BB17 { 
@@ -947,39 +952,39 @@ module IteNormalize_Impl5_SimplifyHelper goto BB35 } BB19 { - [#"../ite_normalize.rs" 202 46 202 59] state_t <- ([#"../ite_normalize.rs" 202 46 202 59] clone0 ([#"../ite_normalize.rs" 202 46 202 51] state)); + [#"../ite_normalize.rs" 202 46 202 59] state_t <- ([#"../ite_normalize.rs" 202 46 202 59] clone0 state); goto BB20 } BB20 { [#"../ite_normalize.rs" 203 28 203 35] _27 <- Borrow.borrow_mut state_t; [#"../ite_normalize.rs" 203 28 203 35] state_t <- ^ _27; - [#"../ite_normalize.rs" 203 28 203 51] _26 <- ([#"../ite_normalize.rs" 203 28 203 51] insert0 _27 ([#"../ite_normalize.rs" 203 43 203 44] v) ([#"../ite_normalize.rs" 203 46 203 50] [#"../ite_normalize.rs" 203 46 203 50] true)); + [#"../ite_normalize.rs" 203 28 203 51] _26 <- ([#"../ite_normalize.rs" 203 28 203 51] insert0 _27 v ([#"../ite_normalize.rs" 203 46 203 50] true)); _27 <- any borrowed (IteNormalize_BTreeMap_Type.t_btreemap usize bool); goto BB21 } BB21 { assume { resolve0 t }; - [#"../ite_normalize.rs" 204 37 204 63] tp <- ([#"../ite_normalize.rs" 204 37 204 63] simplify_helper ([#"../ite_normalize.rs" 204 37 204 38] t) ([#"../ite_normalize.rs" 204 55 204 62] state_t)); - [#"../ite_normalize.rs" 204 37 204 38] t <- any IteNormalize_Expr_Type.t_expr; - [#"../ite_normalize.rs" 204 55 204 62] state_t <- any IteNormalize_BTreeMap_Type.t_btreemap usize bool; + [#"../ite_normalize.rs" 204 37 204 63] tp <- ([#"../ite_normalize.rs" 204 37 204 63] simplify_helper t state_t); + t <- any IteNormalize_Expr_Type.t_expr; + state_t <- any IteNormalize_BTreeMap_Type.t_btreemap usize bool; goto BB22 } BB22 { - [#"../ite_normalize.rs" 207 46 207 59] state_e <- ([#"../ite_normalize.rs" 207 46 207 59] clone0 ([#"../ite_normalize.rs" 207 46 207 51] state)); + [#"../ite_normalize.rs" 207 46 207 59] state_e <- ([#"../ite_normalize.rs" 207 46 207 59] clone0 state); goto BB23 } BB23 { [#"../ite_normalize.rs" 208 28 208 35] _35 <- Borrow.borrow_mut state_e; [#"../ite_normalize.rs" 208 28 208 35] 
state_e <- ^ _35; - [#"../ite_normalize.rs" 208 28 208 52] _34 <- ([#"../ite_normalize.rs" 208 28 208 52] insert0 _35 ([#"../ite_normalize.rs" 208 43 208 44] v) ([#"../ite_normalize.rs" 208 46 208 51] [#"../ite_normalize.rs" 208 46 208 51] false)); + [#"../ite_normalize.rs" 208 28 208 52] _34 <- ([#"../ite_normalize.rs" 208 28 208 52] insert0 _35 v ([#"../ite_normalize.rs" 208 46 208 51] false)); _35 <- any borrowed (IteNormalize_BTreeMap_Type.t_btreemap usize bool); goto BB24 } BB24 { assume { resolve0 e }; - [#"../ite_normalize.rs" 209 37 209 63] ep <- ([#"../ite_normalize.rs" 209 37 209 63] simplify_helper ([#"../ite_normalize.rs" 209 37 209 38] e) ([#"../ite_normalize.rs" 209 55 209 62] state_e)); - [#"../ite_normalize.rs" 209 37 209 38] e <- any IteNormalize_Expr_Type.t_expr; - [#"../ite_normalize.rs" 209 55 209 62] state_e <- any IteNormalize_BTreeMap_Type.t_btreemap usize bool; + [#"../ite_normalize.rs" 209 37 209 63] ep <- ([#"../ite_normalize.rs" 209 37 209 63] simplify_helper e state_e); + e <- any IteNormalize_Expr_Type.t_expr; + state_e <- any IteNormalize_BTreeMap_Type.t_btreemap usize bool; goto BB25 } BB25 { @@ -989,10 +994,10 @@ module IteNormalize_Impl5_SimplifyHelper goto BB27 } BB27 { - [#"../ite_normalize.rs" 212 28 212 84] _0 <- ([#"../ite_normalize.rs" 212 28 212 84] IteNormalize_Expr_Type.C_IfThenElse ([#"../ite_normalize.rs" 212 47 212 48] c) ([#"../ite_normalize.rs" 212 62 212 64] tp) ([#"../ite_normalize.rs" 212 79 212 81] ep)); - [#"../ite_normalize.rs" 212 47 212 48] c <- any IteNormalize_Expr_Type.t_expr; - [#"../ite_normalize.rs" 212 62 212 64] tp <- any IteNormalize_Expr_Type.t_expr; - [#"../ite_normalize.rs" 212 79 212 81] ep <- any IteNormalize_Expr_Type.t_expr; + [#"../ite_normalize.rs" 212 28 212 84] _0 <- IteNormalize_Expr_Type.C_IfThenElse c tp ep; + c <- any IteNormalize_Expr_Type.t_expr; + tp <- any IteNormalize_Expr_Type.t_expr; + ep <- any IteNormalize_Expr_Type.t_expr; goto BB28 } BB28 { 
@@ -1038,9 +1043,9 @@ module IteNormalize_Impl5_SimplifyHelper goto BB52 } BB42 { - [#"../ite_normalize.rs" 218 24 218 25] v1 <- ([#"../ite_normalize.rs" 218 24 218 25] IteNormalize_Expr_Type.var_v self); - [#"../ite_normalize.rs" 219 43 219 45] _52 <- ([#"../ite_normalize.rs" 219 43 219 45] v1); - [#"../ite_normalize.rs" 219 33 219 46] _49 <- ([#"../ite_normalize.rs" 219 33 219 46] get0 ([#"../ite_normalize.rs" 219 33 219 38] state) ([#"../ite_normalize.rs" 219 43 219 45] _52)); + [#"../ite_normalize.rs" 218 24 218 25] v1 <- IteNormalize_Expr_Type.var_v self; + [#"../ite_normalize.rs" 219 43 219 45] _52 <- v1; + [#"../ite_normalize.rs" 219 33 219 46] _49 <- ([#"../ite_normalize.rs" 219 33 219 46] get0 state _52); goto BB43 } BB43 { @@ -1053,25 +1058,25 @@ module IteNormalize_Impl5_SimplifyHelper goto BB45 } BB45 { - [#"../ite_normalize.rs" 219 28 219 29] b1 <- ([#"../ite_normalize.rs" 219 28 219 29] Core_Option_Option_Type.some_0 _49); - switch ([#"../ite_normalize.rs" 220 23 220 25] b1) + [#"../ite_normalize.rs" 219 28 219 29] b1 <- Core_Option_Option_Type.some_0 _49; + switch (b1) | False -> goto BB47 | True -> goto BB46 end } BB46 { - [#"../ite_normalize.rs" 221 24 221 34] _0 <- ([#"../ite_normalize.rs" 221 24 221 34] IteNormalize_Expr_Type.C_True); + [#"../ite_normalize.rs" 221 24 221 34] _0 <- IteNormalize_Expr_Type.C_True; goto BB48 } BB47 { - [#"../ite_normalize.rs" 223 24 223 35] _0 <- ([#"../ite_normalize.rs" 223 24 223 35] IteNormalize_Expr_Type.C_False); + [#"../ite_normalize.rs" 223 24 223 35] _0 <- IteNormalize_Expr_Type.C_False; goto BB48 } BB48 { goto BB50 } BB49 { - [#"../ite_normalize.rs" 226 20 226 35] _0 <- ([#"../ite_normalize.rs" 226 20 226 35] IteNormalize_Expr_Type.C_Var ([#"../ite_normalize.rs" 226 32 226 33] v1)); + [#"../ite_normalize.rs" 226 20 226 35] _0 <- IteNormalize_Expr_Type.C_Var v1; goto BB50 } BB50 { 
@@ -1142,7 +1147,8 @@ module IteNormalize_Impl5_Simplify val simplify_helper0 [#"../ite_normalize.rs" 189 4 189 66] (self : IteNormalize_Expr_Type.t_expr) (state : IteNormalize_BTreeMap_Type.t_btreemap usize bool) : IteNormalize_Expr_Type.t_expr requires {[#"../ite_normalize.rs" 185 15 185 35] is_normalized0 self} - ensures { [#"../ite_normalize.rs" 186 4 186 107] forall i : usize . (exists v : bool . Map.get (shallow_model0 state) (UIntSize.to_int i) = Core_Option_Option_Type.C_Some v) -> does_not_contain0 result i } + ensures { [#"../ite_normalize.rs" 186 4 186 107] forall i : usize . (exists v : bool . Map.get (shallow_model0 state) (UIntSize.to_int i) = Core_Option_Option_Type.C_Some v) + -> does_not_contain0 result i } ensures { [#"../ite_normalize.rs" 187 14 187 36] is_simplified0 result } val new0 [#"../ite_normalize.rs" 12 4 12 20] (_1 : ()) : IteNormalize_BTreeMap_Type.t_btreemap usize bool @@ -1161,12 +1167,12 @@ module IteNormalize_Impl5_Simplify goto BB1 } BB1 { - [#"../ite_normalize.rs" 182 29 182 44] _5 <- ([#"../ite_normalize.rs" 182 29 182 44] new0 ()); + [#"../ite_normalize.rs" 182 29 182 44] _5 <- ([#"../ite_normalize.rs" 182 29 182 44] new0 ([#"../ite_normalize.rs" 182 29 182 44] ())); goto BB2 } BB2 { - [#"../ite_normalize.rs" 182 8 182 45] _0 <- ([#"../ite_normalize.rs" 182 8 182 45] simplify_helper0 ([#"../ite_normalize.rs" 182 8 182 12] self) _5); - [#"../ite_normalize.rs" 182 8 182 12] self <- any IteNormalize_Expr_Type.t_expr; + [#"../ite_normalize.rs" 182 8 182 45] _0 <- ([#"../ite_normalize.rs" 182 8 182 45] simplify_helper0 self _5); + self <- any IteNormalize_Expr_Type.t_expr; _5 <- any IteNormalize_BTreeMap_Type.t_btreemap usize bool; goto BB3 } 
@@ -1201,7 +1207,8 @@ module IteNormalize_Impl1 axiom inv0 : forall x : IteNormalize_BTreeMap_Type.t_btreemap k v . inv0 x = true use prelude.Borrow - goal clone'_refn : [#"../ite_normalize.rs" 39 4 39 27] forall self : IteNormalize_BTreeMap_Type.t_btreemap k v . inv0 self -> (forall result : IteNormalize_BTreeMap_Type.t_btreemap k v . self = result -> inv1 result /\ result = self) + goal clone'_refn : [#"../ite_normalize.rs" 39 4 39 27] forall self : IteNormalize_BTreeMap_Type.t_btreemap k v . inv0 self + -> (forall result : IteNormalize_BTreeMap_Type.t_btreemap k v . self = result -> inv1 result /\ result = self) end module IteNormalize_Impl6 use IteNormalize_Expr_Type as IteNormalize_Expr_Type @@ -1226,7 +1233,8 @@ module IteNormalize_Impl6 axiom inv0 : forall x : IteNormalize_Expr_Type.t_expr . inv0 x = true use prelude.Borrow - goal clone'_refn : [#"../ite_normalize.rs" 55 9 55 14] forall self : IteNormalize_Expr_Type.t_expr . inv0 self -> (forall result : IteNormalize_Expr_Type.t_expr . result = self -> inv1 result /\ result = self) + goal clone'_refn : [#"../ite_normalize.rs" 55 9 55 14] forall self : IteNormalize_Expr_Type.t_expr . inv0 self + -> (forall result : IteNormalize_Expr_Type.t_expr . result = self -> inv1 result /\ result = self) end module IteNormalize_Impl2 type k @@ -1259,7 +1267,8 @@ module IteNormalize_Impl3 axiom inv0 : forall x : usize . inv0 x = true use prelude.Int - goal from_refn : [#"../ite_normalize.rs" 80 4 80 29] forall value : usize . inv0 value -> (forall result : IteNormalize_Expr_Type.t_expr . inv1 result) + goal from_refn : [#"../ite_normalize.rs" 80 4 80 29] forall value : usize . inv0 value + -> (forall result : IteNormalize_Expr_Type.t_expr . inv1 result) end module IteNormalize_Impl4 use IteNormalize_Expr_Type as IteNormalize_Expr_Type 
@@ -1283,5 +1292,6 @@ module IteNormalize_Impl4 ensures { result = inv0 _x } axiom inv0 : forall x : bool . inv0 x = true - goal from_refn : [#"../ite_normalize.rs" 86 4 86 28] forall value : bool . inv0 value -> (forall result : IteNormalize_Expr_Type.t_expr . inv1 result) + goal from_refn : [#"../ite_normalize.rs" 86 4 86 28] forall value : bool . inv0 value + -> (forall result : IteNormalize_Expr_Type.t_expr . inv1 result) end
diff --git a/creusot/tests/should_succeed/ite_normalize.rs b/creusot/tests/should_succeed/ite_normalize.rs
index a9a960ac43..f4253b10ab 100644
--- a/creusot/tests/should_succeed/ite_normalize.rs
+++ b/creusot/tests/should_succeed/ite_normalize.rs
@@ -44,7 +44,7 @@ impl Clone for BTreeMap {
 impl ShallowModel for BTreeMap {
 type ShallowModelTy = creusot_contracts::logic::Mapping>;
- #[ghost]
+ #[logic]
 #[open(self)]
 #[trusted]
 fn shallow_model(self) -> Self::ShallowModelTy {
diff --git a/creusot/tests/should_succeed/iterators/01_range.mlcfg b/creusot/tests/should_succeed/iterators/01_range.mlcfg
index 9f744091af..534314e5a9 100644
--- a/creusot/tests/should_succeed/iterators/01_range.mlcfg
+++ b/creusot/tests/should_succeed/iterators/01_range.mlcfg
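Review bot: `shallow_model` for `BTreeMap` carries `#[trusted]`, so whichever of `#[ghost]`/`#[logic]` is used, its body is taken on faith rather than checked, and nothing in the hunk records why that assumption is acceptable for this test. A one-line comment above the attributes would keep the assumption reviewable, e.g. `// trusted: the model of this test-local BTreeMap is assumed, not derived from a checked body — TODO confirm why it cannot be verified`. The body of `shallow_model` lies outside the hunk, so whether anything else depends on the old `#[ghost]` reading cannot be seen from here.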
@@ -25,16 +25,16 @@ module C01Range_Impl0_ProducesRefl_Impl predicate produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) = - [#"../01_range.rs" 32 8 38 9] C01Range_Range_Type.range_end self = C01Range_Range_Type.range_end o /\ C01Range_Range_Type.range_start self <= C01Range_Range_Type.range_start o /\ (Seq.length visited > 0 -> C01Range_Range_Type.range_start o <= C01Range_Range_Type.range_end o) /\ Seq.length visited = IntSize.to_int (C01Range_Range_Type.range_start o) - IntSize.to_int (C01Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> IntSize.to_int (Seq.get visited i) = IntSize.to_int (C01Range_Range_Type.range_start self) + i) + [#"../01_range.rs" 32 8 38 9] C01Range_Range_Type.range_end self = C01Range_Range_Type.range_end o /\ C01Range_Range_Type.range_start self <= C01Range_Range_Type.range_start o /\ (Seq.length visited > 0 + -> C01Range_Range_Type.range_start o <= C01Range_Range_Type.range_end o) /\ Seq.length visited = IntSize.to_int (C01Range_Range_Type.range_start o) - IntSize.to_int (C01Range_Range_Type.range_start self) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> IntSize.to_int (Seq.get visited i) = IntSize.to_int (C01Range_Range_Type.range_start self) + i) val produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) : bool ensures { result = produces0 self visited o } use seq.Seq - let rec ghost function produces_refl [#"../01_range.rs" 44 4 44 26] (self : C01Range_Range_Type.t_range) : () - ensures { [#"../01_range.rs" 43 14 43 45] produces0 self (Seq.empty ) self } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../01_range.rs" 41 4 41 10] () + constant self : C01Range_Range_Type.t_range + function produces_refl [#"../01_range.rs" 44 4 44 26] (self : C01Range_Range_Type.t_range) : () + goal vc_produces_refl : [#"../01_range.rs" 43 14 43 45] produces0 self (Seq.empty ) self end module C01Range_Impl0_ProducesTrans_Impl use prelude.IntSize 
@@ -48,17 +48,22 @@ module C01Range_Impl0_ProducesTrans_Impl predicate produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) = - [#"../01_range.rs" 32 8 38 9] C01Range_Range_Type.range_end self = C01Range_Range_Type.range_end o /\ C01Range_Range_Type.range_start self <= C01Range_Range_Type.range_start o /\ (Seq.length visited > 0 -> C01Range_Range_Type.range_start o <= C01Range_Range_Type.range_end o) /\ Seq.length visited = IntSize.to_int (C01Range_Range_Type.range_start o) - IntSize.to_int (C01Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> IntSize.to_int (Seq.get visited i) = IntSize.to_int (C01Range_Range_Type.range_start self) + i) + [#"../01_range.rs" 32 8 38 9] C01Range_Range_Type.range_end self = C01Range_Range_Type.range_end o /\ C01Range_Range_Type.range_start self <= C01Range_Range_Type.range_start o /\ (Seq.length visited > 0 + -> C01Range_Range_Type.range_start o <= C01Range_Range_Type.range_end o) /\ Seq.length visited = IntSize.to_int (C01Range_Range_Type.range_start o) - IntSize.to_int (C01Range_Range_Type.range_start self) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> IntSize.to_int (Seq.get visited i) = IntSize.to_int (C01Range_Range_Type.range_start self) + i) val produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) : bool ensures { result = produces0 self visited o } - let rec ghost function produces_trans [#"../01_range.rs" 51 4 51 90] (a : C01Range_Range_Type.t_range) (ab : Seq.seq isize) (b : C01Range_Range_Type.t_range) (bc : Seq.seq isize) (c : C01Range_Range_Type.t_range) : () - requires {[#"../01_range.rs" 48 15 48 32] produces0 a ab b} - requires {[#"../01_range.rs" 49 15 49 32] produces0 b bc c} - ensures { [#"../01_range.rs" 50 14 50 42] produces0 a (Seq.(++) ab bc) c } + constant a : C01Range_Range_Type.t_range + constant ab : Seq.seq isize + constant b : C01Range_Range_Type.t_range + constant bc : Seq.seq isize + constant c : C01Range_Range_Type.t_range + function produces_trans [#"../01_range.rs" 51 4 51 90] (a : C01Range_Range_Type.t_range) (ab : Seq.seq isize) (b : C01Range_Range_Type.t_range) (bc : Seq.seq isize) (c : C01Range_Range_Type.t_range) : () - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../01_range.rs" 46 4 46 10] () + goal vc_produces_trans : ([#"../01_range.rs" 49 15 49 32] produces0 b bc c) + -> ([#"../01_range.rs" 48 15 48 32] produces0 a ab b) + -> ([#"../01_range.rs" 50 14 50 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = 
@@ -82,14 +87,16 @@ module C01Range_Impl0_Next predicate produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) = - [#"../01_range.rs" 32 8 38 9] C01Range_Range_Type.range_end self = C01Range_Range_Type.range_end o /\ C01Range_Range_Type.range_start self <= C01Range_Range_Type.range_start o /\ (Seq.length visited > 0 -> C01Range_Range_Type.range_start o <= C01Range_Range_Type.range_end o) /\ Seq.length visited = IntSize.to_int (C01Range_Range_Type.range_start o) - IntSize.to_int (C01Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> IntSize.to_int (Seq.get visited i) = IntSize.to_int (C01Range_Range_Type.range_start self) + i) + [#"../01_range.rs" 32 8 38 9] C01Range_Range_Type.range_end self = C01Range_Range_Type.range_end o /\ C01Range_Range_Type.range_start self <= C01Range_Range_Type.range_start o /\ (Seq.length visited > 0 + -> C01Range_Range_Type.range_start o <= C01Range_Range_Type.range_end o) /\ Seq.length visited = IntSize.to_int (C01Range_Range_Type.range_start o) - IntSize.to_int (C01Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> IntSize.to_int (Seq.get visited i) = IntSize.to_int (C01Range_Range_Type.range_start self) + i) val produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) : bool ensures { result = produces0 self visited o } use seq.Seq use prelude.Borrow predicate resolve0 (self : borrowed (C01Range_Range_Type.t_range)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (C01Range_Range_Type.t_range)) : bool ensures { result = resolve0 self } 
@@ -108,26 +115,28 @@ module C01Range_Impl0_Next = [@vc:do_not_keep_trace] [@vc:sp] var _0 : Core_Option_Option_Type.t_option isize; var self : borrowed (C01Range_Range_Type.t_range) = self; + var _3 : bool; var r : isize; { goto BB0 } BB0 { - switch ([#"../01_range.rs" 58 11 58 33] ([#"../01_range.rs" 58 11 58 21] C01Range_Range_Type.range_start ( * self)) >= ([#"../01_range.rs" 58 25 58 33] C01Range_Range_Type.range_end ( * self))) + [#"../01_range.rs" 58 11 58 33] _3 <- C01Range_Range_Type.range_start ( * self) >= C01Range_Range_Type.range_end ( * self); + switch (_3) | False -> goto BB2 | True -> goto BB1 end } BB1 { assume { resolve0 self }; - [#"../01_range.rs" 59 12 59 16] _0 <- ([#"../01_range.rs" 59 12 59 16] Core_Option_Option_Type.C_None); + [#"../01_range.rs" 59 12 59 16] _0 <- Core_Option_Option_Type.C_None; goto BB3 } BB2 { - [#"../01_range.rs" 61 20 61 30] r <- ([#"../01_range.rs" 61 20 61 30] C01Range_Range_Type.range_start ( * self)); - [#"../01_range.rs" 62 12 62 27] self <- { self with current = (let C01Range_Range_Type.C_Range x0 x1 = * self in C01Range_Range_Type.C_Range ([#"../01_range.rs" 62 12 62 27] C01Range_Range_Type.range_start ( * self) + ([#"../01_range.rs" 62 26 62 27] [#"../01_range.rs" 62 26 62 27] (1 : isize))) x1) ; }; + [#"../01_range.rs" 61 20 61 30] r <- C01Range_Range_Type.range_start ( * self); + [#"../01_range.rs" 62 12 62 27] self <- { self with current = (let C01Range_Range_Type.C_Range x0 x1 = * self in C01Range_Range_Type.C_Range (C01Range_Range_Type.range_start ( * self) + ([#"../01_range.rs" 62 26 62 27] (1 : isize))) x1) ; }; assume { resolve0 self }; - [#"../01_range.rs" 63 12 63 19] _0 <- ([#"../01_range.rs" 63 12 63 19] Core_Option_Option_Type.C_Some ([#"../01_range.rs" 63 17 63 18] r)); + [#"../01_range.rs" 63 12 63 19] _0 <- Core_Option_Option_Type.C_Some r; goto BB3 } BB3 { 
@@ -147,8 +156,8 @@ module C01Range_Impl1_IntoIter goto BB0 } BB0 { - [#"../01_range.rs" 71 8 71 12] _0 <- ([#"../01_range.rs" 71 8 71 12] self); - [#"../01_range.rs" 71 8 71 12] self <- any C01Range_Range_Type.t_range; + [#"../01_range.rs" 71 8 71 12] _0 <- self; + self <- any C01Range_Range_Type.t_range; return _0 } @@ -165,7 +174,9 @@ module C01Range_SumRange predicate produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) = - [#"../01_range.rs" 32 8 38 9] C01Range_Range_Type.range_end self = C01Range_Range_Type.range_end o /\ C01Range_Range_Type.range_start self <= C01Range_Range_Type.range_start o /\ (Seq.length visited > 0 -> C01Range_Range_Type.range_start o <= C01Range_Range_Type.range_end o) /\ Seq.length visited = IntSize.to_int (C01Range_Range_Type.range_start o) - IntSize.to_int (C01Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> IntSize.to_int (Seq.get visited i) = IntSize.to_int (C01Range_Range_Type.range_start self) + i) + [#"../01_range.rs" 32 8 38 9] C01Range_Range_Type.range_end self = C01Range_Range_Type.range_end o /\ C01Range_Range_Type.range_start self <= C01Range_Range_Type.range_start o /\ (Seq.length visited > 0 + -> C01Range_Range_Type.range_start o <= C01Range_Range_Type.range_end o) /\ Seq.length visited = IntSize.to_int (C01Range_Range_Type.range_start o) - IntSize.to_int (C01Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> IntSize.to_int (Seq.get visited i) = IntSize.to_int (C01Range_Range_Type.range_start self) + i) val produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) : bool ensures { result = produces0 self visited o } 
@@ -178,7 +189,9 @@ module C01Range_SumRange requires {[#"../01_range.rs" 49 15 49 32] produces0 b bc c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : C01Range_Range_Type.t_range, ab : Seq.seq isize, b : C01Range_Range_Type.t_range, bc : Seq.seq isize, c : C01Range_Range_Type.t_range . ([#"../01_range.rs" 48 15 48 32] produces0 a ab b) -> ([#"../01_range.rs" 49 15 49 32] produces0 b bc c) -> ([#"../01_range.rs" 50 14 50 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : C01Range_Range_Type.t_range, ab : Seq.seq isize, b : C01Range_Range_Type.t_range, bc : Seq.seq isize, c : C01Range_Range_Type.t_range . ([#"../01_range.rs" 48 15 48 32] produces0 a ab b) + -> ([#"../01_range.rs" 49 15 49 32] produces0 b bc c) + -> ([#"../01_range.rs" 50 14 50 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../01_range.rs" 44 4 44 26] (self : C01Range_Range_Type.t_range) : () = [#"../01_range.rs" 41 4 41 10] () @@ -196,12 +209,12 @@ module C01Range_SumRange ensures { result = inv0 _x } axiom inv0 : forall x : C01Range_Range_Type.t_range . inv0 x = true - use prelude.Ghost + use prelude.Snapshot use seq.Seq use Core_Option_Option_Type as Core_Option_Option_Type use prelude.Borrow predicate resolve0 (self : borrowed (C01Range_Range_Type.t_range)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (C01Range_Range_Type.t_range)) : bool ensures { result = resolve0 self } 
@@ -216,11 +229,11 @@ module C01Range_SumRange | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot val into_iter0 [#"../01_range.rs" 70 4 70 34] (self : C01Range_Range_Type.t_range) : C01Range_Range_Type.t_range ensures { [#"../01_range.rs" 69 14 69 28] result = self } 
@@ -233,26 +246,29 @@ module C01Range_SumRange var n : isize = n; var i : isize; var it : C01Range_Range_Type.t_range; - var iter_old : Ghost.ghost_ty (C01Range_Range_Type.t_range); - var produced : Ghost.ghost_ty (Seq.seq isize); + var _6 : C01Range_Range_Type.t_range; + var iter_old : Snapshot.snap_ty (C01Range_Range_Type.t_range); + var produced : Snapshot.snap_ty (Seq.seq isize); var _17 : Core_Option_Option_Type.t_option isize; var _18 : borrowed (C01Range_Range_Type.t_range); var x : isize; - var _21 : Ghost.ghost_ty (Seq.seq isize); + var _21 : Snapshot.snap_ty (Seq.seq isize); { goto BB0 } BB0 { - [#"../01_range.rs" 78 16 78 17] i <- ([#"../01_range.rs" 78 16 78 17] [#"../01_range.rs" 78 16 78 17] (0 : isize)); - [#"../01_range.rs" 79 17 79 55] it <- ([#"../01_range.rs" 79 17 79 55] into_iter0 ([#"../01_range.rs" 79 17 79 43] C01Range_Range_Type.C_Range ([#"../01_range.rs" 79 32 79 33] [#"../01_range.rs" 79 32 79 33] (0 : isize)) ([#"../01_range.rs" 79 40 79 41] n))); + [#"../01_range.rs" 78 16 78 17] i <- ([#"../01_range.rs" 78 16 78 17] (0 : isize)); + [#"../01_range.rs" 79 17 79 43] _6 <- C01Range_Range_Type.C_Range ([#"../01_range.rs" 79 32 79 33] (0 : isize)) n; + [#"../01_range.rs" 79 17 79 55] it <- ([#"../01_range.rs" 79 17 79 55] into_iter0 _6); + _6 <- any C01Range_Range_Type.t_range; goto BB1 } BB1 { - [#"../01_range.rs" 80 19 80 29] iter_old <- ([#"../01_range.rs" 80 19 80 29] Ghost.new it); + [#"../01_range.rs" 80 19 80 35] iter_old <- ([#"../01_range.rs" 80 19 80 35] Snapshot.new it); goto BB2 } BB2 { - [#"../01_range.rs" 81 23 81 41] produced <- ([#"../01_range.rs" 81 23 81 41] Ghost.new (Seq.empty )); + [#"../01_range.rs" 81 23 81 47] produced <- ([#"../01_range.rs" 81 23 81 47] Snapshot.new (Seq.empty )); goto BB3 } BB3 { 
@@ -260,8 +276,8 @@ module C01Range_SumRange } BB4 { invariant { [#"../01_range.rs" 82 16 82 23] inv0 it }; - invariant { [#"../01_range.rs" 83 16 83 55] produces0 (Ghost.inner iter_old) (Ghost.inner produced) it }; - invariant { [#"../01_range.rs" 84 16 84 46] IntSize.to_int i = Seq.length (Ghost.inner produced) /\ i <= n }; + invariant { [#"../01_range.rs" 83 16 83 55] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) it }; + invariant { [#"../01_range.rs" 84 16 84 46] IntSize.to_int i = Seq.length (Snapshot.inner produced) /\ i <= n }; goto BB5 } BB5 { @@ -278,7 +294,7 @@ module C01Range_SumRange end } BB7 { - [#"../01_range.rs" 94 4 94 5] _0 <- ([#"../01_range.rs" 94 4 94 5] i); + [#"../01_range.rs" 94 4 94 5] _0 <- i; return _0 } BB8 { 
@@ -289,81 +305,70 @@ module C01Range_SumRange absurd } BB10 { - [#"../01_range.rs" 87 17 87 18] x <- ([#"../01_range.rs" 87 17 87 18] Core_Option_Option_Type.some_0 _17); - [#"../01_range.rs" 88 27 88 69] _21 <- ([#"../01_range.rs" 88 27 88 69] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton x))); + [#"../01_range.rs" 87 17 87 18] x <- Core_Option_Option_Type.some_0 _17; + [#"../01_range.rs" 88 27 88 75] _21 <- ([#"../01_range.rs" 88 27 88 75] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton x))); goto BB11 } BB11 { - [#"../01_range.rs" 88 16 88 69] produced <- ([#"../01_range.rs" 88 16 88 69] _21); - [#"../01_range.rs" 88 16 88 69] _21 <- any Ghost.ghost_ty (Seq.seq isize); - [#"../01_range.rs" 89 16 89 22] i <- ([#"../01_range.rs" 89 16 89 22] i + ([#"../01_range.rs" 89 21 89 22] [#"../01_range.rs" 89 21 89 22] (1 : isize))); + [#"../01_range.rs" 88 16 88 75] produced <- _21; + _21 <- any Snapshot.snap_ty (Seq.seq isize); + [#"../01_range.rs" 89 16 89 22] i <- i + ([#"../01_range.rs" 89 21 89 22] (1 : isize)); goto BB4 } end module C01Range_Impl0 use prelude.IntSize - use seq.Seq - predicate invariant3 (self : Seq.seq isize) = + use Core_Option_Option_Type as Core_Option_Option_Type + predicate invariant3 (self : Core_Option_Option_Type.t_option isize) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true - val invariant3 (self : Seq.seq isize) : bool + val invariant3 (self : Core_Option_Option_Type.t_option isize) : bool ensures { result = invariant3 self } - predicate inv3 (_x : Seq.seq isize) - val inv3 (_x : Seq.seq isize) : bool + predicate inv3 (_x : Core_Option_Option_Type.t_option isize) + val inv3 (_x : Core_Option_Option_Type.t_option isize) : bool ensures { result = inv3 _x } - axiom inv3 : forall x : Seq.seq isize . inv3 x = true + axiom inv3 : forall x : Core_Option_Option_Type.t_option isize . 
inv3 x = true use C01Range_Range_Type as C01Range_Range_Type - predicate invariant2 (self : C01Range_Range_Type.t_range) = + use prelude.Borrow + predicate invariant2 (self : borrowed (C01Range_Range_Type.t_range)) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true - val invariant2 (self : C01Range_Range_Type.t_range) : bool + val invariant2 (self : borrowed (C01Range_Range_Type.t_range)) : bool ensures { result = invariant2 self } - predicate inv2 (_x : C01Range_Range_Type.t_range) - val inv2 (_x : C01Range_Range_Type.t_range) : bool + predicate inv2 (_x : borrowed (C01Range_Range_Type.t_range)) + val inv2 (_x : borrowed (C01Range_Range_Type.t_range)) : bool ensures { result = inv2 _x } - axiom inv2 : forall x : C01Range_Range_Type.t_range . inv2 x = true - use Core_Option_Option_Type as Core_Option_Option_Type - predicate invariant1 (self : Core_Option_Option_Type.t_option isize) = + axiom inv2 : forall x : borrowed (C01Range_Range_Type.t_range) . inv2 x = true + use seq.Seq + predicate invariant1 (self : Seq.seq isize) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true - val invariant1 (self : Core_Option_Option_Type.t_option isize) : bool + val invariant1 (self : Seq.seq isize) : bool ensures { result = invariant1 self } - predicate inv1 (_x : Core_Option_Option_Type.t_option isize) - val inv1 (_x : Core_Option_Option_Type.t_option isize) : bool + predicate inv1 (_x : Seq.seq isize) + val inv1 (_x : Seq.seq isize) : bool ensures { result = inv1 _x } - axiom inv1 : forall x : Core_Option_Option_Type.t_option isize . inv1 x = true - use prelude.Borrow - predicate invariant0 (self : borrowed (C01Range_Range_Type.t_range)) = + axiom inv1 : forall x : Seq.seq isize . 
inv1 x = true + predicate invariant0 (self : C01Range_Range_Type.t_range) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true - val invariant0 (self : borrowed (C01Range_Range_Type.t_range)) : bool + val invariant0 (self : C01Range_Range_Type.t_range) : bool ensures { result = invariant0 self } - predicate inv0 (_x : borrowed (C01Range_Range_Type.t_range)) - val inv0 (_x : borrowed (C01Range_Range_Type.t_range)) : bool + predicate inv0 (_x : C01Range_Range_Type.t_range) + val inv0 (_x : C01Range_Range_Type.t_range) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : borrowed (C01Range_Range_Type.t_range) . inv0 x = true - use seq.Seq - use seq.Seq + axiom inv0 : forall x : C01Range_Range_Type.t_range . inv0 x = true use seq.Seq use seq.Seq - use prelude.IntSize use seq.Seq use prelude.Int - predicate produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) - - = - [#"../01_range.rs" 32 8 38 9] C01Range_Range_Type.range_end self = C01Range_Range_Type.range_end o /\ C01Range_Range_Type.range_start self <= C01Range_Range_Type.range_start o /\ (Seq.length visited > 0 -> C01Range_Range_Type.range_start o <= C01Range_Range_Type.range_end o) /\ Seq.length visited = IntSize.to_int (C01Range_Range_Type.range_start o) - IntSize.to_int (C01Range_Range_Type.range_start self) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> IntSize.to_int (Seq.get visited i) = IntSize.to_int (C01Range_Range_Type.range_start self) + i) - val produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) : bool - ensures { result = produces0 self visited o } - - use seq.Seq predicate resolve0 (self : borrowed (C01Range_Range_Type.t_range)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (C01Range_Range_Type.t_range)) : bool ensures { result = resolve0 self } 
@@ -372,13 +377,31 @@ module C01Range_Impl0 val completed0 [#"../01_range.rs" 23 4 23 35] (self : borrowed (C01Range_Range_Type.t_range)) : bool ensures { result = completed0 self } - goal next_refn : [#"../01_range.rs" 57 4 57 39] forall self : borrowed (C01Range_Range_Type.t_range) . inv0 self -> (forall result : Core_Option_Option_Type.t_option isize . match result with + use seq.Seq + use seq.Seq + use prelude.IntSize + use seq.Seq + predicate produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) + + = + [#"../01_range.rs" 32 8 38 9] C01Range_Range_Type.range_end self = C01Range_Range_Type.range_end o /\ C01Range_Range_Type.range_start self <= C01Range_Range_Type.range_start o /\ (Seq.length visited > 0 + -> C01Range_Range_Type.range_start o <= C01Range_Range_Type.range_end o) /\ Seq.length visited = IntSize.to_int (C01Range_Range_Type.range_start o) - IntSize.to_int (C01Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> IntSize.to_int (Seq.get visited i) = IntSize.to_int (C01Range_Range_Type.range_start self) + i) + val produces0 [#"../01_range.rs" 31 4 31 64] (self : C01Range_Range_Type.t_range) (visited : Seq.seq isize) (o : C01Range_Range_Type.t_range) : bool + ensures { result = produces0 self visited o } + + goal produces_trans_refn : [#"../01_range.rs" 51 4 51 90] forall a : C01Range_Range_Type.t_range . forall ab : Seq.seq isize . forall b : C01Range_Range_Type.t_range . forall bc : Seq.seq isize . forall c : C01Range_Range_Type.t_range . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b + -> produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) + goal next_refn : [#"../01_range.rs" 57 4 57 39] forall self : borrowed (C01Range_Range_Type.t_range) . 
inv2 self + -> (forall result : Core_Option_Option_Type.t_option isize . match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv1 result /\ match result with + end + -> inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) - goal produces_refl_refn : [#"../01_range.rs" 44 4 44 26] forall self : C01Range_Range_Type.t_range . inv2 self -> (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal produces_trans_refn : [#"../01_range.rs" 51 4 51 90] forall a : C01Range_Range_Type.t_range . forall ab : Seq.seq isize . forall b : C01Range_Range_Type.t_range . forall bc : Seq.seq isize . forall c : C01Range_Range_Type.t_range . inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b -> produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) + goal produces_refl_refn : [#"../01_range.rs" 44 4 44 26] forall self : C01Range_Range_Type.t_range . inv0 self + -> (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) end diff --git a/creusot/tests/should_succeed/iterators/01_range.rs b/creusot/tests/should_succeed/iterators/01_range.rs index cb83e7000e..5d1e9d0330 100644 --- a/creusot/tests/should_succeed/iterators/01_range.rs +++ b/creusot/tests/should_succeed/iterators/01_range.rs @@ -19,7 +19,7 @@ impl Iterator for Range { type Item = isize; #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { self.resolve() && self.start >= self.end 
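Review bot: The new `#[predicate(prophetic)]` on `completed` is justified by the visible body — `self.resolve()` on `&mut self` speaks about the final value of the borrow (this diff's generated `resolve0` is `^ self = * self`) — but the source gives no hint of that, and a later reader may try to drop the marker to simplify the predicate. A comment on the line would carry the reason: `// prophetic: self.resolve() constrains the final value (^self) of the mutable borrow`. The body of `completed` continues past the end of the hunk.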
@@ -77,15 +77,15 @@ impl Range {
 pub fn sum_range(n: isize) -> isize {
 let mut i = 0;
 let mut it = Range { start: 0, end: n }.into_iter();
- let iter_old = gh! { it };
- let mut produced = gh! { Seq::EMPTY };
+ let iter_old = snapshot! { it };
+ let mut produced = snapshot! { Seq::EMPTY };
 #[invariant(inv(it))]
 #[invariant(iter_old.produces(produced.inner(), it))]
 #[invariant(i@ == produced.len() && i <= n)]
 loop {
 match it.next() {
 Some(x) => {
- produced = gh! { produced.concat(Seq::singleton(x)) };
+ produced = snapshot! { produced.concat(Seq::singleton(x)) };
 i += 1
 }
 None => break,
diff --git a/creusot/tests/should_succeed/iterators/01_range/why3session.xml b/creusot/tests/should_succeed/iterators/01_range/why3session.xml
index cb3bf3edaf..558313af22 100644
--- a/creusot/tests/should_succeed/iterators/01_range/why3session.xml
+++ b/creusot/tests/should_succeed/iterators/01_range/why3session.xml
@@ -6,18 +6,18 @@ - + - - + + - +
@@ -27,18 +27,18 @@ - + - - + + - - + +
diff --git a/creusot/tests/should_succeed/iterators/01_range/why3shapes.gz b/creusot/tests/should_succeed/iterators/01_range/why3shapes.gz
index 404b2b0604..96e2bd440f 100644
Binary files a/creusot/tests/should_succeed/iterators/01_range/why3shapes.gz and b/creusot/tests/should_succeed/iterators/01_range/why3shapes.gz differ
diff --git a/creusot/tests/should_succeed/iterators/02_iter_mut.mlcfg b/creusot/tests/should_succeed/iterators/02_iter_mut.mlcfg
index 4398a76c31..cb0eb2e069 100644
--- a/creusot/tests/should_succeed/iterators/02_iter_mut.mlcfg
+++ b/creusot/tests/should_succeed/iterators/02_iter_mut.mlcfg
@@ -63,7 +63,8 @@ module C02IterMut_Impl1_ProducesRefl_Impl requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv4 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv4 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) use C02IterMut_IterMut_Type as C02IterMut_IterMut_Type predicate invariant0 [#"../02_iter_mut.rs" 20 4 20 30] (self : C02IterMut_IterMut_Type.t_itermut t) = [#"../02_iter_mut.rs" 22 20 22 64] Seq.length (shallow_model1 ( ^ C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length (shallow_model1 ( * C02IterMut_IterMut_Type.itermut_inner self)) 
@@ -96,21 +97,23 @@ module C02IterMut_Impl1_ProducesRefl_Impl requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv1 self} ensures { result = to_mut_seq0 self } - axiom to_mut_seq0_spec : forall self : borrowed (slice t) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv2 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> ^ Seq.get (to_mut_seq0 self) i = index_logic1 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> * Seq.get (to_mut_seq0 self) i = index_logic1 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model0 self)) + axiom to_mut_seq0_spec : forall self : borrowed (slice t) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv2 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> ^ Seq.get (to_mut_seq0 self) i = index_logic1 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 
0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> * Seq.get (to_mut_seq0 self) i = index_logic1 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model0 self)) predicate produces0 [#"../02_iter_mut.rs" 37 4 37 65] (self : C02IterMut_IterMut_Type.t_itermut t) (visited : Seq.seq (borrowed t)) (tl : C02IterMut_IterMut_Type.t_itermut t) = - [#"../02_iter_mut.rs" 39 12 43 13] Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length visited + Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner tl)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) -> * Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = * Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i /\ ^ Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = ^ Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i) + [#"../02_iter_mut.rs" 39 12 43 13] Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length visited + Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner tl)) /\ (forall i : int . 
0 <= i /\ i < Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) + -> * Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = * Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i /\ ^ Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = ^ Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i) val produces0 [#"../02_iter_mut.rs" 37 4 37 65] (self : C02IterMut_IterMut_Type.t_itermut t) (visited : Seq.seq (borrowed t)) (tl : C02IterMut_IterMut_Type.t_itermut t) : bool ensures { result = produces0 self visited tl } use seq.Seq - let rec ghost function produces_refl [#"../02_iter_mut.rs" 50 4 50 26] (self : C02IterMut_IterMut_Type.t_itermut t) : () - requires {[#"../02_iter_mut.rs" 50 21 50 25] inv0 self} - ensures { [#"../02_iter_mut.rs" 49 14 49 45] produces0 self (Seq.empty ) self } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../02_iter_mut.rs" 47 4 47 10] () + constant self : C02IterMut_IterMut_Type.t_itermut t + function produces_refl [#"../02_iter_mut.rs" 50 4 50 26] (self : C02IterMut_IterMut_Type.t_itermut t) : () + goal vc_produces_refl : ([#"../02_iter_mut.rs" 50 21 50 25] inv0 self) + -> ([#"../02_iter_mut.rs" 49 14 49 45] produces0 self (Seq.empty ) self) end module C02IterMut_Impl1_ProducesTrans_Impl type t 
@@ -165,7 +168,8 @@ module C02IterMut_Impl1_ProducesTrans_Impl requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv4 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv4 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) use C02IterMut_IterMut_Type as C02IterMut_IterMut_Type predicate invariant0 [#"../02_iter_mut.rs" 20 4 20 30] (self : C02IterMut_IterMut_Type.t_itermut t) = [#"../02_iter_mut.rs" 22 20 22 64] Seq.length (shallow_model1 ( ^ C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length (shallow_model1 ( * C02IterMut_IterMut_Type.itermut_inner self)) 
@@ -198,26 +202,33 @@ module C02IterMut_Impl1_ProducesTrans_Impl requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv2 self} ensures { result = to_mut_seq0 self } - axiom to_mut_seq0_spec : forall self : borrowed (slice t) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv1 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> ^ Seq.get (to_mut_seq0 self) i = index_logic1 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> * Seq.get (to_mut_seq0 self) i = index_logic1 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model0 self)) + axiom to_mut_seq0_spec : forall self : borrowed (slice t) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv1 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> ^ Seq.get (to_mut_seq0 self) i = index_logic1 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 
0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> * Seq.get (to_mut_seq0 self) i = index_logic1 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model0 self)) predicate produces0 [#"../02_iter_mut.rs" 37 4 37 65] (self : C02IterMut_IterMut_Type.t_itermut t) (visited : Seq.seq (borrowed t)) (tl : C02IterMut_IterMut_Type.t_itermut t) = - [#"../02_iter_mut.rs" 39 12 43 13] Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length visited + Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner tl)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) -> * Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = * Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i /\ ^ Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = ^ Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i) + [#"../02_iter_mut.rs" 39 12 43 13] Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length visited + Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner tl)) /\ (forall i : int . 
0 <= i /\ i < Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) + -> * Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = * Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i /\ ^ Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = ^ Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i) val produces0 [#"../02_iter_mut.rs" 37 4 37 65] (self : C02IterMut_IterMut_Type.t_itermut t) (visited : Seq.seq (borrowed t)) (tl : C02IterMut_IterMut_Type.t_itermut t) : bool ensures { result = produces0 self visited tl } - let rec ghost function produces_trans [#"../02_iter_mut.rs" 57 4 57 90] (a : C02IterMut_IterMut_Type.t_itermut t) (ab : Seq.seq (borrowed t)) (b : C02IterMut_IterMut_Type.t_itermut t) (bc : Seq.seq (borrowed t)) (c : C02IterMut_IterMut_Type.t_itermut t) : () - requires {[#"../02_iter_mut.rs" 54 15 54 32] produces0 a ab b} - requires {[#"../02_iter_mut.rs" 55 15 55 32] produces0 b bc c} - requires {[#"../02_iter_mut.rs" 57 22 57 23] inv0 a} - requires {[#"../02_iter_mut.rs" 57 31 57 33] inv1 ab} - requires {[#"../02_iter_mut.rs" 57 52 57 53] inv0 b} - requires {[#"../02_iter_mut.rs" 57 61 57 63] inv1 bc} - requires {[#"../02_iter_mut.rs" 57 82 57 83] inv0 c} - ensures { [#"../02_iter_mut.rs" 56 14 56 42] produces0 a (Seq.(++) ab bc) c } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../02_iter_mut.rs" 52 4 52 10] () + constant a : C02IterMut_IterMut_Type.t_itermut t + constant ab : Seq.seq (borrowed t) + constant b : C02IterMut_IterMut_Type.t_itermut t + constant bc : Seq.seq (borrowed t) + constant c : C02IterMut_IterMut_Type.t_itermut t + function produces_trans [#"../02_iter_mut.rs" 57 4 57 90] (a : C02IterMut_IterMut_Type.t_itermut t) (ab : Seq.seq (borrowed t)) (b : C02IterMut_IterMut_Type.t_itermut t) (bc : Seq.seq (borrowed t)) (c : C02IterMut_IterMut_Type.t_itermut t) : () + + goal vc_produces_trans : ([#"../02_iter_mut.rs" 57 82 
57 83] inv0 c) + -> ([#"../02_iter_mut.rs" 57 61 57 63] inv1 bc) + -> ([#"../02_iter_mut.rs" 57 52 57 53] inv0 b) + -> ([#"../02_iter_mut.rs" 57 31 57 33] inv1 ab) + -> ([#"../02_iter_mut.rs" 57 22 57 23] inv0 a) + -> ([#"../02_iter_mut.rs" 55 15 55 32] produces0 b bc c) + -> ([#"../02_iter_mut.rs" 54 15 54 32] produces0 a ab b) + -> ([#"../02_iter_mut.rs" 56 14 56 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = @@ -268,7 +279,8 @@ module C02IterMut_Impl1_Next requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv5 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model0 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv5 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model0 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) use C02IterMut_IterMut_Type as C02IterMut_IterMut_Type predicate invariant6 [#"../02_iter_mut.rs" 20 4 20 30] (self : C02IterMut_IterMut_Type.t_itermut t) = [#"../02_iter_mut.rs" 22 20 22 64] Seq.length (shallow_model0 ( ^ C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length (shallow_model0 ( * C02IterMut_IterMut_Type.itermut_inner self)) 
@@ -344,11 +356,15 @@ module C02IterMut_Impl1_Next requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv0 self} ensures { result = to_mut_seq0 self } - axiom to_mut_seq0_spec : forall self : borrowed (slice t) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv7 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> ^ Seq.get (to_mut_seq0 self) i = index_logic0 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> * Seq.get (to_mut_seq0 self) i = index_logic0 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model1 self)) + axiom to_mut_seq0_spec : forall self : borrowed (slice t) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv7 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> ^ Seq.get (to_mut_seq0 self) i = index_logic0 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 
0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> * Seq.get (to_mut_seq0 self) i = index_logic0 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model1 self)) predicate produces0 [#"../02_iter_mut.rs" 37 4 37 65] (self : C02IterMut_IterMut_Type.t_itermut t) (visited : Seq.seq (borrowed t)) (tl : C02IterMut_IterMut_Type.t_itermut t) = - [#"../02_iter_mut.rs" 39 12 43 13] Seq.length (shallow_model1 (C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length visited + Seq.length (shallow_model1 (C02IterMut_IterMut_Type.itermut_inner tl)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 (C02IterMut_IterMut_Type.itermut_inner self)) -> * Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = * Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i /\ ^ Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = ^ Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i) + [#"../02_iter_mut.rs" 39 12 43 13] Seq.length (shallow_model1 (C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length visited + Seq.length (shallow_model1 (C02IterMut_IterMut_Type.itermut_inner tl)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 (C02IterMut_IterMut_Type.itermut_inner self)) + -> * Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = * Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i /\ ^ Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = ^ Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i) val produces0 [#"../02_iter_mut.rs" 37 4 37 65] (self : C02IterMut_IterMut_Type.t_itermut t) (visited : Seq.seq (borrowed t)) (tl : C02IterMut_IterMut_Type.t_itermut t) : bool ensures { result = produces0 self visited tl } 
@@ -458,7 +474,8 @@ module C02IterMut_Impl2_IntoIter requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv3 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model0 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv3 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model0 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) use C02IterMut_IterMut_Type as C02IterMut_IterMut_Type predicate invariant0 [#"../02_iter_mut.rs" 20 4 20 30] (self : C02IterMut_IterMut_Type.t_itermut t) = [#"../02_iter_mut.rs" 22 20 22 64] Seq.length (shallow_model0 ( ^ C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length (shallow_model0 ( * C02IterMut_IterMut_Type.itermut_inner self)) @@ -484,8 +501,8 @@ module C02IterMut_Impl2_IntoIter goto BB0 } BB0 { - [#"../02_iter_mut.rs" 71 8 71 12] _0 <- ([#"../02_iter_mut.rs" 71 8 71 12] self); - [#"../02_iter_mut.rs" 71 8 71 12] self <- any C02IterMut_IterMut_Type.t_itermut t; + [#"../02_iter_mut.rs" 71 8 71 12] _0 <- self; + self <- any C02IterMut_IterMut_Type.t_itermut t; return _0 } 
@@ -508,12 +525,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
@@ -579,7 +602,8 @@ module C02IterMut_IterMut requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv1 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv6 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model2 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv6 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model2 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) use C02IterMut_IterMut_Type as C02IterMut_IterMut_Type predicate invariant4 [#"../02_iter_mut.rs" 20 4 20 30] (self : C02IterMut_IterMut_Type.t_itermut t) = [#"../02_iter_mut.rs" 22 20 22 64] Seq.length (shallow_model2 ( ^ C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length (shallow_model2 ( * C02IterMut_IterMut_Type.itermut_inner self)) 
@@ -623,7 +647,8 @@ module C02IterMut_IterMut requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv6 (shallow_model3 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool @@ -690,6 +715,7 @@ module C02IterMut_IterMut var _6 : borrowed (slice t); var _7 : borrowed (slice t); var _8 : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); + var _9 : Core_Ops_Range_RangeFull_Type.t_rangefull; { goto BB0 } 
@@ -697,8 +723,10 @@ module C02IterMut_IterMut [#"../02_iter_mut.rs" 79 26 79 27] _8 <- Borrow.borrow_final ( * v) (Borrow.get_id v); [#"../02_iter_mut.rs" 79 26 79 27] v <- { v with current = ( ^ _8) ; }; assume { inv0 ( ^ _8) }; - [#"../02_iter_mut.rs" 79 27 79 31] _7 <- ([#"../02_iter_mut.rs" 79 27 79 31] index_mut0 _8 ([#"../02_iter_mut.rs" 79 28 79 30] Core_Ops_Range_RangeFull_Type.C_RangeFull)); + [#"../02_iter_mut.rs" 79 28 79 30] _9 <- Core_Ops_Range_RangeFull_Type.C_RangeFull; + [#"../02_iter_mut.rs" 79 27 79 31] _7 <- ([#"../02_iter_mut.rs" 79 27 79 31] index_mut0 _8 _9); _8 <- any borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); + _9 <- any Core_Ops_Range_RangeFull_Type.t_rangefull; goto BB1 } BB1 { @@ -708,7 +736,7 @@ module C02IterMut_IterMut [#"../02_iter_mut.rs" 79 21 79 31] _5 <- Borrow.borrow_final ( * _6) (Borrow.get_id _6); [#"../02_iter_mut.rs" 79 21 79 31] _6 <- { _6 with current = ( ^ _5) ; }; assume { inv1 ( ^ _5) }; - [#"../02_iter_mut.rs" 79 4 79 33] _0 <- ([#"../02_iter_mut.rs" 79 4 79 33] C02IterMut_IterMut_Type.C_IterMut _5); + [#"../02_iter_mut.rs" 79 4 79 33] _0 <- C02IterMut_IterMut_Type.C_IterMut _5; _5 <- any borrowed (slice t); assert { [@expl:type invariant] inv2 _7 }; assume { resolve0 _7 }; 
@@ -781,7 +809,8 @@ module C02IterMut_AllZero requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant4 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv5 (shallow_model1 self) val invariant4 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -833,7 +862,8 @@ module C02IterMut_AllZero requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : slice usize . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv5 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model4 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : slice usize . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv5 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model4 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) function index_logic4 [@inline:trivial] (self : slice usize) (ix : int) : usize = [#"../../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model4 self) ix val index_logic4 [@inline:trivial] (self : slice usize) (ix : int) : usize 
@@ -850,11 +880,15 @@ module C02IterMut_AllZero requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv7 self} ensures { result = to_mut_seq0 self } - axiom to_mut_seq0_spec : forall self : borrowed (slice usize) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv8 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> ^ Seq.get (to_mut_seq0 self) i = index_logic4 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> * Seq.get (to_mut_seq0 self) i = index_logic4 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model3 self)) + axiom to_mut_seq0_spec : forall self : borrowed (slice usize) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv8 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> ^ Seq.get (to_mut_seq0 self) i = index_logic4 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 
0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> * Seq.get (to_mut_seq0 self) i = index_logic4 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model3 self)) predicate produces0 [#"../02_iter_mut.rs" 37 4 37 65] (self : C02IterMut_IterMut_Type.t_itermut usize) (visited : Seq.seq (borrowed usize)) (tl : C02IterMut_IterMut_Type.t_itermut usize) = - [#"../02_iter_mut.rs" 39 12 43 13] Seq.length (shallow_model3 (C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length visited + Seq.length (shallow_model3 (C02IterMut_IterMut_Type.itermut_inner tl)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 (C02IterMut_IterMut_Type.itermut_inner self)) -> * Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = * Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i /\ ^ Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = ^ Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i) + [#"../02_iter_mut.rs" 39 12 43 13] Seq.length (shallow_model3 (C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length visited + Seq.length (shallow_model3 (C02IterMut_IterMut_Type.itermut_inner tl)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 (C02IterMut_IterMut_Type.itermut_inner self)) + -> * Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = * Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i /\ ^ Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = ^ Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i) val produces0 [#"../02_iter_mut.rs" 37 4 37 65] (self : C02IterMut_IterMut_Type.t_itermut usize) (visited : Seq.seq (borrowed usize)) (tl : C02IterMut_IterMut_Type.t_itermut usize) : bool ensures { result = produces0 self visited tl } 
@@ -872,7 +906,14 @@ module C02IterMut_AllZero requires {[#"../02_iter_mut.rs" 57 82 57 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : C02IterMut_IterMut_Type.t_itermut usize, ab : Seq.seq (borrowed usize), b : C02IterMut_IterMut_Type.t_itermut usize, bc : Seq.seq (borrowed usize), c : C02IterMut_IterMut_Type.t_itermut usize . ([#"../02_iter_mut.rs" 54 15 54 32] produces0 a ab b) -> ([#"../02_iter_mut.rs" 55 15 55 32] produces0 b bc c) -> ([#"../02_iter_mut.rs" 57 22 57 23] inv0 a) -> ([#"../02_iter_mut.rs" 57 31 57 33] inv8 ab) -> ([#"../02_iter_mut.rs" 57 52 57 53] inv0 b) -> ([#"../02_iter_mut.rs" 57 61 57 63] inv8 bc) -> ([#"../02_iter_mut.rs" 57 82 57 83] inv0 c) -> ([#"../02_iter_mut.rs" 56 14 56 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : C02IterMut_IterMut_Type.t_itermut usize, ab : Seq.seq (borrowed usize), b : C02IterMut_IterMut_Type.t_itermut usize, bc : Seq.seq (borrowed usize), c : C02IterMut_IterMut_Type.t_itermut usize . ([#"../02_iter_mut.rs" 54 15 54 32] produces0 a ab b) + -> ([#"../02_iter_mut.rs" 55 15 55 32] produces0 b bc c) + -> ([#"../02_iter_mut.rs" 57 22 57 23] inv0 a) + -> ([#"../02_iter_mut.rs" 57 31 57 33] inv8 ab) + -> ([#"../02_iter_mut.rs" 57 52 57 53] inv0 b) + -> ([#"../02_iter_mut.rs" 57 61 57 63] inv8 bc) + -> ([#"../02_iter_mut.rs" 57 82 57 83] inv0 c) + -> ([#"../02_iter_mut.rs" 56 14 56 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../02_iter_mut.rs" 50 4 50 26] (self : C02IterMut_IterMut_Type.t_itermut usize) : () = [#"../02_iter_mut.rs" 47 4 47 10] () 
@@ -880,7 +921,8 @@ module C02IterMut_AllZero requires {[#"../02_iter_mut.rs" 50 21 50 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : C02IterMut_IterMut_Type.t_itermut usize . ([#"../02_iter_mut.rs" 50 21 50 25] inv0 self) -> ([#"../02_iter_mut.rs" 49 14 49 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : C02IterMut_IterMut_Type.t_itermut usize . ([#"../02_iter_mut.rs" 50 21 50 25] inv0 self) + -> ([#"../02_iter_mut.rs" 49 14 49 45] produces0 self (Seq.empty ) self) predicate invariant0 [#"../02_iter_mut.rs" 20 4 20 30] (self : C02IterMut_IterMut_Type.t_itermut usize) = [#"../02_iter_mut.rs" 22 20 22 64] Seq.length (shallow_model4 ( ^ C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length (shallow_model4 ( * C02IterMut_IterMut_Type.itermut_inner self)) val invariant0 [#"../02_iter_mut.rs" 20 4 20 30] (self : C02IterMut_IterMut_Type.t_itermut usize) : bool @@ -903,7 +945,7 @@ module C02IterMut_AllZero val shallow_model2 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : Seq.seq usize ensures { result = shallow_model2 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve1 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) = [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve1 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : bool 
@@ -935,17 +977,18 @@ module C02IterMut_AllZero end } ensures { [#"../02_iter_mut.rs" 63 26 63 44] inv3 result } - use prelude.Ghost - function index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq (borrowed usize))) (ix : int) : borrowed usize + use prelude.Snapshot + function index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq (borrowed usize))) (ix : int) : borrowed usize + = - [#"../../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Ghost.inner self) ix - val index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq (borrowed usize))) (ix : int) : borrowed usize + [#"../../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Snapshot.inner self) ix + val index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq (borrowed usize))) (ix : int) : borrowed usize ensures { result = index_logic0 self ix } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot val into_iter0 [#"../02_iter_mut.rs" 70 4 70 30] (self : C02IterMut_IterMut_Type.t_itermut usize) : C02IterMut_IterMut_Type.t_itermut usize requires {[#"../02_iter_mut.rs" 70 17 70 21] inv0 self} ensures { [#"../02_iter_mut.rs" 69 14 69 28] result = self } 
@@ -960,7 +1003,8 @@ module C02IterMut_AllZero let rec cfg all_zero [#"../02_iter_mut.rs" 84 0 84 35] [@cfg:stackify] [@cfg:subregion_analysis] (v : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : () ensures { [#"../02_iter_mut.rs" 82 10 82 33] Seq.length (shallow_model1 ( ^ v)) = Seq.length (shallow_model2 v) } - ensures { [#"../02_iter_mut.rs" 83 0 83 66] forall i : int . 0 <= i /\ i < Seq.length (shallow_model2 v) -> UIntSize.to_int (index_logic1 ( ^ v) i) = 0 } + ensures { [#"../02_iter_mut.rs" 83 0 83 66] forall i : int . 0 <= i /\ i < Seq.length (shallow_model2 v) + -> UIntSize.to_int (index_logic1 ( ^ v) i) = 0 } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); @@ -968,12 +1012,12 @@ module C02IterMut_AllZero var it : C02IterMut_IterMut_Type.t_itermut usize; var _5 : C02IterMut_IterMut_Type.t_itermut usize; var _6 : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)); - var iter_old : Ghost.ghost_ty (C02IterMut_IterMut_Type.t_itermut usize); - var produced : Ghost.ghost_ty (Seq.seq (borrowed usize)); + var iter_old : Snapshot.snap_ty (C02IterMut_IterMut_Type.t_itermut usize); + var produced : Snapshot.snap_ty (Seq.seq (borrowed usize)); var _15 : Core_Option_Option_Type.t_option (borrowed usize); var _16 : borrowed (C02IterMut_IterMut_Type.t_itermut usize); var x : borrowed usize; - var _19 : Ghost.ghost_ty (Seq.seq (borrowed usize)); + var _19 : Snapshot.snap_ty (Seq.seq (borrowed usize)); { goto BB0 } 
@@ -990,11 +1034,11 @@ module C02IterMut_AllZero goto BB2 } BB2 { - [#"../02_iter_mut.rs" 86 19 86 29] iter_old <- ([#"../02_iter_mut.rs" 86 19 86 29] Ghost.new it); + [#"../02_iter_mut.rs" 86 19 86 35] iter_old <- ([#"../02_iter_mut.rs" 86 19 86 35] Snapshot.new it); goto BB3 } BB3 { - [#"../02_iter_mut.rs" 87 23 87 41] produced <- ([#"../02_iter_mut.rs" 87 23 87 41] Ghost.new (Seq.empty )); + [#"../02_iter_mut.rs" 87 23 87 47] produced <- ([#"../02_iter_mut.rs" 87 23 87 47] Snapshot.new (Seq.empty )); goto BB4 } BB4 { @@ -1002,8 +1046,9 @@ module C02IterMut_AllZero } BB5 { invariant { [#"../02_iter_mut.rs" 88 16 88 23] inv0 it }; - invariant { [#"../02_iter_mut.rs" 89 16 89 55] produces0 (Ghost.inner iter_old) (Ghost.inner produced) it }; - invariant { [#"../02_iter_mut.rs" 88 4 88 25] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner produced) -> UIntSize.to_int ( ^ index_logic0 produced i) = 0 }; + invariant { [#"../02_iter_mut.rs" 89 16 89 55] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) it }; + invariant { [#"../02_iter_mut.rs" 88 4 88 25] forall i : int . 0 <= i /\ i < Seq.length (Snapshot.inner produced) + -> UIntSize.to_int ( ^ index_logic0 produced i) = 0 }; goto BB6 } BB6 { 
@@ -1034,15 +1079,15 @@ module C02IterMut_AllZero absurd } BB11 { - [#"../02_iter_mut.rs" 93 17 93 18] x <- ([#"../02_iter_mut.rs" 93 17 93 18] Core_Option_Option_Type.some_0 _15); - [#"../02_iter_mut.rs" 93 17 93 18] _15 <- (let Core_Option_Option_Type.C_Some x0 = _15 in Core_Option_Option_Type.C_Some (any borrowed usize)); - [#"../02_iter_mut.rs" 94 27 94 69] _19 <- ([#"../02_iter_mut.rs" 94 27 94 69] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton x))); + [#"../02_iter_mut.rs" 93 17 93 18] x <- Core_Option_Option_Type.some_0 _15; + _15 <- (let Core_Option_Option_Type.C_Some x0 = _15 in Core_Option_Option_Type.C_Some (any borrowed usize)); + [#"../02_iter_mut.rs" 94 27 94 75] _19 <- ([#"../02_iter_mut.rs" 94 27 94 75] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton x))); goto BB12 } BB12 { - [#"../02_iter_mut.rs" 94 16 94 69] produced <- ([#"../02_iter_mut.rs" 94 16 94 69] _19); - [#"../02_iter_mut.rs" 94 16 94 69] _19 <- any Ghost.ghost_ty (Seq.seq (borrowed usize)); - [#"../02_iter_mut.rs" 95 16 95 22] x <- { x with current = ([#"../02_iter_mut.rs" 95 16 95 22] [#"../02_iter_mut.rs" 95 21 95 22] (0 : usize)) ; }; + [#"../02_iter_mut.rs" 94 16 94 75] produced <- _19; + _19 <- any Snapshot.snap_ty (Seq.seq (borrowed usize)); + [#"../02_iter_mut.rs" 95 16 95 22] x <- { x with current = ([#"../02_iter_mut.rs" 95 21 95 22] (0 : usize)) ; }; assume { resolve0 x }; goto BB5 } 
@@ -1104,7 +1149,8 @@ module C02IterMut_Impl1 requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv5 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv6 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv6 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) use C02IterMut_IterMut_Type as C02IterMut_IterMut_Type predicate invariant2 [#"../02_iter_mut.rs" 20 4 20 30] (self : C02IterMut_IterMut_Type.t_itermut t) = [#"../02_iter_mut.rs" 22 20 22 64] Seq.length (shallow_model1 ( ^ C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length (shallow_model1 ( * C02IterMut_IterMut_Type.itermut_inner self)) 
@@ -1158,11 +1204,15 @@ module C02IterMut_Impl1 requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv4 self} ensures { result = to_mut_seq0 self } - axiom to_mut_seq0_spec : forall self : borrowed (slice t) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv3 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> ^ Seq.get (to_mut_seq0 self) i = index_logic1 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> * Seq.get (to_mut_seq0 self) i = index_logic1 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model0 self)) + axiom to_mut_seq0_spec : forall self : borrowed (slice t) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv3 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> ^ Seq.get (to_mut_seq0 self) i = index_logic1 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 
0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> * Seq.get (to_mut_seq0 self) i = index_logic1 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model0 self)) predicate produces0 [#"../02_iter_mut.rs" 37 4 37 65] (self : C02IterMut_IterMut_Type.t_itermut t) (visited : Seq.seq (borrowed t)) (tl : C02IterMut_IterMut_Type.t_itermut t) = - [#"../02_iter_mut.rs" 39 12 43 13] Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length visited + Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner tl)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) -> * Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = * Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i /\ ^ Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = ^ Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i) + [#"../02_iter_mut.rs" 39 12 43 13] Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) = Seq.length visited + Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner tl)) /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 (C02IterMut_IterMut_Type.itermut_inner self)) + -> * Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = * Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i /\ ^ Seq.get (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner self)) i = ^ Seq.get (Seq.(++) visited (to_mut_seq0 (C02IterMut_IterMut_Type.itermut_inner tl))) i) val produces0 [#"../02_iter_mut.rs" 37 4 37 65] (self : C02IterMut_IterMut_Type.t_itermut t) (visited : Seq.seq (borrowed t)) (tl : C02IterMut_IterMut_Type.t_itermut t) : bool ensures { result = produces0 self visited tl } 
@@ -1179,13 +1229,18 @@ module C02IterMut_Impl1 val completed0 [#"../02_iter_mut.rs" 31 4 31 35] (self : borrowed (C02IterMut_IterMut_Type.t_itermut t)) : bool ensures { result = completed0 self } - goal next_refn : [#"../02_iter_mut.rs" 63 4 63 44] forall self : borrowed (C02IterMut_IterMut_Type.t_itermut t) . inv0 self -> inv0 self /\ (forall result : Core_Option_Option_Type.t_option (borrowed t) . inv1 result /\ match result with + goal next_refn : [#"../02_iter_mut.rs" 63 4 63 44] forall self : borrowed (C02IterMut_IterMut_Type.t_itermut t) . inv0 self + -> inv0 self /\ (forall result : Core_Option_Option_Type.t_option (borrowed t) . inv1 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv1 result /\ match result with + end + -> inv1 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) - goal produces_refl_refn : [#"../02_iter_mut.rs" 50 4 50 26] forall self : C02IterMut_IterMut_Type.t_itermut t . inv2 self -> inv2 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal produces_trans_refn : [#"../02_iter_mut.rs" 57 4 57 90] forall a : C02IterMut_IterMut_Type.t_itermut t . forall ab : Seq.seq (borrowed t) . forall b : C02IterMut_IterMut_Type.t_itermut t . forall bc : Seq.seq (borrowed t) . forall c : C02IterMut_IterMut_Type.t_itermut t . inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b -> inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) + goal produces_refl_refn : [#"../02_iter_mut.rs" 50 4 50 26] forall self : C02IterMut_IterMut_Type.t_itermut t . inv2 self + -> inv2 self /\ (forall result : () . 
produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal produces_trans_refn : [#"../02_iter_mut.rs" 57 4 57 90] forall a : C02IterMut_IterMut_Type.t_itermut t . forall ab : Seq.seq (borrowed t) . forall b : C02IterMut_IterMut_Type.t_itermut t . forall bc : Seq.seq (borrowed t) . forall c : C02IterMut_IterMut_Type.t_itermut t . inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b + -> inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) end diff --git a/creusot/tests/should_succeed/iterators/02_iter_mut.rs b/creusot/tests/should_succeed/iterators/02_iter_mut.rs index c83d4a7a44..42e717ee55 100644 --- a/creusot/tests/should_succeed/iterators/02_iter_mut.rs +++ b/creusot/tests/should_succeed/iterators/02_iter_mut.rs @@ -16,7 +16,7 @@ struct IterMut<'a, T> { impl<'a, T> Invariant for IterMut<'a, T> { #[open] - #[predicate] + #[predicate(prophetic)] fn invariant(self) -> bool { // Property that is always true but we must carry around.. pearlite! { (^self.inner)@.len() == (*self.inner)@.len() } @@ -27,13 +27,13 @@ impl<'a, T> Iterator for IterMut<'a, T> { type Item = &'a mut T; #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { self.inner.resolve() && self.inner@.ext_eq(Seq::EMPTY) } } #[open] - #[predicate] + #[predicate(prophetic)] fn produces(self, visited: Seq, tl: Self) -> bool { pearlite! { self.inner@.len() == visited.len() + tl.inner@.len() && 
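Review bot: The switch to `#[predicate(prophetic)]` on `invariant`, `completed` and `produces` in both hunks of 02_iter_mut.rs is not explained anywhere in the file, and this test also serves as an example of the attribute. A one-line comment above the first use, e.g. `// prophetic: the body refers to the final value (^self.inner)`, would tell a reader why a plain `#[predicate]` no longer suffices; for `completed` the reason is presumably `self.inner.resolve()`, which I take to be prophetic as well, but that is worth confirming. The body of `produces` runs past the end of this chunk, so only part of it is visible here.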
@@ -83,15 +83,15 @@ fn iter_mut<'a, T>(v: &'a mut Vec) -> IterMut<'a, T> {
 #[ensures(forall 0 <= i && i < v@.len() ==> (^v)[i]@ == 0)]
 pub fn all_zero(v: &mut Vec) {
     let mut it = iter_mut(v).into_iter();
-    let iter_old = gh! { it };
-    let mut produced = gh! { Seq::EMPTY };
+    let iter_old = snapshot! { it };
+    let mut produced = snapshot! { Seq::EMPTY };
     #[invariant(inv(it))]
     #[invariant(iter_old.produces(produced.inner(), it))]
     #[invariant(forall 0 <= i && i < produced.len() ==> (^produced[i])@ == 0)]
     loop {
         match it.next() {
             Some(x) => {
-                produced = gh! { produced.concat(Seq::singleton(x)) };
+                produced = snapshot! { produced.concat(Seq::singleton(x)) };
                 *x = 0;
             }
             None => break,
diff --git a/creusot/tests/should_succeed/iterators/02_iter_mut/why3session.xml b/creusot/tests/should_succeed/iterators/02_iter_mut/why3session.xml
index 6f3549b5ea..427502c37f 100644
--- a/creusot/tests/should_succeed/iterators/02_iter_mut/why3session.xml
+++ b/creusot/tests/should_succeed/iterators/02_iter_mut/why3session.xml
@@ -2,32 +2,31 @@ - - - + + - + - + - + - - + + - - + + - - + +
@@ -68,7 +67,7 @@ - +
@@ -96,16 +95,16 @@ - + - + - +
diff --git a/creusot/tests/should_succeed/iterators/02_iter_mut/why3shapes.gz b/creusot/tests/should_succeed/iterators/02_iter_mut/why3shapes.gz
index e10052c84d..a8943ec229 100644
Binary files a/creusot/tests/should_succeed/iterators/02_iter_mut/why3shapes.gz and b/creusot/tests/should_succeed/iterators/02_iter_mut/why3shapes.gz differ
diff --git a/creusot/tests/should_succeed/iterators/03_std_iterators.mlcfg b/creusot/tests/should_succeed/iterators/03_std_iterators.mlcfg
index 4cd4c81fe2..fe20388f12 100644
--- a/creusot/tests/should_succeed/iterators/03_std_iterators.mlcfg
+++ b/creusot/tests/should_succeed/iterators/03_std_iterators.mlcfg
@@ -96,7 +96,8 @@ module C03StdIterators_SliceIter requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv7 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model3 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv7 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model3 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) function index_logic1 [@inline:trivial] (self : slice t) (ix : int) : t = [#"../../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model3 self) ix val index_logic1 [@inline:trivial] (self : slice t) (ix : int) : t @@ -104,7 +105,7 @@ module C03StdIterators_SliceIter use seq.Seq function shallow_model1 (self : slice t) : Seq.seq t = - [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model3 self + [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model3 self val shallow_model1 (self : slice t) : Seq.seq t ensures { result = shallow_model1 self } 
@@ -118,7 +119,9 @@ module C03StdIterators_SliceIter requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv0 self} ensures { result = to_ref_seq0 self } - axiom to_ref_seq0_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv5 (to_ref_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) -> Seq.get (to_ref_seq0 self) i = index_logic1 self i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model1 self)) + axiom to_ref_seq0_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv5 (to_ref_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) + -> Seq.get (to_ref_seq0 self) i = index_logic1 self i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model1 self)) function shallow_model2 (self : Core_Slice_Iter_Iter_Type.t_iter t) : slice t val shallow_model2 (self : Core_Slice_Iter_Iter_Type.t_iter t) : slice t ensures { result = shallow_model2 self } 
@@ -141,7 +144,11 @@ module C03StdIterators_SliceIter requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv5 bc} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter t, ab : Seq.seq t, b : Core_Slice_Iter_Iter_Type.t_iter t, bc : Seq.seq t, c : Core_Slice_Iter_Iter_Type.t_iter t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv5 ab) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv5 bc) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter t, ab : Seq.seq t, b : Core_Slice_Iter_Iter_Type.t_iter t, bc : Seq.seq t, c : Core_Slice_Iter_Iter_Type.t_iter t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv5 ab) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv5 bc) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Slice_Iter_Iter_Type.t_iter t) : () = [#"../../../../../creusot-contracts/src/std/slice.rs" 390 4 390 10] () 
@@ -158,16 +165,16 @@ module C03StdIterators_SliceIter ensures { result = inv2 _x } axiom inv2 : forall x : Core_Slice_Iter_Iter_Type.t_iter t . inv2 x = true - use prelude.Ghost - predicate invariant1 (self : Ghost.ghost_ty (Seq.seq t)) - val invariant1 (self : Ghost.ghost_ty (Seq.seq t)) : bool + use prelude.Snapshot + predicate invariant1 (self : Snapshot.snap_ty (Seq.seq t)) + val invariant1 (self : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = invariant1 self } - predicate inv1 (_x : Ghost.ghost_ty (Seq.seq t)) - val inv1 (_x : Ghost.ghost_ty (Seq.seq t)) : bool + predicate inv1 (_x : Snapshot.snap_ty (Seq.seq t)) + val inv1 (_x : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = inv1 _x } - axiom inv1 : forall x : Ghost.ghost_ty (Seq.seq t) . inv1 x = true + axiom inv1 : forall x : Snapshot.snap_ty (Seq.seq t) . inv1 x = true predicate invariant0 (self : slice t) val invariant0 (self : slice t) : bool ensures { result = invariant0 self } @@ -187,13 +194,13 @@ module C03StdIterators_SliceIter ensures { result = resolve4 self } predicate resolve3 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter t)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve3 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter t)) : bool ensures { result = resolve3 self } use seq.Seq function shallow_model4 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter t)) : slice t = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model2 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model2 ( * self) val shallow_model4 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter t)) : slice t ensures { result = shallow_model4 self } 
@@ -209,19 +216,19 @@ module C03StdIterators_SliceIter end } ensures { inv3 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - predicate resolve2 (self : Ghost.ghost_ty (Seq.seq t)) - val resolve2 (self : Ghost.ghost_ty (Seq.seq t)) : bool + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + predicate resolve2 (self : Snapshot.snap_ty (Seq.seq t)) + val resolve2 (self : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = resolve2 self } - use prelude.Ghost - predicate resolve1 (self : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter t)) - val resolve1 (self : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter t)) : bool + use prelude.Snapshot + predicate resolve1 (self : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter t)) + val resolve1 (self : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter t)) : bool ensures { result = resolve1 self } - use prelude.Ghost + use prelude.Snapshot predicate into_iter_post0 (self : Core_Slice_Iter_Iter_Type.t_iter t) (res : Core_Slice_Iter_Iter_Type.t_iter t) = [#"../../../../../creusot-contracts/src/std/iter.rs" 80 8 80 19] self = res val into_iter_post0 (self : Core_Slice_Iter_Iter_Type.t_iter t) (res : Core_Slice_Iter_Iter_Type.t_iter t) : bool 
@@ -257,21 +264,21 @@ module C03StdIterators_SliceIter var i : usize; var iter : Core_Slice_Iter_Iter_Type.t_iter t; var _7 : Core_Slice_Iter_Iter_Type.t_iter t; - var iter_old : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter t); - var produced : Ghost.ghost_ty (Seq.seq t); + var iter_old : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter t); + var produced : Snapshot.snap_ty (Seq.seq t); var _17 : Core_Option_Option_Type.t_option t; var _18 : borrowed (Core_Slice_Iter_Iter_Type.t_iter t); var _19 : borrowed (Core_Slice_Iter_Iter_Type.t_iter t); var __creusot_proc_iter_elem : t; - var _22 : Ghost.ghost_ty (Seq.seq t); + var _22 : Snapshot.snap_ty (Seq.seq t); { goto BB0 } BB0 { - [#"../03_std_iterators.rs" 7 16 7 17] i <- ([#"../03_std_iterators.rs" 7 16 7 17] [#"../03_std_iterators.rs" 7 16 7 17] (0 : usize)); + [#"../03_std_iterators.rs" 7 16 7 17] i <- ([#"../03_std_iterators.rs" 7 16 7 17] (0 : usize)); assert { [@expl:type invariant] inv0 slice }; assume { resolve0 slice }; - [#"../03_std_iterators.rs" 9 13 9 25] _7 <- ([#"../03_std_iterators.rs" 9 13 9 25] iter0 ([#"../03_std_iterators.rs" 9 13 9 18] slice)); + [#"../03_std_iterators.rs" 9 13 9 25] _7 <- ([#"../03_std_iterators.rs" 9 13 9 25] iter0 slice); goto BB1 } BB1 { @@ -280,12 +287,12 @@ module C03StdIterators_SliceIter goto BB2 } BB2 { - [#"../03_std_iterators.rs" 8 4 8 38] iter_old <- ([#"../03_std_iterators.rs" 8 4 8 38] Ghost.new iter); + [#"../03_std_iterators.rs" 8 4 8 38] iter_old <- ([#"../03_std_iterators.rs" 8 4 8 38] Snapshot.new iter); goto BB3 } BB3 { assume { resolve1 iter_old }; - [#"../03_std_iterators.rs" 8 4 8 38] produced <- ([#"../03_std_iterators.rs" 8 4 8 38] Ghost.new (Seq.empty )); + [#"../03_std_iterators.rs" 8 4 8 38] produced <- ([#"../03_std_iterators.rs" 8 4 8 38] Snapshot.new (Seq.empty )); goto BB4 } BB4 { 
@@ -295,8 +302,8 @@ module C03StdIterators_SliceIter } BB5 { invariant { [#"../03_std_iterators.rs" 8 4 8 38] inv2 iter }; - invariant { [#"../03_std_iterators.rs" 8 4 8 38] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../03_std_iterators.rs" 8 16 8 36] UIntSize.to_int i = Seq.length (Ghost.inner produced) }; + invariant { [#"../03_std_iterators.rs" 8 4 8 38] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../03_std_iterators.rs" 8 16 8 36] UIntSize.to_int i = Seq.length (Snapshot.inner produced) }; goto BB6 } BB6 { 
@@ -319,34 +326,34 @@ module C03StdIterators_SliceIter assert { [@expl:type invariant] inv3 _17 }; assume { resolve4 _17 }; assume { resolve6 iter }; - [#"../03_std_iterators.rs" 12 4 12 5] _0 <- ([#"../03_std_iterators.rs" 12 4 12 5] i); + [#"../03_std_iterators.rs" 12 4 12 5] _0 <- i; return _0 } BB9 { goto BB11 } BB10 { + assume { resolve6 iter }; assert { [@expl:type invariant] inv3 _17 }; assume { resolve4 _17 }; - assume { resolve6 iter }; assert { [#"../03_std_iterators.rs" 8 4 8 38] false }; absurd } BB11 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _17); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _17; assert { [@expl:type invariant] inv3 _17 }; assume { resolve4 _17 }; - [#"../03_std_iterators.rs" 8 4 8 38] _22 <- ([#"../03_std_iterators.rs" 8 4 8 38] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../03_std_iterators.rs" 8 4 8 38] _22 <- ([#"../03_std_iterators.rs" 8 4 8 38] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB12 } BB12 { - [#"../03_std_iterators.rs" 8 4 8 38] produced <- ([#"../03_std_iterators.rs" 8 4 8 38] _22); - [#"../03_std_iterators.rs" 8 4 8 38] _22 <- any Ghost.ghost_ty (Seq.seq t); + [#"../03_std_iterators.rs" 8 4 8 38] produced <- _22; + _22 <- any Snapshot.snap_ty (Seq.seq t); assert { [@expl:type invariant] inv1 produced }; assume { resolve2 produced }; assert { [@expl:type invariant] inv4 __creusot_proc_iter_elem }; assume { resolve5 __creusot_proc_iter_elem }; - [#"../03_std_iterators.rs" 10 8 10 14] i <- ([#"../03_std_iterators.rs" 10 8 10 14] i + ([#"../03_std_iterators.rs" 10 13 10 14] [#"../03_std_iterators.rs" 10 13 10 14] (1 : usize))); + [#"../03_std_iterators.rs" 10 8 10 14] i <- i + 
([#"../03_std_iterators.rs" 10 13 10 14] (1 : usize)); goto BB5 } @@ -358,12 +365,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type @@ -418,7 +431,8 @@ module C03StdIterators_VecIter requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant7 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv8 (shallow_model3 self) val invariant7 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -472,7 +486,8 @@ module C03StdIterators_VecIter requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv9 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv9 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv8 (shallow_model6 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv9 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv8 (shallow_model6 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) function index_logic1 [@inline:trivial] (self : slice t) (ix : int) : t = [#"../../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model6 self) ix val index_logic1 [@inline:trivial] (self : slice t) (ix : int) : t @@ -480,7 +495,7 @@ module C03StdIterators_VecIter use seq.Seq function shallow_model4 (self : slice t) : Seq.seq t = - [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model6 self + [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model6 self val shallow_model4 (self : slice t) : Seq.seq t ensures { result = shallow_model4 self } 
@@ -490,7 +505,9 @@ module C03StdIterators_VecIter requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv6 self} ensures { result = to_ref_seq0 self } - axiom to_ref_seq0_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv5 (to_ref_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) -> Seq.get (to_ref_seq0 self) i = index_logic1 self i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model4 self)) + axiom to_ref_seq0_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv5 (to_ref_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) + -> Seq.get (to_ref_seq0 self) i = index_logic1 self i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model4 self)) function shallow_model2 (self : Core_Slice_Iter_Iter_Type.t_iter t) : slice t val shallow_model2 (self : Core_Slice_Iter_Iter_Type.t_iter t) : slice t ensures { result = shallow_model2 self } 
@@ -513,7 +530,11 @@ module C03StdIterators_VecIter requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv5 bc} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter t, ab : Seq.seq t, b : Core_Slice_Iter_Iter_Type.t_iter t, bc : Seq.seq t, c : Core_Slice_Iter_Iter_Type.t_iter t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv5 ab) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv5 bc) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter t, ab : Seq.seq t, b : Core_Slice_Iter_Iter_Type.t_iter t, bc : Seq.seq t, c : Core_Slice_Iter_Iter_Type.t_iter t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv5 ab) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv5 bc) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Slice_Iter_Iter_Type.t_iter t) : () = [#"../../../../../creusot-contracts/src/std/slice.rs" 390 4 390 10] () 
@@ -530,16 +551,16 @@ module C03StdIterators_VecIter ensures { result = inv2 _x } axiom inv2 : forall x : Core_Slice_Iter_Iter_Type.t_iter t . inv2 x = true - use prelude.Ghost - predicate invariant1 (self : Ghost.ghost_ty (Seq.seq t)) - val invariant1 (self : Ghost.ghost_ty (Seq.seq t)) : bool + use prelude.Snapshot + predicate invariant1 (self : Snapshot.snap_ty (Seq.seq t)) + val invariant1 (self : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = invariant1 self } - predicate inv1 (_x : Ghost.ghost_ty (Seq.seq t)) - val inv1 (_x : Ghost.ghost_ty (Seq.seq t)) : bool + predicate inv1 (_x : Snapshot.snap_ty (Seq.seq t)) + val inv1 (_x : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = inv1 _x } - axiom inv1 : forall x : Ghost.ghost_ty (Seq.seq t) . inv1 x = true + axiom inv1 : forall x : Snapshot.snap_ty (Seq.seq t) . inv1 x = true predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = invariant0 self } @@ -550,7 +571,7 @@ module C03StdIterators_VecIter axiom inv0 : forall x : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . inv0 x = true function shallow_model1 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : Seq.seq t = - [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model3 self + [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model3 self val shallow_model1 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : Seq.seq t ensures { result = shallow_model1 self } 
@@ -568,13 +589,13 @@ module C03StdIterators_VecIter ensures { result = resolve4 self } predicate resolve3 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter t)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve3 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter t)) : bool ensures { result = resolve3 self } use seq.Seq function shallow_model5 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter t)) : slice t = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model2 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model2 ( * self) val shallow_model5 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter t)) : slice t ensures { result = shallow_model5 self } @@ -590,19 +611,19 @@ module C03StdIterators_VecIter end } ensures { inv3 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - predicate resolve2 (self : Ghost.ghost_ty (Seq.seq t)) - val resolve2 (self : Ghost.ghost_ty (Seq.seq t)) : bool + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + predicate resolve2 (self : Snapshot.snap_ty (Seq.seq t)) + val resolve2 (self : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = resolve2 self } - use prelude.Ghost - predicate resolve1 (self : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter t)) - val resolve1 (self : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter t)) : bool + use prelude.Snapshot + predicate resolve1 (self : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter t)) + val resolve1 (self : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter t)) : bool ensures { result = resolve1 self } - use prelude.Ghost + use prelude.Snapshot predicate into_iter_post0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) (res : Core_Slice_Iter_Iter_Type.t_iter t) = 
@@ -634,30 +655,30 @@ module C03StdIterators_VecIter var vec : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) = vec; var i : usize; var iter : Core_Slice_Iter_Iter_Type.t_iter t; - var iter_old : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter t); - var produced : Ghost.ghost_ty (Seq.seq t); + var iter_old : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter t); + var produced : Snapshot.snap_ty (Seq.seq t); var _16 : Core_Option_Option_Type.t_option t; var _17 : borrowed (Core_Slice_Iter_Iter_Type.t_iter t); var _18 : borrowed (Core_Slice_Iter_Iter_Type.t_iter t); var __creusot_proc_iter_elem : t; - var _21 : Ghost.ghost_ty (Seq.seq t); + var _21 : Snapshot.snap_ty (Seq.seq t); { goto BB0 } BB0 { - [#"../03_std_iterators.rs" 18 16 18 17] i <- ([#"../03_std_iterators.rs" 18 16 18 17] [#"../03_std_iterators.rs" 18 16 18 17] (0 : usize)); + [#"../03_std_iterators.rs" 18 16 18 17] i <- ([#"../03_std_iterators.rs" 18 16 18 17] (0 : usize)); assert { [@expl:type invariant] inv0 vec }; assume { resolve0 vec }; - [#"../03_std_iterators.rs" 19 4 19 38] iter <- ([#"../03_std_iterators.rs" 19 4 19 38] into_iter0 ([#"../03_std_iterators.rs" 20 13 20 16] vec)); + [#"../03_std_iterators.rs" 19 4 19 38] iter <- ([#"../03_std_iterators.rs" 19 4 19 38] into_iter0 vec); goto BB1 } BB1 { - [#"../03_std_iterators.rs" 19 4 19 38] iter_old <- ([#"../03_std_iterators.rs" 19 4 19 38] Ghost.new iter); + [#"../03_std_iterators.rs" 19 4 19 38] iter_old <- ([#"../03_std_iterators.rs" 19 4 19 38] Snapshot.new iter); goto BB2 } BB2 { assume { resolve1 iter_old }; - [#"../03_std_iterators.rs" 19 4 19 38] produced <- ([#"../03_std_iterators.rs" 19 4 19 38] Ghost.new (Seq.empty )); + [#"../03_std_iterators.rs" 19 4 19 38] produced <- ([#"../03_std_iterators.rs" 19 4 19 38] Snapshot.new (Seq.empty )); goto BB3 } BB3 { 
@@ -667,8 +688,8 @@ module C03StdIterators_VecIter } BB4 { invariant { [#"../03_std_iterators.rs" 19 4 19 38] inv2 iter }; - invariant { [#"../03_std_iterators.rs" 19 4 19 38] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../03_std_iterators.rs" 19 16 19 36] UIntSize.to_int i = Seq.length (Ghost.inner produced) }; + invariant { [#"../03_std_iterators.rs" 19 4 19 38] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../03_std_iterators.rs" 19 16 19 36] UIntSize.to_int i = Seq.length (Snapshot.inner produced) }; goto BB5 } BB5 { 
@@ -691,34 +712,34 @@ module C03StdIterators_VecIter assert { [@expl:type invariant] inv3 _16 }; assume { resolve4 _16 }; assume { resolve6 iter }; - [#"../03_std_iterators.rs" 23 4 23 5] _0 <- ([#"../03_std_iterators.rs" 23 4 23 5] i); + [#"../03_std_iterators.rs" 23 4 23 5] _0 <- i; return _0 } BB8 { goto BB10 } BB9 { + assume { resolve6 iter }; assert { [@expl:type invariant] inv3 _16 }; assume { resolve4 _16 }; - assume { resolve6 iter }; assert { [#"../03_std_iterators.rs" 19 4 19 38] false }; absurd } BB10 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _16); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _16; assert { [@expl:type invariant] inv3 _16 }; assume { resolve4 _16 }; - [#"../03_std_iterators.rs" 19 4 19 38] _21 <- ([#"../03_std_iterators.rs" 19 4 19 38] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../03_std_iterators.rs" 19 4 19 38] _21 <- ([#"../03_std_iterators.rs" 19 4 19 38] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB11 } BB11 { - [#"../03_std_iterators.rs" 19 4 19 38] produced <- ([#"../03_std_iterators.rs" 19 4 19 38] _21); - [#"../03_std_iterators.rs" 19 4 19 38] _21 <- any Ghost.ghost_ty (Seq.seq t); + [#"../03_std_iterators.rs" 19 4 19 38] produced <- _21; + _21 <- any Snapshot.snap_ty (Seq.seq t); assert { [@expl:type invariant] inv1 produced }; assume { resolve2 produced }; assert { [@expl:type invariant] inv4 __creusot_proc_iter_elem }; assume { resolve5 __creusot_proc_iter_elem }; - [#"../03_std_iterators.rs" 21 8 21 14] i <- ([#"../03_std_iterators.rs" 21 8 21 14] i + ([#"../03_std_iterators.rs" 21 13 21 14] [#"../03_std_iterators.rs" 21 13 21 14] (1 : usize))); + [#"../03_std_iterators.rs" 21 8 21 14] i 
<- i + ([#"../03_std_iterators.rs" 21 13 21 14] (1 : usize)); goto BB4 } @@ -783,7 +804,8 @@ module C03StdIterators_AllZero requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant4 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv5 (shallow_model1 self) val invariant4 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -830,7 +852,8 @@ module C03StdIterators_AllZero requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : slice usize . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv5 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model4 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : slice usize . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv5 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model4 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) function index_logic4 [@inline:trivial] (self : slice usize) (ix : int) : usize = [#"../../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model4 self) ix val index_logic4 [@inline:trivial] (self : slice usize) (ix : int) : usize @@ -838,7 +861,7 @@ module C03StdIterators_AllZero use seq.Seq function shallow_model3 (self : borrowed (slice usize)) : Seq.seq usize = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model4 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model4 ( * self) val shallow_model3 (self : borrowed (slice usize)) : Seq.seq usize ensures { result = shallow_model3 self } 
@@ -848,7 +871,10 @@ module C03StdIterators_AllZero requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv2 self} ensures { result = to_mut_seq0 self } - axiom to_mut_seq0_spec : forall self : borrowed (slice usize) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv7 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> ^ Seq.get (to_mut_seq0 self) i = index_logic4 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) -> * Seq.get (to_mut_seq0 self) i = index_logic4 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model3 self)) + axiom to_mut_seq0_spec : forall self : borrowed (slice usize) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 23 82 27] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 82 4 82 43] inv7 (to_mut_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 81 4 81 85] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> ^ Seq.get (to_mut_seq0 self) i = index_logic4 ( ^ self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 80 4 80 82] forall i : int . 0 <= i /\ i < Seq.length (to_mut_seq0 self) + -> * Seq.get (to_mut_seq0 self) i = index_logic4 ( * self) i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 79 14 79 41] Seq.length (to_mut_seq0 self) = Seq.length (shallow_model3 self)) function shallow_model5 (self : Core_Slice_Iter_IterMut_Type.t_itermut usize) : borrowed (slice usize) val shallow_model5 (self : Core_Slice_Iter_IterMut_Type.t_itermut usize) : borrowed (slice usize) ensures { result = shallow_model5 self } 
@@ -872,7 +898,11 @@ module C03StdIterators_AllZero requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 449 61 449 63] inv7 bc} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Slice_Iter_IterMut_Type.t_itermut usize, ab : Seq.seq (borrowed usize), b : Core_Slice_Iter_IterMut_Type.t_itermut usize, bc : Seq.seq (borrowed usize), c : Core_Slice_Iter_IterMut_Type.t_itermut usize . ([#"../../../../../creusot-contracts/src/std/slice.rs" 446 15 446 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 447 15 447 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 449 31 449 33] inv7 ab) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 449 61 449 63] inv7 bc) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 448 14 448 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Slice_Iter_IterMut_Type.t_itermut usize, ab : Seq.seq (borrowed usize), b : Core_Slice_Iter_IterMut_Type.t_itermut usize, bc : Seq.seq (borrowed usize), c : Core_Slice_Iter_IterMut_Type.t_itermut usize . ([#"../../../../../creusot-contracts/src/std/slice.rs" 446 15 446 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 447 15 447 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 449 31 449 33] inv7 ab) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 449 61 449 63] inv7 bc) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 448 14 448 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Slice_Iter_IterMut_Type.t_itermut usize) : () = [#"../../../../../creusot-contracts/src/std/slice.rs" 439 4 439 10] () 
@@ -900,13 +930,13 @@ module C03StdIterators_AllZero function shallow_model2 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : Seq.seq usize = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model1 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model1 ( * self) val shallow_model2 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : Seq.seq usize ensures { result = shallow_model2 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve4 self } 
@@ -916,19 +946,19 @@ module C03StdIterators_AllZero ensures { result = resolve3 self } predicate resolve2 (self : borrowed usize) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed usize) : bool ensures { result = resolve2 self } use seq.Seq predicate resolve1 (self : borrowed (Core_Slice_Iter_IterMut_Type.t_itermut usize)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed (Core_Slice_Iter_IterMut_Type.t_itermut usize)) : bool ensures { result = resolve1 self } use seq.Seq function shallow_model6 (self : borrowed (Core_Slice_Iter_IterMut_Type.t_itermut usize)) : borrowed (slice usize) = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model5 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model5 ( * self) val shallow_model6 (self : borrowed (Core_Slice_Iter_IterMut_Type.t_itermut usize)) : borrowed (slice usize) ensures { result = shallow_model6 self } 
@@ -944,19 +974,20 @@ module C03StdIterators_AllZero end } ensures { inv3 result } - use prelude.Ghost - function index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq (borrowed usize))) (ix : int) : borrowed usize + use prelude.Snapshot + function index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq (borrowed usize))) (ix : int) : borrowed usize + = - [#"../../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Ghost.inner self) ix - val index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq (borrowed usize))) (ix : int) : borrowed usize + [#"../../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Snapshot.inner self) ix + val index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq (borrowed usize))) (ix : int) : borrowed usize ensures { result = index_logic0 self ix } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate resolve0 (self : borrowed (slice usize)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (slice usize)) : bool ensures { result = resolve0 self } 
@@ -990,7 +1021,8 @@ module C03StdIterators_AllZero let rec cfg all_zero [#"../03_std_iterators.rs" 28 0 28 35] [@cfg:stackify] [@cfg:subregion_analysis] (v : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : () ensures { [#"../03_std_iterators.rs" 26 10 26 33] Seq.length (shallow_model1 ( ^ v)) = Seq.length (shallow_model2 v) } - ensures { [#"../03_std_iterators.rs" 27 0 27 66] forall i : int . 0 <= i /\ i < Seq.length (shallow_model2 v) -> UIntSize.to_int (index_logic1 ( ^ v) i) = 0 } + ensures { [#"../03_std_iterators.rs" 27 0 27 66] forall i : int . 0 <= i /\ i < Seq.length (shallow_model2 v) + -> UIntSize.to_int (index_logic1 ( ^ v) i) = 0 } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); @@ -1000,13 +1032,13 @@ module C03StdIterators_AllZero var _6 : borrowed (slice usize); var _7 : borrowed (slice usize); var _8 : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)); - var iter_old : Ghost.ghost_ty (Core_Slice_Iter_IterMut_Type.t_itermut usize); - var produced : Ghost.ghost_ty (Seq.seq (borrowed usize)); + var iter_old : Snapshot.snap_ty (Core_Slice_Iter_IterMut_Type.t_itermut usize); + var produced : Snapshot.snap_ty (Seq.seq (borrowed usize)); var _17 : Core_Option_Option_Type.t_option (borrowed usize); var _18 : borrowed (Core_Slice_Iter_IterMut_Type.t_itermut usize); var _19 : borrowed (Core_Slice_Iter_IterMut_Type.t_itermut usize); var __creusot_proc_iter_elem : borrowed usize; - var _22 : Ghost.ghost_ty (Seq.seq (borrowed usize)); + var _22 : Snapshot.snap_ty (Seq.seq (borrowed usize)); var x : borrowed usize; { goto BB0 
@@ -1032,11 +1064,11 @@ module C03StdIterators_AllZero } BB3 { assume { resolve0 _7 }; - [#"../03_std_iterators.rs" 29 4 29 87] iter_old <- ([#"../03_std_iterators.rs" 29 4 29 87] Ghost.new iter); + [#"../03_std_iterators.rs" 29 4 29 87] iter_old <- ([#"../03_std_iterators.rs" 29 4 29 87] Snapshot.new iter); goto BB4 } BB4 { - [#"../03_std_iterators.rs" 29 4 29 87] produced <- ([#"../03_std_iterators.rs" 29 4 29 87] Ghost.new (Seq.empty )); + [#"../03_std_iterators.rs" 29 4 29 87] produced <- ([#"../03_std_iterators.rs" 29 4 29 87] Snapshot.new (Seq.empty )); goto BB5 } BB5 { @@ -1044,8 +1076,9 @@ module C03StdIterators_AllZero } BB6 { invariant { [#"../03_std_iterators.rs" 29 4 29 87] inv0 iter }; - invariant { [#"../03_std_iterators.rs" 29 4 29 87] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../03_std_iterators.rs" 29 4 29 87] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner produced) -> UIntSize.to_int ( ^ index_logic0 produced i) = 0 }; + invariant { [#"../03_std_iterators.rs" 29 4 29 87] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../03_std_iterators.rs" 29 4 29 87] forall i : int . 0 <= i /\ i < Seq.length (Snapshot.inner produced) + -> UIntSize.to_int ( ^ index_logic0 produced i) = 0 }; goto BB7 } BB7 { 
@@ -1080,17 +1113,17 @@ module C03StdIterators_AllZero absurd } BB12 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _17); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] _17 <- (let Core_Option_Option_Type.C_Some x0 = _17 in Core_Option_Option_Type.C_Some (any borrowed usize)); - [#"../03_std_iterators.rs" 29 4 29 87] _22 <- ([#"../03_std_iterators.rs" 29 4 29 87] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _17; + _17 <- (let Core_Option_Option_Type.C_Some x0 = _17 in Core_Option_Option_Type.C_Some (any borrowed usize)); + [#"../03_std_iterators.rs" 29 4 29 87] _22 <- ([#"../03_std_iterators.rs" 29 4 29 87] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB13 } BB13 { - [#"../03_std_iterators.rs" 29 4 29 87] produced <- ([#"../03_std_iterators.rs" 29 4 29 87] _22); - [#"../03_std_iterators.rs" 29 4 29 87] _22 <- any Ghost.ghost_ty (Seq.seq (borrowed usize)); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] x <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- any borrowed usize; - [#"../03_std_iterators.rs" 31 8 31 14] x <- { x with current = ([#"../03_std_iterators.rs" 31 8 31 14] [#"../03_std_iterators.rs" 31 13 31 14] (0 : usize)) ; }; + [#"../03_std_iterators.rs" 29 4 29 87] produced <- _22; + _22 <- any Snapshot.snap_ty (Seq.seq (borrowed usize)); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] x <- __creusot_proc_iter_elem; + __creusot_proc_iter_elem <- any borrowed usize; + 
[#"../03_std_iterators.rs" 31 8 31 14] x <- { x with current = ([#"../03_std_iterators.rs" 31 13 31 14] (0 : usize)) ; }; assume { resolve2 x }; goto BB6 } 
@@ -1148,14 +1181,22 @@ module C03StdIterators_SkipTake requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv2 c} ensures { result = produces_trans2 a ab b bc c } - axiom produces_trans2_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces2 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces2 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv2 a) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv6 ab) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv2 b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv6 bc) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv2 c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces2 a (Seq.(++) ab bc) c) + axiom produces_trans2_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces2 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces2 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv2 a) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv6 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv2 b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv6 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv2 c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces2 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl2 (self : i) : () val produces_refl2 (self : i) : () requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv2 self} ensures { result = produces_refl2 self } - axiom produces_refl2_spec : forall self : i . 
([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces2 self (Seq.empty ) self) + axiom produces_refl2_spec : forall self : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces2 self (Seq.empty ) self) use Core_Iter_Adapters_Take_Take_Type as Core_Iter_Adapters_Take_Take_Type predicate inv3 (_x : Core_Iter_Adapters_Take_Take_Type.t_take i) val inv3 (_x : Core_Iter_Adapters_Take_Take_Type.t_take i) : bool @@ -1176,7 +1217,8 @@ module C03StdIterators_SkipTake requires {[#"../../../../../creusot-contracts/src/std/iter/take.rs" 34 9 34 13] inv3 self} ensures { result = n0 self } - axiom n0_spec : forall self : Core_Iter_Adapters_Take_Take_Type.t_take i . ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 34 9 34 13] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 33 14 33 50] n0 self >= 0 /\ n0 self <= UIntSize.to_int max0) + axiom n0_spec : forall self : Core_Iter_Adapters_Take_Take_Type.t_take i . ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 34 9 34 13] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 33 14 33 50] n0 self >= 0 /\ n0 self <= UIntSize.to_int max0) predicate produces1 (self : Core_Iter_Adapters_Take_Take_Type.t_take i) (visited : Seq.seq item0) (o : Core_Iter_Adapters_Take_Take_Type.t_take i) = 
@@ -1196,13 +1238,21 @@ module C03StdIterators_SkipTake requires {[#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 82 78 83] inv3 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : Core_Iter_Adapters_Take_Take_Type.t_take i, ab : Seq.seq item0, b : Core_Iter_Adapters_Take_Take_Type.t_take i, bc : Seq.seq item0, c : Core_Iter_Adapters_Take_Take_Type.t_take i . ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 75 15 75 32] produces1 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 76 15 76 32] produces1 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 22 78 23] inv3 a) -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 31 78 33] inv6 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 52 78 53] inv3 b) -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 61 78 63] inv6 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 82 78 83] inv3 c) -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 77 14 77 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : Core_Iter_Adapters_Take_Take_Type.t_take i, ab : Seq.seq item0, b : Core_Iter_Adapters_Take_Take_Type.t_take i, bc : Seq.seq item0, c : Core_Iter_Adapters_Take_Take_Type.t_take i . 
([#"../../../../../creusot-contracts/src/std/iter/take.rs" 75 15 75 32] produces1 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 76 15 76 32] produces1 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 22 78 23] inv3 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 31 78 33] inv6 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 52 78 53] inv3 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 61 78 63] inv6 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 78 82 78 83] inv3 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 77 14 77 42] produces1 a (Seq.(++) ab bc) c) function produces_refl1 (self : Core_Iter_Adapters_Take_Take_Type.t_take i) : () val produces_refl1 (self : Core_Iter_Adapters_Take_Take_Type.t_take i) : () requires {[#"../../../../../creusot-contracts/src/std/iter/take.rs" 71 21 71 25] inv3 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : Core_Iter_Adapters_Take_Take_Type.t_take i . ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 71 21 71 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 70 14 70 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : Core_Iter_Adapters_Take_Take_Type.t_take i . ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 71 21 71 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 70 14 70 45] produces1 self (Seq.empty ) self) predicate invariant6 (self : Seq.seq item0) val invariant6 (self : Seq.seq item0) : bool ensures { result = invariant6 self } 
@@ -1237,11 +1287,13 @@ module C03StdIterators_SkipTake requires {[#"../../../../../creusot-contracts/src/std/iter/skip.rs" 23 9 23 13] inv0 self} ensures { result = n1 self } - axiom n1_spec : forall self : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i) . ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 23 9 23 13] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 22 14 22 50] n1 self >= 0 /\ n1 self <= UIntSize.to_int max0) + axiom n1_spec : forall self : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i) . ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 23 9 23 13] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 22 14 22 50] n1 self >= 0 /\ n1 self <= UIntSize.to_int max0) predicate produces0 (self : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i)) (visited : Seq.seq item0) (o : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i)) = - [#"../../../../../creusot-contracts/src/std/iter/skip.rs" 57 8 64 9] visited = Seq.empty /\ self = o \/ n1 o = 0 /\ Seq.length visited > 0 /\ (exists s : Seq.seq item0 . inv6 s /\ Seq.length s = n1 self /\ produces1 (iter1 self) (Seq.(++) s visited) (iter1 o) /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve3 (Seq.get s i))) + [#"../../../../../creusot-contracts/src/std/iter/skip.rs" 57 8 64 9] visited = Seq.empty /\ self = o \/ n1 o = 0 /\ Seq.length visited > 0 /\ (exists s : Seq.seq item0 . inv6 s /\ Seq.length s = n1 self /\ produces1 (iter1 self) (Seq.(++) s visited) (iter1 o) /\ (forall i : int . 
0 <= i /\ i < Seq.length s + -> resolve3 (Seq.get s i))) val produces0 (self : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i)) (visited : Seq.seq item0) (o : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i)) : bool ensures { result = produces0 self visited o } 
@@ -1257,14 +1309,22 @@ module C03StdIterators_SkipTake requires {[#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 82 77 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i), ab : Seq.seq item0, b : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i), bc : Seq.seq item0, c : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i) . ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 74 15 74 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 75 15 75 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 22 77 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 31 77 33] inv6 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 52 77 53] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 61 77 63] inv6 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 82 77 83] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 76 14 76 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i), ab : Seq.seq item0, b : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i), bc : Seq.seq item0, c : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i) . 
([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 74 15 74 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 75 15 75 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 22 77 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 31 77 33] inv6 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 52 77 53] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 61 77 63] inv6 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 77 82 77 83] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 76 14 76 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 (self : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i)) : () val produces_refl0 (self : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i)) : () requires {[#"../../../../../creusot-contracts/src/std/iter/skip.rs" 70 21 70 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i) . ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 70 21 70 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 69 14 69 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i) . 
([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 70 21 70 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/skip.rs" 69 14 69 45] produces0 self (Seq.empty ) self) predicate invariant4 (self : borrowed (Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i))) val invariant4 (self : borrowed (Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i))) : bool @@ -1328,9 +1388,10 @@ module C03StdIterators_SkipTake requires {[#"../../../../../creusot-contracts/src/std/iter/take.rs" 26 21 26 25] inv5 self} ensures { result = iter_mut0 self } - axiom iter_mut0_spec : forall self : borrowed (Core_Iter_Adapters_Take_Take_Type.t_take i) . ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 26 21 26 25] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 26 4 26 36] inv7 (iter_mut0 self)) && ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 25 14 25 68] iter0 ( * self) = * iter_mut0 self /\ iter0 ( ^ self) = ^ iter_mut0 self) + axiom iter_mut0_spec : forall self : borrowed (Core_Iter_Adapters_Take_Take_Type.t_take i) . ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 26 21 26 25] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 26 4 26 36] inv7 (iter_mut0 self)) && ([#"../../../../../creusot-contracts/src/std/iter/take.rs" 25 14 25 68] iter0 ( * self) = * iter_mut0 self /\ iter0 ( ^ self) = ^ iter_mut0 self) predicate resolve5 (self : borrowed (Core_Iter_Adapters_Take_Take_Type.t_take i)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve5 (self : borrowed (Core_Iter_Adapters_Take_Take_Type.t_take i)) : bool ensures { result = resolve5 self } 
@@ -1342,7 +1403,8 @@ module C03StdIterators_SkipTake predicate completed0 (self : borrowed (Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i))) = - [#"../../../../../creusot-contracts/src/std/iter/skip.rs" 43 8 51 9] n1 ( ^ self) = 0 /\ (exists i : borrowed (Core_Iter_Adapters_Take_Take_Type.t_take i) . exists s : Seq.seq item0 . inv5 i /\ inv6 s /\ Seq.length s <= n1 ( * self) /\ produces1 (iter1 ( * self)) s ( * i) /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve3 (Seq.get s i)) /\ completed1 i /\ ^ i = iter1 ( ^ self)) + [#"../../../../../creusot-contracts/src/std/iter/skip.rs" 43 8 51 9] n1 ( ^ self) = 0 /\ (exists i : borrowed (Core_Iter_Adapters_Take_Take_Type.t_take i) . exists s : Seq.seq item0 . inv5 i /\ inv6 s /\ Seq.length s <= n1 ( * self) /\ produces1 (iter1 ( * self)) s ( * i) /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> resolve3 (Seq.get s i)) /\ completed1 i /\ ^ i = iter1 ( ^ self)) val completed0 (self : borrowed (Core_Iter_Adapters_Skip_Skip_Type.t_skip (Core_Iter_Adapters_Take_Take_Type.t_take i))) : bool ensures { result = completed0 self } @@ -1379,12 +1441,12 @@ module C03StdIterators_SkipTake goto BB0 } BB0 { - [#"../03_std_iterators.rs" 36 14 36 26] _6 <- ([#"../03_std_iterators.rs" 36 14 36 26] take0 ([#"../03_std_iterators.rs" 36 14 36 18] iter) ([#"../03_std_iterators.rs" 36 24 36 25] n)); - [#"../03_std_iterators.rs" 36 14 36 18] iter <- any i; + [#"../03_std_iterators.rs" 36 14 36 26] _6 <- ([#"../03_std_iterators.rs" 36 14 36 26] take0 iter n); + iter <- any i; goto BB1 } BB1 { - [#"../03_std_iterators.rs" 36 14 36 34] _5 <- ([#"../03_std_iterators.rs" 36 14 36 34] skip0 _6 ([#"../03_std_iterators.rs" 36 32 36 33] n)); + [#"../03_std_iterators.rs" 36 14 36 34] _5 <- ([#"../03_std_iterators.rs" 36 14 36 34] skip0 _6 n); _6 <- any Core_Iter_Adapters_Take_Take_Type.t_take i; goto BB2 } 
@@ -1419,30 +1481,10 @@ module C03StdIterators_SkipTake } end -module CreusotContracts_Std1_Iter_MapInv_MapInv_Type - use seq.Seq - use prelude.Ghost - type t_mapinv 'i 'b 'f = - | C_MapInv 'i 'f (Ghost.ghost_ty (Seq.seq 'b)) - - let function mapinv_iter (self : t_mapinv 'i 'b 'f) : 'i = [@vc:do_not_keep_trace] [@vc:sp] - match self with - | C_MapInv a _ _ -> a - end - let function mapinv_func (self : t_mapinv 'i 'b 'f) : 'f = [@vc:do_not_keep_trace] [@vc:sp] - match self with - | C_MapInv _ a _ -> a - end - let function mapinv_produced (self : t_mapinv 'i 'b 'f) : Ghost.ghost_ty (Seq.seq 'b) - = [@vc:do_not_keep_trace] [@vc:sp] - match self with - | C_MapInv _ _ a -> a - end -end module C03StdIterators_Counter_Closure0_Type use prelude.UInt32 use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.Int16 use prelude.UIntSize use prelude.Int @@ -1455,7 +1497,7 @@ module C03StdIterators_Counter_Closure0 use prelude.Int16 use prelude.UInt32 use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.Int use prelude.UIntSize use prelude.Borrow 
@@ -1474,16 +1516,16 @@ module C03StdIterators_Counter_Closure0 let constant max0 : usize = [@vc:do_not_keep_trace] [@vc:sp] (18446744073709551615 : usize) use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.UIntSize predicate resolve0 (self : borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) : bool ensures { result = resolve0 self } - let rec cfg c03StdIterators_Counter_Closure0 [#"../03_std_iterators.rs" 48 12 48 91] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (x : uint32) (_prod : Ghost.ghost_ty (Seq.seq uint32)) : uint32 - requires {[#"../03_std_iterators.rs" 47 23 47 65] UIntSize.to_int ( * field_00 ( * _1)) = Seq.length (Ghost.inner _prod) /\ * field_00 ( * _1) < max0} - ensures { [#"../03_std_iterators.rs" 48 22 48 89] UIntSize.to_int ( * field_00 ( ^ _1)) = UIntSize.to_int ( * field_00 ( * _1)) + 1 /\ UIntSize.to_int ( * field_00 ( ^ _1)) = Seq.length (Ghost.inner _prod) + 1 /\ result = x } + let rec cfg c03StdIterators_Counter_Closure0 [#"../03_std_iterators.rs" 48 12 48 91] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (x : uint32) (_prod : Snapshot.snap_ty (Seq.seq uint32)) : uint32 + requires {[#"../03_std_iterators.rs" 47 23 47 65] UIntSize.to_int ( * field_00 ( * _1)) = Seq.length (Snapshot.inner _prod) /\ * field_00 ( * _1) < max0} + ensures { [#"../03_std_iterators.rs" 48 22 48 89] UIntSize.to_int ( * field_00 ( ^ _1)) = UIntSize.to_int ( * field_00 ( * _1)) + 1 /\ UIntSize.to_int ( * field_00 ( ^ _1)) = Seq.length (Snapshot.inner _prod) + 1 /\ result = x } ensures { unnest0 ( * _1) ( ^ _1) } = 
[@vc:do_not_keep_trace] [@vc:sp] 
@@ -1496,29 +1538,49 @@ module C03StdIterators_Counter_Closure0 goto BB0 } BB0 { - [#"../03_std_iterators.rs" 50 16 50 24] _1 <- { _1 with current = (let C03StdIterators_Counter_Closure0.C03StdIterators_Counter_Closure0 x0 = * _1 in C03StdIterators_Counter_Closure0.C03StdIterators_Counter_Closure0 ({ (field_00 ( * _1)) with current = ([#"../03_std_iterators.rs" 50 16 50 24] * field_00 ( * _1) + ([#"../03_std_iterators.rs" 50 23 50 24] [#"../03_std_iterators.rs" 50 23 50 24] (1 : usize))) ; })) ; }; + [#"../03_std_iterators.rs" 50 16 50 24] _1 <- { _1 with current = (let C03StdIterators_Counter_Closure0.C03StdIterators_Counter_Closure0 x0 = * _1 in C03StdIterators_Counter_Closure0.C03StdIterators_Counter_Closure0 ({ (field_00 ( * _1)) with current = ( * field_00 ( * _1) + ([#"../03_std_iterators.rs" 50 23 50 24] (1 : usize))) ; })) ; }; assume { resolve0 _1 }; - [#"../03_std_iterators.rs" 51 16 51 18] res1 <- ([#"../03_std_iterators.rs" 51 16 51 18] x); - [#"../03_std_iterators.rs" 47 12 47 67] res <- ([#"../03_std_iterators.rs" 47 12 47 67] res1); - [#"../03_std_iterators.rs" 48 12 48 91] _0 <- ([#"../03_std_iterators.rs" 48 12 48 91] res); + [#"../03_std_iterators.rs" 51 16 51 18] res1 <- x; + [#"../03_std_iterators.rs" 47 12 47 67] res <- res1; + [#"../03_std_iterators.rs" 48 12 48 91] _0 <- res; return _0 } end +module CreusotContracts_Std1_Iter_MapInv_MapInv_Type + use seq.Seq + use prelude.Snapshot + type t_mapinv 'i 'b 'f = + | C_MapInv 'i 'f (Snapshot.snap_ty (Seq.seq 'b)) + + let function mapinv_iter (self : t_mapinv 'i 'b 'f) : 'i = [@vc:do_not_keep_trace] [@vc:sp] + match self with + | C_MapInv a _ _ -> a + end + let function mapinv_func (self : t_mapinv 'i 'b 'f) : 'f = [@vc:do_not_keep_trace] [@vc:sp] + match self with + | C_MapInv _ a _ -> a + end + let function mapinv_produced (self : t_mapinv 'i 'b 'f) : Snapshot.snap_ty (Seq.seq 'b) + = [@vc:do_not_keep_trace] [@vc:sp] + match self with + | C_MapInv _ _ a -> a + end +end module 
C03StdIterators_Counter use prelude.UInt32 use seq.Seq - use prelude.Ghost - predicate invariant15 (self : Ghost.ghost_ty (Seq.seq uint32)) = + use prelude.Snapshot + predicate invariant15 (self : Snapshot.snap_ty (Seq.seq uint32)) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true - val invariant15 (self : Ghost.ghost_ty (Seq.seq uint32)) : bool + val invariant15 (self : Snapshot.snap_ty (Seq.seq uint32)) : bool ensures { result = invariant15 self } - predicate inv15 (_x : Ghost.ghost_ty (Seq.seq uint32)) - val inv15 (_x : Ghost.ghost_ty (Seq.seq uint32)) : bool + predicate inv15 (_x : Snapshot.snap_ty (Seq.seq uint32)) + val inv15 (_x : Snapshot.snap_ty (Seq.seq uint32)) : bool ensures { result = inv15 _x } - axiom inv15 : forall x : Ghost.ghost_ty (Seq.seq uint32) . inv15 x = true + axiom inv15 : forall x : Snapshot.snap_ty (Seq.seq uint32) . inv15 x = true use prelude.Slice predicate invariant14 (self : slice uint32) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true 
@@ -1605,7 +1667,8 @@ module C03StdIterators_Counter requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant8 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv6 (shallow_model0 self) val invariant8 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1631,37 +1694,38 @@ module C03StdIterators_Counter = ^ field_00 _2 = ^ field_00 self use seq.Seq - use prelude.Ghost - predicate postcondition_mut0 [#"../03_std_iterators.rs" 48 12 48 91] (self : borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (args : (uint32, Ghost.ghost_ty (Seq.seq uint32))) (result : uint32) + use prelude.Snapshot + predicate postcondition_mut0 [#"../03_std_iterators.rs" 48 12 48 91] (self : borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (args : (uint32, Snapshot.snap_ty (Seq.seq uint32))) (result : uint32) = - (let (x, _prod) = args in UIntSize.to_int ( * field_00 ( ^ self)) = UIntSize.to_int ( * field_00 ( * self)) + 1 /\ UIntSize.to_int ( * field_00 ( ^ self)) = Seq.length (Ghost.inner _prod) + 1 /\ result = x) /\ unnest0 ( * self) ( ^ self) + (let (x, _prod) = args in UIntSize.to_int ( * field_00 ( ^ self)) = UIntSize.to_int ( * field_00 ( * self)) + 1 /\ UIntSize.to_int ( * field_00 ( ^ self)) = Seq.length (Snapshot.inner _prod) + 1 /\ result = x) /\ unnest0 ( * self) ( ^ self) use seq.Seq - predicate precondition0 [#"../03_std_iterators.rs" 48 12 48 91] (self : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (args : (uint32, Ghost.ghost_ty (Seq.seq uint32))) + predicate precondition0 [#"../03_std_iterators.rs" 48 12 48 91] (self : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (args : (uint32, Snapshot.snap_ty (Seq.seq uint32))) = - [#"../03_std_iterators.rs" 47 23 47 65] let (x, _prod) = args in UIntSize.to_int ( * field_00 self) = Seq.length (Ghost.inner _prod) /\ * field_00 self < max0 - use prelude.Ghost + [#"../03_std_iterators.rs" 47 23 47 65] let (x, _prod) = args in UIntSize.to_int ( * field_00 self) = Seq.length (Snapshot.inner _prod) /\ * field_00 self < max0 + use prelude.Snapshot use seq_ext.SeqExt use seq.Seq use seq.Seq use seq.Seq use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.Slice function shallow_model5 
(self : slice uint32) : Seq.seq uint32 val shallow_model5 (self : slice uint32) : Seq.seq uint32 requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv14 self} ensures { result = shallow_model5 self } - axiom shallow_model5_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv14 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv6 (shallow_model5 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model5 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max0) + axiom shallow_model5_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv14 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv6 (shallow_model5 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model5 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max0) function index_logic4 [@inline:trivial] (self : slice uint32) (ix : int) : uint32 = [#"../../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model5 self) ix val index_logic4 [@inline:trivial] (self : slice uint32) (ix : int) : uint32 ensures { result = index_logic4 self ix } function shallow_model2 (self : slice uint32) : Seq.seq uint32 = - [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model5 self + [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model5 self val shallow_model2 (self : slice uint32) : Seq.seq uint32 ensures { result = shallow_model2 self } 
@@ -1674,7 +1738,9 @@ module C03StdIterators_Counter requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv1 self} ensures { result = to_ref_seq0 self } - axiom to_ref_seq0_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv9 (to_ref_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) -> Seq.get (to_ref_seq0 self) i = index_logic4 self i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model2 self)) + axiom to_ref_seq0_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv9 (to_ref_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) + -> Seq.get (to_ref_seq0 self) i = index_logic4 self i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model2 self)) function shallow_model4 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) : slice uint32 val shallow_model4 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) : slice uint32 ensures { result = shallow_model4 self } 
@@ -1689,11 +1755,13 @@ module C03StdIterators_Counter predicate produces1 [@inline:trivial] (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (visited : Seq.seq uint32) (succ : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9] unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ) /\ (exists s : Seq.seq uint32 . inv9 s /\ Seq.length s = Seq.length visited /\ produces0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter self) s (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter succ) /\ Ghost.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced succ) = Seq.(++) (Ghost.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) s /\ (exists fs : Seq.seq (borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) . inv13 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9] unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ) /\ (exists s : Seq.seq uint32 . 
inv9 s /\ Seq.length s = Seq.length visited /\ produces0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter self) s (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter succ) /\ Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced succ) = Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) s /\ (exists fs : Seq.seq (borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) . inv13 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ else * Seq.get fs 0 = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self /\ ^ Seq.get fs (Seq.length visited - 1) = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces1 [@inline:trivial] (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (visited : Seq.seq uint32) (succ : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) : bool ensures { result = produces1 self visited succ } 
@@ -1709,7 +1777,14 @@ module C03StdIterators_Counter requires {[#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 82 31 83] inv5 c} ensures { result = produces_trans2 a ab b bc c } - axiom produces_trans2_spec : forall a : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0, ab : Seq.seq uint32, b : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0, bc : Seq.seq uint32, c : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0 . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32] produces1 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32] produces1 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 22 31 23] inv5 a) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 31 31 33] inv6 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 52 31 53] inv5 b) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 61 31 63] inv6 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 82 31 83] inv5 c) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans2_spec : forall a : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0, ab : Seq.seq uint32, b : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0, bc : Seq.seq uint32, c : 
CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0 . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32] produces1 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32] produces1 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 22 31 23] inv5 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 31 31 33] inv6 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 52 31 53] inv5 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 61 31 63] inv6 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 82 31 83] inv5 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl2 (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) : () 
@@ -1717,7 +1792,8 @@ module C03StdIterators_Counter requires {[#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 24 21 24 25] inv5 self} ensures { result = produces_refl2 self } - axiom produces_refl2_spec : forall self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0 . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 24 21 24 25] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45] produces1 self (Seq.empty ) self) + axiom produces_refl2_spec : forall self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0 . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 24 21 24 25] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45] produces1 self (Seq.empty ) self) predicate invariant7 (self : borrowed (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0)) = 
@@ -1749,7 +1825,8 @@ module C03StdIterators_Counter predicate next_precondition0 (iter : Core_Slice_Iter_Iter_Type.t_iter uint32) (func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (produced : Seq.seq uint32) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 112 8 116 9] forall i : Core_Slice_Iter_Iter_Type.t_iter uint32 . forall e : uint32 . inv2 i -> inv3 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 112 8 116 9] forall i : Core_Slice_Iter_Iter_Type.t_iter uint32 . forall e : uint32 . inv2 i + -> inv3 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 (iter : Core_Slice_Iter_Iter_Type.t_iter uint32) (func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) (produced : Seq.seq uint32) : bool ensures { result = next_precondition0 iter func produced } 
@@ -1757,7 +1834,16 @@ module C03StdIterators_Counter predicate preservation0 (iter : Core_Slice_Iter_Iter_Type.t_iter uint32) (func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 135 8 142 9] forall i : Core_Slice_Iter_Iter_Type.t_iter uint32 . forall b : uint32 . forall f : borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0 . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i -> inv11 b -> inv12 f -> inv3 e2 -> inv3 e1 -> inv9 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 135 8 142 9] forall i : Core_Slice_Iter_Iter_Type.t_iter uint32 . forall b : uint32 . forall f : borrowed C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0 . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i + -> inv11 b + -> inv12 f + -> inv3 e2 + -> inv3 e1 + -> inv9 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 (iter : Core_Slice_Iter_Iter_Type.t_iter uint32) (func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) : bool ensures { result = preservation0 iter func } 
@@ -1774,14 +1860,18 @@ module C03StdIterators_Counter requires {[#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 42 121 50] inv9 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : Core_Slice_Iter_Iter_Type.t_iter uint32, func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0, produced : Seq.seq uint32 . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 24 121 28] inv2 iter) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 33 121 37] inv4 func) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 42 121 50] inv9 produced) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 120 4 120 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) + axiom preservation_inv0_spec : forall iter : Core_Slice_Iter_Iter_Type.t_iter uint32, func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0, produced : Seq.seq uint32 . 
([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 24 121 28] inv2 iter) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 33 121 37] inv4 func) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 42 121 50] inv9 produced) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 120 4 120 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) function shallow_model6 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter uint32)) : slice uint32 = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model4 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model4 ( * self) val shallow_model6 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter uint32)) : slice uint32 ensures { result = shallow_model6 self } predicate resolve5 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter uint32)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve5 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter uint32)) : bool ensures { result = resolve5 self } 
@@ -1791,7 +1881,9 @@ module C03StdIterators_Counter ensures { result = completed1 self } predicate reinitialize0 (_1 : ()) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 148 8 153 9] forall func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0 . forall iter : borrowed (Core_Slice_Iter_Iter_Type.t_iter uint32) . inv4 func -> inv10 iter -> completed1 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 148 8 153 9] forall func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0 . forall iter : borrowed (Core_Slice_Iter_Iter_Type.t_iter uint32) . inv4 func + -> inv10 iter + -> completed1 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -1820,7 +1912,11 @@ module C03StdIterators_Counter requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv9 bc} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter uint32, ab : Seq.seq uint32, b : Core_Slice_Iter_Iter_Type.t_iter uint32, bc : Seq.seq uint32, c : Core_Slice_Iter_Iter_Type.t_iter uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv9 ab) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv9 bc) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter uint32, ab : Seq.seq uint32, b : Core_Slice_Iter_Iter_Type.t_iter uint32, bc : Seq.seq uint32, c : Core_Slice_Iter_Iter_Type.t_iter uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv9 ab) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv9 bc) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) function produces_refl1 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) : () = [#"../../../../../creusot-contracts/src/std/slice.rs" 390 4 390 10] () val produces_refl1 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) : () 
@@ -1867,16 +1963,24 @@ module C03StdIterators_Counter requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter uint32, ab : Seq.seq uint32, b : Core_Slice_Iter_Iter_Type.t_iter uint32, bc : Seq.seq uint32, c : Core_Slice_Iter_Iter_Type.t_iter uint32 . ([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv2 a) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv9 ab) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv2 b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv9 bc) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv2 c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter uint32, ab : Seq.seq uint32, b : Core_Slice_Iter_Iter_Type.t_iter uint32, bc : Seq.seq uint32, c : Core_Slice_Iter_Iter_Type.t_iter uint32 . 
([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv2 a) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv9 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv2 b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv9 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv2 c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) : () val produces_refl0 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) : () requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Slice_Iter_Iter_Type.t_iter uint32 . ([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Slice_Iter_Iter_Type.t_iter uint32 . ([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces0 self (Seq.empty ) self) use seq.Seq predicate resolve2 (self : uint32) = - [#"../../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true + [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve2 (self : uint32) : bool ensures { result = resolve2 self } 
@@ -1888,7 +1992,8 @@ module C03StdIterators_Counter ensures { result = index_logic0 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve2 (index_logic0 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve2 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } 
@@ -1902,12 +2007,12 @@ module C03StdIterators_Counter predicate completed0 (self : borrowed (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0)) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 15 8 18 9] Ghost.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced ( ^ self)) = Seq.empty /\ completed1 (Borrow.borrow_logic (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter ( * self)) (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func ( * self) = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func ( ^ self) + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 15 8 18 9] Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced ( ^ self)) = Seq.empty /\ completed1 (Borrow.borrow_logic (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter ( * self)) (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func ( * self) = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func ( ^ self) val completed0 (self : borrowed (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0)) : bool ensures { result = completed0 self } predicate resolve6 (self : borrowed usize) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve6 (self : borrowed usize) : bool ensures { result = resolve6 self } 
@@ -1916,14 +2021,14 @@ module C03StdIterators_Counter = resolve6 (field_00 _1) predicate resolve3 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) = - [#"../../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true + [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve3 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) : bool ensures { result = resolve3 self } predicate resolve1 (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 56 4 56 16] resolve3 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter self) /\ resolve4 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 56 4 56 27] resolve3 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter self) /\ resolve4 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) val resolve1 (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) : bool ensures { result = resolve1 self } 
@@ -1933,20 +2038,21 @@ module C03StdIterators_Counter ensures { inv8 result } val map_inv0 (self : Core_Slice_Iter_Iter_Type.t_iter uint32) (func : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0) : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0 - requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 43 4 43 138] forall i2 : Core_Slice_Iter_Iter_Type.t_iter uint32 . forall e : uint32 . inv2 i2 -> inv3 e -> produces0 self (Seq.singleton e) i2 -> precondition0 func (e, Ghost.new (Seq.empty ))} + requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 43 4 43 141] forall i2 : Core_Slice_Iter_Iter_Type.t_iter uint32 . forall e : uint32 . inv2 i2 + -> inv3 e -> produces0 self (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 44 15 44 51] reinitialize0 ()} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 45 15 45 70] preservation0 self func} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 47 21 47 25] inv2 self} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 47 27 47 31] inv4 func} - ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 46 14 46 85] result = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.C_MapInv self func (Ghost.new (Seq.empty )) } - ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 47 4 50 58] inv5 result } + ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 46 14 46 88] result = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.C_MapInv self func (Snapshot.new (Seq.empty )) } + ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 47 4 50 61] inv5 result } val iter0 (self : slice uint32) : Core_Slice_Iter_Iter_Type.t_iter uint32 requires {inv1 self} ensures { [#"../../../../../creusot-contracts/src/std/slice.rs" 238 0 334 1] 
shallow_model4 result = self } function shallow_model3 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : Seq.seq uint32 = - [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model0 self + [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model0 self val shallow_model3 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : Seq.seq uint32 ensures { result = shallow_model3 self } 
@@ -1965,25 +2071,28 @@ module C03StdIterators_Counter var _4 : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Slice_Iter_Iter_Type.t_iter uint32) uint32 C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0; var _5 : Core_Slice_Iter_Iter_Type.t_iter uint32; var _7 : slice uint32; + var _9 : C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0; var _10 : borrowed usize; { goto BB0 } BB0 { - [#"../03_std_iterators.rs" 42 18 42 19] cnt <- ([#"../03_std_iterators.rs" 42 18 42 19] [#"../03_std_iterators.rs" 42 18 42 19] (0 : usize)); - [#"../03_std_iterators.rs" 44 22 45 15] _7 <- ([#"../03_std_iterators.rs" 44 22 45 15] deref0 ([#"../03_std_iterators.rs" 44 22 44 23] v)); + [#"../03_std_iterators.rs" 42 18 42 19] cnt <- ([#"../03_std_iterators.rs" 42 18 42 19] (0 : usize)); + [#"../03_std_iterators.rs" 44 22 45 15] _7 <- ([#"../03_std_iterators.rs" 44 22 45 15] deref0 v); goto BB1 } BB1 { - [#"../03_std_iterators.rs" 44 22 45 15] _5 <- ([#"../03_std_iterators.rs" 44 22 45 15] iter0 ([#"../03_std_iterators.rs" 44 22 44 23] _7)); + [#"../03_std_iterators.rs" 44 22 45 15] _5 <- ([#"../03_std_iterators.rs" 44 22 45 15] iter0 _7); goto BB2 } BB2 { [#"../03_std_iterators.rs" 48 12 48 91] _10 <- Borrow.borrow_mut cnt; [#"../03_std_iterators.rs" 48 12 48 91] cnt <- ^ _10; - [#"../03_std_iterators.rs" 44 22 53 9] _4 <- ([#"../03_std_iterators.rs" 44 22 53 9] map_inv0 _5 ([#"../03_std_iterators.rs" 48 12 48 91] C03StdIterators_Counter_Closure0.C03StdIterators_Counter_Closure0 _10)); - _5 <- any Core_Slice_Iter_Iter_Type.t_iter uint32; + [#"../03_std_iterators.rs" 48 12 48 91] _9 <- C03StdIterators_Counter_Closure0.C03StdIterators_Counter_Closure0 _10; _10 <- any borrowed usize; + [#"../03_std_iterators.rs" 44 22 53 9] _4 <- ([#"../03_std_iterators.rs" 44 22 53 9] map_inv0 _5 _9); + _5 <- any Core_Slice_Iter_Iter_Type.t_iter uint32; + _9 <- any C03StdIterators_Counter_Closure0.c03stditerators_counter_closure0; goto BB3 } BB3 { 
@@ -2084,7 +2193,9 @@ module C03StdIterators_SumRange predicate produces0 (self : Core_Ops_Range_Range_Type.t_range isize) (visited : Seq.seq isize) (o : Core_Ops_Range_Range_Type.t_range isize) = - [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range isize) (visited : Seq.seq isize) (o : Core_Ops_Range_Range_Type.t_range isize) : bool ensures { result = produces0 self visited o } 
@@ -2100,24 +2211,32 @@ module C03StdIterators_SumRange requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range isize, ab : Seq.seq isize, b : Core_Ops_Range_Range_Type.t_range isize, bc : Seq.seq isize, c : Core_Ops_Range_Range_Type.t_range isize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv3 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv3 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range isize, ab : Seq.seq isize, b : Core_Ops_Range_Range_Type.t_range isize, bc : Seq.seq isize, c : Core_Ops_Range_Range_Type.t_range isize . 
([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv3 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv3 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range isize) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range isize) : () requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range isize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range isize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : Core_Ops_Range_Range_Type.t_range isize) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant0 (self : Core_Ops_Range_Range_Type.t_range isize) : bool ensures { result = invariant0 self } axiom inv0 : forall x : Core_Ops_Range_Range_Type.t_range isize . 
inv0 x = true - use prelude.Ghost + use prelude.Snapshot use seq.Seq predicate resolve0 (self : borrowed (Core_Ops_Range_Range_Type.t_range isize)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (Core_Ops_Range_Range_Type.t_range isize)) : bool ensures { result = resolve0 self } @@ -2134,11 +2253,11 @@ module C03StdIterators_SumRange end } ensures { inv2 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_Range_Type.t_range isize) (res : Core_Ops_Range_Range_Type.t_range isize) = 
@@ -2166,27 +2285,30 @@ module C03StdIterators_SumRange var n : isize = n; var i : isize; var iter : Core_Ops_Range_Range_Type.t_range isize; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range isize); - var produced : Ghost.ghost_ty (Seq.seq isize); + var _7 : Core_Ops_Range_Range_Type.t_range isize; + var iter_old : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range isize); + var produced : Snapshot.snap_ty (Seq.seq isize); var _17 : Core_Option_Option_Type.t_option isize; var _18 : borrowed (Core_Ops_Range_Range_Type.t_range isize); var _19 : borrowed (Core_Ops_Range_Range_Type.t_range isize); var __creusot_proc_iter_elem : isize; - var _22 : Ghost.ghost_ty (Seq.seq isize); + var _22 : Snapshot.snap_ty (Seq.seq isize); { goto BB0 } BB0 { - [#"../03_std_iterators.rs" 64 16 64 17] i <- ([#"../03_std_iterators.rs" 64 16 64 17] [#"../03_std_iterators.rs" 64 16 64 17] (0 : isize)); - [#"../03_std_iterators.rs" 65 4 65 48] iter <- ([#"../03_std_iterators.rs" 65 4 65 48] into_iter0 ([#"../03_std_iterators.rs" 66 13 66 17] Core_Ops_Range_Range_Type.C_Range ([#"../03_std_iterators.rs" 66 13 66 14] [#"../03_std_iterators.rs" 66 13 66 14] (0 : isize)) ([#"../03_std_iterators.rs" 66 16 66 17] n))); + [#"../03_std_iterators.rs" 64 16 64 17] i <- ([#"../03_std_iterators.rs" 64 16 64 17] (0 : isize)); + [#"../03_std_iterators.rs" 66 13 66 17] _7 <- Core_Ops_Range_Range_Type.C_Range ([#"../03_std_iterators.rs" 66 13 66 14] (0 : isize)) n; + [#"../03_std_iterators.rs" 65 4 65 48] iter <- ([#"../03_std_iterators.rs" 65 4 65 48] into_iter0 _7); + _7 <- any Core_Ops_Range_Range_Type.t_range isize; goto BB1 } BB1 { - [#"../03_std_iterators.rs" 65 4 65 48] iter_old <- ([#"../03_std_iterators.rs" 65 4 65 48] Ghost.new iter); + [#"../03_std_iterators.rs" 65 4 65 48] iter_old <- ([#"../03_std_iterators.rs" 65 4 65 48] Snapshot.new iter); goto BB2 } BB2 { - [#"../03_std_iterators.rs" 65 4 65 48] produced <- ([#"../03_std_iterators.rs" 65 4 65 48] Ghost.new (Seq.empty )); 
+ [#"../03_std_iterators.rs" 65 4 65 48] produced <- ([#"../03_std_iterators.rs" 65 4 65 48] Snapshot.new (Seq.empty )); goto BB3 } BB3 { @@ -2194,8 +2316,8 @@ module C03StdIterators_SumRange } BB4 { invariant { [#"../03_std_iterators.rs" 65 4 65 48] inv0 iter }; - invariant { [#"../03_std_iterators.rs" 65 4 65 48] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../03_std_iterators.rs" 65 16 65 46] IntSize.to_int i = Seq.length (Ghost.inner produced) /\ i <= n }; + invariant { [#"../03_std_iterators.rs" 65 4 65 48] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../03_std_iterators.rs" 65 16 65 46] IntSize.to_int i = Seq.length (Snapshot.inner produced) /\ i <= n }; goto BB5 } BB5 { @@ -2215,7 +2337,7 @@ module C03StdIterators_SumRange end } BB7 { - [#"../03_std_iterators.rs" 69 4 69 5] _0 <- ([#"../03_std_iterators.rs" 69 4 69 5] i); + [#"../03_std_iterators.rs" 69 4 69 5] _0 <- i; return _0 } BB8 { 
@@ -2226,14 +2348,14 @@ module C03StdIterators_SumRange absurd } BB10 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _17); - [#"../03_std_iterators.rs" 65 4 65 48] _22 <- ([#"../03_std_iterators.rs" 65 4 65 48] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _17; + [#"../03_std_iterators.rs" 65 4 65 48] _22 <- ([#"../03_std_iterators.rs" 65 4 65 48] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB11 } BB11 { - [#"../03_std_iterators.rs" 65 4 65 48] produced <- ([#"../03_std_iterators.rs" 65 4 65 48] _22); - [#"../03_std_iterators.rs" 65 4 65 48] _22 <- any Ghost.ghost_ty (Seq.seq isize); - [#"../03_std_iterators.rs" 67 8 67 14] i <- ([#"../03_std_iterators.rs" 67 8 67 14] i + ([#"../03_std_iterators.rs" 67 13 67 14] [#"../03_std_iterators.rs" 67 13 67 14] (1 : isize))); + [#"../03_std_iterators.rs" 65 4 65 48] produced <- _22; + _22 <- any Snapshot.snap_ty (Seq.seq isize); + [#"../03_std_iterators.rs" 67 8 67 14] i <- i + ([#"../03_std_iterators.rs" 67 13 67 14] (1 : isize)); goto BB4 } 
@@ -2303,7 +2425,9 @@ module C03StdIterators_EnumerateRange predicate produces1 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces1 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces1 self visited o } 
@@ -2319,14 +2443,22 @@ module C03StdIterators_EnumerateRange requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv2 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces1 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces1 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv2 a) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv3 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv2 b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv3 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv2 c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces1 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces1 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv2 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv3 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv2 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv3 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv2 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl1 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv2 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces1 self (Seq.empty ) self) predicate invariant3 (self : Seq.seq usize) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant3 (self : Seq.seq usize) : bool 
@@ -2374,7 +2506,8 @@ module C03StdIterators_EnumerateRange predicate produces0 (self : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)) (visited : Seq.seq (usize, usize)) (o : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)) = - [#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 62 8 67 9] Seq.length visited = n0 o - n0 self /\ (exists s : Seq.seq usize . inv3 s /\ produces1 (iter0 self) s (iter0 o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = n0 self + i /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) + [#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 62 8 67 9] Seq.length visited = n0 o - n0 self /\ (exists s : Seq.seq usize . inv3 s /\ produces1 (iter0 self) s (iter0 o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = n0 self + i /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) val produces0 (self : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)) (visited : Seq.seq (usize, usize)) (o : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)) : bool ensures { result = produces0 self visited o } 
@@ -2390,7 +2523,14 @@ module C03StdIterators_EnumerateRange requires {[#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 82 80 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize), ab : Seq.seq (usize, usize), b : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize), bc : Seq.seq (usize, usize), c : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize) . ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 77 15 77 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 78 15 78 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 22 80 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 31 80 33] inv5 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 52 80 53] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 61 80 63] inv5 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 82 80 83] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 79 14 79 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize), ab : Seq.seq (usize, usize), b : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize), bc : Seq.seq (usize, usize), c : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize) . 
([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 77 15 77 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 78 15 78 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 22 80 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 31 80 33] inv5 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 52 80 53] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 61 80 63] inv5 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 80 82 80 83] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 79 14 79 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)) : () 
@@ -2398,9 +2538,10 @@ module C03StdIterators_EnumerateRange requires {[#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 73 21 73 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize) . ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 73 21 73 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 72 14 72 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize) . ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 73 21 73 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/enumerate.rs" 72 14 72 45] produces0 self (Seq.empty ) self) predicate resolve5 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve5 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) : bool ensures { result = resolve5 self } @@ -2419,9 +2560,9 @@ module C03StdIterators_EnumerateRange axiom inv0 : forall x : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize) . inv0 x = (invariant0 x /\ match x with | Core_Iter_Adapters_Enumerate_Enumerate_Type.C_Enumerate iter count -> true end) - use prelude.Ghost + use prelude.Snapshot predicate resolve4 (self : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true + [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve4 (self : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = resolve4 self } 
@@ -2433,12 +2574,12 @@ module C03StdIterators_EnumerateRange ensures { result = resolve2 self } predicate resolve3 (self : usize) = - [#"../../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true + [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve3 (self : usize) : bool ensures { result = resolve3 self } predicate resolve1 (self : (usize, usize)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 18 8 18 60] resolve3 (let (a, _) = self in a) /\ resolve3 (let (_, a) = self in a) + [#"../../../../../creusot-contracts/src/resolve.rs" 16 8 16 60] resolve3 (let (a, _) = self in a) /\ resolve3 (let (_, a) = self in a) val resolve1 (self : (usize, usize)) : bool ensures { result = resolve1 self } @@ -2446,7 +2587,7 @@ module C03StdIterators_EnumerateRange predicate resolve0 (self : borrowed (Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize))) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize))) : bool ensures { result = resolve0 self } 
@@ -2465,16 +2606,17 @@ module C03StdIterators_EnumerateRange end } ensures { inv4 result } - use prelude.Ghost - function index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq (usize, usize))) (ix : int) : (usize, usize) = - [#"../../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Ghost.inner self) ix - val index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq (usize, usize))) (ix : int) : (usize, usize) + use prelude.Snapshot + function index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq (usize, usize))) (ix : int) : (usize, usize) + = + [#"../../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Snapshot.inner self) ix + val index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq (usize, usize))) (ix : int) : (usize, usize) ensures { result = index_logic0 self ix } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)) (res : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)) = 
@@ -2506,13 +2648,14 @@ module C03StdIterators_EnumerateRange var _0 : (); var iter : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize); var _2 : Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize); - var iter_old : Ghost.ghost_ty (Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)); - var produced : Ghost.ghost_ty (Seq.seq (usize, usize)); + var _3 : Core_Ops_Range_Range_Type.t_range usize; + var iter_old : Snapshot.snap_ty (Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)); + var produced : Snapshot.snap_ty (Seq.seq (usize, usize)); var _12 : Core_Option_Option_Type.t_option (usize, usize); var _13 : borrowed (Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)); var _14 : borrowed (Core_Iter_Adapters_Enumerate_Enumerate_Type.t_enumerate (Core_Ops_Range_Range_Type.t_range usize)); var __creusot_proc_iter_elem : (usize, usize); - var _17 : Ghost.ghost_ty (Seq.seq (usize, usize)); + var _17 : Snapshot.snap_ty (Seq.seq (usize, usize)); var ix : usize; var x : usize; var _21 : (usize, usize); 
@@ -2520,7 +2663,9 @@ module C03StdIterators_EnumerateRange goto BB0 } BB0 { - [#"../03_std_iterators.rs" 74 19 74 38] _2 <- ([#"../03_std_iterators.rs" 74 19 74 38] enumerate0 ([#"../03_std_iterators.rs" 74 19 74 26] Core_Ops_Range_Range_Type.C_Range ([#"../03_std_iterators.rs" 74 20 74 21] [#"../03_std_iterators.rs" 74 20 74 21] (0 : usize)) ([#"../03_std_iterators.rs" 74 23 74 25] [#"../03_std_iterators.rs" 74 23 74 25] (10 : usize)))); + [#"../03_std_iterators.rs" 74 19 74 26] _3 <- Core_Ops_Range_Range_Type.C_Range ([#"../03_std_iterators.rs" 74 20 74 21] (0 : usize)) ([#"../03_std_iterators.rs" 74 23 74 25] (10 : usize)); + [#"../03_std_iterators.rs" 74 19 74 38] _2 <- ([#"../03_std_iterators.rs" 74 19 74 38] enumerate0 _3); + _3 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB1 } BB1 { @@ -2529,11 +2674,11 @@ module C03StdIterators_EnumerateRange goto BB2 } BB2 { - [#"../03_std_iterators.rs" 73 4 73 96] iter_old <- ([#"../03_std_iterators.rs" 73 4 73 96] Ghost.new iter); + [#"../03_std_iterators.rs" 73 4 73 96] iter_old <- ([#"../03_std_iterators.rs" 73 4 73 96] Snapshot.new iter); goto BB3 } BB3 { - [#"../03_std_iterators.rs" 73 4 73 96] produced <- ([#"../03_std_iterators.rs" 73 4 73 96] Ghost.new (Seq.empty )); + [#"../03_std_iterators.rs" 73 4 73 96] produced <- ([#"../03_std_iterators.rs" 73 4 73 96] Snapshot.new (Seq.empty )); goto BB4 } BB4 { 
@@ -2541,8 +2686,9 @@ module C03StdIterators_EnumerateRange } BB5 { invariant { [#"../03_std_iterators.rs" 73 4 73 96] inv0 iter }; - invariant { [#"../03_std_iterators.rs" 73 4 73 96] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../03_std_iterators.rs" 73 4 73 96] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner produced) -> (let (a, _) = index_logic0 produced i in a) = (let (_, a) = index_logic0 produced i in a) }; + invariant { [#"../03_std_iterators.rs" 73 4 73 96] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../03_std_iterators.rs" 73 4 73 96] forall i : int . 0 <= i /\ i < Seq.length (Snapshot.inner produced) + -> (let (a, _) = index_logic0 produced i in a) = (let (_, a) = index_logic0 produced i in a) }; goto BB6 } BB6 { 
@@ -2580,17 +2726,17 @@ module C03StdIterators_EnumerateRange absurd } BB11 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _12); - [#"../03_std_iterators.rs" 73 4 73 96] _17 <- ([#"../03_std_iterators.rs" 73 4 73 96] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _12; + [#"../03_std_iterators.rs" 73 4 73 96] _17 <- ([#"../03_std_iterators.rs" 73 4 73 96] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB12 } BB12 { - [#"../03_std_iterators.rs" 73 4 73 96] produced <- ([#"../03_std_iterators.rs" 73 4 73 96] _17); - [#"../03_std_iterators.rs" 73 4 73 96] _17 <- any Ghost.ghost_ty (Seq.seq (usize, usize)); - [#"../03_std_iterators.rs" 74 9 74 11] ix <- ([#"../03_std_iterators.rs" 74 9 74 11] let (a, _) = __creusot_proc_iter_elem in a); - [#"../03_std_iterators.rs" 74 13 74 14] x <- ([#"../03_std_iterators.rs" 74 13 74 14] let (_, a) = __creusot_proc_iter_elem in a); + [#"../03_std_iterators.rs" 73 4 73 96] produced <- _17; + _17 <- any Snapshot.snap_ty (Seq.seq (usize, usize)); + [#"../03_std_iterators.rs" 74 9 74 11] ix <- (let (a, _) = __creusot_proc_iter_elem in a); + [#"../03_std_iterators.rs" 74 13 74 14] x <- (let (_, a) = __creusot_proc_iter_elem in a); assume { resolve1 __creusot_proc_iter_elem }; - [#"../03_std_iterators.rs" 75 16 75 23] _21 <- ([#"../03_std_iterators.rs" 75 16 75 23] (([#"../03_std_iterators.rs" 75 17 75 19] ix), ([#"../03_std_iterators.rs" 75 21 75 22] x))); + [#"../03_std_iterators.rs" 75 16 75 23] _21 <- (ix, x); assume { resolve1 _21 }; goto BB5 } 
@@ -2695,7 +2841,9 @@ module C03StdIterators_MyReverse predicate produces1 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces1 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces1 self visited o } 
@@ -2711,14 +2859,22 @@ module C03StdIterators_MyReverse requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv5 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces1 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces1 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv5 a) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv6 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv5 b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv6 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv5 c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces1 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces1 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv5 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv6 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv5 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv6 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv5 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl1 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv5 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces1 self (Seq.empty ) self) predicate invariant6 (self : Seq.seq usize) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant6 (self : Seq.seq usize) : bool 
@@ -2780,7 +2936,8 @@ module C03StdIterators_MyReverse predicate produces0 (self : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)) (visited : Seq.seq (usize, usize)) (o : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)) = - [#"../../../../../creusot-contracts/src/std/iter/zip.rs" 44 8 50 9] exists p2 : Seq.seq usize . exists p1 : Seq.seq usize . inv6 p2 /\ inv6 p1 /\ Seq.length p1 = Seq.length p2 /\ Seq.length p2 = Seq.length visited /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) /\ produces1 (itera0 self) p1 (itera0 o) /\ produces1 (iterb0 self) p2 (iterb0 o) + [#"../../../../../creusot-contracts/src/std/iter/zip.rs" 44 8 50 9] exists p2 : Seq.seq usize . exists p1 : Seq.seq usize . inv6 p2 /\ inv6 p1 /\ Seq.length p1 = Seq.length p2 /\ Seq.length p2 = Seq.length visited /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) /\ produces1 (itera0 self) p1 (itera0 o) /\ produces1 (iterb0 self) p2 (iterb0 o) val produces0 (self : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)) (visited : Seq.seq (usize, usize)) (o : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)) : bool ensures { result = produces0 self visited o } 
@@ -2796,7 +2953,14 @@ module C03StdIterators_MyReverse requires {[#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 82 63 83] inv1 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize), ab : Seq.seq (usize, usize), b : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize), bc : Seq.seq (usize, usize), c : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize) . ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 60 15 60 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 61 15 61 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 22 63 23] inv1 a) -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 31 63 33] inv10 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 52 63 53] inv1 b) -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 61 63 63] inv10 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 82 63 83] inv1 c) -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 62 14 62 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize), ab : Seq.seq (usize, usize), b : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize), bc : Seq.seq (usize, usize), c : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize) . 
([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 60 15 60 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 61 15 61 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 22 63 23] inv1 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 31 63 33] inv10 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 52 63 53] inv1 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 61 63 63] inv10 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 63 82 63 83] inv1 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 62 14 62 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)) : () @@ -2804,7 +2968,8 @@ module C03StdIterators_MyReverse requires {[#"../../../../../creusot-contracts/src/std/iter/zip.rs" 56 21 56 25] inv1 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize) . ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 56 21 56 25] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 55 14 55 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize) . ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 56 21 56 25] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/zip.rs" 55 14 55 45] produces0 self (Seq.empty ) self) predicate invariant1 (self : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)) = 
@@ -2813,16 +2978,16 @@ module C03StdIterators_MyReverse ensures { result = invariant1 self } axiom inv1 : forall x : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize) . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (slice t))) - val invariant0 (self : Ghost.ghost_ty (borrowed (slice t))) : bool + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (slice t))) + val invariant0 (self : Snapshot.snap_ty (borrowed (slice t))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (slice t))) - val inv0 (_x : Ghost.ghost_ty (borrowed (slice t))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (slice t))) + val inv0 (_x : Snapshot.snap_ty (borrowed (slice t))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (slice t)) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (slice t)) . inv0 x = true use seq.Seq use seq.Reverse use prelude.Slice 
@@ -2834,15 +2999,16 @@ module C03StdIterators_MyReverse requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv9 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model3 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv9 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model3 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate resolve3 (self : borrowed (slice t)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve3 (self : borrowed (slice t)) : bool ensures { result = resolve3 self } use seq.Permut function shallow_model1 (self : borrowed (slice t)) : Seq.seq t = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model3 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model3 ( * self) val shallow_model1 (self : borrowed (slice t)) : Seq.seq t ensures { result = shallow_model1 self } 
@@ -2853,12 +3019,12 @@ module C03StdIterators_MyReverse ensures { [#"../../../../../creusot-contracts/src/std/slice.rs" 249 8 249 52] Permut.exchange (shallow_model3 ( ^ self)) (shallow_model1 self) (UIntSize.to_int a) (UIntSize.to_int b) } predicate resolve4 (self : usize) = - [#"../../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true + [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve4 (self : usize) : bool ensures { result = resolve4 self } predicate resolve2 (self : (usize, usize)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 18 8 18 60] resolve4 (let (a, _) = self in a) /\ resolve4 (let (_, a) = self in a) + [#"../../../../../creusot-contracts/src/resolve.rs" 16 8 16 60] resolve4 (let (a, _) = self in a) /\ resolve4 (let (_, a) = self in a) val resolve2 (self : (usize, usize)) : bool ensures { result = resolve2 self } @@ -2866,13 +3032,13 @@ module C03StdIterators_MyReverse predicate resolve1 (self : borrowed (Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize))) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed (Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize))) : bool ensures { result = resolve1 self } use seq.Seq predicate resolve5 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve5 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) : bool ensures { result = resolve5 self } 
@@ -2900,31 +3066,31 @@ module C03StdIterators_MyReverse predicate equiv_reverse_range0 [#"../03_std_iterators.rs" 87 0 87 81] (s1 : Seq.seq t) (s2 : Seq.seq t) (l : int) (u : int) (n : int) = - [#"../03_std_iterators.rs" 88 4 90 5] forall i : int . l <= i /\ i < u -> Seq.get s1 i = Seq.get s2 (n - i) + [#"../03_std_iterators.rs" 88 4 90 5] forall i : int . l <= i /\ i < u -> Seq.get s1 i = Seq.get s2 (n - i) val equiv_reverse_range0 [#"../03_std_iterators.rs" 87 0 87 81] (s1 : Seq.seq t) (s2 : Seq.seq t) (l : int) (u : int) (n : int) : bool ensures { result = equiv_reverse_range0 s1 s2 l u n } predicate equiv_range0 [#"../03_std_iterators.rs" 80 0 80 65] (s1 : Seq.seq t) (s2 : Seq.seq t) (l : int) (u : int) = - [#"../03_std_iterators.rs" 81 4 83 5] forall i : int . l <= i /\ i < u -> Seq.get s1 i = Seq.get s2 i + [#"../03_std_iterators.rs" 81 4 83 5] forall i : int . l <= i /\ i < u -> Seq.get s1 i = Seq.get s2 i val equiv_range0 [#"../03_std_iterators.rs" 80 0 80 65] (s1 : Seq.seq t) (s2 : Seq.seq t) (l : int) (u : int) : bool ensures { result = equiv_range0 s1 s2 l u } - use prelude.Ghost + use prelude.Snapshot function shallow_model5 (self : borrowed (slice t)) : Seq.seq t = - [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model1 self + [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model1 self val shallow_model5 (self : borrowed (slice t)) : Seq.seq t ensures { result = shallow_model5 self } - use prelude.Ghost - function shallow_model2 (self : Ghost.ghost_ty (borrowed (slice t))) : Seq.seq t = - [#"../../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model5 (Ghost.inner self) - val shallow_model2 (self : Ghost.ghost_ty (borrowed (slice t))) : Seq.seq t + use prelude.Snapshot + function shallow_model2 (self : Snapshot.snap_ty (borrowed (slice t))) : Seq.seq t = + [#"../../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model5 (Snapshot.inner self) + val shallow_model2 (self : 
Snapshot.snap_ty (borrowed (slice t))) : Seq.seq t ensures { result = shallow_model2 self } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post1 (self : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)) (res : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)) = @@ -2965,13 +3131,13 @@ module C03StdIterators_MyReverse ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 125 26 125 62] into_iter_post0 other (iterb0 result) } ensures { inv1 result } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (slice t))) - val resolve0 (self : Ghost.ghost_ty (borrowed (slice t))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (slice t))) + val resolve0 (self : Snapshot.snap_ty (borrowed (slice t))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot function shallow_model4 (self : slice t) : Seq.seq t = - [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model3 self + [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model3 self val shallow_model4 (self : slice t) : Seq.seq t ensures { result = shallow_model4 self } 
@@ -2987,47 +3153,61 @@ module C03StdIterators_MyReverse var _0 : (); var slice : borrowed (slice t) = slice; var n : usize; - var old_v : Ghost.ghost_ty (borrowed (slice t)); + var old_v : Snapshot.snap_ty (borrowed (slice t)); var iter : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize); var _8 : Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize); + var _9 : Core_Ops_Range_Range_Type.t_range usize; + var _10 : usize; var _12 : bool; + var _13 : Core_Ops_Range_Range_Type.t_range usize; + var _14 : usize; var _16 : bool; - var iter_old : Ghost.ghost_ty (Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)); - var produced : Ghost.ghost_ty (Seq.seq (usize, usize)); + var iter_old : Snapshot.snap_ty (Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)); + var produced : Snapshot.snap_ty (Seq.seq (usize, usize)); var _28 : Core_Option_Option_Type.t_option (usize, usize); var _29 : borrowed (Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)); var _30 : borrowed (Core_Iter_Adapters_Zip_Zip_Type.t_zip (Core_Ops_Range_Range_Type.t_range usize) (Core_Ops_Range_Range_Type.t_range usize)); var __creusot_proc_iter_elem : (usize, usize); - var _33 : Ghost.ghost_ty (Seq.seq (usize, usize)); + var _33 : Snapshot.snap_ty (Seq.seq (usize, usize)); var i : usize; var j : usize; var _37 : (); var _38 : borrowed (slice t); + var _40 : usize; + var _41 : usize; { goto BB0 } BB0 { - [#"../03_std_iterators.rs" 95 12 95 23] n <- ([#"../03_std_iterators.rs" 95 12 95 23] len0 ([#"../03_std_iterators.rs" 95 12 95 17] * slice)); + [#"../03_std_iterators.rs" 95 12 95 23] n <- ([#"../03_std_iterators.rs" 95 12 95 23] len0 ( * slice)); goto BB1 } 
BB1 { - [#"../03_std_iterators.rs" 96 33 96 46] old_v <- ([#"../03_std_iterators.rs" 96 33 96 46] Ghost.new slice); + [#"../03_std_iterators.rs" 96 36 96 55] old_v <- ([#"../03_std_iterators.rs" 96 36 96 55] Snapshot.new slice); goto BB2 } BB2 { assert { [@expl:type invariant] inv0 old_v }; assume { resolve0 old_v }; - [#"../03_std_iterators.rs" 101 22 101 27] _12 <- ([#"../03_std_iterators.rs" 101 22 101 27] ([#"../03_std_iterators.rs" 101 26 101 27] [#"../03_std_iterators.rs" 101 26 101 27] (2 : usize)) = ([#"../03_std_iterators.rs" 101 22 101 27] [#"../03_std_iterators.rs" 101 22 101 27] (0 : usize))); + [#"../03_std_iterators.rs" 101 22 101 27] _12 <- ([#"../03_std_iterators.rs" 101 26 101 27] (2 : usize)) = ([#"../03_std_iterators.rs" 101 22 101 27] (0 : usize)); assert { [@expl:division by zero] [#"../03_std_iterators.rs" 101 22 101 27] not _12 }; goto BB3 } BB3 { - [#"../03_std_iterators.rs" 101 36 101 41] _16 <- ([#"../03_std_iterators.rs" 101 36 101 41] ([#"../03_std_iterators.rs" 101 40 101 41] [#"../03_std_iterators.rs" 101 40 101 41] (2 : usize)) = ([#"../03_std_iterators.rs" 101 36 101 41] [#"../03_std_iterators.rs" 101 36 101 41] (0 : usize))); + [#"../03_std_iterators.rs" 101 22 101 27] _10 <- n / ([#"../03_std_iterators.rs" 101 26 101 27] (2 : usize)); + [#"../03_std_iterators.rs" 101 18 101 28] _9 <- Core_Ops_Range_Range_Type.C_Range ([#"../03_std_iterators.rs" 101 19 101 20] (0 : usize)) _10; + _10 <- any usize; + [#"../03_std_iterators.rs" 101 36 101 41] _16 <- ([#"../03_std_iterators.rs" 101 40 101 41] (2 : usize)) = ([#"../03_std_iterators.rs" 101 36 101 41] (0 : usize)); assert { [@expl:division by zero] [#"../03_std_iterators.rs" 101 36 101 41] not _16 }; goto BB4 } BB4 { - [#"../03_std_iterators.rs" 101 18 101 42] _8 <- ([#"../03_std_iterators.rs" 101 18 101 42] zip0 ([#"../03_std_iterators.rs" 101 18 101 28] Core_Ops_Range_Range_Type.C_Range ([#"../03_std_iterators.rs" 101 19 101 20] [#"../03_std_iterators.rs" 101 19 101 20] (0 : usize)) 
([#"../03_std_iterators.rs" 101 22 101 27] ([#"../03_std_iterators.rs" 101 22 101 23] n) / ([#"../03_std_iterators.rs" 101 26 101 27] [#"../03_std_iterators.rs" 101 26 101 27] (2 : usize)))) ([#"../03_std_iterators.rs" 101 33 101 41] Core_Ops_Range_Range_Type.C_Range ([#"../03_std_iterators.rs" 101 33 101 34] [#"../03_std_iterators.rs" 101 33 101 34] (0 : usize)) ([#"../03_std_iterators.rs" 101 36 101 41] ([#"../03_std_iterators.rs" 101 36 101 37] n) / ([#"../03_std_iterators.rs" 101 40 101 41] [#"../03_std_iterators.rs" 101 40 101 41] (2 : usize))))); + [#"../03_std_iterators.rs" 101 36 101 41] _14 <- n / ([#"../03_std_iterators.rs" 101 40 101 41] (2 : usize)); + [#"../03_std_iterators.rs" 101 33 101 41] _13 <- Core_Ops_Range_Range_Type.C_Range ([#"../03_std_iterators.rs" 101 33 101 34] (0 : usize)) _14; + _14 <- any usize; + [#"../03_std_iterators.rs" 101 18 101 42] _8 <- ([#"../03_std_iterators.rs" 101 18 101 42] zip0 _9 _13); + _9 <- any Core_Ops_Range_Range_Type.t_range usize; + _13 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB5 } BB5 { @@ -3036,11 +3216,11 @@ module C03StdIterators_MyReverse goto BB6 } BB6 { - [#"../03_std_iterators.rs" 97 4 97 36] iter_old <- ([#"../03_std_iterators.rs" 97 4 97 36] Ghost.new iter); + [#"../03_std_iterators.rs" 97 4 97 36] iter_old <- ([#"../03_std_iterators.rs" 97 4 97 36] Snapshot.new iter); goto BB7 } BB7 { - [#"../03_std_iterators.rs" 97 4 97 36] produced <- ([#"../03_std_iterators.rs" 97 4 97 36] Ghost.new (Seq.empty )); + [#"../03_std_iterators.rs" 97 4 97 36] produced <- ([#"../03_std_iterators.rs" 97 4 97 36] Snapshot.new (Seq.empty )); goto BB8 } BB8 { 
@@ -3048,11 +3228,11 @@ module C03StdIterators_MyReverse } BB9 { invariant { [#"../03_std_iterators.rs" 97 4 97 36] inv1 iter }; - invariant { [#"../03_std_iterators.rs" 97 4 97 36] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; + invariant { [#"../03_std_iterators.rs" 97 4 97 36] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; invariant { [#"../03_std_iterators.rs" 97 16 97 34] UIntSize.to_int n = Seq.length (shallow_model1 slice) }; - invariant { [#"../03_std_iterators.rs" 98 16 98 78] equiv_range0 (shallow_model1 slice) (shallow_model2 old_v) (Seq.length (Ghost.inner produced)) (UIntSize.to_int n - Seq.length (Ghost.inner produced)) }; - invariant { [#"../03_std_iterators.rs" 99 16 99 76] equiv_reverse_range0 (shallow_model1 slice) (shallow_model2 old_v) 0 (Seq.length (Ghost.inner produced)) (UIntSize.to_int n - 1) }; - invariant { [#"../03_std_iterators.rs" 100 16 100 80] equiv_reverse_range0 (shallow_model1 slice) (shallow_model2 old_v) (UIntSize.to_int n - Seq.length (Ghost.inner produced)) (UIntSize.to_int n) (UIntSize.to_int n - 1) }; + invariant { [#"../03_std_iterators.rs" 98 16 98 78] equiv_range0 (shallow_model1 slice) (shallow_model2 old_v) (Seq.length (Snapshot.inner produced)) (UIntSize.to_int n - Seq.length (Snapshot.inner produced)) }; + invariant { [#"../03_std_iterators.rs" 99 16 99 76] equiv_reverse_range0 (shallow_model1 slice) (shallow_model2 old_v) 0 (Seq.length (Snapshot.inner produced)) (UIntSize.to_int n - 1) }; + invariant { [#"../03_std_iterators.rs" 100 16 100 80] equiv_reverse_range0 (shallow_model1 slice) (shallow_model2 old_v) (UIntSize.to_int n - Seq.length (Snapshot.inner produced)) (UIntSize.to_int n) (UIntSize.to_int n - 1) }; goto BB10 } BB10 { 
@@ -3087,21 +3267,25 @@ module C03StdIterators_MyReverse absurd } BB15 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _28); - [#"../03_std_iterators.rs" 97 4 97 36] _33 <- ([#"../03_std_iterators.rs" 97 4 97 36] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _28; + [#"../03_std_iterators.rs" 97 4 97 36] _33 <- ([#"../03_std_iterators.rs" 97 4 97 36] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB16 } BB16 { - [#"../03_std_iterators.rs" 97 4 97 36] produced <- ([#"../03_std_iterators.rs" 97 4 97 36] _33); - [#"../03_std_iterators.rs" 97 4 97 36] _33 <- any Ghost.ghost_ty (Seq.seq (usize, usize)); - [#"../03_std_iterators.rs" 101 9 101 10] i <- ([#"../03_std_iterators.rs" 101 9 101 10] let (a, _) = __creusot_proc_iter_elem in a); - [#"../03_std_iterators.rs" 101 12 101 13] j <- ([#"../03_std_iterators.rs" 101 12 101 13] let (_, a) = __creusot_proc_iter_elem in a); + [#"../03_std_iterators.rs" 97 4 97 36] produced <- _33; + _33 <- any Snapshot.snap_ty (Seq.seq (usize, usize)); + [#"../03_std_iterators.rs" 101 9 101 10] i <- (let (a, _) = __creusot_proc_iter_elem in a); + [#"../03_std_iterators.rs" 101 12 101 13] j <- (let (_, a) = __creusot_proc_iter_elem in a); assume { resolve2 __creusot_proc_iter_elem }; [#"../03_std_iterators.rs" 102 8 102 13] _38 <- Borrow.borrow_mut ( * slice); [#"../03_std_iterators.rs" 102 8 102 13] slice <- { slice with current = ( ^ _38) ; }; assume { inv2 ( ^ _38) }; - [#"../03_std_iterators.rs" 102 8 102 32] _37 <- ([#"../03_std_iterators.rs" 102 8 102 32] swap0 _38 ([#"../03_std_iterators.rs" 102 19 102 20] i) ([#"../03_std_iterators.rs" 102 22 102 31] 
([#"../03_std_iterators.rs" 102 22 102 27] ([#"../03_std_iterators.rs" 102 22 102 23] n) - ([#"../03_std_iterators.rs" 102 26 102 27] j)) - ([#"../03_std_iterators.rs" 102 30 102 31] [#"../03_std_iterators.rs" 102 30 102 31] (1 : usize)))); + [#"../03_std_iterators.rs" 102 22 102 27] _41 <- n - j; + [#"../03_std_iterators.rs" 102 22 102 31] _40 <- _41 - ([#"../03_std_iterators.rs" 102 30 102 31] (1 : usize)); + _41 <- any usize; + [#"../03_std_iterators.rs" 102 8 102 32] _37 <- ([#"../03_std_iterators.rs" 102 8 102 32] swap0 _38 i _40); _38 <- any borrowed (slice t); + _40 <- any usize; goto BB17 } BB17 { diff --git a/creusot/tests/should_succeed/iterators/03_std_iterators.rs b/creusot/tests/should_succeed/iterators/03_std_iterators.rs index 9eacdb997d..48129ab740 100644 --- a/creusot/tests/should_succeed/iterators/03_std_iterators.rs +++ b/creusot/tests/should_succeed/iterators/03_std_iterators.rs @@ -93,7 +93,7 @@ fn equiv_reverse_range(s1: Seq, s2: Seq, l: Int, u: Int, n: Int) -> boo #[ensures((^slice)@.ext_eq(slice@.reverse()))] pub fn my_reverse(slice: &mut [T]) { let n = slice.len(); - let old_v: Ghost<&mut [T]> = gh! { slice }; + let old_v: Snapshot<&mut [T]> = snapshot! { slice }; #[invariant(n@ == slice@.len())] #[invariant(equiv_range(slice@, old_v@, produced.len(), n@-produced.len()))] #[invariant(equiv_reverse_range(slice@, old_v@, 0, produced.len(), n@-1))] diff --git a/creusot/tests/should_succeed/iterators/03_std_iterators/why3session.xml b/creusot/tests/should_succeed/iterators/03_std_iterators/why3session.xml index fac3b7cce0..77bf4a6974 100644 --- a/creusot/tests/should_succeed/iterators/03_std_iterators/why3session.xml +++ b/creusot/tests/should_succeed/iterators/03_std_iterators/why3session.xml @@ -15,12 +15,12 @@ - + - + @@ -43,43 +43,43 @@ - + - + - + - + - + - + - + - + - + - + - + @@ -95,100 +95,100 @@ - + - - + + - - + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 
diff --git a/creusot/tests/should_succeed/iterators/03_std_iterators/why3shapes.gz b/creusot/tests/should_succeed/iterators/03_std_iterators/why3shapes.gz index cd34f025c6..879ed20366 100644 Binary files a/creusot/tests/should_succeed/iterators/03_std_iterators/why3shapes.gz and b/creusot/tests/should_succeed/iterators/03_std_iterators/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/iterators/04_skip.mlcfg b/creusot/tests/should_succeed/iterators/04_skip.mlcfg index 1d2f663617..4cc39b1bca 100644 --- a/creusot/tests/should_succeed/iterators/04_skip.mlcfg +++ b/creusot/tests/should_succeed/iterators/04_skip.mlcfg 
@@ -53,14 +53,21 @@ module C04Skip_Impl0_ProducesRefl_Impl requires {[#"../common.rs" 21 82 21 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv2 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv2 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv2 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv2 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) use C04Skip_Skip_Type as C04Skip_Skip_Type predicate invariant0 (self : C04Skip_Skip_Type.t_skip i) val invariant0 (self : C04Skip_Skip_Type.t_skip i) : bool 
@@ -82,16 +89,15 @@ module C04Skip_Impl0_ProducesRefl_Impl predicate produces0 [#"../04_skip.rs" 36 4 36 64] (self : C04Skip_Skip_Type.t_skip i) (visited : Seq.seq item0) (o : C04Skip_Skip_Type.t_skip i) = - [#"../04_skip.rs" 37 8 44 9] visited = Seq.empty /\ self = o \/ UIntSize.to_int (C04Skip_Skip_Type.skip_n o) = 0 /\ Seq.length visited > 0 /\ (exists s : Seq.seq item0 . inv1 s /\ Seq.length s = UIntSize.to_int (C04Skip_Skip_Type.skip_n self) /\ produces1 (C04Skip_Skip_Type.skip_iter self) (Seq.(++) s visited) (C04Skip_Skip_Type.skip_iter o) /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve0 (Seq.get s i))) + [#"../04_skip.rs" 37 8 44 9] visited = Seq.empty /\ self = o \/ UIntSize.to_int (C04Skip_Skip_Type.skip_n o) = 0 /\ Seq.length visited > 0 /\ (exists s : Seq.seq item0 . inv1 s /\ Seq.length s = UIntSize.to_int (C04Skip_Skip_Type.skip_n self) /\ produces1 (C04Skip_Skip_Type.skip_iter self) (Seq.(++) s visited) (C04Skip_Skip_Type.skip_iter o) /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> resolve0 (Seq.get s i))) val produces0 [#"../04_skip.rs" 36 4 36 64] (self : C04Skip_Skip_Type.t_skip i) (visited : Seq.seq item0) (o : C04Skip_Skip_Type.t_skip i) : bool ensures { result = produces0 self visited o } - let rec ghost function produces_refl [#"../04_skip.rs" 50 4 50 26] (self : C04Skip_Skip_Type.t_skip i) : () - requires {[#"../04_skip.rs" 50 21 50 25] inv0 self} - ensures { [#"../04_skip.rs" 49 14 49 45] produces0 self (Seq.empty ) self } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../04_skip.rs" 47 4 47 10] () + constant self : C04Skip_Skip_Type.t_skip i + function produces_refl [#"../04_skip.rs" 50 4 50 26] (self : C04Skip_Skip_Type.t_skip i) : () + goal vc_produces_refl : ([#"../04_skip.rs" 50 21 50 25] inv0 self) + -> ([#"../04_skip.rs" 49 14 49 45] produces0 self (Seq.empty ) self) end module C04Skip_Impl0_ProducesTrans_Impl type i 
@@ -127,14 +133,21 @@ module C04Skip_Impl0_ProducesTrans_Impl requires {[#"../common.rs" 21 82 21 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv2 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv2 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv2 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv2 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : Seq.seq item0) val invariant1 (self : Seq.seq item0) : bool ensures { result = invariant1 self } 
@@ -161,22 +174,26 @@ module C04Skip_Impl0_ProducesTrans_Impl predicate produces0 [#"../04_skip.rs" 36 4 36 64] (self : C04Skip_Skip_Type.t_skip i) (visited : Seq.seq item0) (o : C04Skip_Skip_Type.t_skip i) = - [#"../04_skip.rs" 37 8 44 9] visited = Seq.empty /\ self = o \/ UIntSize.to_int (C04Skip_Skip_Type.skip_n o) = 0 /\ Seq.length visited > 0 /\ (exists s : Seq.seq item0 . inv1 s /\ Seq.length s = UIntSize.to_int (C04Skip_Skip_Type.skip_n self) /\ produces1 (C04Skip_Skip_Type.skip_iter self) (Seq.(++) s visited) (C04Skip_Skip_Type.skip_iter o) /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve0 (Seq.get s i))) + [#"../04_skip.rs" 37 8 44 9] visited = Seq.empty /\ self = o \/ UIntSize.to_int (C04Skip_Skip_Type.skip_n o) = 0 /\ Seq.length visited > 0 /\ (exists s : Seq.seq item0 . inv1 s /\ Seq.length s = UIntSize.to_int (C04Skip_Skip_Type.skip_n self) /\ produces1 (C04Skip_Skip_Type.skip_iter self) (Seq.(++) s visited) (C04Skip_Skip_Type.skip_iter o) /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> resolve0 (Seq.get s i))) val produces0 [#"../04_skip.rs" 36 4 36 64] (self : C04Skip_Skip_Type.t_skip i) (visited : Seq.seq item0) (o : C04Skip_Skip_Type.t_skip i) : bool ensures { result = produces0 self visited o } - let rec ghost function produces_trans [#"../04_skip.rs" 57 4 57 90] (a : C04Skip_Skip_Type.t_skip i) (ab : Seq.seq item0) (b : C04Skip_Skip_Type.t_skip i) (bc : Seq.seq item0) (c : C04Skip_Skip_Type.t_skip i) : () - requires {[#"../04_skip.rs" 54 15 54 32] produces0 a ab b} - requires {[#"../04_skip.rs" 55 15 55 32] produces0 b bc c} - requires {[#"../04_skip.rs" 57 22 57 23] inv0 a} - requires {[#"../04_skip.rs" 57 31 57 33] inv1 ab} - requires {[#"../04_skip.rs" 57 52 57 53] inv0 b} - requires {[#"../04_skip.rs" 57 61 57 63] inv1 bc} - requires {[#"../04_skip.rs" 57 82 57 83] inv0 c} - ensures { [#"../04_skip.rs" 56 14 56 42] produces0 a (Seq.(++) ab bc) c } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../04_skip.rs" 52 4 52 10] () + 
constant a : C04Skip_Skip_Type.t_skip i + constant ab : Seq.seq item0 + constant b : C04Skip_Skip_Type.t_skip i + constant bc : Seq.seq item0 + constant c : C04Skip_Skip_Type.t_skip i + function produces_trans [#"../04_skip.rs" 57 4 57 90] (a : C04Skip_Skip_Type.t_skip i) (ab : Seq.seq item0) (b : C04Skip_Skip_Type.t_skip i) (bc : Seq.seq item0) (c : C04Skip_Skip_Type.t_skip i) : () + + goal vc_produces_trans : ([#"../04_skip.rs" 57 82 57 83] inv0 c) + -> ([#"../04_skip.rs" 57 61 57 63] inv1 bc) + -> ([#"../04_skip.rs" 57 52 57 53] inv0 b) + -> ([#"../04_skip.rs" 57 31 57 33] inv1 ab) + -> ([#"../04_skip.rs" 57 22 57 23] inv0 a) + -> ([#"../04_skip.rs" 55 15 55 32] produces0 b bc c) + -> ([#"../04_skip.rs" 54 15 54 32] produces0 a ab b) + -> ([#"../04_skip.rs" 56 14 56 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = 
@@ -288,33 +305,40 @@ module C04Skip_Impl0_Next requires {[#"../common.rs" 21 82 21 83] inv3 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv3 a) -> ([#"../common.rs" 21 31 21 33] inv9 ab) -> ([#"../common.rs" 21 52 21 53] inv3 b) -> ([#"../common.rs" 21 61 21 63] inv9 bc) -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv3 a) + -> ([#"../common.rs" 21 31 21 33] inv9 ab) + -> ([#"../common.rs" 21 52 21 53] inv3 b) + -> ([#"../common.rs" 21 61 21 63] inv9 bc) + -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv3 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) - use prelude.Ghost - predicate invariant1 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant1 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + axiom produces_refl0_spec : forall self : i . 
([#"../common.rs" 15 21 15 25] inv3 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + use prelude.Snapshot + predicate invariant1 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant1 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant1 self } - predicate inv1 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv1 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate inv1 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv1 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv1 _x } - axiom inv1 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv1 x = true - predicate invariant0 (self : Ghost.ghost_ty (borrowed (C04Skip_Skip_Type.t_skip i))) - val invariant0 (self : Ghost.ghost_ty (borrowed (C04Skip_Skip_Type.t_skip i))) : bool + axiom inv1 : forall x : Snapshot.snap_ty (Seq.seq item0) . inv1 x = true + predicate invariant0 (self : Snapshot.snap_ty (borrowed (C04Skip_Skip_Type.t_skip i))) + val invariant0 (self : Snapshot.snap_ty (borrowed (C04Skip_Skip_Type.t_skip i))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (C04Skip_Skip_Type.t_skip i))) - val inv0 (_x : Ghost.ghost_ty (borrowed (C04Skip_Skip_Type.t_skip i))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (C04Skip_Skip_Type.t_skip i))) + val inv0 (_x : Snapshot.snap_ty (borrowed (C04Skip_Skip_Type.t_skip i))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (C04Skip_Skip_Type.t_skip i)) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (C04Skip_Skip_Type.t_skip i)) . inv0 x = true predicate resolve3 (self : item0) val resolve3 (self : item0) : bool ensures { result = resolve3 self } 
@@ -326,7 +350,8 @@ module C04Skip_Impl0_Next predicate produces1 [#"../04_skip.rs" 36 4 36 64] (self : C04Skip_Skip_Type.t_skip i) (visited : Seq.seq item0) (o : C04Skip_Skip_Type.t_skip i) = - [#"../04_skip.rs" 37 8 44 9] visited = Seq.empty /\ self = o \/ UIntSize.to_int (C04Skip_Skip_Type.skip_n o) = 0 /\ Seq.length visited > 0 /\ (exists s : Seq.seq item0 . inv9 s /\ Seq.length s = UIntSize.to_int (C04Skip_Skip_Type.skip_n self) /\ produces0 (C04Skip_Skip_Type.skip_iter self) (Seq.(++) s visited) (C04Skip_Skip_Type.skip_iter o) /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve3 (Seq.get s i))) + [#"../04_skip.rs" 37 8 44 9] visited = Seq.empty /\ self = o \/ UIntSize.to_int (C04Skip_Skip_Type.skip_n o) = 0 /\ Seq.length visited > 0 /\ (exists s : Seq.seq item0 . inv9 s /\ Seq.length s = UIntSize.to_int (C04Skip_Skip_Type.skip_n self) /\ produces0 (C04Skip_Skip_Type.skip_iter self) (Seq.(++) s visited) (C04Skip_Skip_Type.skip_iter o) /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> resolve3 (Seq.get s i))) val produces1 [#"../04_skip.rs" 36 4 36 64] (self : C04Skip_Skip_Type.t_skip i) (visited : Seq.seq item0) (o : C04Skip_Skip_Type.t_skip i) : bool ensures { result = produces1 self visited o } 
@@ -335,12 +360,13 @@ module C04Skip_Impl0_Next ensures { result = completed1 self } predicate completed0 [#"../04_skip.rs" 22 4 22 35] (self : borrowed (C04Skip_Skip_Type.t_skip i)) = - [#"../04_skip.rs" 23 8 31 9] UIntSize.to_int (C04Skip_Skip_Type.skip_n ( ^ self)) = 0 /\ (exists i : borrowed i . exists s : Seq.seq item0 . inv8 i /\ inv9 s /\ Seq.length s <= UIntSize.to_int (C04Skip_Skip_Type.skip_n ( * self)) /\ produces0 (C04Skip_Skip_Type.skip_iter ( * self)) s ( * i) /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve3 (Seq.get s i)) /\ completed1 i /\ ^ i = C04Skip_Skip_Type.skip_iter ( ^ self)) + [#"../04_skip.rs" 23 8 31 9] UIntSize.to_int (C04Skip_Skip_Type.skip_n ( ^ self)) = 0 /\ (exists i : borrowed i . exists s : Seq.seq item0 . inv8 i /\ inv9 s /\ Seq.length s <= UIntSize.to_int (C04Skip_Skip_Type.skip_n ( * self)) /\ produces0 (C04Skip_Skip_Type.skip_iter ( * self)) s ( * i) /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> resolve3 (Seq.get s i)) /\ completed1 i /\ ^ i = C04Skip_Skip_Type.skip_iter ( ^ self)) val completed0 [#"../04_skip.rs" 22 4 22 35] (self : borrowed (C04Skip_Skip_Type.t_skip i)) : bool ensures { result = completed0 self } predicate resolve5 (self : borrowed (C04Skip_Skip_Type.t_skip i)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve5 (self : borrowed (C04Skip_Skip_Type.t_skip i)) : bool ensures { result = resolve5 self } 
@@ -357,21 +383,21 @@ module C04Skip_Impl0_Next end } ensures { [#"../common.rs" 27 26 27 44] inv5 result } - use prelude.Ghost - function index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq item0)) (ix : int) : item0 = - [#"../../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Ghost.inner self) ix - val index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq item0)) (ix : int) : item0 + use prelude.Snapshot + function index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq item0)) (ix : int) : item0 = + [#"../../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Snapshot.inner self) ix + val index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq item0)) (ix : int) : item0 ensures { result = index_logic0 self ix } - use prelude.Ghost - use prelude.Ghost - predicate resolve2 (self : Ghost.ghost_ty (Seq.seq item0)) - val resolve2 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + use prelude.Snapshot + use prelude.Snapshot + predicate resolve2 (self : Snapshot.snap_ty (Seq.seq item0)) + val resolve2 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = resolve2 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve1 (self : borrowed usize) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed usize) : bool ensures { result = resolve1 self } 
@@ -386,11 +412,11 @@ module C04Skip_Impl0_Next ensures { [#"../../../../../creusot-contracts/src/std/mem.rs" 16 22 16 42] is_default0 ( ^ dest) } ensures { inv7 result } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (C04Skip_Skip_Type.t_skip i))) - val resolve0 (self : Ghost.ghost_ty (borrowed (C04Skip_Skip_Type.t_skip i))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (C04Skip_Skip_Type.t_skip i))) + val resolve0 (self : Snapshot.snap_ty (borrowed (C04Skip_Skip_Type.t_skip i))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg next [#"../04_skip.rs" 63 4 63 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (C04Skip_Skip_Type.t_skip i)) : Core_Option_Option_Type.t_option item0 requires {[#"../04_skip.rs" 63 17 63 21] inv2 self} ensures { [#"../04_skip.rs" 59 14 62 5] match result with @@ -402,20 +428,21 @@ module C04Skip_Impl0_Next = [@vc:do_not_keep_trace] [@vc:sp] var _0 : Core_Option_Option_Type.t_option item0; var self : borrowed (C04Skip_Skip_Type.t_skip i) = self; - var old_self : Ghost.ghost_ty (borrowed (C04Skip_Skip_Type.t_skip i)); + var old_self : Snapshot.snap_ty (borrowed (C04Skip_Skip_Type.t_skip i)); var n : usize; var _6 : borrowed usize; var _7 : borrowed usize; - var skipped : Ghost.ghost_ty (Seq.seq item0); + var skipped : Snapshot.snap_ty (Seq.seq item0); var r : Core_Option_Option_Type.t_option item0; var _18 : borrowed i; + var _20 : bool; var x : item0; - var _25 : Ghost.ghost_ty (Seq.seq item0); + var _25 : Snapshot.snap_ty (Seq.seq item0); { goto BB0 } BB0 { - [#"../04_skip.rs" 64 23 64 35] old_self <- ([#"../04_skip.rs" 64 23 64 35] Ghost.new self); + [#"../04_skip.rs" 64 23 64 41] old_self <- ([#"../04_skip.rs" 64 23 64 41] Snapshot.new self); goto BB1 } BB1 { 
@@ -431,7 +458,7 @@ module C04Skip_Impl0_Next } BB2 { assume { resolve1 _7 }; - [#"../04_skip.rs" 66 26 66 44] skipped <- ([#"../04_skip.rs" 66 26 66 44] Ghost.new (Seq.empty )); + [#"../04_skip.rs" 66 26 66 50] skipped <- ([#"../04_skip.rs" 66 26 66 50] Snapshot.new (Seq.empty )); goto BB3 } BB3 { @@ -440,9 +467,10 @@ module C04Skip_Impl0_Next goto BB4 } BB4 { - invariant { [#"../04_skip.rs" 67 20 67 53] Seq.length (Ghost.inner skipped) + UIntSize.to_int n = UIntSize.to_int (C04Skip_Skip_Type.skip_n ( * Ghost.inner old_self)) }; - invariant { [#"../04_skip.rs" 67 8 67 55] produces0 (C04Skip_Skip_Type.skip_iter ( * Ghost.inner old_self)) (Ghost.inner skipped) (C04Skip_Skip_Type.skip_iter ( * self)) }; - invariant { [#"../04_skip.rs" 67 8 67 55] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner skipped) -> resolve3 (index_logic0 skipped i) }; + invariant { [#"../04_skip.rs" 67 20 67 53] Seq.length (Snapshot.inner skipped) + UIntSize.to_int n = UIntSize.to_int (C04Skip_Skip_Type.skip_n ( * Snapshot.inner old_self)) }; + invariant { [#"../04_skip.rs" 67 8 67 55] produces0 (C04Skip_Skip_Type.skip_iter ( * Snapshot.inner old_self)) (Snapshot.inner skipped) (C04Skip_Skip_Type.skip_iter ( * self)) }; + invariant { [#"../04_skip.rs" 67 8 67 55] forall i : int . 0 <= i /\ i < Seq.length (Snapshot.inner skipped) + -> resolve3 (index_logic0 skipped i) }; invariant { [#"../04_skip.rs" 70 20 70 35] UIntSize.to_int (C04Skip_Skip_Type.skip_n ( * self)) = 0 }; invariant { [#"../04_skip.rs" 71 20 71 29] inv2 self }; goto BB5 @@ -456,7 +484,8 @@ module C04Skip_Impl0_Next goto BB6 } BB6 { - switch ([#"../04_skip.rs" 74 15 74 21] ([#"../04_skip.rs" 74 15 74 16] n) = ([#"../04_skip.rs" 74 20 74 21] [#"../04_skip.rs" 74 20 74 21] (0 : usize))) + [#"../04_skip.rs" 74 15 74 21] _20 <- n = ([#"../04_skip.rs" 74 20 74 21] (0 : usize)); + switch (_20) | False -> goto BB8 | True -> goto BB7 end 
@@ -464,8 +493,8 @@ module C04Skip_Impl0_Next BB7 { assert { [@expl:type invariant] inv2 self }; assume { resolve5 self }; - [#"../04_skip.rs" 75 23 75 24] _0 <- ([#"../04_skip.rs" 75 23 75 24] r); - [#"../04_skip.rs" 75 23 75 24] r <- any Core_Option_Option_Type.t_option item0; + [#"../04_skip.rs" 75 23 75 24] _0 <- r; + r <- any Core_Option_Option_Type.t_option item0; goto BB15 } BB8 { 
@@ -477,29 +506,29 @@ module C04Skip_Impl0_Next BB9 { assert { [@expl:type invariant] inv2 self }; assume { resolve5 self }; - [#"../04_skip.rs" 81 23 81 24] _0 <- ([#"../04_skip.rs" 81 23 81 24] r); - [#"../04_skip.rs" 81 23 81 24] r <- any Core_Option_Option_Type.t_option item0; + [#"../04_skip.rs" 81 23 81 24] _0 <- r; + r <- any Core_Option_Option_Type.t_option item0; goto BB15 } BB10 { goto BB11 } BB11 { - [#"../04_skip.rs" 77 24 77 25] x <- ([#"../04_skip.rs" 77 24 77 25] Core_Option_Option_Type.some_0 r); - [#"../04_skip.rs" 77 24 77 25] r <- (let Core_Option_Option_Type.C_Some x0 = r in Core_Option_Option_Type.C_Some (any item0)); + [#"../04_skip.rs" 77 24 77 25] x <- Core_Option_Option_Type.some_0 r; + r <- (let Core_Option_Option_Type.C_Some x0 = r in Core_Option_Option_Type.C_Some (any item0)); assert { [@expl:type invariant] inv4 x }; assume { resolve3 x }; assert { [@expl:type invariant] inv5 r }; assume { resolve4 r }; - [#"../04_skip.rs" 78 26 78 67] _25 <- ([#"../04_skip.rs" 78 26 78 67] Ghost.new (Seq.(++) (Ghost.inner skipped) (Seq.singleton x))); + [#"../04_skip.rs" 78 26 78 73] _25 <- ([#"../04_skip.rs" 78 26 78 73] Snapshot.new (Seq.(++) (Snapshot.inner skipped) (Seq.singleton x))); goto BB12 } BB12 { - [#"../04_skip.rs" 78 16 78 67] skipped <- ([#"../04_skip.rs" 78 16 78 67] _25); - [#"../04_skip.rs" 78 16 78 67] _25 <- any Ghost.ghost_ty (Seq.seq item0); + [#"../04_skip.rs" 78 16 78 73] skipped <- _25; + _25 <- any Snapshot.snap_ty (Seq.seq item0); assert { [@expl:type invariant] inv1 skipped }; assume { resolve2 skipped }; - [#"../04_skip.rs" 79 16 79 22] n <- ([#"../04_skip.rs" 79 16 79 22] n - ([#"../04_skip.rs" 79 21 79 22] [#"../04_skip.rs" 79 21 79 22] (1 : usize))); + [#"../04_skip.rs" 79 16 79 22] n <- n - ([#"../04_skip.rs" 79 21 79 22] (1 : usize)); goto BB13 } BB13 { 
@@ -539,41 +568,38 @@ module C04Skip_Impl0 ensures { result = inv3 _x } axiom inv3 : forall x : Seq.seq item0 . inv3 x = true - use Core_Option_Option_Type as Core_Option_Option_Type - predicate invariant2 (self : Core_Option_Option_Type.t_option item0) - val invariant2 (self : Core_Option_Option_Type.t_option item0) : bool + use C04Skip_Skip_Type as C04Skip_Skip_Type + predicate invariant2 (self : C04Skip_Skip_Type.t_skip i) + val invariant2 (self : C04Skip_Skip_Type.t_skip i) : bool ensures { result = invariant2 self } - predicate inv2 (_x : Core_Option_Option_Type.t_option item0) - val inv2 (_x : Core_Option_Option_Type.t_option item0) : bool + predicate inv2 (_x : C04Skip_Skip_Type.t_skip i) + val inv2 (_x : C04Skip_Skip_Type.t_skip i) : bool ensures { result = inv2 _x } - axiom inv2 : forall x : Core_Option_Option_Type.t_option item0 . inv2 x = true - use C04Skip_Skip_Type as C04Skip_Skip_Type - predicate invariant1 (self : borrowed (C04Skip_Skip_Type.t_skip i)) - val invariant1 (self : borrowed (C04Skip_Skip_Type.t_skip i)) : bool + axiom inv2 : forall x : C04Skip_Skip_Type.t_skip i . inv2 x = true + use Core_Option_Option_Type as Core_Option_Option_Type + predicate invariant1 (self : Core_Option_Option_Type.t_option item0) + val invariant1 (self : Core_Option_Option_Type.t_option item0) : bool ensures { result = invariant1 self } - predicate inv1 (_x : borrowed (C04Skip_Skip_Type.t_skip i)) - val inv1 (_x : borrowed (C04Skip_Skip_Type.t_skip i)) : bool + predicate inv1 (_x : Core_Option_Option_Type.t_option item0) + val inv1 (_x : Core_Option_Option_Type.t_option item0) : bool ensures { result = inv1 _x } - axiom inv1 : forall x : borrowed (C04Skip_Skip_Type.t_skip i) . inv1 x = true - predicate invariant0 (self : C04Skip_Skip_Type.t_skip i) - val invariant0 (self : C04Skip_Skip_Type.t_skip i) : bool + axiom inv1 : forall x : Core_Option_Option_Type.t_option item0 . 
inv1 x = true + predicate invariant0 (self : borrowed (C04Skip_Skip_Type.t_skip i)) + val invariant0 (self : borrowed (C04Skip_Skip_Type.t_skip i)) : bool ensures { result = invariant0 self } - predicate inv0 (_x : C04Skip_Skip_Type.t_skip i) - val inv0 (_x : C04Skip_Skip_Type.t_skip i) : bool + predicate inv0 (_x : borrowed (C04Skip_Skip_Type.t_skip i)) + val inv0 (_x : borrowed (C04Skip_Skip_Type.t_skip i)) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : C04Skip_Skip_Type.t_skip i . inv0 x = true + axiom inv0 : forall x : borrowed (C04Skip_Skip_Type.t_skip i) . inv0 x = true + use seq.Seq use seq.Seq use seq.Seq - predicate completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) - val completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool - ensures { result = completed1 self } - predicate resolve0 (self : item0) val resolve0 (self : item0) : bool ensures { result = resolve0 self } 
@@ -586,27 +612,37 @@ module C04Skip_Impl0 use prelude.Int use seq.Seq use prelude.UIntSize - predicate completed0 [#"../04_skip.rs" 22 4 22 35] (self : borrowed (C04Skip_Skip_Type.t_skip i)) = - [#"../04_skip.rs" 23 8 31 9] UIntSize.to_int (C04Skip_Skip_Type.skip_n ( ^ self)) = 0 /\ (exists i : borrowed i . exists s : Seq.seq item0 . inv4 i /\ inv3 s /\ Seq.length s <= UIntSize.to_int (C04Skip_Skip_Type.skip_n ( * self)) /\ produces1 (C04Skip_Skip_Type.skip_iter ( * self)) s ( * i) /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve0 (Seq.get s i)) /\ completed1 i /\ ^ i = C04Skip_Skip_Type.skip_iter ( ^ self)) - val completed0 [#"../04_skip.rs" 22 4 22 35] (self : borrowed (C04Skip_Skip_Type.t_skip i)) : bool - ensures { result = completed0 self } - - use seq.Seq - use seq.Seq predicate produces0 [#"../04_skip.rs" 36 4 36 64] (self : C04Skip_Skip_Type.t_skip i) (visited : Seq.seq item0) (o : C04Skip_Skip_Type.t_skip i) = - [#"../04_skip.rs" 37 8 44 9] visited = Seq.empty /\ self = o \/ UIntSize.to_int (C04Skip_Skip_Type.skip_n o) = 0 /\ Seq.length visited > 0 /\ (exists s : Seq.seq item0 . inv3 s /\ Seq.length s = UIntSize.to_int (C04Skip_Skip_Type.skip_n self) /\ produces1 (C04Skip_Skip_Type.skip_iter self) (Seq.(++) s visited) (C04Skip_Skip_Type.skip_iter o) /\ (forall i : int . 0 <= i /\ i < Seq.length s -> resolve0 (Seq.get s i))) + [#"../04_skip.rs" 37 8 44 9] visited = Seq.empty /\ self = o \/ UIntSize.to_int (C04Skip_Skip_Type.skip_n o) = 0 /\ Seq.length visited > 0 /\ (exists s : Seq.seq item0 . inv3 s /\ Seq.length s = UIntSize.to_int (C04Skip_Skip_Type.skip_n self) /\ produces1 (C04Skip_Skip_Type.skip_iter self) (Seq.(++) s visited) (C04Skip_Skip_Type.skip_iter o) /\ (forall i : int . 
0 <= i /\ i < Seq.length s + -> resolve0 (Seq.get s i))) val produces0 [#"../04_skip.rs" 36 4 36 64] (self : C04Skip_Skip_Type.t_skip i) (visited : Seq.seq item0) (o : C04Skip_Skip_Type.t_skip i) : bool ensures { result = produces0 self visited o } - goal produces_refl_refn : [#"../04_skip.rs" 50 4 50 26] forall self : C04Skip_Skip_Type.t_skip i . inv0 self -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal next_refn : [#"../04_skip.rs" 63 4 63 41] forall self : borrowed (C04Skip_Skip_Type.t_skip i) . inv1 self -> inv1 self /\ (forall result : Core_Option_Option_Type.t_option item0 . inv2 result /\ match result with + use seq.Seq + predicate completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) + val completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool + ensures { result = completed1 self } + + predicate completed0 [#"../04_skip.rs" 22 4 22 35] (self : borrowed (C04Skip_Skip_Type.t_skip i)) = + [#"../04_skip.rs" 23 8 31 9] UIntSize.to_int (C04Skip_Skip_Type.skip_n ( ^ self)) = 0 /\ (exists i : borrowed i . exists s : Seq.seq item0 . inv4 i /\ inv3 s /\ Seq.length s <= UIntSize.to_int (C04Skip_Skip_Type.skip_n ( * self)) /\ produces1 (C04Skip_Skip_Type.skip_iter ( * self)) s ( * i) /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> resolve0 (Seq.get s i)) /\ completed1 i /\ ^ i = C04Skip_Skip_Type.skip_iter ( ^ self)) + val completed0 [#"../04_skip.rs" 22 4 22 35] (self : borrowed (C04Skip_Skip_Type.t_skip i)) : bool + ensures { result = completed0 self } + + goal next_refn : [#"../04_skip.rs" 63 4 63 41] forall self : borrowed (C04Skip_Skip_Type.t_skip i) . inv0 self + -> inv0 self /\ (forall result : Core_Option_Option_Type.t_option item0 . 
inv1 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv2 result /\ match result with + end + -> inv1 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) - goal produces_trans_refn : [#"../04_skip.rs" 57 4 57 90] forall a : C04Skip_Skip_Type.t_skip i . forall ab : Seq.seq item0 . forall b : C04Skip_Skip_Type.t_skip i . forall bc : Seq.seq item0 . forall c : C04Skip_Skip_Type.t_skip i . inv0 c /\ inv3 bc /\ inv0 b /\ inv3 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b -> inv0 c /\ inv3 bc /\ inv0 b /\ inv3 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) + goal produces_refl_refn : [#"../04_skip.rs" 50 4 50 26] forall self : C04Skip_Skip_Type.t_skip i . inv2 self + -> inv2 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal produces_trans_refn : [#"../04_skip.rs" 57 4 57 90] forall a : C04Skip_Skip_Type.t_skip i . forall ab : Seq.seq item0 . forall b : C04Skip_Skip_Type.t_skip i . forall bc : Seq.seq item0 . forall c : C04Skip_Skip_Type.t_skip i . inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b + -> inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) end diff --git a/creusot/tests/should_succeed/iterators/04_skip.rs b/creusot/tests/should_succeed/iterators/04_skip.rs index ff5ebbc063..792f7a31d8 100644 --- a/creusot/tests/should_succeed/iterators/04_skip.rs +++ b/creusot/tests/should_succeed/iterators/04_skip.rs 
@@ -18,7 +18,7 @@ where type Item = I::Item; #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { (^self).n@ == 0 && @@ -32,7 +32,7 @@ where } #[open] - #[predicate] + #[predicate(prophetic)] fn produces(self, visited: Seq, o: Self) -> bool { pearlite! { visited == Seq::EMPTY && self == o || @@ -61,9 +61,9 @@ where Some(v) => (*self).produces(Seq::singleton(v), ^self) })] fn next(&mut self) -> Option { - let old_self = gh! { self }; + let old_self = snapshot! { self }; let mut n = std::mem::take(&mut self.n); - let mut skipped = gh! { Seq::EMPTY }; + let mut skipped = snapshot! { Seq::EMPTY }; #[invariant(skipped.len() + n@ == old_self.n@)] #[invariant(old_self.iter.produces(skipped.inner(), self.iter))] #[invariant(forall 0 <= i && i < skipped.len() ==> skipped[i].resolve())] @@ -75,7 +75,7 @@ where return r; } if let Some(x) = r { - skipped = gh! { skipped.concat(Seq::singleton(x)) }; + skipped = snapshot! { skipped.concat(Seq::singleton(x)) }; n -= 1 } else { return r; diff --git a/creusot/tests/should_succeed/iterators/04_skip/why3session.xml b/creusot/tests/should_succeed/iterators/04_skip/why3session.xml index eaa7b39560..0c1f8d3819 100644 --- a/creusot/tests/should_succeed/iterators/04_skip/why3session.xml +++ b/creusot/tests/should_succeed/iterators/04_skip/why3session.xml @@ -7,33 +7,33 @@ - + - + - - + + - + - - + + - - + + diff --git a/creusot/tests/should_succeed/iterators/04_skip/why3shapes.gz b/creusot/tests/should_succeed/iterators/04_skip/why3shapes.gz index 5c2739aad5..4137c8e3fe 100644 Binary files a/creusot/tests/should_succeed/iterators/04_skip/why3shapes.gz and b/creusot/tests/should_succeed/iterators/04_skip/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/iterators/05_map.mlcfg b/creusot/tests/should_succeed/iterators/05_map.mlcfg index 73b96c8416..fbed37f4e4 100644 --- a/creusot/tests/should_succeed/iterators/05_map.mlcfg +++ b/creusot/tests/should_succeed/iterators/05_map.mlcfg 
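Review bot: `produces` in the `@@ -32,7 +32,7 @@` hunk gains `#[predicate(prophetic)]` with nothing saying what in its body is prophetic; for `completed` in the `@@ -18,7 +18,7 @@` hunk the `(^self).n@` on the next line makes the attribute self-explanatory, but the visible start of `produces` contains no `^`, so a reader will not see why it needs it. The generated `produces0` in 04_skip.mlcfg ends with `resolve0 (Seq.get s i)`, so presumably the `.resolve()` applied to the skipped items is what forces the prophetic marking, and a one-line comment above the attribute, `// prophetic: resolve() on the skipped items is itself a prophetic predicate`, would record that for the next reader. The bodies of both `completed` and `produces` continue outside their hunks.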
@@ -117,14 +117,21 @@ module C05Map_Impl0_ProducesRefl_Impl requires {[#"../common.rs" 21 82 21 83] inv3 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv3 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv3 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv3 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv3 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv3 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate resolve0 (self : f) val resolve0 (self : f) : bool ensures { result = resolve0 self } 
@@ -144,7 +151,10 @@ module C05Map_Impl0_ProducesRefl_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv7 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv7 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv5 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv6 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv7 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv5 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -158,13 +168,19 @@ module C05Map_Impl0_ProducesRefl_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv4 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv4 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv4 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv4 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv4 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv4 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} 
@@ -173,20 +189,33 @@ module C05Map_Impl0_ProducesRefl_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv7 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv7 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv6 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv7 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate precondition0 (self : f) (_2 : item0) val precondition0 (self : f) (_2 : item0) : bool ensures { result = precondition0 self _2 } use seq.Seq predicate next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) = - [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv3 i -> inv9 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e) + [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . 
inv3 i + -> inv9 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e) val next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) : bool ensures { result = next_precondition0 iter func } use seq.Seq predicate preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) = - [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv3 i -> inv7 b -> inv5 f -> inv9 e2 -> inv9 e1 -> inv1 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) + [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv3 i + -> inv7 b + -> inv5 f + -> inv9 e2 + -> inv9 e1 + -> inv1 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) val preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } @@ -195,7 +224,8 @@ module C05Map_Impl0_ProducesRefl_Impl ensures { result = completed0 self } predicate reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) = - [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv4 func -> inv8 iter -> completed0 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func + [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv4 func + -> inv8 iter -> completed0 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func val reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -222,21 +252,21 @@ module C05Map_Impl0_ProducesRefl_Impl predicate produces0 [@inline:trivial] [#"../05_map.rs" 41 4 41 67] (self : C05Map_Map_Type.t_map i b f) (visited : Seq.seq b) (succ : C05Map_Map_Type.t_map i b f) = - [#"../05_map.rs" 42 8 53 9] unnest0 (C05Map_Map_Type.map_func self) (C05Map_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv1 s /\ Seq.length s = Seq.length visited /\ produces1 (C05Map_Map_Type.map_iter self) s (C05Map_Map_Type.map_iter succ) /\ (exists fs : Seq.seq (borrowed f) . inv2 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../05_map.rs" 42 8 53 9] unnest0 (C05Map_Map_Type.map_func self) (C05Map_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv1 s /\ Seq.length s = Seq.length visited /\ produces1 (C05Map_Map_Type.map_iter self) s (C05Map_Map_Type.map_iter succ) /\ (exists fs : Seq.seq (borrowed f) . inv2 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C05Map_Map_Type.map_func self = C05Map_Map_Type.map_func succ else * Seq.get fs 0 = C05Map_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C05Map_Map_Type.map_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (C05Map_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i) (Seq.get visited i)))) + ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> unnest0 (C05Map_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../05_map.rs" 41 4 41 67] (self : C05Map_Map_Type.t_map i b f) (visited : Seq.seq b) (succ : C05Map_Map_Type.t_map i b f) : bool ensures { result = produces0 self visited succ } use seq.Seq - let rec ghost function produces_refl [#"../05_map.rs" 29 4 29 26] (self : C05Map_Map_Type.t_map i b f) : () - requires {[#"../05_map.rs" 29 21 29 25] inv0 self} - ensures { [#"../05_map.rs" 28 14 28 45] produces0 self (Seq.empty ) self } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../05_map.rs" 26 4 26 10] () + constant self : C05Map_Map_Type.t_map i b f + function produces_refl [#"../05_map.rs" 29 4 29 26] (self : C05Map_Map_Type.t_map i b f) : () + goal vc_produces_refl : ([#"../05_map.rs" 29 21 29 25] inv0 self) + -> ([#"../05_map.rs" 28 14 28 45] produces0 self (Seq.empty ) self) end module C05Map_Impl0_ProducesTrans_Impl type i 
@@ -343,14 +373,21 @@ module C05Map_Impl0_ProducesTrans_Impl requires {[#"../common.rs" 21 82 21 83] inv4 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv4 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv4 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv4 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv4 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv4 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv4 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv4 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate resolve0 (self : f) val resolve0 (self : f) : bool ensures { result = resolve0 self } 
@@ -370,7 +407,10 @@ module C05Map_Impl0_ProducesTrans_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv8 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv7 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv8 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv7 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv8 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -384,13 +424,19 @@ module C05Map_Impl0_ProducesTrans_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv5 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv5 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv5 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv5 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv5 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv5 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -399,7 +445,11 @@ module C05Map_Impl0_ProducesTrans_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv8 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv7 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv8 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv7 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv8 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant1 (self : Seq.seq b) val invariant1 (self : Seq.seq b) : bool ensures { result = invariant1 self } 
@@ -415,13 +465,22 @@ module C05Map_Impl0_ProducesTrans_Impl use seq.Seq predicate next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) = - [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv4 i -> inv10 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e) + [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv4 i + -> inv10 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e) val next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) : bool ensures { result = next_precondition0 iter func } use seq.Seq predicate preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) = - [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv8 b -> inv6 f -> inv10 e2 -> inv10 e1 -> inv2 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) + [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i + -> inv8 b + -> inv6 f + -> inv10 e2 + -> inv10 e1 + -> inv2 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) val preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } 
@@ -430,7 +489,8 @@ module C05Map_Impl0_ProducesTrans_Impl ensures { result = completed0 self } predicate reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) = - [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv5 func -> inv9 iter -> completed0 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func + [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv5 func + -> inv9 iter -> completed0 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func val reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -458,26 +518,31 @@ module C05Map_Impl0_ProducesTrans_Impl predicate produces0 [@inline:trivial] [#"../05_map.rs" 41 4 41 67] (self : C05Map_Map_Type.t_map i b f) (visited : Seq.seq b) (succ : C05Map_Map_Type.t_map i b f) = - [#"../05_map.rs" 42 8 53 9] unnest0 (C05Map_Map_Type.map_func self) (C05Map_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv2 s /\ Seq.length s = Seq.length visited /\ produces1 (C05Map_Map_Type.map_iter self) s (C05Map_Map_Type.map_iter succ) /\ (exists fs : Seq.seq (borrowed f) . inv3 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../05_map.rs" 42 8 53 9] unnest0 (C05Map_Map_Type.map_func self) (C05Map_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv2 s /\ Seq.length s = Seq.length visited /\ produces1 (C05Map_Map_Type.map_iter self) s (C05Map_Map_Type.map_iter succ) /\ (exists fs : Seq.seq (borrowed f) . inv3 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C05Map_Map_Type.map_func self = C05Map_Map_Type.map_func succ else * Seq.get fs 0 = C05Map_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C05Map_Map_Type.map_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (C05Map_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i) (Seq.get visited i)))) + ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> unnest0 (C05Map_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../05_map.rs" 41 4 41 67] (self : C05Map_Map_Type.t_map i b f) (visited : Seq.seq b) (succ : C05Map_Map_Type.t_map i b f) : bool ensures { result = produces0 self visited succ } - let rec ghost function produces_trans [#"../05_map.rs" 36 4 36 90] (a : C05Map_Map_Type.t_map i b f) (ab : Seq.seq b) (b : C05Map_Map_Type.t_map i b f) (bc : Seq.seq b) (c : C05Map_Map_Type.t_map i b f) : () - requires {[#"../05_map.rs" 33 15 33 32] produces0 a ab b} - requires {[#"../05_map.rs" 34 15 34 32] produces0 b bc c} - requires {[#"../05_map.rs" 36 22 36 23] inv0 a} - requires {[#"../05_map.rs" 36 31 36 33] inv1 ab} - requires {[#"../05_map.rs" 36 52 36 53] inv0 b} - requires {[#"../05_map.rs" 36 61 36 63] inv1 bc} - requires {[#"../05_map.rs" 36 82 36 83] inv0 c} - ensures { [#"../05_map.rs" 35 14 35 42] produces0 a (Seq.(++) ab bc) c } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../05_map.rs" 31 4 31 10] () + constant a : C05Map_Map_Type.t_map i b f + constant ab : Seq.seq b + constant b : C05Map_Map_Type.t_map i b f + constant bc : Seq.seq b + constant c : C05Map_Map_Type.t_map i b f + function produces_trans [#"../05_map.rs" 36 4 36 90] (a : C05Map_Map_Type.t_map i b f) (ab : Seq.seq b) (b : C05Map_Map_Type.t_map i b f) (bc : Seq.seq b) (c : C05Map_Map_Type.t_map i b f) : () + + goal vc_produces_trans : ([#"../05_map.rs" 36 82 36 83] inv0 c) + -> ([#"../05_map.rs" 36 61 36 63] inv1 bc) + -> ([#"../05_map.rs" 36 52 36 53] inv0 b) + -> ([#"../05_map.rs" 36 31 36 33] inv1 ab) + -> ([#"../05_map.rs" 36 22 36 23] inv0 a) + -> ([#"../05_map.rs" 34 15 34 32] produces0 b bc c) + -> ([#"../05_map.rs" 33 15 33 32] produces0 a ab b) + -> ([#"../05_map.rs" 35 14 35 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type 
type t_option 't = @@ -587,7 +652,10 @@ module C05Map_Impl1_ProducesOne_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv1 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv9 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv1 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv9 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv1 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -601,13 +669,19 @@ module C05Map_Impl1_ProducesOne_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv7 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv7 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv7 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv7 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv7 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv7 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} 
@@ -616,16 +690,11 @@ module C05Map_Impl1_ProducesOne_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv1 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv9 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv1 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) - predicate invariant3 (self : item0) - val invariant3 (self : item0) : bool - ensures { result = invariant3 self } - - predicate inv3 (_x : item0) - val inv3 (_x : item0) : bool - ensures { result = inv3 _x } - - axiom inv3 : forall x : item0 . inv3 x = true + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv9 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv1 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) use seq.Seq predicate produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) val produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) : bool 
@@ -643,14 +712,30 @@ module C05Map_Impl1_ProducesOne_Impl requires {[#"../common.rs" 21 82 21 83] inv6 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv6 a) -> ([#"../common.rs" 21 31 21 33] inv4 ab) -> ([#"../common.rs" 21 52 21 53] inv6 b) -> ([#"../common.rs" 21 61 21 63] inv4 bc) -> ([#"../common.rs" 21 82 21 83] inv6 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv6 a) + -> ([#"../common.rs" 21 31 21 33] inv4 ab) + -> ([#"../common.rs" 21 52 21 53] inv6 b) + -> ([#"../common.rs" 21 61 21 63] inv4 bc) + -> ([#"../common.rs" 21 82 21 83] inv6 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl1 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv6 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv6 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv6 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + predicate invariant3 (self : item0) + val invariant3 (self : item0) : bool + ensures { result = invariant3 self } + + predicate inv3 (_x : item0) + val inv3 (_x : item0) : bool + ensures { result = inv3 _x } + + axiom inv3 : forall x : item0 . 
inv3 x = true predicate invariant2 (self : borrowed f) val invariant2 (self : borrowed f) : bool ensures { result = invariant2 self } 
@@ -676,11 +761,13 @@ module C05Map_Impl1_ProducesOne_Impl predicate produces0 [@inline:trivial] [#"../05_map.rs" 41 4 41 67] (self : C05Map_Map_Type.t_map i b f) (visited : Seq.seq b) (succ : C05Map_Map_Type.t_map i b f) = - [#"../05_map.rs" 42 8 53 9] unnest0 (C05Map_Map_Type.map_func self) (C05Map_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv4 s /\ Seq.length s = Seq.length visited /\ produces1 (C05Map_Map_Type.map_iter self) s (C05Map_Map_Type.map_iter succ) /\ (exists fs : Seq.seq (borrowed f) . inv5 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../05_map.rs" 42 8 53 9] unnest0 (C05Map_Map_Type.map_func self) (C05Map_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv4 s /\ Seq.length s = Seq.length visited /\ produces1 (C05Map_Map_Type.map_iter self) s (C05Map_Map_Type.map_iter succ) /\ (exists fs : Seq.seq (borrowed f) . inv5 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C05Map_Map_Type.map_func self = C05Map_Map_Type.map_func succ else * Seq.get fs 0 = C05Map_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C05Map_Map_Type.map_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (C05Map_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i) (Seq.get visited i)))) + ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> unnest0 (C05Map_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../05_map.rs" 41 4 41 67] (self : C05Map_Map_Type.t_map i b f) (visited : Seq.seq b) (succ : C05Map_Map_Type.t_map i b f) : bool ensures { result = produces0 self visited succ } @@ -698,7 +785,13 @@ module C05Map_Impl1_ProducesOne_Impl requires {[#"../05_map.rs" 36 82 36 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : C05Map_Map_Type.t_map i b f, ab : Seq.seq b, b : C05Map_Map_Type.t_map i b f, bc : Seq.seq b, c : C05Map_Map_Type.t_map i b f . ([#"../05_map.rs" 33 15 33 32] produces0 a ab b) -> ([#"../05_map.rs" 34 15 34 32] produces0 b bc c) -> ([#"../05_map.rs" 36 22 36 23] inv0 a) -> ([#"../05_map.rs" 36 31 36 33] inv8 ab) -> ([#"../05_map.rs" 36 52 36 53] inv0 b) -> ([#"../05_map.rs" 36 61 36 63] inv8 bc) -> ([#"../05_map.rs" 36 82 36 83] inv0 c) -> ([#"../05_map.rs" 35 14 35 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : C05Map_Map_Type.t_map i b f, ab : Seq.seq b, b : C05Map_Map_Type.t_map i b f, bc : Seq.seq b, c : C05Map_Map_Type.t_map i b f . ([#"../05_map.rs" 33 15 33 32] produces0 a ab b) + -> ([#"../05_map.rs" 34 15 34 32] produces0 b bc c) + -> ([#"../05_map.rs" 36 22 36 23] inv0 a) + -> ([#"../05_map.rs" 36 31 36 33] inv8 ab) + -> ([#"../05_map.rs" 36 52 36 53] inv0 b) + -> ([#"../05_map.rs" 36 61 36 63] inv8 bc) + -> ([#"../05_map.rs" 36 82 36 83] inv0 c) -> ([#"../05_map.rs" 35 14 35 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../05_map.rs" 29 4 29 26] (self : C05Map_Map_Type.t_map i b f) : () = [#"../05_map.rs" 26 4 26 10] () 
@@ -706,7 +799,8 @@ module C05Map_Impl1_ProducesOne_Impl requires {[#"../05_map.rs" 29 21 29 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : C05Map_Map_Type.t_map i b f . ([#"../05_map.rs" 29 21 29 25] inv0 self) -> ([#"../05_map.rs" 28 14 28 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : C05Map_Map_Type.t_map i b f . ([#"../05_map.rs" 29 21 29 25] inv0 self) + -> ([#"../05_map.rs" 28 14 28 45] produces0 self (Seq.empty ) self) predicate invariant1 (self : b) val invariant1 (self : b) : bool ensures { result = invariant1 self } 
@@ -714,13 +808,22 @@ module C05Map_Impl1_ProducesOne_Impl axiom inv1 : forall x : b . inv1 x = true use seq.Seq predicate next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) = - [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv6 i -> inv3 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e) + [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv6 i + -> inv3 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e) val next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) : bool ensures { result = next_precondition0 iter func } use seq.Seq predicate preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) = - [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv6 i -> inv1 b -> inv2 f -> inv3 e2 -> inv3 e1 -> inv4 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) + [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv6 i + -> inv1 b + -> inv2 f + -> inv3 e2 + -> inv3 e1 + -> inv4 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) val preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } 
@@ -729,7 +832,8 @@ module C05Map_Impl1_ProducesOne_Impl ensures { result = completed0 self } predicate reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) = - [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv7 func -> inv10 iter -> completed0 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func + [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv7 func + -> inv10 iter -> completed0 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func val reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -742,14 +846,15 @@ module C05Map_Impl1_ProducesOne_Impl | C05Map_Map_Type.C_Map iter func -> true end) use seq.Seq - let rec ghost predicate produces_one [#"../05_map.rs" 117 4 117 57] (self : C05Map_Map_Type.t_map i b f) (visited : b) (succ : C05Map_Map_Type.t_map i b f) - requires {[#"../05_map.rs" 117 20 117 24] inv0 self} - requires {[#"../05_map.rs" 117 26 117 33] inv1 visited} - requires {[#"../05_map.rs" 117 38 117 42] inv0 succ} - ensures { [#"../05_map.rs" 116 14 116 68] result = produces0 self (Seq.singleton visited) succ } + constant self : C05Map_Map_Type.t_map i b f + constant visited : b + constant succ : C05Map_Map_Type.t_map i b f + predicate produces_one [#"../05_map.rs" 117 4 117 57] (self : C05Map_Map_Type.t_map i b f) (visited : b) (succ : C05Map_Map_Type.t_map i b f) - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../05_map.rs" 118 8 123 9] pure {exists f : borrowed f . inv2 f /\ * f = C05Map_Map_Type.map_func self /\ ^ f = C05Map_Map_Type.map_func succ /\ (exists e : item0 . inv3 e /\ produces1 (C05Map_Map_Type.map_iter self) (Seq.singleton e) (C05Map_Map_Type.map_iter succ) /\ precondition0 ( * f) (e) /\ postcondition_mut0 f (e) visited)} + goal vc_produces_one : ([#"../05_map.rs" 117 38 117 42] inv0 succ) + -> ([#"../05_map.rs" 117 26 117 33] inv1 visited) + -> ([#"../05_map.rs" 117 20 117 24] inv0 self) + -> ([#"../05_map.rs" 116 14 116 68] ([#"../05_map.rs" 118 8 123 9] exists f : borrowed f . inv2 f /\ * f = C05Map_Map_Type.map_func self /\ ^ f = C05Map_Map_Type.map_func succ /\ (exists e : item0 . inv3 e /\ produces1 (C05Map_Map_Type.map_iter self) (Seq.singleton e) (C05Map_Map_Type.map_iter succ) /\ precondition0 ( * f) (e) /\ postcondition_mut0 f (e) visited)) = produces0 self (Seq.singleton visited) succ) end module C05Map_Impl1_ProducesOneInvariant_Impl type i 
@@ -840,7 +945,8 @@ module C05Map_Impl1_ProducesOneInvariant_Impl use seq.Seq predicate next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) = - [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv4 i -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e) + [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv4 i + -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e) val next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) : bool ensures { result = next_precondition0 iter func } @@ -854,7 +960,15 @@ module C05Map_Impl1_ProducesOneInvariant_Impl ensures { result = unnest0 self _2 } predicate preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) = - [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv2 b -> inv3 f -> inv1 e2 -> inv1 e1 -> inv5 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) + [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i + -> inv2 b + -> inv3 f + -> inv1 e2 + -> inv1 e1 + -> inv5 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) val preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } 
@@ -863,7 +977,8 @@ module C05Map_Impl1_ProducesOneInvariant_Impl ensures { result = completed0 self } predicate reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) = - [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv7 func -> inv8 iter -> completed0 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func + [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv7 func + -> inv8 iter -> completed0 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func val reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -895,7 +1010,10 @@ module C05Map_Impl1_ProducesOneInvariant_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv3 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv6 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv3 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) function unnest_trans0 (self : f) (b : f) (c : f) : () val unnest_trans0 (self : f) (b : f) (c : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b} 
@@ -905,13 +1023,19 @@ module C05Map_Impl1_ProducesOneInvariant_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv7 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv7 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv7 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv7 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv7 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv7 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -920,7 +1044,11 @@ module C05Map_Impl1_ProducesOneInvariant_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv6 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) use seq.Seq function produces_trans0 [#"../common.rs" 21 4 21 91] (a : i) (ab : Seq.seq item0) (b : i) (bc : Seq.seq item0) (c : i) : () 
@@ -934,28 +1062,42 @@ module C05Map_Impl1_ProducesOneInvariant_Impl requires {[#"../common.rs" 21 82 21 83] inv4 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv4 a) -> ([#"../common.rs" 21 31 21 33] inv5 ab) -> ([#"../common.rs" 21 52 21 53] inv4 b) -> ([#"../common.rs" 21 61 21 63] inv5 bc) -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv4 a) + -> ([#"../common.rs" 21 31 21 33] inv5 ab) + -> ([#"../common.rs" 21 52 21 53] inv4 b) + -> ([#"../common.rs" 21 61 21 63] inv5 bc) + -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv4 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . 
([#"../common.rs" 15 21 15 25] inv4 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) - let rec ghost function produces_one_invariant [#"../05_map.rs" 107 4 107 73] (self : C05Map_Map_Type.t_map i b f) (e : item0) (r : b) (f : borrowed f) (iter : i) : () - requires {[#"../05_map.rs" 102 4 102 60] produces0 (C05Map_Map_Type.map_iter self) (Seq.singleton e) iter} - requires {[#"../05_map.rs" 103 15 103 30] * f = C05Map_Map_Type.map_func self} - requires {[#"../05_map.rs" 104 15 104 43] postcondition_mut0 f (e) r} - requires {[#"../05_map.rs" 107 30 107 34] inv0 self} - requires {[#"../05_map.rs" 107 36 107 37] inv1 e} - requires {[#"../05_map.rs" 107 48 107 49] inv2 r} - requires {[#"../05_map.rs" 107 54 107 55] inv3 f} - requires {[#"../05_map.rs" 107 65 107 69] inv4 iter} - ensures { [#"../05_map.rs" 105 14 105 42] preservation0 iter ( ^ f) } - ensures { [#"../05_map.rs" 106 14 106 47] next_precondition0 iter ( ^ f) } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../05_map.rs" 101 4 101 12] let _ = let a = pure {forall i : i . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv1 e2 -> inv1 e1 -> inv5 s -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> produces0 (C05Map_Map_Type.map_iter self) (Seq.snoc (Seq.snoc (Seq.(++) (Seq.singleton e) s) e1) e2) i} in assert {a} in () + axiom produces_refl0_spec : forall self : i . 
([#"../common.rs" 15 21 15 25] inv4 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + constant self : C05Map_Map_Type.t_map i b f + constant e : item0 + constant r : b + constant f : borrowed f + constant iter : i + function produces_one_invariant [#"../05_map.rs" 107 4 107 73] (self : C05Map_Map_Type.t_map i b f) (e : item0) (r : b) (f : borrowed f) (iter : i) : () + + goal vc_produces_one_invariant : ([#"../05_map.rs" 107 65 107 69] inv4 iter) + -> ([#"../05_map.rs" 107 54 107 55] inv3 f) + -> ([#"../05_map.rs" 107 48 107 49] inv2 r) + -> ([#"../05_map.rs" 107 36 107 37] inv1 e) + -> ([#"../05_map.rs" 107 30 107 34] inv0 self) + -> ([#"../05_map.rs" 104 15 104 43] postcondition_mut0 f (e) r) + -> ([#"../05_map.rs" 103 15 103 30] * f = C05Map_Map_Type.map_func self) + -> ([#"../05_map.rs" 102 4 102 60] produces0 (C05Map_Map_Type.map_iter self) (Seq.singleton e) iter) + -> ([#"../05_map.rs" 101 4 101 12] forall i : i . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i + -> inv1 e2 + -> inv1 e1 + -> inv5 s + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> produces0 (C05Map_Map_Type.map_iter self) (Seq.snoc (Seq.snoc (Seq.(++) (Seq.singleton e) s) e1) e2) i) && (let _ = () in ([#"../05_map.rs" 106 14 106 47] next_precondition0 iter ( ^ f)) && ([#"../05_map.rs" 105 14 105 42] preservation0 iter ( ^ f))) end module C05Map_Impl0_Next type i @@ -1036,7 +1178,8 @@ module C05Map_Impl0_Next use seq.Seq predicate next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) = - [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv0 i -> inv7 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e) + [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv0 i + -> inv7 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e) val next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) : bool ensures { result = next_precondition0 iter func } 
@@ -1050,7 +1193,15 @@ module C05Map_Impl0_Next ensures { result = unnest0 self _2 } predicate preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) = - [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv8 b -> inv9 f -> inv7 e2 -> inv7 e1 -> inv10 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) + [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i + -> inv8 b + -> inv9 f + -> inv7 e2 + -> inv7 e1 + -> inv10 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) val preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } @@ -1063,7 +1214,8 @@ module C05Map_Impl0_Next ensures { result = inv5 _x } predicate reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) = - [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv2 func -> inv5 iter -> completed1 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func + [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv2 func + -> inv5 iter -> completed1 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func val reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -1095,7 +1247,10 @@ module C05Map_Impl0_Next requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv8 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv11 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv8 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv9 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve3 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv11 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv8 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv9 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve3 ( ^ s))) function unnest_trans0 (self : f) (b : f) (c : f) : () val unnest_trans0 (self : f) (b : f) (c : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b} 
@@ -1105,13 +1260,19 @@ module C05Map_Impl0_Next requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv2 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv2 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -1120,7 +1281,11 @@ module C05Map_Impl0_Next requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv8 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv9 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv11 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv8 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv9 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv11 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv8 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant5 (self : borrowed i) val invariant5 (self : borrowed i) : bool ensures { result = invariant5 self } 
@@ -1172,14 +1337,21 @@ module C05Map_Impl0_Next requires {[#"../common.rs" 21 82 21 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv0 a) -> ([#"../common.rs" 21 31 21 33] inv10 ab) -> ([#"../common.rs" 21 52 21 53] inv0 b) -> ([#"../common.rs" 21 61 21 63] inv10 bc) -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv0 a) + -> ([#"../common.rs" 21 31 21 33] inv10 ab) + -> ([#"../common.rs" 21 52 21 53] inv0 b) + -> ([#"../common.rs" 21 61 21 63] inv10 bc) + -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : i) val invariant0 (self : i) : bool ensures { result = invariant0 self } 
@@ -1195,11 +1367,13 @@ module C05Map_Impl0_Next predicate produces1 [@inline:trivial] [#"../05_map.rs" 41 4 41 67] (self : C05Map_Map_Type.t_map i b f) (visited : Seq.seq b) (succ : C05Map_Map_Type.t_map i b f) = - [#"../05_map.rs" 42 8 53 9] unnest0 (C05Map_Map_Type.map_func self) (C05Map_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv10 s /\ Seq.length s = Seq.length visited /\ produces0 (C05Map_Map_Type.map_iter self) s (C05Map_Map_Type.map_iter succ) /\ (exists fs : Seq.seq (borrowed f) . inv12 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../05_map.rs" 42 8 53 9] unnest0 (C05Map_Map_Type.map_func self) (C05Map_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv10 s /\ Seq.length s = Seq.length visited /\ produces0 (C05Map_Map_Type.map_iter self) s (C05Map_Map_Type.map_iter succ) /\ (exists fs : Seq.seq (borrowed f) . inv12 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C05Map_Map_Type.map_func self = C05Map_Map_Type.map_func succ else * Seq.get fs 0 = C05Map_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C05Map_Map_Type.map_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (C05Map_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i) (Seq.get visited i)))) + ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> unnest0 (C05Map_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i) (Seq.get visited i)))) val produces1 [@inline:trivial] [#"../05_map.rs" 41 4 41 67] (self : C05Map_Map_Type.t_map i b f) (visited : Seq.seq b) (succ : C05Map_Map_Type.t_map i b f) : bool ensures { result = produces1 self visited succ } 
@@ -1214,13 +1388,16 @@ module C05Map_Impl0_Next requires {[#"../05_map.rs" 117 38 117 42] inv6 succ} ensures { result = produces_one0 self visited succ } - axiom produces_one0_spec : forall self : C05Map_Map_Type.t_map i b f, visited : b, succ : C05Map_Map_Type.t_map i b f . ([#"../05_map.rs" 117 20 117 24] inv6 self) -> ([#"../05_map.rs" 117 26 117 33] inv8 visited) -> ([#"../05_map.rs" 117 38 117 42] inv6 succ) -> ([#"../05_map.rs" 116 14 116 68] produces_one0 self visited succ = produces1 self (Seq.singleton visited) succ) + axiom produces_one0_spec : forall self : C05Map_Map_Type.t_map i b f, visited : b, succ : C05Map_Map_Type.t_map i b f . ([#"../05_map.rs" 117 20 117 24] inv6 self) + -> ([#"../05_map.rs" 117 26 117 33] inv8 visited) + -> ([#"../05_map.rs" 117 38 117 42] inv6 succ) + -> ([#"../05_map.rs" 116 14 116 68] produces_one0 self visited succ = produces1 self (Seq.singleton visited) succ) predicate completed0 [#"../05_map.rs" 22 4 22 35] (self : borrowed (C05Map_Map_Type.t_map i b f)) = [#"../05_map.rs" 23 8 23 75] completed1 (Borrow.borrow_logic (C05Map_Map_Type.map_iter ( * self)) (C05Map_Map_Type.map_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ C05Map_Map_Type.map_func ( * self) = C05Map_Map_Type.map_func ( ^ self) val completed0 [#"../05_map.rs" 22 4 22 35] (self : borrowed (C05Map_Map_Type.t_map i b f)) : bool ensures { result = completed0 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve2 (self : borrowed (C05Map_Map_Type.t_map i b f)) = [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve2 (self : borrowed (C05Map_Map_Type.t_map i b f)) : bool 
@@ -1233,11 +1410,11 @@ module C05Map_Impl0_Next ensures { [#"../../../../../creusot-contracts/src/std/ops.rs" 148 0 172 1] postcondition_mut0 self args result } ensures { inv8 result } - predicate resolve1 (self : Ghost.ghost_ty ()) - val resolve1 (self : Ghost.ghost_ty ()) : bool + predicate resolve1 (self : Snapshot.snap_ty ()) + val resolve1 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve1 self } - use prelude.Ghost + use prelude.Snapshot function produces_one_invariant0 [#"../05_map.rs" 107 4 107 73] (self : C05Map_Map_Type.t_map i b f) (e : item0) (r : b) (f : borrowed f) (iter : i) : () val produces_one_invariant0 [#"../05_map.rs" 107 4 107 73] (self : C05Map_Map_Type.t_map i b f) (e : item0) (r : b) (f : borrowed f) (iter : i) : () 
@@ -1251,7 +1428,15 @@ module C05Map_Impl0_Next requires {[#"../05_map.rs" 107 65 107 69] inv0 iter} ensures { result = produces_one_invariant0 self e r f iter } - axiom produces_one_invariant0_spec : forall self : C05Map_Map_Type.t_map i b f, e : item0, r : b, f : borrowed f, iter : i . ([#"../05_map.rs" 102 4 102 60] produces0 (C05Map_Map_Type.map_iter self) (Seq.singleton e) iter) -> ([#"../05_map.rs" 103 15 103 30] * f = C05Map_Map_Type.map_func self) -> ([#"../05_map.rs" 104 15 104 43] postcondition_mut0 f (e) r) -> ([#"../05_map.rs" 107 30 107 34] inv6 self) -> ([#"../05_map.rs" 107 36 107 37] inv7 e) -> ([#"../05_map.rs" 107 48 107 49] inv8 r) -> ([#"../05_map.rs" 107 54 107 55] inv9 f) -> ([#"../05_map.rs" 107 65 107 69] inv0 iter) -> ([#"../05_map.rs" 106 14 106 47] next_precondition0 iter ( ^ f)) && ([#"../05_map.rs" 105 14 105 42] preservation0 iter ( ^ f)) + axiom produces_one_invariant0_spec : forall self : C05Map_Map_Type.t_map i b f, e : item0, r : b, f : borrowed f, iter : i . ([#"../05_map.rs" 102 4 102 60] produces0 (C05Map_Map_Type.map_iter self) (Seq.singleton e) iter) + -> ([#"../05_map.rs" 103 15 103 30] * f = C05Map_Map_Type.map_func self) + -> ([#"../05_map.rs" 104 15 104 43] postcondition_mut0 f (e) r) + -> ([#"../05_map.rs" 107 30 107 34] inv6 self) + -> ([#"../05_map.rs" 107 36 107 37] inv7 e) + -> ([#"../05_map.rs" 107 48 107 49] inv8 r) + -> ([#"../05_map.rs" 107 54 107 55] inv9 f) + -> ([#"../05_map.rs" 107 65 107 69] inv0 iter) + -> ([#"../05_map.rs" 106 14 106 47] next_precondition0 iter ( ^ f)) && ([#"../05_map.rs" 105 14 105 42] preservation0 iter ( ^ f)) predicate resolve0 (self : Core_Option_Option_Type.t_option item0) val resolve0 (self : Core_Option_Option_Type.t_option item0) : bool ensures { result = resolve0 self } 
@@ -1278,9 +1463,10 @@ module C05Map_Impl0_Next var _3 : Core_Option_Option_Type.t_option item0; var _4 : borrowed i; var v : item0; - var _9 : Ghost.ghost_ty (); + var _9 : Snapshot.snap_ty (); var _11 : b; var _12 : borrowed f; + var _13 : item0; { goto BB0 } @@ -1303,30 +1489,30 @@ module C05Map_Impl0_Next assume { resolve0 _3 }; assert { [@expl:type invariant] inv3 self }; assume { resolve2 self }; - [#"../05_map.rs" 67 20 67 24] _0 <- ([#"../05_map.rs" 67 20 67 24] Core_Option_Option_Type.C_None); + [#"../05_map.rs" 67 20 67 24] _0 <- Core_Option_Option_Type.C_None; goto BB12 } BB3 { goto BB5 } BB4 { - assert { [@expl:type invariant] inv1 _3 }; - assume { resolve0 _3 }; assert { [@expl:type invariant] inv3 self }; assume { resolve2 self }; + assert { [@expl:type invariant] inv1 _3 }; + assume { resolve0 _3 }; assert { [#"../05_map.rs" 61 14 61 30] false }; absurd } BB5 { - [#"../05_map.rs" 62 17 62 18] v <- ([#"../05_map.rs" 62 17 62 18] Core_Option_Option_Type.some_0 _3); - [#"../05_map.rs" 62 17 62 18] _3 <- (let Core_Option_Option_Type.C_Some x0 = _3 in Core_Option_Option_Type.C_Some (any item0)); + [#"../05_map.rs" 62 17 62 18] v <- Core_Option_Option_Type.some_0 _3; + _3 <- (let Core_Option_Option_Type.C_Some x0 = _3 in Core_Option_Option_Type.C_Some (any item0)); assert { [@expl:type invariant] inv1 _3 }; assume { resolve0 _3 }; assert { [@expl:assertion] [#"../05_map.rs" 63 16 63 62] precondition0 (C05Map_Map_Type.map_func ( * self)) (v) }; goto BB6 } BB6 { - [#"../05_map.rs" 64 16 64 52] _9 <- ([#"../05_map.rs" 64 16 64 52] Ghost.new ()); + [#"../05_map.rs" 64 16 64 58] _9 <- ([#"../05_map.rs" 64 16 64 58] Snapshot.new ()); goto BB7 } BB7 { 
@@ -1334,9 +1520,11 @@ module C05Map_Impl0_Next [#"../05_map.rs" 65 21 65 32] _12 <- Borrow.borrow_final (C05Map_Map_Type.map_func ( * self)) (Borrow.inherit_id (Borrow.get_id self) 2); [#"../05_map.rs" 65 21 65 32] self <- { self with current = (let C05Map_Map_Type.C_Map x0 x1 = * self in C05Map_Map_Type.C_Map x0 ( ^ _12)) ; }; assume { inv2 ( ^ _12) }; - [#"../05_map.rs" 65 21 65 35] _11 <- ([#"../05_map.rs" 65 21 65 35] call_mut0 _12 ([#"../05_map.rs" 65 21 65 35] (([#"../05_map.rs" 65 33 65 34] v)))); + [#"../05_map.rs" 65 21 65 35] _13 <- (v); + v <- any item0; + [#"../05_map.rs" 65 21 65 35] _11 <- ([#"../05_map.rs" 65 21 65 35] call_mut0 _12 _13); _12 <- any borrowed f; - [#"../05_map.rs" 65 33 65 34] v <- any item0; + _13 <- any item0; goto BB8 } BB8 { @@ -1345,7 +1533,7 @@ module C05Map_Impl0_Next BB9 { assert { [@expl:type invariant] inv3 self }; assume { resolve2 self }; - [#"../05_map.rs" 65 16 65 36] _0 <- ([#"../05_map.rs" 65 16 65 36] Core_Option_Option_Type.C_Some _11); + [#"../05_map.rs" 65 16 65 36] _0 <- Core_Option_Option_Type.C_Some _11; _11 <- any b; goto BB10 } 
@@ -1409,7 +1597,10 @@ module C05Map_Map requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv5 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv8 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv5 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv8 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv5 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -1423,13 +1614,19 @@ module C05Map_Map requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv2 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv2 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) function postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () val postcondition_mut_unnest0 (self : borrowed f) (args : item0) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} @@ -1438,7 +1635,11 @@ module C05Map_Map requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv5 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv8 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv5 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : item0, res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv8 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv5 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) use seq.Seq predicate invariant7 (self : Seq.seq item0) val invariant7 (self : Seq.seq item0) : bool 
@@ -1486,13 +1687,22 @@ module C05Map_Map ensures { result = inv1 _x } predicate next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) = - [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv0 i -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e) + [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv0 i + -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e) val next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) : bool ensures { result = next_precondition0 iter func } use seq.Seq predicate preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) = - [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv5 b -> inv6 f -> inv1 e2 -> inv1 e1 -> inv7 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) + [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i + -> inv5 b + -> inv6 f + -> inv1 e2 + -> inv1 e1 + -> inv7 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) val preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } 
@@ -1501,7 +1711,8 @@ module C05Map_Map ensures { result = completed0 self } predicate reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) = - [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv2 func -> inv4 iter -> completed0 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func + [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv2 func + -> inv4 iter -> completed0 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func val reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -1546,16 +1757,24 @@ module C05Map_Map requires {[#"../common.rs" 21 82 21 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv0 a) -> ([#"../common.rs" 21 31 21 33] inv7 ab) -> ([#"../common.rs" 21 52 21 53] inv0 b) -> ([#"../common.rs" 21 61 21 63] inv7 bc) -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv0 a) + -> ([#"../common.rs" 21 31 21 33] inv7 ab) + -> ([#"../common.rs" 21 52 21 53] inv0 b) + -> ([#"../common.rs" 21 61 21 63] inv7 bc) + -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) let rec cfg map [#"../05_map.rs" 144 0 144 84] [@cfg:stackify] [@cfg:subregion_analysis] (iter : i) (func : f) : C05Map_Map_Type.t_map i b f - requires {[#"../05_map.rs" 140 0 140 105] forall i2 : i . forall e : item0 . 
inv0 i2 -> inv1 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e)} + requires {[#"../05_map.rs" 140 0 140 105] forall i2 : i . forall e : item0 . inv0 i2 + -> inv1 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e)} requires {[#"../05_map.rs" 141 11 141 41] reinitialize0 ()} requires {[#"../05_map.rs" 142 11 142 51] preservation0 iter func} requires {[#"../05_map.rs" 144 51 144 55] inv0 iter} @@ -1580,9 +1799,9 @@ module C05Map_Map goto BB3 } BB3 { - [#"../05_map.rs" 145 4 145 22] _0 <- ([#"../05_map.rs" 145 4 145 22] C05Map_Map_Type.C_Map ([#"../05_map.rs" 145 10 145 14] iter) ([#"../05_map.rs" 145 16 145 20] func)); - [#"../05_map.rs" 145 10 145 14] iter <- any i; - [#"../05_map.rs" 145 16 145 20] func <- any f; + [#"../05_map.rs" 145 4 145 22] _0 <- C05Map_Map_Type.C_Map iter func; + iter <- any i; + func <- any f; goto BB4 } BB4 { 
@@ -1631,86 +1850,62 @@ module C05Map_Impl0 ensures { result = inv9 _x } axiom inv9 : forall x : i . inv9 x = true - type item0 - predicate invariant8 (self : item0) - val invariant8 (self : item0) : bool + use seq.Seq + predicate invariant8 (self : Seq.seq (borrowed f)) + val invariant8 (self : Seq.seq (borrowed f)) : bool ensures { result = invariant8 self } - predicate inv8 (_x : item0) - val inv8 (_x : item0) : bool + predicate inv8 (_x : Seq.seq (borrowed f)) + val inv8 (_x : Seq.seq (borrowed f)) : bool ensures { result = inv8 _x } - axiom inv8 : forall x : item0 . inv8 x = true - predicate invariant7 (self : borrowed f) - val invariant7 (self : borrowed f) : bool + axiom inv8 : forall x : Seq.seq (borrowed f) . inv8 x = true + type item0 + predicate invariant7 (self : Seq.seq item0) + val invariant7 (self : Seq.seq item0) : bool ensures { result = invariant7 self } - predicate inv7 (_x : borrowed f) - val inv7 (_x : borrowed f) : bool + predicate inv7 (_x : Seq.seq item0) + val inv7 (_x : Seq.seq item0) : bool ensures { result = inv7 _x } - axiom inv7 : forall x : borrowed f . inv7 x = true - predicate invariant6 (self : b) - val invariant6 (self : b) : bool + axiom inv7 : forall x : Seq.seq item0 . inv7 x = true + predicate invariant6 (self : item0) + val invariant6 (self : item0) : bool ensures { result = invariant6 self } - predicate inv6 (_x : b) - val inv6 (_x : b) : bool + predicate inv6 (_x : item0) + val inv6 (_x : item0) : bool ensures { result = inv6 _x } - axiom inv6 : forall x : b . inv6 x = true - use seq.Seq - predicate invariant5 (self : Seq.seq (borrowed f)) - val invariant5 (self : Seq.seq (borrowed f)) : bool + axiom inv6 : forall x : item0 . 
inv6 x = true + predicate invariant5 (self : borrowed f) + val invariant5 (self : borrowed f) : bool ensures { result = invariant5 self } - predicate inv5 (_x : Seq.seq (borrowed f)) - val inv5 (_x : Seq.seq (borrowed f)) : bool + predicate inv5 (_x : borrowed f) + val inv5 (_x : borrowed f) : bool ensures { result = inv5 _x } - axiom inv5 : forall x : Seq.seq (borrowed f) . inv5 x = true - predicate invariant4 (self : Seq.seq item0) - val invariant4 (self : Seq.seq item0) : bool + axiom inv5 : forall x : borrowed f . inv5 x = true + predicate invariant4 (self : b) + val invariant4 (self : b) : bool ensures { result = invariant4 self } - predicate inv4 (_x : Seq.seq item0) - val inv4 (_x : Seq.seq item0) : bool + predicate inv4 (_x : b) + val inv4 (_x : b) : bool ensures { result = inv4 _x } - axiom inv4 : forall x : Seq.seq item0 . inv4 x = true - use Core_Option_Option_Type as Core_Option_Option_Type - predicate invariant3 (self : Core_Option_Option_Type.t_option b) - val invariant3 (self : Core_Option_Option_Type.t_option b) : bool + axiom inv4 : forall x : b . inv4 x = true + predicate invariant3 (self : Seq.seq b) + val invariant3 (self : Seq.seq b) : bool ensures { result = invariant3 self } - predicate inv3 (_x : Core_Option_Option_Type.t_option b) - val inv3 (_x : Core_Option_Option_Type.t_option b) : bool + predicate inv3 (_x : Seq.seq b) + val inv3 (_x : Seq.seq b) : bool ensures { result = inv3 _x } - axiom inv3 : forall x : Core_Option_Option_Type.t_option b . 
inv3 x = true - use C05Map_Map_Type as C05Map_Map_Type - predicate invariant2 (self : borrowed (C05Map_Map_Type.t_map i b f)) - val invariant2 (self : borrowed (C05Map_Map_Type.t_map i b f)) : bool - ensures { result = invariant2 self } - - predicate inv0 (_x : C05Map_Map_Type.t_map i b f) - val inv0 (_x : C05Map_Map_Type.t_map i b f) : bool - ensures { result = inv0 _x } - - predicate inv2 (_x : borrowed (C05Map_Map_Type.t_map i b f)) - val inv2 (_x : borrowed (C05Map_Map_Type.t_map i b f)) : bool - ensures { result = inv2 _x } - - axiom inv2 : forall x : borrowed (C05Map_Map_Type.t_map i b f) . inv2 x = (inv0 ( * x) /\ inv0 ( ^ x)) - predicate invariant1 (self : Seq.seq b) - val invariant1 (self : Seq.seq b) : bool - ensures { result = invariant1 self } - - predicate inv1 (_x : Seq.seq b) - val inv1 (_x : Seq.seq b) : bool - ensures { result = inv1 _x } - - axiom inv1 : forall x : Seq.seq b . inv1 x = true + axiom inv3 : forall x : Seq.seq b . inv3 x = true predicate precondition0 (self : f) (_2 : item0) val precondition0 (self : f) (_2 : item0) : bool ensures { result = precondition0 self _2 } @@ -1721,7 +1916,8 @@ module C05Map_Impl0 use seq.Seq predicate next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) = - [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv9 i -> inv8 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e) + [#"../05_map.rs" 75 8 77 9] forall i : i . forall e : item0 . inv9 i + -> inv6 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e) val next_precondition0 [#"../05_map.rs" 74 4 74 50] (iter : i) (func : f) : bool ensures { result = next_precondition0 iter func } 
@@ -1735,7 +1931,15 @@ module C05Map_Impl0 ensures { result = unnest0 self _2 } predicate preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) = - [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv9 i -> inv6 b -> inv7 f -> inv8 e2 -> inv8 e1 -> inv4 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) + [#"../05_map.rs" 82 8 89 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv9 i + -> inv4 b + -> inv5 f + -> inv6 e2 + -> inv6 e1 + -> inv7 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1) -> postcondition_mut0 f (e1) b -> precondition0 ( ^ f) (e2) val preservation0 [#"../05_map.rs" 81 4 81 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } 
@@ -1744,18 +1948,43 @@ module C05Map_Impl0 ensures { result = completed1 self } predicate reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) = - [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv10 func -> inv11 iter -> completed1 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func + [#"../05_map.rs" 94 8 98 9] forall func : f . forall iter : borrowed i . inv10 func + -> inv11 iter -> completed1 iter -> next_precondition0 ( ^ iter) func /\ preservation0 ( ^ iter) func val reinitialize0 [#"../05_map.rs" 93 4 93 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } - predicate invariant0 [#"../05_map.rs" 131 4 131 30] (self : C05Map_Map_Type.t_map i b f) = + use C05Map_Map_Type as C05Map_Map_Type + predicate invariant2 [#"../05_map.rs" 131 4 131 30] (self : C05Map_Map_Type.t_map i b f) = [#"../05_map.rs" 133 12 135 57] reinitialize0 () /\ preservation0 (C05Map_Map_Type.map_iter self) (C05Map_Map_Type.map_func self) /\ next_precondition0 (C05Map_Map_Type.map_iter self) (C05Map_Map_Type.map_func self) - val invariant0 [#"../05_map.rs" 131 4 131 30] (self : C05Map_Map_Type.t_map i b f) : bool - ensures { result = invariant0 self } + val invariant2 [#"../05_map.rs" 131 4 131 30] (self : C05Map_Map_Type.t_map i b f) : bool + ensures { result = invariant2 self } - axiom inv0 : forall x : C05Map_Map_Type.t_map i b f . inv0 x = (invariant0 x /\ match x with + predicate inv2 (_x : C05Map_Map_Type.t_map i b f) + val inv2 (_x : C05Map_Map_Type.t_map i b f) : bool + ensures { result = inv2 _x } + + axiom inv2 : forall x : C05Map_Map_Type.t_map i b f . 
inv2 x = (invariant2 x /\ match x with | C05Map_Map_Type.C_Map iter func -> true end) + use Core_Option_Option_Type as Core_Option_Option_Type + predicate invariant1 (self : Core_Option_Option_Type.t_option b) + val invariant1 (self : Core_Option_Option_Type.t_option b) : bool + ensures { result = invariant1 self } + + predicate inv1 (_x : Core_Option_Option_Type.t_option b) + val inv1 (_x : Core_Option_Option_Type.t_option b) : bool + ensures { result = inv1 _x } + + axiom inv1 : forall x : Core_Option_Option_Type.t_option b . inv1 x = true + predicate invariant0 (self : borrowed (C05Map_Map_Type.t_map i b f)) + val invariant0 (self : borrowed (C05Map_Map_Type.t_map i b f)) : bool + ensures { result = invariant0 self } + + predicate inv0 (_x : borrowed (C05Map_Map_Type.t_map i b f)) + val inv0 (_x : borrowed (C05Map_Map_Type.t_map i b f)) : bool + ensures { result = inv0 _x } + + axiom inv0 : forall x : borrowed (C05Map_Map_Type.t_map i b f) . inv0 x = (inv2 ( * x) /\ inv2 ( ^ x)) use seq.Seq use seq.Seq use seq.Seq 
@@ -1769,40 +1998,50 @@ module C05Map_Impl0 predicate produces0 [@inline:trivial] [#"../05_map.rs" 41 4 41 67] (self : C05Map_Map_Type.t_map i b f) (visited : Seq.seq b) (succ : C05Map_Map_Type.t_map i b f) = - [#"../05_map.rs" 42 8 53 9] unnest0 (C05Map_Map_Type.map_func self) (C05Map_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv4 s /\ Seq.length s = Seq.length visited /\ produces1 (C05Map_Map_Type.map_iter self) s (C05Map_Map_Type.map_iter succ) /\ (exists fs : Seq.seq (borrowed f) . inv5 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../05_map.rs" 42 8 53 9] unnest0 (C05Map_Map_Type.map_func self) (C05Map_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv7 s /\ Seq.length s = Seq.length visited /\ produces1 (C05Map_Map_Type.map_iter self) s (C05Map_Map_Type.map_iter succ) /\ (exists fs : Seq.seq (borrowed f) . inv8 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C05Map_Map_Type.map_func self = C05Map_Map_Type.map_func succ else * Seq.get fs 0 = C05Map_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C05Map_Map_Type.map_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (C05Map_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i) (Seq.get visited i)))) + ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> unnest0 (C05Map_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../05_map.rs" 41 4 41 67] (self : C05Map_Map_Type.t_map i b f) (visited : Seq.seq b) (succ : C05Map_Map_Type.t_map i b f) : bool ensures { result = produces0 self visited succ } + use seq.Seq predicate produces_one0 [#"../05_map.rs" 117 4 117 57] (self : C05Map_Map_Type.t_map i b f) (visited : b) (succ : C05Map_Map_Type.t_map i b f) = - [#"../05_map.rs" 118 8 123 9] exists f : borrowed f . inv7 f /\ * f = C05Map_Map_Type.map_func self /\ ^ f = C05Map_Map_Type.map_func succ /\ (exists e : item0 . inv8 e /\ produces1 (C05Map_Map_Type.map_iter self) (Seq.singleton e) (C05Map_Map_Type.map_iter succ) /\ precondition0 ( * f) (e) /\ postcondition_mut0 f (e) visited) + [#"../05_map.rs" 118 8 123 9] exists f : borrowed f . inv5 f /\ * f = C05Map_Map_Type.map_func self /\ ^ f = C05Map_Map_Type.map_func succ /\ (exists e : item0 . inv6 e /\ produces1 (C05Map_Map_Type.map_iter self) (Seq.singleton e) (C05Map_Map_Type.map_iter succ) /\ precondition0 ( * f) (e) /\ postcondition_mut0 f (e) visited) val produces_one0 [#"../05_map.rs" 117 4 117 57] (self : C05Map_Map_Type.t_map i b f) (visited : b) (succ : C05Map_Map_Type.t_map i b f) : bool - requires {[#"../05_map.rs" 117 20 117 24] inv0 self} - requires {[#"../05_map.rs" 117 26 117 33] inv6 visited} - requires {[#"../05_map.rs" 117 38 117 42] inv0 succ} + requires {[#"../05_map.rs" 117 20 117 24] inv2 self} + requires {[#"../05_map.rs" 117 26 117 33] inv4 visited} + requires {[#"../05_map.rs" 117 38 117 42] inv2 succ} ensures { result = produces_one0 self visited succ } - axiom produces_one0_spec : forall self : C05Map_Map_Type.t_map i b f, visited : b, succ : C05Map_Map_Type.t_map i b f . 
([#"../05_map.rs" 117 20 117 24] inv0 self) -> ([#"../05_map.rs" 117 26 117 33] inv6 visited) -> ([#"../05_map.rs" 117 38 117 42] inv0 succ) -> ([#"../05_map.rs" 116 14 116 68] produces_one0 self visited succ = produces0 self (Seq.singleton visited) succ) + axiom produces_one0_spec : forall self : C05Map_Map_Type.t_map i b f, visited : b, succ : C05Map_Map_Type.t_map i b f . ([#"../05_map.rs" 117 20 117 24] inv2 self) + -> ([#"../05_map.rs" 117 26 117 33] inv4 visited) + -> ([#"../05_map.rs" 117 38 117 42] inv2 succ) + -> ([#"../05_map.rs" 116 14 116 68] produces_one0 self visited succ = produces0 self (Seq.singleton visited) succ) predicate completed0 [#"../05_map.rs" 22 4 22 35] (self : borrowed (C05Map_Map_Type.t_map i b f)) = [#"../05_map.rs" 23 8 23 75] completed1 (Borrow.borrow_logic (C05Map_Map_Type.map_iter ( * self)) (C05Map_Map_Type.map_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ C05Map_Map_Type.map_func ( * self) = C05Map_Map_Type.map_func ( ^ self) val completed0 [#"../05_map.rs" 22 4 22 35] (self : borrowed (C05Map_Map_Type.t_map i b f)) : bool ensures { result = completed0 self } - use seq.Seq - goal produces_trans_refn : [#"../05_map.rs" 36 4 36 90] forall a : C05Map_Map_Type.t_map i b f . forall ab : Seq.seq b . forall b : C05Map_Map_Type.t_map i b f . forall bc : Seq.seq b . forall c : C05Map_Map_Type.t_map i b f . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) - goal next_refn : [#"../05_map.rs" 60 4 60 44] forall self : borrowed (C05Map_Map_Type.t_map i b f) . inv2 self -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option b . inv3 result /\ match result with + goal next_refn : [#"../05_map.rs" 60 4 60 44] forall self : borrowed (C05Map_Map_Type.t_map i b f) . 
inv0 self + -> inv0 self /\ (forall result : Core_Option_Option_Type.t_option b . inv1 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces_one0 ( * self) v ( ^ self) - end -> inv3 result /\ match result with + end + -> inv1 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) - goal produces_refl_refn : [#"../05_map.rs" 29 4 29 26] forall self : C05Map_Map_Type.t_map i b f . inv0 self -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal produces_trans_refn : [#"../05_map.rs" 36 4 36 90] forall a : C05Map_Map_Type.t_map i b f . forall ab : Seq.seq b . forall b : C05Map_Map_Type.t_map i b f . forall bc : Seq.seq b . forall c : C05Map_Map_Type.t_map i b f . inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b + -> inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) + goal produces_refl_refn : [#"../05_map.rs" 29 4 29 26] forall self : C05Map_Map_Type.t_map i b f . inv2 self + -> inv2 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) end module C05Map_Impl2 type i diff --git a/creusot/tests/should_succeed/iterators/05_map.rs b/creusot/tests/should_succeed/iterators/05_map.rs index f3bd5283ab..971ea5dbe3 100644 --- a/creusot/tests/should_succeed/iterators/05_map.rs +++ b/creusot/tests/should_succeed/iterators/05_map.rs @@ -18,7 +18,7 @@ impl B> Iterator for Map { type Item = B; #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { self.iter.completed() && (*self).func == (^self).func } } 
@@ -36,7 +36,7 @@ impl B> Iterator for Map { fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) {} #[open] - #[predicate] + #[predicate(prophetic)] #[why3::attr = "inline:trivial"] fn produces(self, visited: Seq, succ: Self) -> bool { pearlite! { @@ -61,7 +61,7 @@ impl B> Iterator for Map { match self.iter.next() { Some(v) => { proof_assert! { self.func.precondition((v,)) }; - gh! { Self::produces_one_invariant }; + snapshot! { Self::produces_one_invariant }; Some((self.func)(v)) } None => None, @@ -70,14 +70,14 @@ impl B> Iterator for Map { } impl B> Map { - #[predicate] + #[predicate(prophetic)] fn next_precondition(iter: I, func: F) -> bool { pearlite! { forall iter.produces(Seq::singleton(e), i) ==> func.precondition((e,)) } } - #[predicate] + #[predicate(prophetic)] fn preservation(iter: I, func: F) -> bool { pearlite! { forall, e1: I::Item, e2: I::Item, f: &mut F, b: B, i: I> @@ -89,7 +89,7 @@ impl B> Map { } } - #[predicate] + #[predicate(prophetic)] fn reinitialize() -> bool { pearlite! { forall @@ -98,7 +98,7 @@ impl B> Map { } } - #[ghost] + #[logic] #[requires(self.iter.produces(Seq::singleton(e), iter))] #[requires(*f == self.func)] #[requires(f.postcondition_mut((e,), r) )] @@ -112,7 +112,7 @@ impl B> Map { } } - #[predicate] + #[predicate(prophetic)] #[ensures(result == self.produces(Seq::singleton(visited), succ))] fn produces_one(self, visited: B, succ: Self) -> bool { pearlite! { @@ -126,7 +126,7 @@ impl B> Map { impl B> Invariant for Map { // Should not quantify over self or the `invariant` cannot be made into a type invariant - #[predicate] + #[predicate(prophetic)] #[open(self)] fn invariant(self) -> bool { pearlite! { diff --git a/creusot/tests/should_succeed/iterators/05_map/why3session.xml b/creusot/tests/should_succeed/iterators/05_map/why3session.xml index cb6a4b742d..f26de167ed 100644 --- a/creusot/tests/should_succeed/iterators/05_map/why3session.xml +++ b/creusot/tests/should_succeed/iterators/05_map/why3session.xml 
@@ -1,24 +1,26 @@ +"https://www.why3.org/why3session.dtd"> - + + - + + - + - + - - + + - - + + @@ -28,60 +30,60 @@ - + - + - - - + + + - - + + - - - + + + - - + + - - + + - - + + - - - + + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + @@ -101,51 +103,15 @@ - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + @@ -153,18 +119,18 @@ - + - + - - + + - - + + - - + + @@ -181,7 +147,7 @@ - + @@ -190,22 +156,22 @@ - + - + - + - + - + @@ -219,12 +185,12 @@ + + + - - - diff --git a/creusot/tests/should_succeed/iterators/05_map/why3shapes.gz b/creusot/tests/should_succeed/iterators/05_map/why3shapes.gz index 7ee97d5a13..035bfbf58a 100644 Binary files a/creusot/tests/should_succeed/iterators/05_map/why3shapes.gz and b/creusot/tests/should_succeed/iterators/05_map/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/iterators/06_map_precond.mlcfg b/creusot/tests/should_succeed/iterators/06_map_precond.mlcfg index 199e95d3a6..61c0e297f7 100644 --- a/creusot/tests/should_succeed/iterators/06_map_precond.mlcfg +++ b/creusot/tests/should_succeed/iterators/06_map_precond.mlcfg @@ -2,11 +2,11 @@ module C06MapPrecond_Map_Type type item0 use seq.Seq - use prelude.Ghost + use prelude.Snapshot type t_map 'i 'b 'f 'proj0 = - | C_Map 'i 'f (Ghost.ghost_ty (Seq.seq 'proj0)) + | C_Map 'i 'f (Snapshot.snap_ty (Seq.seq 'proj0)) - let function map_produced (self : t_map 'i 'b 'f 'proj0) : Ghost.ghost_ty (Seq.seq 'proj0) + let function map_produced (self : t_map 'i 'b 'f 'proj0) : Snapshot.snap_ty (Seq.seq 'proj0) = [@vc:do_not_keep_trace] [@vc:sp] match self with | C_Map _ _ a -> a 
@@ -26,31 +26,31 @@ module C06MapPrecond_Impl1_PreservationInv_Impl type f type item0 use seq.Seq - use prelude.Ghost - predicate invariant6 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) - val invariant6 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + use prelude.Snapshot + predicate invariant6 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) + val invariant6 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = invariant6 self } - predicate inv6 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) - val inv6 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate inv6 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) + val inv6 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = inv6 _x } - axiom inv6 : forall x : (item0, Ghost.ghost_ty (Seq.seq item0)) . inv6 x = true + axiom inv6 : forall x : (item0, Snapshot.snap_ty (Seq.seq item0)) . inv6 x = true predicate resolve0 (self : f) val resolve0 (self : f) : bool ensures { result = resolve0 self } use prelude.Borrow - predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_mut0 self _2 _3 } predicate inv4 (_x : borrowed f) val inv4 (_x : borrowed f) : bool ensures { result = inv4 _x } - predicate postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty 
(Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_once0 self _2 _3 } predicate inv3 (_x : b) 
@@ -61,14 +61,17 @@ module C06MapPrecond_Impl1_PreservationInv_Impl val inv1 (_x : f) : bool ensures { result = inv1 _x } - function fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + function fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + val fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv1 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv6 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv3 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv4 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv6 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv3 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . 
inv4 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -82,22 +85,33 @@ module C06MapPrecond_Impl1_PreservationInv_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv1 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv1 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv1 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv1 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv1 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv1 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) - function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + + val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv4 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv6 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv3 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv6 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv3 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv6 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv3 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant5 (self : item0) val invariant5 (self : item0) : bool ensures { result = invariant5 self } 
@@ -142,14 +156,21 @@ module C06MapPrecond_Impl1_PreservationInv_Impl requires {[#"../common.rs" 21 82 21 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv0 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv0 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv0 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv0 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) predicate invariant2 (self : Seq.seq item0) val invariant2 (self : Seq.seq item0) : bool ensures { result = invariant2 self } 
@@ -165,25 +186,45 @@ module C06MapPrecond_Impl1_PreservationInv_Impl ensures { result = invariant0 self } axiom inv0 : forall x : i . inv0 x = true - predicate precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) - val precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) + val precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = precondition0 self _2 } - use prelude.Ghost + use prelude.Snapshot use seq.Seq predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv3 b -> inv4 f -> inv5 e2 -> inv5 e1 -> inv2 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv0 i + -> inv3 b + -> inv4 f + -> inv5 e2 + -> inv5 e1 + -> inv2 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } - let rec ghost predicate preservation_inv [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) - requires {[#"../06_map_precond.rs" 93 24 93 28] inv0 iter} - requires {[#"../06_map_precond.rs" 93 33 93 37] inv1 func} - requires {[#"../06_map_precond.rs" 93 42 93 50] inv2 produced} - ensures { [#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> result = preservation0 iter func } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../06_map_precond.rs" 94 8 101 9] pure {forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv3 b -> inv4 f -> inv5 e2 -> inv5 e1 -> inv2 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1))} + constant iter : i + constant func : f + constant produced : Seq.seq item0 + predicate preservation_inv [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) + goal vc_preservation_inv : ([#"../06_map_precond.rs" 93 42 93 50] inv2 produced) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv1 func) + -> ([#"../06_map_precond.rs" 93 24 93 28] inv0 iter) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> ([#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . 
forall s : Seq.seq item0 . inv0 i + -> inv3 b + -> inv4 f + -> inv5 e2 + -> inv5 e1 + -> inv2 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1))) = preservation0 iter func) end module C06MapPrecond_Impl0_ProducesRefl_Impl type i @@ -219,16 +260,16 @@ module C06MapPrecond_Impl0_ProducesRefl_Impl axiom inv8 : forall x : b . inv8 x = true use seq.Seq - use prelude.Ghost - predicate invariant7 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) - val invariant7 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + use prelude.Snapshot + predicate invariant7 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) + val invariant7 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = invariant7 self } - predicate inv7 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) - val inv7 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate inv7 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) + val inv7 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = inv7 _x } - axiom inv7 : forall x : (item0, Ghost.ghost_ty (Seq.seq item0)) . inv7 x = true + axiom inv7 : forall x : (item0, Snapshot.snap_ty (Seq.seq item0)) . inv7 x = true predicate invariant6 (self : borrowed f) val invariant6 (self : borrowed f) : bool ensures { result = invariant6 self } 
@@ -238,15 +279,15 @@ module C06MapPrecond_Impl0_ProducesRefl_Impl ensures { result = inv6 _x } axiom inv6 : forall x : borrowed f . inv6 x = true - predicate invariant5 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant5 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate invariant5 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant5 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant5 self } - predicate inv5 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv5 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate inv5 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv5 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv5 _x } - axiom inv5 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv5 x = true + axiom inv5 : forall x : Snapshot.snap_ty (Seq.seq item0) . inv5 x = true predicate invariant4 (self : f) val invariant4 (self : f) : bool ensures { result = invariant4 self } 
@@ -287,22 +328,25 @@ module C06MapPrecond_Impl0_ProducesRefl_Impl val resolve0 (self : f) : bool ensures { result = resolve0 self } - predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_mut0 self _2 _3 } - predicate postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_once0 self _2 _3 } - function fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + function fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + val fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv4 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv7 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv8 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv7 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv8 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv7 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv8 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -316,22 +360,33 @@ module C06MapPrecond_Impl0_ProducesRefl_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv4 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv4 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv4 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv4 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv4 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv4 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) - function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + + val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv7 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv8 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv7 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv8 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv7 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv8 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) use seq.Seq predicate produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) val produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) : bool 
@@ -349,53 +404,85 @@ module C06MapPrecond_Impl0_ProducesRefl_Impl requires {[#"../common.rs" 21 82 21 83] inv3 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv3 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv3 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv3 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv3 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv3 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) - predicate precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) - val precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + axiom produces_refl0_spec : forall self : i . 
([#"../common.rs" 15 21 15 25] inv3 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + predicate precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) + val precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = precondition0 self _2 } - use prelude.Ghost + use prelude.Snapshot use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv3 i -> inv10 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv3 i + -> inv10 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } use seq.Seq predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv3 i -> inv8 b -> inv6 f -> inv10 e2 -> inv10 e1 -> inv1 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv3 i + -> inv8 b + -> inv6 f + -> inv10 e2 + -> inv10 e1 + -> inv1 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv3 i -> inv8 b -> inv6 f -> inv10 e2 -> inv10 e1 -> inv1 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv3 i + -> inv8 b + -> inv6 f + -> inv10 e2 + -> inv10 e1 + -> inv1 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv3 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv4 func} requires {[#"../06_map_precond.rs" 93 42 93 50] inv1 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv3 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv4 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv1 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) - use prelude.Ghost + axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv3 iter) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv4 func) + -> ([#"../06_map_precond.rs" 93 42 93 50] inv1 produced) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) + use prelude.Snapshot predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed0 self } predicate reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) = - [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . 
inv4 func -> inv9 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . inv4 func + -> inv9 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } use C06MapPrecond_Map_Type as C06MapPrecond_Map_Type predicate invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) + [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) val invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = invariant0 self } 
@@ -412,27 +499,27 @@ module C06MapPrecond_Impl0_ProducesRefl_Impl use seq.Seq use prelude.Int use seq.Seq - use prelude.Ghost + use prelude.Snapshot use seq.Seq use seq.Seq predicate produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv1 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Ghost.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv2 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv1 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv2 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C06MapPrecond_Map_Type.map_func self = C06MapPrecond_Map_Type.map_func succ else * Seq.get fs 0 = C06MapPrecond_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C06MapPrecond_Map_Type.map_func succ - ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = produces0 self visited succ } use seq.Seq - let rec ghost function produces_refl [#"../06_map_precond.rs" 31 4 31 26] (self : C06MapPrecond_Map_Type.t_map i b f item0) : () - requires {[#"../06_map_precond.rs" 31 21 31 25] inv0 self} - ensures { [#"../06_map_precond.rs" 30 14 30 45] produces0 self (Seq.empty ) self } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../06_map_precond.rs" 28 4 28 10] () + constant self : C06MapPrecond_Map_Type.t_map i b f item0 + function produces_refl [#"../06_map_precond.rs" 31 4 31 26] (self : C06MapPrecond_Map_Type.t_map i b f item0) : () + goal vc_produces_refl : ([#"../06_map_precond.rs" 31 21 31 25] inv0 self) + -> ([#"../06_map_precond.rs" 30 14 30 45] produces0 self (Seq.empty ) self) end module C06MapPrecond_Impl0_ProducesTrans_Impl type i 
@@ -468,16 +555,16 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl axiom inv9 : forall x : b . inv9 x = true use seq.Seq - use prelude.Ghost - predicate invariant8 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) - val invariant8 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + use prelude.Snapshot + predicate invariant8 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) + val invariant8 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = invariant8 self } - predicate inv8 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) - val inv8 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate inv8 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) + val inv8 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = inv8 _x } - axiom inv8 : forall x : (item0, Ghost.ghost_ty (Seq.seq item0)) . inv8 x = true + axiom inv8 : forall x : (item0, Snapshot.snap_ty (Seq.seq item0)) . inv8 x = true predicate invariant7 (self : borrowed f) val invariant7 (self : borrowed f) : bool ensures { result = invariant7 self } 
@@ -487,15 +574,15 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl ensures { result = inv7 _x } axiom inv7 : forall x : borrowed f . inv7 x = true - predicate invariant6 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant6 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate invariant6 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant6 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant6 self } - predicate inv6 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv6 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate inv6 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv6 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv6 _x } - axiom inv6 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv6 x = true + axiom inv6 : forall x : Snapshot.snap_ty (Seq.seq item0) . inv6 x = true predicate invariant5 (self : f) val invariant5 (self : f) : bool ensures { result = invariant5 self } 
@@ -536,22 +623,25 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl val resolve0 (self : f) : bool ensures { result = resolve0 self } - predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_mut0 self _2 _3 } - predicate postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_once0 self _2 _3 } - function fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + function fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + val fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv5 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv8 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv9 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv8 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv9 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv7 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv8 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv9 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv7 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -565,22 +655,33 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv5 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv5 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv5 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv5 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv5 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv5 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) - function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + + val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv7 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv8 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv9 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv8 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv9 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv8 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv9 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) use seq.Seq predicate produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) val produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) : bool 
@@ -598,14 +699,21 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl requires {[#"../common.rs" 21 82 21 83] inv4 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv4 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv4 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv4 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv4 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv4 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv4 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv4 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : Seq.seq b) val invariant1 (self : Seq.seq b) : bool ensures { result = invariant1 self } 
@@ -615,45 +723,71 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl ensures { result = inv1 _x } axiom inv1 : forall x : Seq.seq b . inv1 x = true - predicate precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) - val precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) + val precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = precondition0 self _2 } - use prelude.Ghost + use prelude.Snapshot use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv4 i -> inv11 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv4 i + -> inv11 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } use seq.Seq predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv9 b -> inv7 f -> inv11 e2 -> inv11 e1 -> inv2 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv4 i + -> inv9 b + -> inv7 f + -> inv11 e2 + -> inv11 e1 + -> inv2 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv9 b -> inv7 f -> inv11 e2 -> inv11 e1 -> inv2 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv4 i + -> inv9 b + -> inv7 f + -> inv11 e2 + -> inv11 e1 + -> inv2 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv4 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv5 func} requires {[#"../06_map_precond.rs" 93 42 93 50] inv2 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv4 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv5 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv2 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) - use prelude.Ghost + axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv4 iter) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv5 func) + -> ([#"../06_map_precond.rs" 93 42 93 50] inv2 produced) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) + use prelude.Snapshot predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed0 self } predicate reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) = - [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . 
inv5 func -> inv10 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . inv5 func + -> inv10 iter + -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } use C06MapPrecond_Map_Type as C06MapPrecond_Map_Type predicate invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) + [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) val invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = invariant0 self } 
@@ -671,32 +805,37 @@ module C06MapPrecond_Impl0_ProducesTrans_Impl use seq.Seq use prelude.Int use seq.Seq - use prelude.Ghost + use prelude.Snapshot use seq.Seq use seq.Seq predicate produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv2 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Ghost.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv3 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv2 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv3 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C06MapPrecond_Map_Type.map_func self = C06MapPrecond_Map_Type.map_func succ else * Seq.get fs 0 = C06MapPrecond_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C06MapPrecond_Map_Type.map_func succ - ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = produces0 self visited succ } - let rec ghost function produces_trans [#"../06_map_precond.rs" 38 4 38 90] (a : C06MapPrecond_Map_Type.t_map i b f item0) (ab : Seq.seq b) (b : C06MapPrecond_Map_Type.t_map i b f item0) (bc : Seq.seq b) (c : C06MapPrecond_Map_Type.t_map i b f item0) : () - requires {[#"../06_map_precond.rs" 35 15 35 32] produces0 a ab b} - requires {[#"../06_map_precond.rs" 36 15 36 32] produces0 b bc c} - requires {[#"../06_map_precond.rs" 38 22 38 23] inv0 a} - requires {[#"../06_map_precond.rs" 38 31 38 33] inv1 ab} - requires {[#"../06_map_precond.rs" 38 52 38 53] inv0 b} - requires {[#"../06_map_precond.rs" 38 61 38 63] inv1 bc} - requires {[#"../06_map_precond.rs" 38 82 38 83] inv0 c} - ensures { [#"../06_map_precond.rs" 37 14 37 42] produces0 a (Seq.(++) ab bc) c } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../06_map_precond.rs" 33 4 33 
10] () + constant a : C06MapPrecond_Map_Type.t_map i b f item0 + constant ab : Seq.seq b + constant b : C06MapPrecond_Map_Type.t_map i b f item0 + constant bc : Seq.seq b + constant c : C06MapPrecond_Map_Type.t_map i b f item0 + function produces_trans [#"../06_map_precond.rs" 38 4 38 90] (a : C06MapPrecond_Map_Type.t_map i b f item0) (ab : Seq.seq b) (b : C06MapPrecond_Map_Type.t_map i b f item0) (bc : Seq.seq b) (c : C06MapPrecond_Map_Type.t_map i b f item0) : () + + goal vc_produces_trans : ([#"../06_map_precond.rs" 38 82 38 83] inv0 c) + -> ([#"../06_map_precond.rs" 38 61 38 63] inv1 bc) + -> ([#"../06_map_precond.rs" 38 52 38 53] inv0 b) + -> ([#"../06_map_precond.rs" 38 31 38 33] inv1 ab) + -> ([#"../06_map_precond.rs" 38 22 38 23] inv0 a) + -> ([#"../06_map_precond.rs" 36 15 36 32] produces0 b bc c) + -> ([#"../06_map_precond.rs" 35 15 35 32] produces0 a ab b) + -> ([#"../06_map_precond.rs" 37 14 37 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = 
@@ -725,16 +864,16 @@ module C06MapPrecond_Impl1_ProducesOne_Impl axiom inv11 : forall x : borrowed i . inv11 x = true type item0 use seq.Seq - use prelude.Ghost - predicate invariant10 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) - val invariant10 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + use prelude.Snapshot + predicate invariant10 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) + val invariant10 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = invariant10 self } - predicate inv10 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) - val inv10 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate inv10 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) + val inv10 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = inv10 _x } - axiom inv10 : forall x : (item0, Ghost.ghost_ty (Seq.seq item0)) . inv10 x = true + axiom inv10 : forall x : (item0, Snapshot.snap_ty (Seq.seq item0)) . inv10 x = true predicate invariant9 (self : Seq.seq b) val invariant9 (self : Seq.seq b) : bool ensures { result = invariant9 self } 
@@ -744,15 +883,15 @@ module C06MapPrecond_Impl1_ProducesOne_Impl ensures { result = inv9 _x } axiom inv9 : forall x : Seq.seq b . inv9 x = true - predicate invariant8 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant8 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate invariant8 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant8 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant8 self } - predicate inv8 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv8 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate inv8 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv8 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv8 _x } - axiom inv8 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv8 x = true + axiom inv8 : forall x : Snapshot.snap_ty (Seq.seq item0) . inv8 x = true predicate invariant7 (self : f) val invariant7 (self : f) : bool ensures { result = invariant7 self } 
@@ -793,30 +932,33 @@ module C06MapPrecond_Impl1_ProducesOne_Impl val resolve0 (self : f) : bool ensures { result = resolve0 self } - predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_mut0 self _2 _3 } predicate inv2 (_x : borrowed f) val inv2 (_x : borrowed f) : bool ensures { result = inv2 _x } - predicate postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_once0 self _2 _3 } predicate inv1 (_x : b) val inv1 (_x : b) : bool ensures { result = inv1 _x } - function fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + function fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + val fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv7 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv10 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv1 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : 
(item0, Ghost.ghost_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv10 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv1 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv10 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv1 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv2 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -830,22 +972,33 @@ module C06MapPrecond_Impl1_ProducesOne_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv7 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv7 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv7 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv7 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv7 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv7 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) - function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + + val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv2 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv10 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv1 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv10 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv1 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv10 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv1 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant3 (self : item0) val invariant3 (self : item0) : bool ensures { result = invariant3 self } 
@@ -877,14 +1030,21 @@ module C06MapPrecond_Impl1_ProducesOne_Impl requires {[#"../common.rs" 21 82 21 83] inv6 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv6 a) -> ([#"../common.rs" 21 31 21 33] inv4 ab) -> ([#"../common.rs" 21 52 21 53] inv6 b) -> ([#"../common.rs" 21 61 21 63] inv4 bc) -> ([#"../common.rs" 21 82 21 83] inv6 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv6 a) + -> ([#"../common.rs" 21 31 21 33] inv4 ab) + -> ([#"../common.rs" 21 52 21 53] inv6 b) + -> ([#"../common.rs" 21 61 21 63] inv4 bc) + -> ([#"../common.rs" 21 82 21 83] inv6 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl1 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv6 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv6 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv6 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) use C06MapPrecond_Map_Type as C06MapPrecond_Map_Type use seq.Seq predicate inv0 (_x : C06MapPrecond_Map_Type.t_map i b f item0) 
@@ -892,28 +1052,30 @@ module C06MapPrecond_Impl1_ProducesOne_Impl ensures { result = inv0 _x } use seq.Seq - predicate precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) - val precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) + val precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = precondition0 self _2 } - use prelude.Ghost + use prelude.Snapshot use seq_ext.SeqExt use seq.Seq use seq.Seq use prelude.Int use seq.Seq - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot use seq.Seq use seq.Seq predicate produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv4 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Ghost.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv5 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . 
inv4 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv5 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C06MapPrecond_Map_Type.map_func self = C06MapPrecond_Map_Type.map_func succ else * Seq.get fs 0 = C06MapPrecond_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C06MapPrecond_Map_Type.map_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = produces0 self visited succ } 
@@ -931,7 +1093,14 @@ module C06MapPrecond_Impl1_ProducesOne_Impl requires {[#"../06_map_precond.rs" 38 82 38 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : C06MapPrecond_Map_Type.t_map i b f item0, ab : Seq.seq b, b : C06MapPrecond_Map_Type.t_map i b f item0, bc : Seq.seq b, c : C06MapPrecond_Map_Type.t_map i b f item0 . ([#"../06_map_precond.rs" 35 15 35 32] produces0 a ab b) -> ([#"../06_map_precond.rs" 36 15 36 32] produces0 b bc c) -> ([#"../06_map_precond.rs" 38 22 38 23] inv0 a) -> ([#"../06_map_precond.rs" 38 31 38 33] inv9 ab) -> ([#"../06_map_precond.rs" 38 52 38 53] inv0 b) -> ([#"../06_map_precond.rs" 38 61 38 63] inv9 bc) -> ([#"../06_map_precond.rs" 38 82 38 83] inv0 c) -> ([#"../06_map_precond.rs" 37 14 37 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : C06MapPrecond_Map_Type.t_map i b f item0, ab : Seq.seq b, b : C06MapPrecond_Map_Type.t_map i b f item0, bc : Seq.seq b, c : C06MapPrecond_Map_Type.t_map i b f item0 . ([#"../06_map_precond.rs" 35 15 35 32] produces0 a ab b) + -> ([#"../06_map_precond.rs" 36 15 36 32] produces0 b bc c) + -> ([#"../06_map_precond.rs" 38 22 38 23] inv0 a) + -> ([#"../06_map_precond.rs" 38 31 38 33] inv9 ab) + -> ([#"../06_map_precond.rs" 38 52 38 53] inv0 b) + -> ([#"../06_map_precond.rs" 38 61 38 63] inv9 bc) + -> ([#"../06_map_precond.rs" 38 82 38 83] inv0 c) + -> ([#"../06_map_precond.rs" 37 14 37 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../06_map_precond.rs" 31 4 31 26] (self : C06MapPrecond_Map_Type.t_map i b f item0) : () = [#"../06_map_precond.rs" 28 4 28 10] () 
@@ -939,7 +1108,8 @@ module C06MapPrecond_Impl1_ProducesOne_Impl requires {[#"../06_map_precond.rs" 31 21 31 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : C06MapPrecond_Map_Type.t_map i b f item0 . ([#"../06_map_precond.rs" 31 21 31 25] inv0 self) -> ([#"../06_map_precond.rs" 30 14 30 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : C06MapPrecond_Map_Type.t_map i b f item0 . ([#"../06_map_precond.rs" 31 21 31 25] inv0 self) + -> ([#"../06_map_precond.rs" 30 14 30 45] produces0 self (Seq.empty ) self) predicate invariant1 (self : b) val invariant1 (self : b) : bool ensures { result = invariant1 self } 
@@ -947,36 +1117,62 @@ module C06MapPrecond_Impl1_ProducesOne_Impl axiom inv1 : forall x : b . inv1 x = true use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv6 i -> inv3 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv6 i + -> inv3 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } use seq.Seq predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv6 i -> inv1 b -> inv2 f -> inv3 e2 -> inv3 e1 -> inv4 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv6 i + -> inv1 b + -> inv2 f + -> inv3 e2 + -> inv3 e1 + -> inv4 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv6 i -> inv1 b -> inv2 f -> inv3 e2 -> inv3 e1 -> inv4 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv6 i + -> inv1 b + -> inv2 f + -> inv3 e2 + -> inv3 e1 + -> inv4 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv6 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv7 func} requires {[#"../06_map_precond.rs" 93 42 93 50] inv4 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv6 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv7 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv4 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) + axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv6 iter) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv7 func) + -> ([#"../06_map_precond.rs" 93 42 93 50] inv4 produced) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed0 self } predicate reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) = - [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . inv7 func -> inv11 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../06_map_precond.rs" 118 8 123 9] forall func : f . 
forall iter : borrowed i . inv7 func + -> inv11 iter + -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } predicate invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) + [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) val invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = invariant0 self } 
@@ -984,14 +1180,15 @@ module C06MapPrecond_Impl1_ProducesOne_Impl | C06MapPrecond_Map_Type.C_Map iter func produced -> true end) use seq.Seq - let rec ghost predicate produces_one [#"../06_map_precond.rs" 142 4 142 57] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) - requires {[#"../06_map_precond.rs" 142 20 142 24] inv0 self} - requires {[#"../06_map_precond.rs" 142 26 142 33] inv1 visited} - requires {[#"../06_map_precond.rs" 142 38 142 42] inv0 succ} - ensures { [#"../06_map_precond.rs" 141 14 141 68] result = produces0 self (Seq.singleton visited) succ } + constant self : C06MapPrecond_Map_Type.t_map i b f item0 + constant visited : b + constant succ : C06MapPrecond_Map_Type.t_map i b f item0 + predicate produces_one [#"../06_map_precond.rs" 142 4 142 57] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../06_map_precond.rs" 143 8 149 9] pure {exists f : borrowed f . inv2 f /\ * f = C06MapPrecond_Map_Type.map_func self /\ ^ f = C06MapPrecond_Map_Type.map_func succ /\ (exists e : item0 . inv3 e /\ produces1 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) (C06MapPrecond_Map_Type.map_iter succ) /\ Ghost.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.snoc (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) e /\ precondition0 ( * f) (e, C06MapPrecond_Map_Type.map_produced self) /\ postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) visited)} + goal vc_produces_one : ([#"../06_map_precond.rs" 142 38 142 42] inv0 succ) + -> ([#"../06_map_precond.rs" 142 26 142 33] inv1 visited) + -> ([#"../06_map_precond.rs" 142 20 142 24] inv0 self) + -> ([#"../06_map_precond.rs" 141 14 141 68] ([#"../06_map_precond.rs" 143 8 149 9] exists f : borrowed f . inv2 f /\ * f = C06MapPrecond_Map_Type.map_func self /\ ^ f = C06MapPrecond_Map_Type.map_func succ /\ (exists e : item0 . 
inv3 e /\ produces1 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e /\ precondition0 ( * f) (e, C06MapPrecond_Map_Type.map_produced self) /\ postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) visited)) = produces0 self (Seq.singleton visited) succ) end module C06MapPrecond_Impl1_ProducesOneInvariant_Impl type i 
@@ -1009,25 +1206,25 @@ module C06MapPrecond_Impl1_ProducesOneInvariant_Impl axiom inv9 : forall x : borrowed i . inv9 x = true type item0 use seq.Seq - use prelude.Ghost - predicate invariant8 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant8 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + use prelude.Snapshot + predicate invariant8 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant8 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant8 self } - predicate inv8 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv8 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate inv8 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv8 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv8 _x } - axiom inv8 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv8 x = true - predicate invariant7 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) - val invariant7 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + axiom inv8 : forall x : Snapshot.snap_ty (Seq.seq item0) . inv8 x = true + predicate invariant7 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) + val invariant7 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = invariant7 self } - predicate inv7 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) - val inv7 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate inv7 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) + val inv7 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = inv7 _x } - axiom inv7 : forall x : (item0, Ghost.ghost_ty (Seq.seq item0)) . inv7 x = true + axiom inv7 : forall x : (item0, Snapshot.snap_ty (Seq.seq item0)) . inv7 x = true predicate invariant6 (self : f) val invariant6 (self : f) : bool ensures { result = invariant6 self } 
@@ -1082,23 +1279,24 @@ module C06MapPrecond_Impl1_ProducesOneInvariant_Impl ensures { result = inv1 _x } axiom inv1 : forall x : item0 . inv1 x = true - predicate precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) - val precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) + val precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = precondition0 self _2 } - use prelude.Ghost + use prelude.Snapshot predicate produces0 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) val produces0 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) : bool ensures { result = produces0 self visited o } use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv4 i -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv4 i + -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } - predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_mut0 self _2 _3 } use seq.Seq 
@@ -1108,33 +1306,57 @@ module C06MapPrecond_Impl1_ProducesOneInvariant_Impl ensures { result = unnest0 self _2 } predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv2 b -> inv3 f -> inv1 e2 -> inv1 e1 -> inv5 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i + -> inv2 b + -> inv3 f + -> inv1 e2 + -> inv1 e1 + -> inv5 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } use seq.Seq predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv2 b -> inv3 f -> inv1 e2 -> inv1 e1 -> inv5 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . 
forall s : Seq.seq item0 . inv4 i + -> inv2 b + -> inv3 f + -> inv1 e2 + -> inv1 e1 + -> inv5 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv4 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv6 func} requires {[#"../06_map_precond.rs" 93 42 93 50] inv5 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv4 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv6 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv5 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) - use prelude.Ghost + axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv4 iter) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv6 func) + -> ([#"../06_map_precond.rs" 93 42 93 50] inv5 produced) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) + use prelude.Snapshot predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed0 self } predicate reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) = - [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . 
inv6 func -> inv9 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . inv6 func + -> inv9 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } use C06MapPrecond_Map_Type as C06MapPrecond_Map_Type predicate invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) + [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) val invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = invariant0 self } 
@@ -1149,18 +1371,21 @@ module C06MapPrecond_Impl1_ProducesOneInvariant_Impl val resolve0 (self : f) : bool ensures { result = resolve0 self } - predicate postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_once0 self _2 _3 } - function fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + function fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + val fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv6 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv7 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv7 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv3 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv7 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv3 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) function unnest_trans0 (self : f) (b : f) (c : f) : () val unnest_trans0 (self : f) (b : f) (c : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b} 
@@ -1170,22 +1395,33 @@ module C06MapPrecond_Impl1_ProducesOneInvariant_Impl requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv6 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv6 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv6 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv6 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv6 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv6 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) - function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + + val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv3 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv7 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv7 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv7 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv2 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) function produces_trans0 [#"../common.rs" 21 4 21 91] (a : i) (ab : Seq.seq item0) (b : i) (bc : Seq.seq item0) (c : i) : () val produces_trans0 [#"../common.rs" 21 4 21 91] (a : i) (ab : Seq.seq item0) (b : i) (bc : Seq.seq item0) (c : i) : () 
@@ -1198,27 +1434,41 @@ module C06MapPrecond_Impl1_ProducesOneInvariant_Impl requires {[#"../common.rs" 21 82 21 83] inv4 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv4 a) -> ([#"../common.rs" 21 31 21 33] inv5 ab) -> ([#"../common.rs" 21 52 21 53] inv4 b) -> ([#"../common.rs" 21 61 21 63] inv5 bc) -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv4 a) + -> ([#"../common.rs" 21 31 21 33] inv5 ab) + -> ([#"../common.rs" 21 52 21 53] inv4 b) + -> ([#"../common.rs" 21 61 21 63] inv5 bc) + -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv4 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . 
([#"../common.rs" 15 21 15 25] inv4 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) - let rec ghost function produces_one_invariant [#"../06_map_precond.rs" 132 4 132 73] (self : C06MapPrecond_Map_Type.t_map i b f item0) (e : item0) (r : b) (f : borrowed f) (iter : i) : () - requires {[#"../06_map_precond.rs" 127 4 127 60] produces0 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) iter} - requires {[#"../06_map_precond.rs" 128 15 128 30] * f = C06MapPrecond_Map_Type.map_func self} - requires {[#"../06_map_precond.rs" 129 15 129 57] postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) r} - requires {[#"../06_map_precond.rs" 132 30 132 34] inv0 self} - requires {[#"../06_map_precond.rs" 132 36 132 37] inv1 e} - requires {[#"../06_map_precond.rs" 132 48 132 49] inv2 r} - requires {[#"../06_map_precond.rs" 132 54 132 55] inv3 f} - requires {[#"../06_map_precond.rs" 132 65 132 69] inv4 iter} - ensures { [#"../06_map_precond.rs" 130 14 130 69] preservation_inv0 iter ( ^ f) (Seq.snoc (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) e) } - ensures { [#"../06_map_precond.rs" 131 14 131 70] next_precondition0 iter ( ^ f) (Seq.snoc (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) e) } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../06_map_precond.rs" 126 4 126 12] let _ = let a = pure {forall i : i . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i -> inv1 e2 -> inv1 e1 -> inv5 s -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> produces0 (C06MapPrecond_Map_Type.map_iter self) (Seq.snoc (Seq.snoc (Seq.(++) (Seq.singleton e) s) e1) e2) i} in assert {a} in () + axiom produces_refl0_spec : forall self : i . 
([#"../common.rs" 15 21 15 25] inv4 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + constant self : C06MapPrecond_Map_Type.t_map i b f item0 + constant e : item0 + constant r : b + constant f : borrowed f + constant iter : i + function produces_one_invariant [#"../06_map_precond.rs" 132 4 132 73] (self : C06MapPrecond_Map_Type.t_map i b f item0) (e : item0) (r : b) (f : borrowed f) (iter : i) : () + + goal vc_produces_one_invariant : ([#"../06_map_precond.rs" 132 65 132 69] inv4 iter) + -> ([#"../06_map_precond.rs" 132 54 132 55] inv3 f) + -> ([#"../06_map_precond.rs" 132 48 132 49] inv2 r) + -> ([#"../06_map_precond.rs" 132 36 132 37] inv1 e) + -> ([#"../06_map_precond.rs" 132 30 132 34] inv0 self) + -> ([#"../06_map_precond.rs" 129 15 129 57] postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) r) + -> ([#"../06_map_precond.rs" 128 15 128 30] * f = C06MapPrecond_Map_Type.map_func self) + -> ([#"../06_map_precond.rs" 127 4 127 60] produces0 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) iter) + -> ([#"../06_map_precond.rs" 126 4 126 12] forall i : i . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv4 i + -> inv1 e2 + -> inv1 e1 + -> inv5 s + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> produces0 (C06MapPrecond_Map_Type.map_iter self) (Seq.snoc (Seq.snoc (Seq.(++) (Seq.singleton e) s) e1) e2) i) && (let _ = () in ([#"../06_map_precond.rs" 131 14 131 70] next_precondition0 iter ( ^ f) (Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e)) && ([#"../06_map_precond.rs" 130 14 130 69] preservation_inv0 iter ( ^ f) (Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e))) end module C06MapPrecond_Impl0_Next type i 
@@ -1254,9 +1504,9 @@ module C06MapPrecond_Impl0_Next ensures { result = inv11 _x } axiom inv11 : forall x : item0 . inv11 x = true - use prelude.Ghost - predicate inv3 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv3 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + use prelude.Snapshot + predicate inv3 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv3 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv3 _x } predicate inv2 (_x : f) 
@@ -1267,23 +1517,24 @@ module C06MapPrecond_Impl0_Next val inv0 (_x : i) : bool ensures { result = inv0 _x } - predicate precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) - val precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) + val precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = precondition0 self _2 } - use prelude.Ghost + use prelude.Snapshot predicate produces0 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) val produces0 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) : bool ensures { result = produces0 self visited o } use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv0 i -> inv11 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv0 i + -> inv11 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } - predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_mut0 self _2 _3 } use seq.Seq 
@@ -1301,21 +1552,44 @@ module C06MapPrecond_Impl0_Next ensures { result = inv9 _x } predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv9 b -> inv7 f -> inv11 e2 -> inv11 e1 -> inv12 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i + -> inv9 b + -> inv7 f + -> inv11 e2 + -> inv11 e1 + -> inv12 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } use seq.Seq predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv9 b -> inv7 f -> inv11 e2 -> inv11 e1 -> inv12 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv0 i + -> inv9 b + -> inv7 f + -> inv11 e2 + -> inv11 e1 + -> inv12 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv0 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv2 func} requires {[#"../06_map_precond.rs" 93 42 93 50] inv12 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv0 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv2 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv12 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) - use prelude.Ghost + axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv0 iter) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv2 func) + -> ([#"../06_map_precond.rs" 93 42 93 50] inv12 produced) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) + use prelude.Snapshot predicate completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed1 self } 
@@ -1325,13 +1599,14 @@ module C06MapPrecond_Impl0_Next ensures { result = inv6 _x } predicate reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) = - [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . inv2 func -> inv6 iter -> completed1 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . inv2 func + -> inv6 iter -> completed1 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } use C06MapPrecond_Map_Type as C06MapPrecond_Map_Type predicate invariant10 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) + [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) val invariant10 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = invariant10 self } 
@@ -1351,22 +1626,25 @@ module C06MapPrecond_Impl0_Next val resolve4 (self : f) : bool ensures { result = resolve4 self } - predicate postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_once0 self _2 _3 } - predicate inv8 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) - val inv8 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate inv8 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) + val inv8 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = inv8 _x } - function fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + function fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + val fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv8 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv9 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv8 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv9 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv7 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve4 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv8 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv9 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv7 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve4 ( ^ s))) function unnest_trans0 (self : f) (b : f) (c : f) : () val unnest_trans0 (self : f) (b : f) (c : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b} 
@@ -1376,27 +1654,38 @@ module C06MapPrecond_Impl0_Next requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv2 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv2 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) - function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + + val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv7 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv8 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv9 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv8 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv9 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) - predicate invariant8 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) - val invariant8 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv8 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv9 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + predicate invariant8 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) + val invariant8 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = invariant8 self } - axiom inv8 : forall x : (item0, Ghost.ghost_ty (Seq.seq item0)) . inv8 x = true + axiom inv8 : forall x : (item0, Snapshot.snap_ty (Seq.seq item0)) . inv8 x = true predicate invariant7 (self : borrowed f) val invariant7 (self : borrowed f) : bool ensures { result = invariant7 self } 
@@ -1426,11 +1715,11 @@ module C06MapPrecond_Impl0_Next ensures { result = inv4 _x } axiom inv4 : forall x : borrowed (C06MapPrecond_Map_Type.t_map i b f item0) . inv4 x = (inv10 ( * x) /\ inv10 ( ^ x)) - predicate invariant3 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant3 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate invariant3 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant3 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant3 self } - axiom inv3 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv3 x = true + axiom inv3 : forall x : Snapshot.snap_ty (Seq.seq item0) . inv3 x = true predicate invariant2 (self : f) val invariant2 (self : f) : bool ensures { result = invariant2 self } 
@@ -1457,19 +1746,26 @@ module C06MapPrecond_Impl0_Next requires {[#"../common.rs" 21 82 21 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv0 a) -> ([#"../common.rs" 21 31 21 33] inv12 ab) -> ([#"../common.rs" 21 52 21 53] inv0 b) -> ([#"../common.rs" 21 61 21 63] inv12 bc) -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv0 a) + -> ([#"../common.rs" 21 31 21 33] inv12 ab) + -> ([#"../common.rs" 21 52 21 53] inv0 b) + -> ([#"../common.rs" 21 61 21 63] inv12 bc) + -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : i) val invariant0 (self : i) : bool ensures { result = invariant0 self } axiom inv0 : forall x : i . inv0 x = true - use prelude.Ghost + use prelude.Snapshot use seq.Seq use seq_ext.SeqExt use seq.Seq 
@@ -1481,11 +1777,13 @@ module C06MapPrecond_Impl0_Next predicate produces1 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv12 s /\ Seq.length s = Seq.length visited /\ produces0 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Ghost.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv13 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv12 s /\ Seq.length s = Seq.length visited /\ produces0 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv13 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C06MapPrecond_Map_Type.map_func self = C06MapPrecond_Map_Type.map_func succ else * Seq.get fs 0 = C06MapPrecond_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C06MapPrecond_Map_Type.map_func succ - ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces1 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = produces1 self visited succ } 
@@ -1493,25 +1791,28 @@ module C06MapPrecond_Impl0_Next predicate produces_one0 [#"../06_map_precond.rs" 142 4 142 57] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 143 8 149 9] exists f : borrowed f . inv7 f /\ * f = C06MapPrecond_Map_Type.map_func self /\ ^ f = C06MapPrecond_Map_Type.map_func succ /\ (exists e : item0 . inv11 e /\ produces0 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) (C06MapPrecond_Map_Type.map_iter succ) /\ Ghost.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.snoc (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) e /\ precondition0 ( * f) (e, C06MapPrecond_Map_Type.map_produced self) /\ postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) visited) + [#"../06_map_precond.rs" 143 8 149 9] exists f : borrowed f . inv7 f /\ * f = C06MapPrecond_Map_Type.map_func self /\ ^ f = C06MapPrecond_Map_Type.map_func succ /\ (exists e : item0 . inv11 e /\ produces0 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e /\ precondition0 ( * f) (e, C06MapPrecond_Map_Type.map_produced self) /\ postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) visited) val produces_one0 [#"../06_map_precond.rs" 142 4 142 57] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) : bool requires {[#"../06_map_precond.rs" 142 20 142 24] inv10 self} requires {[#"../06_map_precond.rs" 142 26 142 33] inv9 visited} requires {[#"../06_map_precond.rs" 142 38 142 42] inv10 succ} ensures { result = produces_one0 self visited succ } - axiom produces_one0_spec : forall self : C06MapPrecond_Map_Type.t_map i b f item0, visited : b, succ : C06MapPrecond_Map_Type.t_map i b f item0 . 
([#"../06_map_precond.rs" 142 20 142 24] inv10 self) -> ([#"../06_map_precond.rs" 142 26 142 33] inv9 visited) -> ([#"../06_map_precond.rs" 142 38 142 42] inv10 succ) -> ([#"../06_map_precond.rs" 141 14 141 68] produces_one0 self visited succ = produces1 self (Seq.singleton visited) succ) + axiom produces_one0_spec : forall self : C06MapPrecond_Map_Type.t_map i b f item0, visited : b, succ : C06MapPrecond_Map_Type.t_map i b f item0 . ([#"../06_map_precond.rs" 142 20 142 24] inv10 self) + -> ([#"../06_map_precond.rs" 142 26 142 33] inv9 visited) + -> ([#"../06_map_precond.rs" 142 38 142 42] inv10 succ) + -> ([#"../06_map_precond.rs" 141 14 141 68] produces_one0 self visited succ = produces1 self (Seq.singleton visited) succ) predicate completed0 [#"../06_map_precond.rs" 21 4 21 35] (self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) = - [#"../06_map_precond.rs" 22 8 25 9] Ghost.inner (C06MapPrecond_Map_Type.map_produced ( ^ self)) = Seq.empty /\ completed1 (Borrow.borrow_logic (C06MapPrecond_Map_Type.map_iter ( * self)) (C06MapPrecond_Map_Type.map_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ C06MapPrecond_Map_Type.map_func ( * self) = C06MapPrecond_Map_Type.map_func ( ^ self) + [#"../06_map_precond.rs" 22 8 25 9] Snapshot.inner (C06MapPrecond_Map_Type.map_produced ( ^ self)) = Seq.empty /\ completed1 (Borrow.borrow_logic (C06MapPrecond_Map_Type.map_iter ( * self)) (C06MapPrecond_Map_Type.map_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ C06MapPrecond_Map_Type.map_func ( * self) = C06MapPrecond_Map_Type.map_func ( ^ self) val completed0 [#"../06_map_precond.rs" 21 4 21 35] (self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) : bool ensures { result = completed0 self } - predicate resolve3 (self : Ghost.ghost_ty ()) - val resolve3 (self : Ghost.ghost_ty ()) : bool + predicate resolve3 (self : Snapshot.snap_ty ()) + val resolve3 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve3 self } - use prelude.Ghost 
+ use prelude.Snapshot function produces_one_invariant0 [#"../06_map_precond.rs" 132 4 132 73] (self : C06MapPrecond_Map_Type.t_map i b f item0) (e : item0) (r : b) (f : borrowed f) (iter : i) : () val produces_one_invariant0 [#"../06_map_precond.rs" 132 4 132 73] (self : C06MapPrecond_Map_Type.t_map i b f item0) (e : item0) (r : b) (f : borrowed f) (iter : i) : () 
@@ -1525,17 +1826,25 @@ module C06MapPrecond_Impl0_Next requires {[#"../06_map_precond.rs" 132 65 132 69] inv0 iter} ensures { result = produces_one_invariant0 self e r f iter } - axiom produces_one_invariant0_spec : forall self : C06MapPrecond_Map_Type.t_map i b f item0, e : item0, r : b, f : borrowed f, iter : i . ([#"../06_map_precond.rs" 127 4 127 60] produces0 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) iter) -> ([#"../06_map_precond.rs" 128 15 128 30] * f = C06MapPrecond_Map_Type.map_func self) -> ([#"../06_map_precond.rs" 129 15 129 57] postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) r) -> ([#"../06_map_precond.rs" 132 30 132 34] inv10 self) -> ([#"../06_map_precond.rs" 132 36 132 37] inv11 e) -> ([#"../06_map_precond.rs" 132 48 132 49] inv9 r) -> ([#"../06_map_precond.rs" 132 54 132 55] inv7 f) -> ([#"../06_map_precond.rs" 132 65 132 69] inv0 iter) -> ([#"../06_map_precond.rs" 131 14 131 70] next_precondition0 iter ( ^ f) (Seq.snoc (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) e)) && ([#"../06_map_precond.rs" 130 14 130 69] preservation_inv0 iter ( ^ f) (Seq.snoc (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) e)) + axiom produces_one_invariant0_spec : forall self : C06MapPrecond_Map_Type.t_map i b f item0, e : item0, r : b, f : borrowed f, iter : i . 
([#"../06_map_precond.rs" 127 4 127 60] produces0 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) iter) + -> ([#"../06_map_precond.rs" 128 15 128 30] * f = C06MapPrecond_Map_Type.map_func self) + -> ([#"../06_map_precond.rs" 129 15 129 57] postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) r) + -> ([#"../06_map_precond.rs" 132 30 132 34] inv10 self) + -> ([#"../06_map_precond.rs" 132 36 132 37] inv11 e) + -> ([#"../06_map_precond.rs" 132 48 132 49] inv9 r) + -> ([#"../06_map_precond.rs" 132 54 132 55] inv7 f) + -> ([#"../06_map_precond.rs" 132 65 132 69] inv0 iter) + -> ([#"../06_map_precond.rs" 131 14 131 70] next_precondition0 iter ( ^ f) (Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e)) && ([#"../06_map_precond.rs" 130 14 130 69] preservation_inv0 iter ( ^ f) (Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e)) predicate resolve2 (self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) = [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve2 (self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) : bool ensures { result = resolve2 self } - predicate resolve1 (self : Ghost.ghost_ty (Seq.seq item0)) - val resolve1 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate resolve1 (self : Snapshot.snap_ty (Seq.seq item0)) + val resolve1 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = resolve1 self } - val call_mut0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) : b + val call_mut0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) : b requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 160 27 160 52] precondition0 ( * self) args} requires {inv7 self} requires {inv8 args} 
@@ -1568,11 +1877,12 @@ module C06MapPrecond_Impl0_Next var _3 : Core_Option_Option_Type.t_option item0; var _4 : borrowed i; var v : item0; - var produced : Ghost.ghost_ty (Seq.seq item0); + var produced : Snapshot.snap_ty (Seq.seq item0); var r : b; var _12 : borrowed f; - var _17 : Ghost.ghost_ty (); - var _20 : Ghost.ghost_ty (Seq.seq item0); + var _13 : (item0, Snapshot.snap_ty (Seq.seq item0)); + var _17 : Snapshot.snap_ty (); + var _20 : Snapshot.snap_ty (Seq.seq item0); { goto BB0 } 
@@ -1593,39 +1903,41 @@ module C06MapPrecond_Impl0_Next BB2 { assert { [@expl:type invariant] inv1 _3 }; assume { resolve0 _3 }; - [#"../06_map_precond.rs" 74 32 74 50] _20 <- ([#"../06_map_precond.rs" 74 32 74 50] Ghost.new (Seq.empty )); + [#"../06_map_precond.rs" 74 32 74 56] _20 <- ([#"../06_map_precond.rs" 74 32 74 56] Snapshot.new (Seq.empty )); goto BB14 } BB3 { goto BB5 } BB4 { - assert { [@expl:type invariant] inv1 _3 }; - assume { resolve0 _3 }; assert { [@expl:type invariant] inv4 self }; assume { resolve2 self }; + assert { [@expl:type invariant] inv1 _3 }; + assume { resolve0 _3 }; assert { [#"../06_map_precond.rs" 64 14 64 30] false }; absurd } BB5 { - [#"../06_map_precond.rs" 65 17 65 18] v <- ([#"../06_map_precond.rs" 65 17 65 18] Core_Option_Option_Type.some_0 _3); - [#"../06_map_precond.rs" 65 17 65 18] _3 <- (let Core_Option_Option_Type.C_Some x0 = _3 in Core_Option_Option_Type.C_Some (any item0)); + [#"../06_map_precond.rs" 65 17 65 18] v <- Core_Option_Option_Type.some_0 _3; + _3 <- (let Core_Option_Option_Type.C_Some x0 = _3 in Core_Option_Option_Type.C_Some (any item0)); assert { [@expl:type invariant] inv1 _3 }; assume { resolve0 _3 }; assert { [@expl:assertion] [#"../06_map_precond.rs" 66 16 66 76] precondition0 (C06MapPrecond_Map_Type.map_func ( * self)) (v, C06MapPrecond_Map_Type.map_produced ( * self)) }; goto BB6 } BB6 { - [#"../06_map_precond.rs" 67 31 67 60] produced <- ([#"../06_map_precond.rs" 67 31 67 60] Ghost.new (Seq.snoc (Ghost.inner (C06MapPrecond_Map_Type.map_produced ( * self))) v)); + [#"../06_map_precond.rs" 67 31 67 66] produced <- ([#"../06_map_precond.rs" 67 31 67 66] Snapshot.new (Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced ( * self))) v)); goto BB7 } BB7 { [#"../06_map_precond.rs" 68 24 68 35] _12 <- Borrow.borrow_final (C06MapPrecond_Map_Type.map_func ( * self)) (Borrow.inherit_id (Borrow.get_id self) 2); [#"../06_map_precond.rs" 68 24 68 35] self <- { self with current = (let 
C06MapPrecond_Map_Type.C_Map x0 x1 x2 = * self in C06MapPrecond_Map_Type.C_Map x0 ( ^ _12) x2) ; }; assume { inv2 ( ^ _12) }; - [#"../06_map_precond.rs" 68 24 68 53] r <- ([#"../06_map_precond.rs" 68 24 68 53] call_mut0 _12 ([#"../06_map_precond.rs" 68 24 68 53] (([#"../06_map_precond.rs" 68 36 68 37] v), ([#"../06_map_precond.rs" 68 39 68 52] C06MapPrecond_Map_Type.map_produced ( * self))))); + [#"../06_map_precond.rs" 68 24 68 53] _13 <- (v, C06MapPrecond_Map_Type.map_produced ( * self)); + v <- any item0; + [#"../06_map_precond.rs" 68 24 68 53] r <- ([#"../06_map_precond.rs" 68 24 68 53] call_mut0 _12 _13); _12 <- any borrowed f; - [#"../06_map_precond.rs" 68 36 68 37] v <- any item0; + _13 <- any (item0, Snapshot.snap_ty (Seq.seq item0)); goto BB8 } BB8 { 
@@ -1634,18 +1946,18 @@ module C06MapPrecond_Impl0_Next BB9 { assert { [@expl:type invariant] inv3 produced }; assume { resolve1 produced }; - [#"../06_map_precond.rs" 69 16 69 40] self <- { self with current = (let C06MapPrecond_Map_Type.C_Map x0 x1 x2 = * self in C06MapPrecond_Map_Type.C_Map x0 x1 ([#"../06_map_precond.rs" 69 32 69 40] produced)) ; }; + [#"../06_map_precond.rs" 69 16 69 40] self <- { self with current = (let C06MapPrecond_Map_Type.C_Map x0 x1 x2 = * self in C06MapPrecond_Map_Type.C_Map x0 x1 produced) ; }; assert { [@expl:type invariant] inv3 (C06MapPrecond_Map_Type.map_produced ( * self)) }; assume { resolve1 (C06MapPrecond_Map_Type.map_produced ( * self)) }; assert { [@expl:type invariant] inv4 self }; assume { resolve2 self }; - [#"../06_map_precond.rs" 70 16 70 52] _17 <- ([#"../06_map_precond.rs" 70 16 70 52] Ghost.new ()); + [#"../06_map_precond.rs" 70 16 70 58] _17 <- ([#"../06_map_precond.rs" 70 16 70 58] Snapshot.new ()); goto BB10 } BB10 { assume { resolve3 _17 }; - [#"../06_map_precond.rs" 71 16 71 23] _0 <- ([#"../06_map_precond.rs" 71 16 71 23] Core_Option_Option_Type.C_Some ([#"../06_map_precond.rs" 71 21 71 22] r)); - [#"../06_map_precond.rs" 71 21 71 22] r <- any b; + [#"../06_map_precond.rs" 71 16 71 23] _0 <- Core_Option_Option_Type.C_Some r; + r <- any b; goto BB11 } BB11 { 
@@ -1658,13 +1970,13 @@ module C06MapPrecond_Impl0_Next goto BB15 } BB14 { - [#"../06_map_precond.rs" 74 16 74 50] self <- { self with current = (let C06MapPrecond_Map_Type.C_Map x0 x1 x2 = * self in C06MapPrecond_Map_Type.C_Map x0 x1 ([#"../06_map_precond.rs" 74 16 74 50] _20)) ; }; - [#"../06_map_precond.rs" 74 16 74 50] _20 <- any Ghost.ghost_ty (Seq.seq item0); + [#"../06_map_precond.rs" 74 16 74 56] self <- { self with current = (let C06MapPrecond_Map_Type.C_Map x0 x1 x2 = * self in C06MapPrecond_Map_Type.C_Map x0 x1 _20) ; }; + _20 <- any Snapshot.snap_ty (Seq.seq item0); assert { [@expl:type invariant] inv3 (C06MapPrecond_Map_Type.map_produced ( * self)) }; assume { resolve1 (C06MapPrecond_Map_Type.map_produced ( * self)) }; assert { [@expl:type invariant] inv4 self }; assume { resolve2 self }; - [#"../06_map_precond.rs" 75 16 75 20] _0 <- ([#"../06_map_precond.rs" 75 16 75 20] Core_Option_Option_Type.C_None); + [#"../06_map_precond.rs" 75 16 75 20] _0 <- Core_Option_Option_Type.C_None; goto BB15 } BB15 { 
@@ -1681,40 +1993,40 @@ module C06MapPrecond_Map type f type item0 use seq.Seq - use prelude.Ghost - predicate invariant9 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) - val invariant9 (self : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + use prelude.Snapshot + predicate invariant9 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) + val invariant9 (self : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = invariant9 self } - predicate inv9 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) - val inv9 (_x : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate inv9 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) + val inv9 (_x : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = inv9 _x } - axiom inv9 : forall x : (item0, Ghost.ghost_ty (Seq.seq item0)) . inv9 x = true - predicate invariant8 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant8 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + axiom inv9 : forall x : (item0, Snapshot.snap_ty (Seq.seq item0)) . inv9 x = true + predicate invariant8 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant8 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant8 self } - predicate inv8 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv8 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate inv8 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv8 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv8 _x } - axiom inv8 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv8 x = true + axiom inv8 : forall x : Snapshot.snap_ty (Seq.seq item0) . 
inv8 x = true predicate resolve0 (self : f) val resolve0 (self : f) : bool ensures { result = resolve0 self } use prelude.Borrow - predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_mut0 self _2 _3 } predicate inv6 (_x : borrowed f) val inv6 (_x : borrowed f) : bool ensures { result = inv6 _x } - predicate postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_once0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_once0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_once0 self _2 _3 } predicate inv5 (_x : b) 
@@ -1725,14 +2037,17 @@ module C06MapPrecond_Map val inv2 (_x : f) : bool ensures { result = inv2 _x } - function fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val fn_mut_once0 (self : f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + function fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + val fn_mut_once0 (self : f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv9 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv5 res} ensures { result = fn_mut_once0 self args res } - axiom fn_mut_once0_spec : forall self : f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv9 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv5 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) + axiom fn_mut_once0_spec : forall self : f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 19 123 23] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 25 123 29] inv9 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 123 37 123 40] inv5 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 122 14 122 135] postcondition_once0 self args res = (exists s : borrowed f . 
inv6 s /\ * s = self /\ postcondition_mut0 s args res /\ resolve0 ( ^ s))) predicate unnest0 (self : f) (_2 : f) val unnest0 (self : f) (_2 : f) : bool ensures { result = unnest0 self _2 } 
@@ -1746,22 +2061,33 @@ module C06MapPrecond_Map requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c} ensures { result = unnest_trans0 self b c } - axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv2 b) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) + axiom unnest_trans0_spec : forall self : f, b : f, c : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 114 15 114 29] unnest0 self b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 115 15 115 26] unnest0 b c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 20 117 24] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 26 117 27] inv2 b) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 117 35 117 36] inv2 c) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 116 14 116 28] unnest0 self c) function unnest_refl0 (self : f) : () val unnest_refl0 (self : f) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self} ensures { result = unnest_refl0 self } - axiom unnest_refl0_spec : forall self : f . ([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) - function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () - val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (res : b) : () + axiom unnest_refl0_spec : forall self : f . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 110 19 110 23] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 109 14 109 31] unnest0 self self) + function postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () + + val postcondition_mut_unnest0 (self : borrowed f) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (res : b) : () requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv9 args} requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv5 res} ensures { result = postcondition_mut_unnest0 self args res } - axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Ghost.ghost_ty (Seq.seq item0)), res : b . ([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv9 args) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv5 res) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) + axiom postcondition_mut_unnest0_spec : forall self : borrowed f, args : (item0, Snapshot.snap_ty (Seq.seq item0)), res : b . 
([#"../../../../../creusot-contracts/src/std/ops.rs" 103 15 103 48] postcondition_mut0 self args res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 37 105 41] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 43 105 47] inv9 args) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 105 55 105 58] inv5 res) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 104 14 104 35] unnest0 ( * self) ( ^ self)) predicate invariant7 (self : Seq.seq item0) val invariant7 (self : Seq.seq item0) : bool ensures { result = invariant7 self } @@ -1794,11 +2120,11 @@ module C06MapPrecond_Map val inv0 (_x : i) : bool ensures { result = inv0 _x } - predicate precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) - val precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + predicate precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) + val precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = precondition0 self _2 } - use prelude.Ghost + use prelude.Snapshot predicate produces0 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) val produces0 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) : bool ensures { result = produces0 self visited o } 
@@ -1809,40 +2135,65 @@ module C06MapPrecond_Map ensures { result = inv1 _x } predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv0 i -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv0 i + -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } use seq.Seq use seq.Seq predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv5 b -> inv6 f -> inv1 e2 -> inv1 e1 -> inv7 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv0 i + -> inv5 b + -> inv6 f + -> inv1 e2 + -> inv1 e1 + -> inv7 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } use seq.Seq predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv0 i -> inv5 b -> inv6 f -> inv1 e2 -> inv1 e1 -> inv7 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv0 i + -> inv5 b + -> inv6 f + -> inv1 e2 + -> inv1 e1 + -> inv7 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv0 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv2 func} requires {[#"../06_map_precond.rs" 93 42 93 50] inv7 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv0 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv2 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv7 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) - use prelude.Ghost + axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv0 iter) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv2 func) + -> ([#"../06_map_precond.rs" 93 42 93 50] inv7 produced) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) + use prelude.Snapshot predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed0 self } predicate reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) = - [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . 
inv2 func -> inv4 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . inv2 func + -> inv4 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } use C06MapPrecond_Map_Type as C06MapPrecond_Map_Type predicate invariant3 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) + [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) val invariant3 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = invariant3 self } 
@@ -1880,27 +2231,35 @@ module C06MapPrecond_Map requires {[#"../common.rs" 21 82 21 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv0 a) -> ([#"../common.rs" 21 31 21 33] inv7 ab) -> ([#"../common.rs" 21 52 21 53] inv0 b) -> ([#"../common.rs" 21 61 21 63] inv7 bc) -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv0 a) + -> ([#"../common.rs" 21 31 21 33] inv7 ab) + -> ([#"../common.rs" 21 52 21 53] inv0 b) + -> ([#"../common.rs" 21 61 21 63] inv7 bc) + -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) let rec cfg map [#"../06_map_precond.rs" 170 0 173 17] [@cfg:stackify] [@cfg:subregion_analysis] (iter : i) (func : f) : C06MapPrecond_Map_Type.t_map i b f item0 - requires {[#"../06_map_precond.rs" 166 0 166 128] forall i2 : i . forall e : item0 . 
inv0 i2 -> inv1 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e, Ghost.new (Seq.empty ))} + requires {[#"../06_map_precond.rs" 166 0 166 131] forall i2 : i . forall e : item0 . inv0 i2 + -> inv1 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} requires {[#"../06_map_precond.rs" 167 11 167 41] reinitialize0 ()} requires {[#"../06_map_precond.rs" 168 11 168 51] preservation0 iter func} requires {[#"../06_map_precond.rs" 171 4 171 8] inv0 iter} requires {[#"../06_map_precond.rs" 172 4 172 8] inv2 func} - ensures { [#"../06_map_precond.rs" 169 10 169 72] result = C06MapPrecond_Map_Type.C_Map iter func (Ghost.new (Seq.empty )) } + ensures { [#"../06_map_precond.rs" 169 10 169 75] result = C06MapPrecond_Map_Type.C_Map iter func (Snapshot.new (Seq.empty )) } ensures { [#"../06_map_precond.rs" 173 5 173 17] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : C06MapPrecond_Map_Type.t_map i b f item0; var iter : i = iter; var func : f = func; - var _9 : Ghost.ghost_ty (Seq.seq item0); + var _9 : Snapshot.snap_ty (Seq.seq item0); { goto BB0 } @@ -1914,14 +2273,14 @@ module C06MapPrecond_Map goto BB3 } BB3 { - [#"../06_map_precond.rs" 174 32 174 48] _9 <- ([#"../06_map_precond.rs" 174 32 174 48] Ghost.new (Seq.empty )); + [#"../06_map_precond.rs" 174 32 174 54] _9 <- ([#"../06_map_precond.rs" 174 32 174 54] Snapshot.new (Seq.empty )); goto BB4 } BB4 { - [#"../06_map_precond.rs" 174 4 174 50] _0 <- ([#"../06_map_precond.rs" 174 4 174 50] C06MapPrecond_Map_Type.C_Map ([#"../06_map_precond.rs" 174 10 174 14] iter) ([#"../06_map_precond.rs" 174 16 174 20] func) _9); - [#"../06_map_precond.rs" 174 10 174 14] iter <- any i; - [#"../06_map_precond.rs" 174 16 174 20] func <- any f; - _9 <- any Ghost.ghost_ty (Seq.seq item0); + [#"../06_map_precond.rs" 174 4 174 56] _0 <- C06MapPrecond_Map_Type.C_Map iter func _9; + iter <- any i; + func <- any f; + _9 <- any Snapshot.snap_ty (Seq.seq item0); goto BB5 } BB5 { 
@@ -1942,7 +2301,7 @@ module C06MapPrecond_Identity_Closure0_Type use seq.Seq use seq.Seq use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.Int16 type c06mapprecond_identity_closure0 'i = | C06MapPrecond_Identity_Closure0 @@ -1979,16 +2338,16 @@ module C06MapPrecond_Identity_Closure0 ensures { result = inv1 _x } axiom inv1 : forall x : item0 . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant0 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant0 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv0 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate inv0 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv0 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (Seq.seq item0) . inv0 x = true use seq.Seq predicate produces0 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) val produces0 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) : bool 
@@ -2006,14 +2365,21 @@ module C06MapPrecond_Identity_Closure0 requires {[#"../common.rs" 21 82 21 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv2 a) -> ([#"../common.rs" 21 31 21 33] inv3 ab) -> ([#"../common.rs" 21 52 21 53] inv2 b) -> ([#"../common.rs" 21 61 21 63] inv3 bc) -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv2 a) + -> ([#"../common.rs" 21 31 21 33] inv3 ab) + -> ([#"../common.rs" 21 52 21 53] inv2 b) + -> ([#"../common.rs" 21 61 21 63] inv3 bc) + -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) use prelude.Int16 use C06MapPrecond_Identity_Closure0_Type as C06MapPrecond_Identity_Closure0 predicate unnest0 [#"../06_map_precond.rs" 178 14 178 20] (self : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) (_2 : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) 
@@ -2026,11 +2392,11 @@ module C06MapPrecond_Identity_Closure0 val resolve1 (self : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i)) : bool ensures { result = resolve1 self } - predicate resolve0 (self : Ghost.ghost_ty (Seq.seq item0)) - val resolve0 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate resolve0 (self : Snapshot.snap_ty (Seq.seq item0)) + val resolve0 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = resolve0 self } - let rec cfg c06MapPrecond_Identity_Closure0 [#"../06_map_precond.rs" 178 14 178 20] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i)) (x : item0) (_3 : Ghost.ghost_ty (Seq.seq item0)) : item0 + let rec cfg c06MapPrecond_Identity_Closure0 [#"../06_map_precond.rs" 178 14 178 20] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i)) (x : item0) (_3 : Snapshot.snap_ty (Seq.seq item0)) : item0 requires {[#"../06_map_precond.rs" 178 15 178 16] inv1 x} requires {inv0 _3} ensures { unnest0 ( * _1) ( ^ _1) } @@ -2040,13 +2406,13 @@ module C06MapPrecond_Identity_Closure0 var _0 : item0; var _1 : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) = _1; var x : item0 = x; - var _3 : Ghost.ghost_ty (Seq.seq item0) = _3; + var _3 : Snapshot.snap_ty (Seq.seq item0) = _3; { goto BB0 } BB0 { - [#"../06_map_precond.rs" 178 21 178 22] _0 <- ([#"../06_map_precond.rs" 178 21 178 22] x); - [#"../06_map_precond.rs" 178 21 178 22] x <- any item0; + [#"../06_map_precond.rs" 178 21 178 22] _0 <- x; + x <- any item0; assert { [@expl:type invariant] inv0 _3 }; assume { resolve0 _3 }; assume { resolve1 _1 }; 
@@ -2061,16 +2427,16 @@ module C06MapPrecond_Identity type i type item0 use seq.Seq - use prelude.Ghost - predicate invariant7 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant7 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + use prelude.Snapshot + predicate invariant7 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant7 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant7 self } - predicate inv7 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv7 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate inv7 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv7 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv7 _x } - axiom inv7 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv7 x = true + axiom inv7 : forall x : Snapshot.snap_ty (Seq.seq item0) . inv7 x = true predicate invariant6 (self : Seq.seq item0) val invariant6 (self : Seq.seq item0) : bool ensures { result = invariant6 self } 
@@ -2145,24 +2511,32 @@ module C06MapPrecond_Identity requires {[#"../common.rs" 21 82 21 83] inv1 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv1 a) -> ([#"../common.rs" 21 31 21 33] inv6 ab) -> ([#"../common.rs" 21 52 21 53] inv1 b) -> ([#"../common.rs" 21 61 21 63] inv6 bc) -> ([#"../common.rs" 21 82 21 83] inv1 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv1 a) + -> ([#"../common.rs" 21 31 21 33] inv6 ab) + -> ([#"../common.rs" 21 52 21 53] inv1 b) + -> ([#"../common.rs" 21 61 21 63] inv6 bc) + -> ([#"../common.rs" 21 82 21 83] inv1 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv1 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv1 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) - predicate precondition0 [#"../06_map_precond.rs" 178 14 178 20] (self : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) + axiom produces_refl0_spec : forall self : i . 
([#"../common.rs" 15 21 15 25] inv1 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + predicate precondition0 [#"../06_map_precond.rs" 178 14 178 20] (self : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) = let (x, _3) = args in true - use prelude.Ghost + use prelude.Snapshot use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv1 i -> inv2 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv1 i + -> inv2 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } @@ -2170,7 +2544,7 @@ module C06MapPrecond_Identity = true - predicate postcondition_mut0 [#"../06_map_precond.rs" 178 14 178 20] (self : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i)) (args : (item0, Ghost.ghost_ty (Seq.seq item0))) (result : item0) + predicate postcondition_mut0 [#"../06_map_precond.rs" 178 14 178 20] (self : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i)) (args : (item0, Snapshot.snap_ty (Seq.seq item0))) (result : item0) = (let (x, _3) = args in true) /\ unnest0 ( * self) ( ^ self) 
@@ -2178,28 +2552,52 @@ module C06MapPrecond_Identity predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : item0 . forall f : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv1 i -> inv2 b -> inv5 f -> inv2 e2 -> inv2 e1 -> inv6 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : item0 . forall f : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv1 i + -> inv2 b + -> inv5 f + -> inv2 e2 + -> inv2 e1 + -> inv6 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) : bool ensures { result = preservation0 iter func } predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : item0 . forall f : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv1 i -> inv2 b -> inv5 f -> inv2 e2 -> inv2 e1 -> inv6 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : item0 . forall f : borrowed (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv1 i + -> inv2 b + -> inv5 f + -> inv2 e2 + -> inv2 e1 + -> inv6 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv1 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv3 func} requires {[#"../06_map_precond.rs" 93 42 93 50] inv6 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : i, func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv1 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv3 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv6 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) - use prelude.Ghost + axiom preservation_inv0_spec : forall iter : i, func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i, produced : Seq.seq item0 . 
([#"../06_map_precond.rs" 93 24 93 28] inv1 iter) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv3 func) + -> ([#"../06_map_precond.rs" 93 42 93 50] inv6 produced) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) + use prelude.Snapshot predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed0 self } predicate reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) = - [#"../06_map_precond.rs" 118 8 123 9] forall func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i . forall iter : borrowed i . inv3 func -> inv4 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../06_map_precond.rs" 118 8 123 9] forall func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i . forall iter : borrowed i . inv3 func + -> inv4 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -2207,7 +2605,7 @@ module C06MapPrecond_Identity predicate invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i item0 (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) item0) = - [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) + [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) val invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i item0 (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) item0) : bool ensures { result = invariant0 self } 
@@ -2225,12 +2623,13 @@ module C06MapPrecond_Identity ensures { result = resolve0 self } val map0 [#"../06_map_precond.rs" 170 0 173 17] (iter : i) (func : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) : C06MapPrecond_Map_Type.t_map i item0 (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) item0 - requires {[#"../06_map_precond.rs" 166 0 166 128] forall i2 : i . forall e : item0 . inv1 i2 -> inv2 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e, Ghost.new (Seq.empty ))} + requires {[#"../06_map_precond.rs" 166 0 166 131] forall i2 : i . forall e : item0 . inv1 i2 + -> inv2 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} requires {[#"../06_map_precond.rs" 167 11 167 41] reinitialize0 ()} requires {[#"../06_map_precond.rs" 168 11 168 51] preservation0 iter func} requires {[#"../06_map_precond.rs" 171 4 171 8] inv1 iter} requires {[#"../06_map_precond.rs" 172 4 172 8] inv3 func} - ensures { [#"../06_map_precond.rs" 169 10 169 72] result = C06MapPrecond_Map_Type.C_Map iter func (Ghost.new (Seq.empty )) } + ensures { [#"../06_map_precond.rs" 169 10 169 75] result = C06MapPrecond_Map_Type.C_Map iter func (Snapshot.new (Seq.empty )) } ensures { [#"../06_map_precond.rs" 173 5 173 17] inv0 result } let rec cfg identity [#"../06_map_precond.rs" 177 0 177 37] [@cfg:stackify] [@cfg:subregion_analysis] (iter : i) : () 
@@ -2240,12 +2639,15 @@ module C06MapPrecond_Identity var _0 : (); var iter : i = iter; var _2 : C06MapPrecond_Map_Type.t_map i item0 (C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i) item0; + var _4 : C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i; { goto BB0 } BB0 { - [#"../06_map_precond.rs" 178 4 178 23] _2 <- ([#"../06_map_precond.rs" 178 4 178 23] map0 ([#"../06_map_precond.rs" 178 8 178 12] iter) ([#"../06_map_precond.rs" 178 14 178 22] C06MapPrecond_Identity_Closure0.C06MapPrecond_Identity_Closure0)); - [#"../06_map_precond.rs" 178 8 178 12] iter <- any i; + [#"../06_map_precond.rs" 178 14 178 22] _4 <- C06MapPrecond_Identity_Closure0.C06MapPrecond_Identity_Closure0; + [#"../06_map_precond.rs" 178 4 178 23] _2 <- ([#"../06_map_precond.rs" 178 4 178 23] map0 iter _4); + iter <- any i; + _4 <- any C06MapPrecond_Identity_Closure0.c06mapprecond_identity_closure0 i; goto BB1 } BB1 { @@ -2265,7 +2667,7 @@ end module C06MapPrecond_Increment_Closure2_Type use prelude.UInt32 use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.Int16 type c06mapprecond_increment_closure2 'u = | C06MapPrecond_Increment_Closure2 @@ -2276,7 +2678,7 @@ module C06MapPrecond_Increment_Closure2 use prelude.Int16 use prelude.UInt32 use seq.Seq - use prelude.Ghost + use prelude.Snapshot use C06MapPrecond_Increment_Closure2_Type as C06MapPrecond_Increment_Closure2 predicate unnest0 [#"../06_map_precond.rs" 189 8 189 35] (self : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) (_2 : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) 
@@ -2290,7 +2692,7 @@ module C06MapPrecond_Increment_Closure2 val resolve0 (self : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u)) : bool ensures { result = resolve0 self } - let rec cfg c06MapPrecond_Increment_Closure2 [#"../06_map_precond.rs" 189 8 189 35] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u)) (x : uint32) (_3 : Ghost.ghost_ty (Seq.seq uint32)) : uint32 + let rec cfg c06MapPrecond_Increment_Closure2 [#"../06_map_precond.rs" 189 8 189 35] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u)) (x : uint32) (_3 : Snapshot.snap_ty (Seq.seq uint32)) : uint32 requires {[#"../06_map_precond.rs" 188 19 188 27] UInt32.to_int x <= 15} ensures { [#"../06_map_precond.rs" 189 18 189 33] UInt32.to_int result = UInt32.to_int x + 1 } ensures { unnest0 ( * _1) ( ^ _1) } @@ -2306,9 +2708,9 @@ module C06MapPrecond_Increment_Closure2 } BB0 { assume { resolve0 _1 }; - [#"../06_map_precond.rs" 190 20 190 25] res1 <- ([#"../06_map_precond.rs" 190 20 190 25] ([#"../06_map_precond.rs" 190 20 190 21] x) + ([#"../06_map_precond.rs" 190 24 190 25] [#"../06_map_precond.rs" 190 24 190 25] (1 : uint32))); - [#"../06_map_precond.rs" 188 8 188 29] res <- ([#"../06_map_precond.rs" 188 8 188 29] res1); - [#"../06_map_precond.rs" 189 8 189 35] _0 <- ([#"../06_map_precond.rs" 189 8 189 35] res); + [#"../06_map_precond.rs" 190 20 190 25] res1 <- x + ([#"../06_map_precond.rs" 190 24 190 25] (1 : uint32)); + [#"../06_map_precond.rs" 188 8 188 29] res <- res1; + [#"../06_map_precond.rs" 189 8 189 35] _0 <- res; return _0 } 
@@ -2317,17 +2719,17 @@ module C06MapPrecond_Increment type u use prelude.UInt32 use seq.Seq - use prelude.Ghost - predicate invariant8 (self : Ghost.ghost_ty (Seq.seq uint32)) = + use prelude.Snapshot + predicate invariant8 (self : Snapshot.snap_ty (Seq.seq uint32)) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true - val invariant8 (self : Ghost.ghost_ty (Seq.seq uint32)) : bool + val invariant8 (self : Snapshot.snap_ty (Seq.seq uint32)) : bool ensures { result = invariant8 self } - predicate inv8 (_x : Ghost.ghost_ty (Seq.seq uint32)) - val inv8 (_x : Ghost.ghost_ty (Seq.seq uint32)) : bool + predicate inv8 (_x : Snapshot.snap_ty (Seq.seq uint32)) + val inv8 (_x : Snapshot.snap_ty (Seq.seq uint32)) : bool ensures { result = inv8 _x } - axiom inv8 : forall x : Ghost.ghost_ty (Seq.seq uint32) . inv8 x = true + axiom inv8 : forall x : Snapshot.snap_ty (Seq.seq uint32) . inv8 x = true use prelude.Int16 use C06MapPrecond_Increment_Closure2_Type as C06MapPrecond_Increment_Closure2 use prelude.Borrow 
@@ -2408,14 +2810,21 @@ module C06MapPrecond_Increment requires {[#"../common.rs" 21 82 21 83] inv2 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : u, ab : Seq.seq uint32, b : u, bc : Seq.seq uint32, c : u . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv2 a) -> ([#"../common.rs" 21 31 21 33] inv5 ab) -> ([#"../common.rs" 21 52 21 53] inv2 b) -> ([#"../common.rs" 21 61 21 63] inv5 bc) -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : u, ab : Seq.seq uint32, b : u, bc : Seq.seq uint32, c : u . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv2 a) + -> ([#"../common.rs" 21 31 21 33] inv5 ab) + -> ([#"../common.rs" 21 52 21 53] inv2 b) + -> ([#"../common.rs" 21 61 21 63] inv5 bc) + -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 [#"../common.rs" 15 4 15 27] (self : u) : () val produces_refl1 [#"../common.rs" 15 4 15 27] (self : u) : () requires {[#"../common.rs" 15 21 15 25] inv2 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : u . ([#"../common.rs" 15 21 15 25] inv2 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : u . ([#"../common.rs" 15 21 15 25] inv2 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : borrowed u) val invariant1 (self : borrowed u) : bool ensures { result = invariant1 self } 
@@ -2437,30 +2846,32 @@ module C06MapPrecond_Increment true use prelude.UInt32 use prelude.Int - predicate postcondition_mut0 [#"../06_map_precond.rs" 189 8 189 35] (self : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u)) (args : (uint32, Ghost.ghost_ty (Seq.seq uint32))) (result : uint32) + predicate postcondition_mut0 [#"../06_map_precond.rs" 189 8 189 35] (self : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u)) (args : (uint32, Snapshot.snap_ty (Seq.seq uint32))) (result : uint32) = (let (x, _3) = args in UInt32.to_int result = UInt32.to_int x + 1) /\ unnest0 ( * self) ( ^ self) - predicate precondition0 [#"../06_map_precond.rs" 189 8 189 35] (self : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) (args : (uint32, Ghost.ghost_ty (Seq.seq uint32))) + predicate precondition0 [#"../06_map_precond.rs" 189 8 189 35] (self : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) (args : (uint32, Snapshot.snap_ty (Seq.seq uint32))) = [#"../06_map_precond.rs" 188 19 188 27] let (x, _3) = args in UInt32.to_int x <= 15 - use prelude.Ghost + use prelude.Snapshot use seq_ext.SeqExt use seq.Seq use seq.Seq use seq.Seq - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot use seq.Seq predicate produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32) (visited : Seq.seq uint32) (succ : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32) = - [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq uint32 . 
inv5 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Ghost.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u)) . inv6 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq uint32 . inv5 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u)) . inv6 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C06MapPrecond_Map_Type.map_func self = C06MapPrecond_Map_Type.map_func succ else * Seq.get fs 0 = C06MapPrecond_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C06MapPrecond_Map_Type.map_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32) (visited : Seq.seq uint32) (succ : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32) : bool ensures { result = produces0 self visited succ } 
@@ -2478,7 +2889,14 @@ module C06MapPrecond_Increment requires {[#"../06_map_precond.rs" 38 82 38 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32, ab : Seq.seq uint32, b : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32, bc : Seq.seq uint32, c : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32 . ([#"../06_map_precond.rs" 35 15 35 32] produces0 a ab b) -> ([#"../06_map_precond.rs" 36 15 36 32] produces0 b bc c) -> ([#"../06_map_precond.rs" 38 22 38 23] inv0 a) -> ([#"../06_map_precond.rs" 38 31 38 33] inv5 ab) -> ([#"../06_map_precond.rs" 38 52 38 53] inv0 b) -> ([#"../06_map_precond.rs" 38 61 38 63] inv5 bc) -> ([#"../06_map_precond.rs" 38 82 38 83] inv0 c) -> ([#"../06_map_precond.rs" 37 14 37 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32, ab : Seq.seq uint32, b : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32, bc : Seq.seq uint32, c : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32 . 
([#"../06_map_precond.rs" 35 15 35 32] produces0 a ab b) + -> ([#"../06_map_precond.rs" 36 15 36 32] produces0 b bc c) + -> ([#"../06_map_precond.rs" 38 22 38 23] inv0 a) + -> ([#"../06_map_precond.rs" 38 31 38 33] inv5 ab) + -> ([#"../06_map_precond.rs" 38 52 38 53] inv0 b) + -> ([#"../06_map_precond.rs" 38 61 38 63] inv5 bc) + -> ([#"../06_map_precond.rs" 38 82 38 83] inv0 c) + -> ([#"../06_map_precond.rs" 37 14 37 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 [#"../06_map_precond.rs" 31 4 31 26] (self : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32) : () = 
@@ -2487,12 +2905,14 @@ module C06MapPrecond_Increment requires {[#"../06_map_precond.rs" 31 21 31 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32 . ([#"../06_map_precond.rs" 31 21 31 25] inv0 self) -> ([#"../06_map_precond.rs" 30 14 30 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32 . ([#"../06_map_precond.rs" 31 21 31 25] inv0 self) + -> ([#"../06_map_precond.rs" 30 14 30 45] produces0 self (Seq.empty ) self) use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : u) (func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) (produced : Seq.seq uint32) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : u . forall e : uint32 . inv2 i -> inv3 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : u . forall e : uint32 . inv2 i + -> inv3 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : u) (func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) (produced : Seq.seq uint32) : bool ensures { result = next_precondition0 iter func produced } 
@@ -2500,34 +2920,58 @@ module C06MapPrecond_Increment predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : u) (func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : u . forall b : uint32 . forall f : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i -> inv3 b -> inv7 f -> inv3 e2 -> inv3 e1 -> inv5 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : u . forall b : uint32 . forall f : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i + -> inv3 b + -> inv7 f + -> inv3 e2 + -> inv3 e1 + -> inv5 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : u) (func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) : bool ensures { result = preservation0 iter func } predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : u) (func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) (produced : Seq.seq uint32) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : u . forall b : uint32 . forall f : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . 
inv2 i -> inv3 b -> inv7 f -> inv3 e2 -> inv3 e1 -> inv5 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : u . forall b : uint32 . forall f : borrowed (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i + -> inv3 b + -> inv7 f + -> inv3 e2 + -> inv3 e1 + -> inv5 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : u) (func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) (produced : Seq.seq uint32) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv2 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv4 func} requires {[#"../06_map_precond.rs" 93 42 93 50] inv5 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : u, func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u, produced : Seq.seq uint32 . ([#"../06_map_precond.rs" 93 24 93 28] inv2 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv4 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv5 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) + axiom preservation_inv0_spec : forall iter : u, func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u, produced : Seq.seq uint32 . 
([#"../06_map_precond.rs" 93 24 93 28] inv2 iter) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv4 func) + -> ([#"../06_map_precond.rs" 93 42 93 50] inv5 produced) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed u) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed u) : bool ensures { result = completed0 self } predicate reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) = - [#"../06_map_precond.rs" 118 8 123 9] forall func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u . forall iter : borrowed u . inv4 func -> inv1 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../06_map_precond.rs" 118 8 123 9] forall func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u . forall iter : borrowed u . inv4 func + -> inv1 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } predicate invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32) = - [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) + [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) /\ 
next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) val invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32) : bool ensures { result = invariant0 self } 
@@ -2540,23 +2984,30 @@ module C06MapPrecond_Increment ensures { result = resolve0 self } val map0 [#"../06_map_precond.rs" 170 0 173 17] (iter : u) (func : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32 - requires {[#"../06_map_precond.rs" 166 0 166 128] forall i2 : u . forall e : uint32 . inv2 i2 -> inv3 e -> produces1 iter (Seq.singleton e) i2 -> precondition0 func (e, Ghost.new (Seq.empty ))} + requires {[#"../06_map_precond.rs" 166 0 166 131] forall i2 : u . forall e : uint32 . inv2 i2 + -> inv3 e -> produces1 iter (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} requires {[#"../06_map_precond.rs" 167 11 167 41] reinitialize0 ()} requires {[#"../06_map_precond.rs" 168 11 168 51] preservation0 iter func} requires {[#"../06_map_precond.rs" 171 4 171 8] inv2 iter} requires {[#"../06_map_precond.rs" 172 4 172 8] inv4 func} - ensures { [#"../06_map_precond.rs" 169 10 169 72] result = C06MapPrecond_Map_Type.C_Map iter func (Ghost.new (Seq.empty )) } + ensures { [#"../06_map_precond.rs" 169 10 169 75] result = C06MapPrecond_Map_Type.C_Map iter func (Snapshot.new (Seq.empty )) } ensures { [#"../06_map_precond.rs" 173 5 173 17] inv0 result } let rec cfg increment [#"../06_map_precond.rs" 185 0 185 50] [@cfg:stackify] [@cfg:subregion_analysis] (iter : u) : () - requires {[#"../06_map_precond.rs" 181 0 181 158] forall done' : borrowed u . inv1 done' -> completed0 done' -> (forall steps : Seq.seq uint32 . forall next : u . inv2 next -> produces1 ( ^ done') steps next -> steps = Seq.empty /\ ^ done' = next)} - requires {[#"../06_map_precond.rs" 182 0 184 2] forall fin : u . forall prod : Seq.seq uint32 . inv2 fin -> produces1 iter prod fin -> (forall x : int . 0 <= x /\ x < Seq.length prod -> Seq.get prod x <= (10 : uint32))} + requires {[#"../06_map_precond.rs" 181 0 181 158] forall done' : borrowed u . 
inv1 done' + -> completed0 done' + -> (forall steps : Seq.seq uint32 . forall next : u . inv2 next + -> produces1 ( ^ done') steps next -> steps = Seq.empty /\ ^ done' = next)} + requires {[#"../06_map_precond.rs" 182 0 184 2] forall fin : u . forall prod : Seq.seq uint32 . inv2 fin + -> produces1 iter prod fin + -> (forall x : int . 0 <= x /\ x < Seq.length prod -> Seq.get prod x <= (10 : uint32))} requires {[#"../06_map_precond.rs" 185 42 185 46] inv2 iter} = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var iter : u = iter; var i : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32; + var _6 : C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u; { goto BB0 } 
@@ -2564,14 +3015,17 @@ module C06MapPrecond_Increment goto BB1 } BB1 { - [#"../06_map_precond.rs" 186 12 191 5] i <- ([#"../06_map_precond.rs" 186 12 191 5] map0 ([#"../06_map_precond.rs" 187 8 187 12] iter) ([#"../06_map_precond.rs" 189 8 189 35] C06MapPrecond_Increment_Closure2.C06MapPrecond_Increment_Closure2)); - [#"../06_map_precond.rs" 187 8 187 12] iter <- any u; + [#"../06_map_precond.rs" 189 8 189 35] _6 <- C06MapPrecond_Increment_Closure2.C06MapPrecond_Increment_Closure2; + [#"../06_map_precond.rs" 186 12 191 5] i <- ([#"../06_map_precond.rs" 186 12 191 5] map0 iter _6); + iter <- any u; + _6 <- any C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u; goto BB2 } BB2 { assert { [@expl:type invariant] inv0 i }; assume { resolve0 i }; - assert { [@expl:assertion] [#"../06_map_precond.rs" 193 4 196 5] forall fin : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32 . forall prod : Seq.seq uint32 . inv0 fin -> produces0 i prod fin -> (forall x : int . 0 <= x /\ x < Seq.length prod -> Seq.get prod x <= (11 : uint32)) }; + assert { [@expl:assertion] [#"../06_map_precond.rs" 193 4 196 5] forall fin : C06MapPrecond_Map_Type.t_map u uint32 (C06MapPrecond_Increment_Closure2.c06mapprecond_increment_closure2 u) uint32 . forall prod : Seq.seq uint32 . inv0 fin + -> produces0 i prod fin -> (forall x : int . 0 <= x /\ x < Seq.length prod -> Seq.get prod x <= (11 : uint32)) }; goto BB3 } BB3 { @@ -2589,7 +3043,7 @@ end module C06MapPrecond_Counter_Closure2_Type use prelude.UInt32 use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.Int16 use prelude.UIntSize use prelude.Int @@ -2603,7 +3057,7 @@ module C06MapPrecond_Counter_Closure2 use prelude.Int16 use prelude.UInt32 use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.Int use prelude.UIntSize use prelude.Borrow 
@@ -2622,15 +3076,15 @@ module C06MapPrecond_Counter_Closure2 let constant max0 : usize = [@vc:do_not_keep_trace] [@vc:sp] (18446744073709551615 : usize) use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.UIntSize predicate resolve0 (self : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i)) = [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve0 (self : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i)) : bool ensures { result = resolve0 self } - let rec cfg c06MapPrecond_Counter_Closure2 [#"../06_map_precond.rs" 206 8 206 41] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i)) (x : uint32) (_prod : Ghost.ghost_ty (Seq.seq uint32)) : uint32 - requires {[#"../06_map_precond.rs" 205 19 205 61] UIntSize.to_int ( * field_00 ( * _1)) = Seq.length (Ghost.inner _prod) /\ * field_00 ( * _1) < max0} + let rec cfg c06MapPrecond_Counter_Closure2 [#"../06_map_precond.rs" 206 8 206 41] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i)) (x : uint32) (_prod : Snapshot.snap_ty (Seq.seq uint32)) : uint32 + requires {[#"../06_map_precond.rs" 205 19 205 61] UIntSize.to_int ( * field_00 ( * _1)) = Seq.length (Snapshot.inner _prod) /\ * field_00 ( * _1) < max0} ensures { [#"../06_map_precond.rs" 206 18 206 39] UIntSize.to_int ( * field_00 ( ^ _1)) = UIntSize.to_int ( * field_00 ( * _1)) + 1 } ensures { unnest0 ( * _1) ( ^ _1) } 
@@ -2644,11 +3098,11 @@ module C06MapPrecond_Counter_Closure2 goto BB0 } BB0 { - [#"../06_map_precond.rs" 208 12 208 20] _1 <- { _1 with current = (let C06MapPrecond_Counter_Closure2.C06MapPrecond_Counter_Closure2 x0 = * _1 in C06MapPrecond_Counter_Closure2.C06MapPrecond_Counter_Closure2 ({ (field_00 ( * _1)) with current = ([#"../06_map_precond.rs" 208 12 208 20] * field_00 ( * _1) + ([#"../06_map_precond.rs" 208 19 208 20] [#"../06_map_precond.rs" 208 19 208 20] (1 : usize))) ; })) ; }; + [#"../06_map_precond.rs" 208 12 208 20] _1 <- { _1 with current = (let C06MapPrecond_Counter_Closure2.C06MapPrecond_Counter_Closure2 x0 = * _1 in C06MapPrecond_Counter_Closure2.C06MapPrecond_Counter_Closure2 ({ (field_00 ( * _1)) with current = ( * field_00 ( * _1) + ([#"../06_map_precond.rs" 208 19 208 20] (1 : usize))) ; })) ; }; assume { resolve0 _1 }; - [#"../06_map_precond.rs" 209 12 209 13] res1 <- ([#"../06_map_precond.rs" 209 12 209 13] x); - [#"../06_map_precond.rs" 205 8 205 63] res <- ([#"../06_map_precond.rs" 205 8 205 63] res1); - [#"../06_map_precond.rs" 206 8 206 41] _0 <- ([#"../06_map_precond.rs" 206 8 206 41] res); + [#"../06_map_precond.rs" 209 12 209 13] res1 <- x; + [#"../06_map_precond.rs" 205 8 205 63] res <- res1; + [#"../06_map_precond.rs" 206 8 206 41] _0 <- res; return _0 } 
@@ -2657,17 +3111,17 @@ module C06MapPrecond_Counter type i use prelude.UInt32 use seq.Seq - use prelude.Ghost - predicate invariant7 (self : Ghost.ghost_ty (Seq.seq uint32)) = + use prelude.Snapshot + predicate invariant7 (self : Snapshot.snap_ty (Seq.seq uint32)) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true - val invariant7 (self : Ghost.ghost_ty (Seq.seq uint32)) : bool + val invariant7 (self : Snapshot.snap_ty (Seq.seq uint32)) : bool ensures { result = invariant7 self } - predicate inv7 (_x : Ghost.ghost_ty (Seq.seq uint32)) - val inv7 (_x : Ghost.ghost_ty (Seq.seq uint32)) : bool + predicate inv7 (_x : Snapshot.snap_ty (Seq.seq uint32)) + val inv7 (_x : Snapshot.snap_ty (Seq.seq uint32)) : bool ensures { result = inv7 _x } - axiom inv7 : forall x : Ghost.ghost_ty (Seq.seq uint32) . inv7 x = true + axiom inv7 : forall x : Snapshot.snap_ty (Seq.seq uint32) . inv7 x = true predicate invariant6 (self : Seq.seq uint32) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant6 (self : Seq.seq uint32) : bool 
@@ -2738,14 +3192,21 @@ module C06MapPrecond_Counter requires {[#"../common.rs" 21 82 21 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq uint32, b : i, bc : Seq.seq uint32, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv2 a) -> ([#"../common.rs" 21 31 21 33] inv6 ab) -> ([#"../common.rs" 21 52 21 53] inv2 b) -> ([#"../common.rs" 21 61 21 63] inv6 bc) -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq uint32, b : i, bc : Seq.seq uint32, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv2 a) + -> ([#"../common.rs" 21 31 21 33] inv6 ab) + -> ([#"../common.rs" 21 52 21 53] inv2 b) + -> ([#"../common.rs" 21 61 21 63] inv6 bc) + -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) predicate invariant1 (self : borrowed i) val invariant1 (self : borrowed i) : bool ensures { result = invariant1 self } 
@@ -2759,7 +3220,7 @@ module C06MapPrecond_Counter let constant max0 : usize = [@vc:do_not_keep_trace] [@vc:sp] (18446744073709551615 : usize) use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.UIntSize function field_00 [#"../06_map_precond.rs" 206 8 206 41] (self : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) : borrowed usize 
@@ -2768,16 +3229,17 @@ module C06MapPrecond_Counter val field_00 [#"../06_map_precond.rs" 206 8 206 41] (self : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) : borrowed usize ensures { result = field_00 self } - predicate precondition0 [#"../06_map_precond.rs" 206 8 206 41] (self : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) (args : (uint32, Ghost.ghost_ty (Seq.seq uint32))) + predicate precondition0 [#"../06_map_precond.rs" 206 8 206 41] (self : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) (args : (uint32, Snapshot.snap_ty (Seq.seq uint32))) = - [#"../06_map_precond.rs" 205 19 205 61] let (x, _prod) = args in UIntSize.to_int ( * field_00 self) = Seq.length (Ghost.inner _prod) /\ * field_00 self < max0 - use prelude.Ghost + [#"../06_map_precond.rs" 205 19 205 61] let (x, _prod) = args in UIntSize.to_int ( * field_00 self) = Seq.length (Snapshot.inner _prod) /\ * field_00 self < max0 + use prelude.Snapshot use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) (produced : Seq.seq uint32) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : uint32 . inv2 i -> inv3 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : uint32 . inv2 i + -> inv3 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) (produced : Seq.seq uint32) : bool ensures { result = next_precondition0 iter func produced } 
@@ -2785,7 +3247,7 @@ module C06MapPrecond_Counter = ^ field_00 _2 = ^ field_00 self - predicate postcondition_mut0 [#"../06_map_precond.rs" 206 8 206 41] (self : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i)) (args : (uint32, Ghost.ghost_ty (Seq.seq uint32))) (result : uint32) + predicate postcondition_mut0 [#"../06_map_precond.rs" 206 8 206 41] (self : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i)) (args : (uint32, Snapshot.snap_ty (Seq.seq uint32))) (result : uint32) = (let (x, _prod) = args in UIntSize.to_int ( * field_00 ( ^ self)) = UIntSize.to_int ( * field_00 ( * self)) + 1) /\ unnest0 ( * self) ( ^ self) 
@@ -2793,27 +3255,51 @@ module C06MapPrecond_Counter predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : uint32 . forall f : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i -> inv3 b -> inv5 f -> inv3 e2 -> inv3 e1 -> inv6 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : uint32 . forall f : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i + -> inv3 b + -> inv5 f + -> inv3 e2 + -> inv3 e1 + -> inv6 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) : bool ensures { result = preservation0 iter func } predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) (produced : Seq.seq uint32) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : uint32 . forall f : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . 
inv2 i -> inv3 b -> inv5 f -> inv3 e2 -> inv3 e1 -> inv6 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : uint32 . forall f : borrowed (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) . forall e2 : uint32 . forall e1 : uint32 . forall s : Seq.seq uint32 . inv2 i + -> inv3 b + -> inv5 f + -> inv3 e2 + -> inv3 e1 + -> inv6 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) (produced : Seq.seq uint32) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv2 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv4 func} requires {[#"../06_map_precond.rs" 93 42 93 50] inv6 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : i, func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i, produced : Seq.seq uint32 . ([#"../06_map_precond.rs" 93 24 93 28] inv2 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv4 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv6 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) + axiom preservation_inv0_spec : forall iter : i, func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i, produced : Seq.seq uint32 . 
([#"../06_map_precond.rs" 93 24 93 28] inv2 iter) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv4 func) + -> ([#"../06_map_precond.rs" 93 42 93 50] inv6 produced) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed0 self } predicate reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) = - [#"../06_map_precond.rs" 118 8 123 9] forall func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i . forall iter : borrowed i . inv4 func -> inv1 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../06_map_precond.rs" 118 8 123 9] forall func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i . forall iter : borrowed i . inv4 func + -> inv1 iter -> completed0 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -2821,7 +3307,7 @@ module C06MapPrecond_Counter predicate invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i uint32 (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) uint32) = - [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) + [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) val invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i uint32 (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) uint32) : bool ensures { result = invariant0 self } 
@@ -2839,17 +3325,22 @@ module C06MapPrecond_Counter ensures { result = resolve0 self } val map0 [#"../06_map_precond.rs" 170 0 173 17] (iter : i) (func : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) : C06MapPrecond_Map_Type.t_map i uint32 (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) uint32 - requires {[#"../06_map_precond.rs" 166 0 166 128] forall i2 : i . forall e : uint32 . inv2 i2 -> inv3 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e, Ghost.new (Seq.empty ))} + requires {[#"../06_map_precond.rs" 166 0 166 131] forall i2 : i . forall e : uint32 . inv2 i2 + -> inv3 e -> produces0 iter (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} requires {[#"../06_map_precond.rs" 167 11 167 41] reinitialize0 ()} requires {[#"../06_map_precond.rs" 168 11 168 51] preservation0 iter func} requires {[#"../06_map_precond.rs" 171 4 171 8] inv2 iter} requires {[#"../06_map_precond.rs" 172 4 172 8] inv4 func} - ensures { [#"../06_map_precond.rs" 169 10 169 72] result = C06MapPrecond_Map_Type.C_Map iter func (Ghost.new (Seq.empty )) } + ensures { [#"../06_map_precond.rs" 169 10 169 75] result = C06MapPrecond_Map_Type.C_Map iter func (Snapshot.new (Seq.empty )) } ensures { [#"../06_map_precond.rs" 173 5 173 17] inv0 result } let rec cfg counter [#"../06_map_precond.rs" 201 0 201 48] [@cfg:stackify] [@cfg:subregion_analysis] (iter : i) : () - requires {[#"../06_map_precond.rs" 199 0 199 158] forall done' : borrowed i . inv1 done' -> completed0 done' -> (forall steps : Seq.seq uint32 . forall next : i . inv2 next -> produces0 ( ^ done') steps next -> steps = Seq.empty /\ ^ done' = next)} - requires {[#"../06_map_precond.rs" 200 0 200 92] forall fin : i . forall prod : Seq.seq uint32 . inv2 fin -> produces0 iter prod fin -> Seq.length prod <= UIntSize.to_int max0} + requires {[#"../06_map_precond.rs" 199 0 199 158] forall done' : borrowed i . 
inv1 done' + -> completed0 done' + -> (forall steps : Seq.seq uint32 . forall next : i . inv2 next + -> produces0 ( ^ done') steps next -> steps = Seq.empty /\ ^ done' = next)} + requires {[#"../06_map_precond.rs" 200 0 200 92] forall fin : i . forall prod : Seq.seq uint32 . inv2 fin + -> produces0 iter prod fin -> Seq.length prod <= UIntSize.to_int max0} requires {[#"../06_map_precond.rs" 201 40 201 44] inv2 iter} = [@vc:do_not_keep_trace] [@vc:sp] @@ -2857,6 +3348,7 @@ module C06MapPrecond_Counter var iter : i = iter; var cnt : usize; var _5 : C06MapPrecond_Map_Type.t_map i uint32 (C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i) uint32; + var _7 : C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i; var _8 : borrowed usize; { goto BB0 @@ -2865,12 +3357,14 @@ module C06MapPrecond_Counter goto BB1 } BB1 { - [#"../06_map_precond.rs" 202 18 202 19] cnt <- ([#"../06_map_precond.rs" 202 18 202 19] [#"../06_map_precond.rs" 202 18 202 19] (0 : usize)); + [#"../06_map_precond.rs" 202 18 202 19] cnt <- ([#"../06_map_precond.rs" 202 18 202 19] (0 : usize)); [#"../06_map_precond.rs" 206 8 206 41] _8 <- Borrow.borrow_mut cnt; [#"../06_map_precond.rs" 206 8 206 41] cnt <- ^ _8; - [#"../06_map_precond.rs" 203 4 211 5] _5 <- ([#"../06_map_precond.rs" 203 4 211 5] map0 ([#"../06_map_precond.rs" 204 8 204 12] iter) ([#"../06_map_precond.rs" 206 8 206 41] C06MapPrecond_Counter_Closure2.C06MapPrecond_Counter_Closure2 _8)); - [#"../06_map_precond.rs" 204 8 204 12] iter <- any i; + [#"../06_map_precond.rs" 206 8 206 41] _7 <- C06MapPrecond_Counter_Closure2.C06MapPrecond_Counter_Closure2 _8; _8 <- any borrowed usize; + [#"../06_map_precond.rs" 203 4 211 5] _5 <- ([#"../06_map_precond.rs" 203 4 211 5] map0 iter _7); + iter <- any i; + _7 <- any C06MapPrecond_Counter_Closure2.c06mapprecond_counter_closure2 i; goto BB2 } BB2 { 
@@ -2903,16 +3397,16 @@ module C06MapPrecond_Impl0 axiom inv12 : forall x : borrowed i . inv12 x = true type item0 use seq.Seq - use prelude.Ghost - predicate invariant11 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant11 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + use prelude.Snapshot + predicate invariant11 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant11 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant11 self } - predicate inv11 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv11 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate inv11 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv11 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv11 _x } - axiom inv11 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv11 x = true + axiom inv11 : forall x : Snapshot.snap_ty (Seq.seq item0) . inv11 x = true predicate invariant10 (self : f) val invariant10 (self : f) : bool ensures { result = invariant10 self } 
@@ -2931,77 +3425,102 @@ module C06MapPrecond_Impl0 ensures { result = inv9 _x } axiom inv9 : forall x : i . inv9 x = true - predicate invariant8 (self : Seq.seq (borrowed f)) - val invariant8 (self : Seq.seq (borrowed f)) : bool + predicate invariant8 (self : item0) + val invariant8 (self : item0) : bool ensures { result = invariant8 self } - predicate inv8 (_x : Seq.seq (borrowed f)) - val inv8 (_x : Seq.seq (borrowed f)) : bool + predicate inv8 (_x : item0) + val inv8 (_x : item0) : bool ensures { result = inv8 _x } - axiom inv8 : forall x : Seq.seq (borrowed f) . inv8 x = true - predicate invariant7 (self : Seq.seq item0) - val invariant7 (self : Seq.seq item0) : bool + axiom inv8 : forall x : item0 . inv8 x = true + predicate invariant7 (self : borrowed f) + val invariant7 (self : borrowed f) : bool ensures { result = invariant7 self } - predicate inv7 (_x : Seq.seq item0) - val inv7 (_x : Seq.seq item0) : bool + predicate inv7 (_x : borrowed f) + val inv7 (_x : borrowed f) : bool ensures { result = inv7 _x } - axiom inv7 : forall x : Seq.seq item0 . inv7 x = true - predicate invariant6 (self : item0) - val invariant6 (self : item0) : bool + axiom inv7 : forall x : borrowed f . inv7 x = true + predicate invariant6 (self : b) + val invariant6 (self : b) : bool ensures { result = invariant6 self } - predicate inv6 (_x : item0) - val inv6 (_x : item0) : bool + predicate inv6 (_x : b) + val inv6 (_x : b) : bool ensures { result = inv6 _x } - axiom inv6 : forall x : item0 . inv6 x = true - predicate invariant5 (self : borrowed f) - val invariant5 (self : borrowed f) : bool + axiom inv6 : forall x : b . 
inv6 x = true + predicate invariant5 (self : Seq.seq (borrowed f)) + val invariant5 (self : Seq.seq (borrowed f)) : bool ensures { result = invariant5 self } - predicate inv5 (_x : borrowed f) - val inv5 (_x : borrowed f) : bool + predicate inv5 (_x : Seq.seq (borrowed f)) + val inv5 (_x : Seq.seq (borrowed f)) : bool ensures { result = inv5 _x } - axiom inv5 : forall x : borrowed f . inv5 x = true - predicate invariant4 (self : b) - val invariant4 (self : b) : bool + axiom inv5 : forall x : Seq.seq (borrowed f) . inv5 x = true + predicate invariant4 (self : Seq.seq item0) + val invariant4 (self : Seq.seq item0) : bool ensures { result = invariant4 self } - predicate inv4 (_x : b) - val inv4 (_x : b) : bool + predicate inv4 (_x : Seq.seq item0) + val inv4 (_x : Seq.seq item0) : bool ensures { result = inv4 _x } - axiom inv4 : forall x : b . inv4 x = true - predicate invariant3 (self : Seq.seq b) - val invariant3 (self : Seq.seq b) : bool + axiom inv4 : forall x : Seq.seq item0 . inv4 x = true + use Core_Option_Option_Type as Core_Option_Option_Type + predicate invariant3 (self : Core_Option_Option_Type.t_option b) + val invariant3 (self : Core_Option_Option_Type.t_option b) : bool ensures { result = invariant3 self } - predicate inv3 (_x : Seq.seq b) - val inv3 (_x : Seq.seq b) : bool + predicate inv3 (_x : Core_Option_Option_Type.t_option b) + val inv3 (_x : Core_Option_Option_Type.t_option b) : bool ensures { result = inv3 _x } - axiom inv3 : forall x : Seq.seq b . inv3 x = true - predicate precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) - val precondition0 (self : f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) : bool + axiom inv3 : forall x : Core_Option_Option_Type.t_option b . 
inv3 x = true + use C06MapPrecond_Map_Type as C06MapPrecond_Map_Type + predicate invariant2 (self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) + val invariant2 (self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) : bool + ensures { result = invariant2 self } + + predicate inv0 (_x : C06MapPrecond_Map_Type.t_map i b f item0) + val inv0 (_x : C06MapPrecond_Map_Type.t_map i b f item0) : bool + ensures { result = inv0 _x } + + predicate inv2 (_x : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) + val inv2 (_x : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) : bool + ensures { result = inv2 _x } + + axiom inv2 : forall x : borrowed (C06MapPrecond_Map_Type.t_map i b f item0) . inv2 x = (inv0 ( * x) /\ inv0 ( ^ x)) + predicate invariant1 (self : Seq.seq b) + val invariant1 (self : Seq.seq b) : bool + ensures { result = invariant1 self } + + predicate inv1 (_x : Seq.seq b) + val inv1 (_x : Seq.seq b) : bool + ensures { result = inv1 _x } + + axiom inv1 : forall x : Seq.seq b . inv1 x = true + predicate precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) + val precondition0 (self : f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) : bool ensures { result = precondition0 self _2 } - use prelude.Ghost + use prelude.Snapshot predicate produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) val produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) : bool ensures { result = produces1 self visited o } use seq.Seq predicate next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . inv9 i -> inv6 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../06_map_precond.rs" 84 8 88 9] forall i : i . forall e : item0 . 
inv9 i + -> inv8 e -> produces1 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 [#"../06_map_precond.rs" 83 4 83 74] (iter : i) (func : f) (produced : Seq.seq item0) : bool ensures { result = next_precondition0 iter func produced } - predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) - val postcondition_mut0 (self : borrowed f) (_2 : (item0, Ghost.ghost_ty (Seq.seq item0))) (_3 : b) : bool + predicate postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) + val postcondition_mut0 (self : borrowed f) (_2 : (item0, Snapshot.snap_ty (Seq.seq item0))) (_3 : b) : bool ensures { result = postcondition_mut0 self _2 _3 } use seq.Seq 
@@ -3011,112 +3530,123 @@ module C06MapPrecond_Impl0 ensures { result = unnest0 self _2 } predicate preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) = - [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv9 i -> inv4 b -> inv5 f -> inv6 e2 -> inv6 e1 -> inv7 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../06_map_precond.rs" 106 8 113 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv9 i + -> inv6 b + -> inv7 f + -> inv8 e2 + -> inv8 e1 + -> inv4 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 [#"../06_map_precond.rs" 105 4 105 45] (iter : i) (func : f) : bool ensures { result = preservation0 iter func } use seq.Seq predicate preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) = - [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . inv9 i -> inv4 b -> inv5 f -> inv6 e2 -> inv6 e1 -> inv7 s -> unnest0 func ( * f) -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new (Seq.(++) produced s)) -> postcondition_mut0 f (e1, Ghost.new (Seq.(++) produced s)) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc (Seq.(++) produced s) e1)) + [#"../06_map_precond.rs" 94 8 101 9] forall i : i . forall b : b . forall f : borrowed f . forall e2 : item0 . forall e1 : item0 . forall s : Seq.seq item0 . 
inv9 i + -> inv6 b + -> inv7 f + -> inv8 e2 + -> inv8 e1 + -> inv4 s + -> unnest0 func ( * f) + -> produces1 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new (Seq.(++) produced s)) + -> postcondition_mut0 f (e1, Snapshot.new (Seq.(++) produced s)) b + -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc (Seq.(++) produced s) e1)) val preservation_inv0 [#"../06_map_precond.rs" 93 4 93 73] (iter : i) (func : f) (produced : Seq.seq item0) : bool requires {[#"../06_map_precond.rs" 93 24 93 28] inv9 iter} requires {[#"../06_map_precond.rs" 93 33 93 37] inv10 func} - requires {[#"../06_map_precond.rs" 93 42 93 50] inv7 produced} + requires {[#"../06_map_precond.rs" 93 42 93 50] inv4 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv9 iter) -> ([#"../06_map_precond.rs" 93 33 93 37] inv10 func) -> ([#"../06_map_precond.rs" 93 42 93 50] inv7 produced) -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) - use prelude.Ghost + axiom preservation_inv0_spec : forall iter : i, func : f, produced : Seq.seq item0 . ([#"../06_map_precond.rs" 93 24 93 28] inv9 iter) + -> ([#"../06_map_precond.rs" 93 33 93 37] inv10 func) + -> ([#"../06_map_precond.rs" 93 42 93 50] inv4 produced) + -> ([#"../06_map_precond.rs" 92 4 92 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) + use prelude.Snapshot predicate completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed1 self } predicate reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) = - [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . 
inv10 func -> inv12 iter -> completed1 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../06_map_precond.rs" 118 8 123 9] forall func : f . forall iter : borrowed i . inv10 func + -> inv12 iter + -> completed1 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 [#"../06_map_precond.rs" 117 4 117 29] (_1 : ()) : bool ensures { result = reinitialize0 _1 } - use C06MapPrecond_Map_Type as C06MapPrecond_Map_Type - predicate invariant2 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) - val invariant2 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) : bool - ensures { result = invariant2 self } - - predicate inv2 (_x : C06MapPrecond_Map_Type.t_map i b f item0) - val inv2 (_x : C06MapPrecond_Map_Type.t_map i b f item0) : bool - ensures { result = inv2 _x } + predicate invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) = + [#"../06_map_precond.rs" 159 12 161 73] reinitialize0 () /\ preservation_inv0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) /\ next_precondition0 (C06MapPrecond_Map_Type.map_iter self) (C06MapPrecond_Map_Type.map_func self) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) + val invariant0 [#"../06_map_precond.rs" 157 4 157 30] (self : C06MapPrecond_Map_Type.t_map i b f item0) : bool + ensures { result = invariant0 self } - axiom inv2 : forall x : 
C06MapPrecond_Map_Type.t_map i b f item0 . inv2 x = (invariant2 x /\ match x with + axiom inv0 : forall x : C06MapPrecond_Map_Type.t_map i b f item0 . inv0 x = (invariant0 x /\ match x with | C06MapPrecond_Map_Type.C_Map iter func produced -> true end) - use Core_Option_Option_Type as Core_Option_Option_Type - predicate invariant1 (self : Core_Option_Option_Type.t_option b) - val invariant1 (self : Core_Option_Option_Type.t_option b) : bool - ensures { result = invariant1 self } - - predicate inv1 (_x : Core_Option_Option_Type.t_option b) - val inv1 (_x : Core_Option_Option_Type.t_option b) : bool - ensures { result = inv1 _x } - - axiom inv1 : forall x : Core_Option_Option_Type.t_option b . inv1 x = true - predicate invariant0 (self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) - val invariant0 (self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) : bool - ensures { result = invariant0 self } - - predicate inv0 (_x : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) - val inv0 (_x : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) : bool - ensures { result = inv0 _x } - - axiom inv0 : forall x : borrowed (C06MapPrecond_Map_Type.t_map i b f item0) . inv0 x = (inv2 ( * x) /\ inv2 ( ^ x)) - use seq.Seq - use seq.Seq use seq.Seq + use prelude.Snapshot use seq.Seq use seq_ext.SeqExt use seq.Seq use seq.Seq use prelude.Int use seq.Seq - use prelude.Ghost use seq.Seq use seq.Seq predicate produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . 
inv7 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Ghost.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv8 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../06_map_precond.rs" 44 8 56 9] unnest0 (C06MapPrecond_Map_Type.map_func self) (C06MapPrecond_Map_Type.map_func succ) /\ (exists s : Seq.seq item0 . inv4 s /\ Seq.length s = Seq.length visited /\ produces1 (C06MapPrecond_Map_Type.map_iter self) s (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) s /\ (exists fs : Seq.seq (borrowed f) . inv5 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then C06MapPrecond_Map_Type.map_func self = C06MapPrecond_Map_Type.map_func succ else * Seq.get fs 0 = C06MapPrecond_Map_Type.map_func self /\ ^ Seq.get fs (Seq.length visited - 1) = C06MapPrecond_Map_Type.map_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> unnest0 (C06MapPrecond_Map_Type.map_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces0 [@inline:trivial] [#"../06_map_precond.rs" 43 4 43 67] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : Seq.seq b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) : bool ensures { result = produces0 self visited succ } - use seq.Seq predicate produces_one0 [#"../06_map_precond.rs" 142 4 142 57] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) = - [#"../06_map_precond.rs" 143 8 149 9] exists f : borrowed f . inv5 f /\ * f = C06MapPrecond_Map_Type.map_func self /\ ^ f = C06MapPrecond_Map_Type.map_func succ /\ (exists e : item0 . inv6 e /\ produces1 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) (C06MapPrecond_Map_Type.map_iter succ) /\ Ghost.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.snoc (Ghost.inner (C06MapPrecond_Map_Type.map_produced self)) e /\ precondition0 ( * f) (e, C06MapPrecond_Map_Type.map_produced self) /\ postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) visited) + [#"../06_map_precond.rs" 143 8 149 9] exists f : borrowed f . inv7 f /\ * f = C06MapPrecond_Map_Type.map_func self /\ ^ f = C06MapPrecond_Map_Type.map_func succ /\ (exists e : item0 . 
inv8 e /\ produces1 (C06MapPrecond_Map_Type.map_iter self) (Seq.singleton e) (C06MapPrecond_Map_Type.map_iter succ) /\ Snapshot.inner (C06MapPrecond_Map_Type.map_produced succ) = Seq.snoc (Snapshot.inner (C06MapPrecond_Map_Type.map_produced self)) e /\ precondition0 ( * f) (e, C06MapPrecond_Map_Type.map_produced self) /\ postcondition_mut0 f (e, C06MapPrecond_Map_Type.map_produced self) visited) val produces_one0 [#"../06_map_precond.rs" 142 4 142 57] (self : C06MapPrecond_Map_Type.t_map i b f item0) (visited : b) (succ : C06MapPrecond_Map_Type.t_map i b f item0) : bool - requires {[#"../06_map_precond.rs" 142 20 142 24] inv2 self} - requires {[#"../06_map_precond.rs" 142 26 142 33] inv4 visited} - requires {[#"../06_map_precond.rs" 142 38 142 42] inv2 succ} + requires {[#"../06_map_precond.rs" 142 20 142 24] inv0 self} + requires {[#"../06_map_precond.rs" 142 26 142 33] inv6 visited} + requires {[#"../06_map_precond.rs" 142 38 142 42] inv0 succ} ensures { result = produces_one0 self visited succ } - axiom produces_one0_spec : forall self : C06MapPrecond_Map_Type.t_map i b f item0, visited : b, succ : C06MapPrecond_Map_Type.t_map i b f item0 . ([#"../06_map_precond.rs" 142 20 142 24] inv2 self) -> ([#"../06_map_precond.rs" 142 26 142 33] inv4 visited) -> ([#"../06_map_precond.rs" 142 38 142 42] inv2 succ) -> ([#"../06_map_precond.rs" 141 14 141 68] produces_one0 self visited succ = produces0 self (Seq.singleton visited) succ) + axiom produces_one0_spec : forall self : C06MapPrecond_Map_Type.t_map i b f item0, visited : b, succ : C06MapPrecond_Map_Type.t_map i b f item0 . 
([#"../06_map_precond.rs" 142 20 142 24] inv0 self) + -> ([#"../06_map_precond.rs" 142 26 142 33] inv6 visited) + -> ([#"../06_map_precond.rs" 142 38 142 42] inv0 succ) + -> ([#"../06_map_precond.rs" 141 14 141 68] produces_one0 self visited succ = produces0 self (Seq.singleton visited) succ) predicate completed0 [#"../06_map_precond.rs" 21 4 21 35] (self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) = - [#"../06_map_precond.rs" 22 8 25 9] Ghost.inner (C06MapPrecond_Map_Type.map_produced ( ^ self)) = Seq.empty /\ completed1 (Borrow.borrow_logic (C06MapPrecond_Map_Type.map_iter ( * self)) (C06MapPrecond_Map_Type.map_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ C06MapPrecond_Map_Type.map_func ( * self) = C06MapPrecond_Map_Type.map_func ( ^ self) + [#"../06_map_precond.rs" 22 8 25 9] Snapshot.inner (C06MapPrecond_Map_Type.map_produced ( ^ self)) = Seq.empty /\ completed1 (Borrow.borrow_logic (C06MapPrecond_Map_Type.map_iter ( * self)) (C06MapPrecond_Map_Type.map_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ C06MapPrecond_Map_Type.map_func ( * self) = C06MapPrecond_Map_Type.map_func ( ^ self) val completed0 [#"../06_map_precond.rs" 21 4 21 35] (self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0)) : bool ensures { result = completed0 self } - goal next_refn : [#"../06_map_precond.rs" 63 4 63 44] forall self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0) . inv0 self -> inv0 self /\ (forall result : Core_Option_Option_Type.t_option b . inv1 result /\ match result with + use seq.Seq + use seq.Seq + use seq.Seq + goal produces_refl_refn : [#"../06_map_precond.rs" 31 4 31 26] forall self : C06MapPrecond_Map_Type.t_map i b f item0 . inv0 self + -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal produces_trans_refn : [#"../06_map_precond.rs" 38 4 38 90] forall a : C06MapPrecond_Map_Type.t_map i b f item0 . forall ab : Seq.seq b . 
forall b : C06MapPrecond_Map_Type.t_map i b f item0 . forall bc : Seq.seq b . forall c : C06MapPrecond_Map_Type.t_map i b f item0 . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b + -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) + goal next_refn : [#"../06_map_precond.rs" 63 4 63 44] forall self : borrowed (C06MapPrecond_Map_Type.t_map i b f item0) . inv2 self + -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option b . inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces_one0 ( * self) v ( ^ self) - end -> inv1 result /\ match result with + end + -> inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) - goal produces_trans_refn : [#"../06_map_precond.rs" 38 4 38 90] forall a : C06MapPrecond_Map_Type.t_map i b f item0 . forall ab : Seq.seq b . forall b : C06MapPrecond_Map_Type.t_map i b f item0 . forall bc : Seq.seq b . forall c : C06MapPrecond_Map_Type.t_map i b f item0 . inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b -> inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) - goal produces_refl_refn : [#"../06_map_precond.rs" 31 4 31 26] forall self : C06MapPrecond_Map_Type.t_map i b f item0 . inv2 self -> inv2 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) end module C06MapPrecond_Impl2 type i diff --git a/creusot/tests/should_succeed/iterators/06_map_precond.rs b/creusot/tests/should_succeed/iterators/06_map_precond.rs index edf08f99a5..c2fccaec51 100644 
--- a/creusot/tests/should_succeed/iterators/06_map_precond.rs +++ b/creusot/tests/should_succeed/iterators/06_map_precond.rs @@ -7,17 +7,17 @@ mod common; use common::Iterator; // FIXME: make it Map again -pub struct Map>) -> B> { +pub struct Map>) -> B> { iter: I, func: F, - produced: Ghost>, + produced: Snapshot>, } -impl>) -> B> Iterator for Map { +impl>) -> B> Iterator for Map { type Item = B; #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { *(^self).produced == Seq::EMPTY && @@ -38,7 +38,7 @@ impl>) -> B> Iterator for M fn produces_trans(a: Self, ab: Seq, b: Self, bc: Seq, c: Self) {} #[open] - #[predicate] + #[predicate(prophetic)] #[why3::attr = "inline:trivial"] fn produces(self, visited: Seq, succ: Self) -> bool { pearlite! { @@ -51,8 +51,8 @@ impl>) -> B> Iterator for M else { *fs[0] == self.func && ^fs[visited.len() - 1] == succ.func } && forall 0 <= i && i < visited.len() ==> self.func.unnest(*fs[i]) - && (*fs[i]).precondition((s[i], Ghost::new(self.produced.concat(s.subsequence(0, i))))) - && fs[i].postcondition_mut((s[i], Ghost::new(self.produced.concat(s.subsequence(0, i)))), visited[i]) + && (*fs[i]).precondition((s[i], Snapshot::new(self.produced.concat(s.subsequence(0, i))))) + && fs[i].postcondition_mut((s[i], Snapshot::new(self.produced.concat(s.subsequence(0, i)))), visited[i]) } } 
@@ -64,56 +64,56 @@ impl>) -> B> Iterator for M match self.iter.next() { Some(v) => { proof_assert! { self.func.precondition((v, self.produced)) }; - let produced = gh! { self.produced.push(v) }; + let produced = snapshot! { self.produced.push(v) }; let r = (self.func)(v, self.produced); self.produced = produced; - gh! { Self::produces_one_invariant }; + snapshot! { Self::produces_one_invariant }; Some(r) } None => { - self.produced = gh! { Seq::EMPTY }; + self.produced = snapshot! { Seq::EMPTY }; None } } } } -impl>) -> B> Map { - #[predicate] +impl>) -> B> Map { + #[predicate(prophetic)] fn next_precondition(iter: I, func: F, produced: Seq) -> bool { pearlite! { forall iter.produces(Seq::singleton(e), i) ==> - func.precondition((e, Ghost::new(produced))) + func.precondition((e, Snapshot::new(produced))) } } - #[predicate] + #[predicate(prophetic)] #[ensures(produced == Seq::EMPTY ==> result == Self::preservation(iter, func))] fn preservation_inv(iter: I, func: F, produced: Seq) -> bool { pearlite! { forall, e1: I::Item, e2: I::Item, f: &mut F, b: B, i: I> func.unnest(*f) ==> iter.produces(s.push(e1).push(e2), i) ==> - (*f).precondition((e1, Ghost::new(produced.concat(s)))) ==> - f.postcondition_mut((e1, Ghost::new(produced.concat(s))), b) ==> - (^f).precondition((e2, Ghost::new(produced.concat(s).push(e1)))) + (*f).precondition((e1, Snapshot::new(produced.concat(s)))) ==> + f.postcondition_mut((e1, Snapshot::new(produced.concat(s))), b) ==> + (^f).precondition((e2, Snapshot::new(produced.concat(s).push(e1)))) } } - #[predicate] + #[predicate(prophetic)] fn preservation(iter: I, func: F) -> bool { pearlite! 
{ forall, e1: I::Item, e2: I::Item, f: &mut F, b: B, i: I> func.unnest(*f) ==> iter.produces(s.push(e1).push(e2), i) ==> - (*f).precondition((e1, Ghost::new(s))) ==> - f.postcondition_mut((e1, Ghost::new(s)), b) ==> - (^f).precondition((e2, Ghost::new(s.push(e1)))) + (*f).precondition((e1, Snapshot::new(s))) ==> + f.postcondition_mut((e1, Snapshot::new(s)), b) ==> + (^f).precondition((e2, Snapshot::new(s.push(e1)))) } } - #[predicate] + #[predicate(prophetic)] fn reinitialize() -> bool { pearlite! { forall @@ -123,7 +123,7 @@ impl>) -> B> Map { } } - #[ghost] + #[logic] #[requires(self.iter.produces(Seq::singleton(e), iter))] #[requires(*f == self.func)] #[requires(f.postcondition_mut((e, self.produced), r) )] @@ -137,7 +137,7 @@ impl>) -> B> Map { } } - #[predicate] + #[predicate(prophetic)] #[ensures(result == self.produces(Seq::singleton(visited), succ))] fn produces_one(self, visited: B, succ: Self) -> bool { pearlite! { @@ -150,9 +150,9 @@ impl>) -> B> Map { } } -impl>) -> B> Invariant for Map { +impl>) -> B> Invariant for Map { // Should not quantify over self or the `invariant` cannot be made into a type invariant - #[predicate] + #[predicate(prophetic)] #[open(self)] fn invariant(self) -> bool { pearlite! { @@ -163,15 +163,15 @@ impl>) -> B> Invariant for } } -#[requires(forall iter.produces(Seq::singleton(e), i2) ==> func.precondition((e, Ghost::new(Seq::EMPTY))))] +#[requires(forall iter.produces(Seq::singleton(e), i2) ==> func.precondition((e, Snapshot::new(Seq::EMPTY))))] #[requires(Map::::reinitialize())] #[requires(Map::::preservation(iter, func))] -#[ensures(result == Map { iter, func, produced: Ghost::new(Seq::EMPTY) })] -pub fn map>) -> B>( +#[ensures(result == Map { iter, func, produced: Snapshot::new(Seq::EMPTY) })] +pub fn map>) -> B>( iter: I, func: F, ) -> Map { - Map { iter, func, produced: gh! {Seq::EMPTY} } + Map { iter, func, produced: snapshot! {Seq::EMPTY} } } pub fn identity(iter: I) { 
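Review bot: `next_precondition` is switched to `#[predicate(prophetic)]` in this hunk although its body shows no prophecy operator — it only quantifies over `iter.produces(Seq::singleton(e), i)` and `func.precondition((e, Snapshot::new(produced)))`, and the generated `next_precondition0` in the mlcfg part of this diff likewise contains no `^`. Unless `Iterator::produces` in common.rs or the `precondition` it calls is itself prophetic (neither is visible here), the plain `#[predicate]` is the tighter declaration and keeps the spec callable from non-prophetic logic. For `preservation`, `preservation_inv` and `reinitialize` the attribute is justified by the `^f` / `^iter` in their bodies, and a one-line comment such as `// prophetic: quantifies over &mut F and constrains its final value ^f` above `preservation` would record why the broader attribute is required there. The `next` body at the top of the hunk changes only `gh!` to `snapshot!`; its signature lies before the hunk and the enclosing `impl` block continues past it.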
@@ -204,7 +204,7 @@ pub fn counter>(iter: I) { iter, #[requires(cnt@ == (*_prod).len() && cnt < usize::MAX)] #[ensures(cnt@ == old(cnt)@ + 1)] - |x, _prod: Ghost>| { + |x, _prod: Snapshot>| { cnt += 1; x }, diff --git a/creusot/tests/should_succeed/iterators/06_map_precond/why3session.xml b/creusot/tests/should_succeed/iterators/06_map_precond/why3session.xml index 5aefe21b75..d8b13b8927 100644 --- a/creusot/tests/should_succeed/iterators/06_map_precond/why3session.xml +++ b/creusot/tests/should_succeed/iterators/06_map_precond/why3session.xml @@ -8,23 +8,23 @@ - + - - + + - + - + - + - - + + @@ -34,66 +34,66 @@ - + - + - - + + - - - + + + - - + + - - + + - - + + - + - - + + - - - + + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - - - - + + + + + - - + + @@ -101,14 +101,14 @@ - - - - - + + + + + - - + + @@ -130,99 +130,99 @@ - + - + - + - + - - + + - + - + - - - - + + + + - - - - + + + + - - - - + + + + - + - - - - + + + + - + - + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - + - - - - + + + + - + - - - - + + + + @@ -238,12 +238,12 @@ - - - - - - + + + + + + @@ -251,18 +251,18 @@ - + - + - - + + - - + + - - + + @@ -291,28 +291,28 @@ - + - + - + - + - + - + - + @@ -374,18 +374,18 @@ - + - - + + - - + + diff --git a/creusot/tests/should_succeed/iterators/06_map_precond/why3shapes.gz b/creusot/tests/should_succeed/iterators/06_map_precond/why3shapes.gz index 9af660d528..2a03277499 100644 Binary files a/creusot/tests/should_succeed/iterators/06_map_precond/why3shapes.gz and b/creusot/tests/should_succeed/iterators/06_map_precond/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/iterators/07_fuse.mlcfg b/creusot/tests/should_succeed/iterators/07_fuse.mlcfg index 9fdd4524f4..32f660efa8 100644 --- a/creusot/tests/should_succeed/iterators/07_fuse.mlcfg +++ b/creusot/tests/should_succeed/iterators/07_fuse.mlcfg 
@@ -74,14 +74,21 @@ module C07Fuse_Impl0_Next requires {[#"../common.rs" 21 82 21 83] inv3 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv3 a) -> ([#"../common.rs" 21 31 21 33] inv6 ab) -> ([#"../common.rs" 21 52 21 53] inv3 b) -> ([#"../common.rs" 21 61 21 63] inv6 bc) -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv3 a) + -> ([#"../common.rs" 21 31 21 33] inv6 ab) + -> ([#"../common.rs" 21 52 21 53] inv3 b) + -> ([#"../common.rs" 21 61 21 63] inv6 bc) + -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv3 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant3 (self : i) val invariant3 (self : i) : bool ensures { result = invariant3 self } 
@@ -147,7 +154,7 @@ module C07Fuse_Impl0_Next ensures { result = resolve3 self } predicate resolve2 (self : borrowed i) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed i) : bool ensures { result = resolve2 self } @@ -160,12 +167,12 @@ module C07Fuse_Impl0_Next ensures { [#"../common.rs" 27 26 27 44] inv5 result } predicate resolve1 (self : borrowed (C07Fuse_Fuse_Type.t_fuse i)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed (C07Fuse_Fuse_Type.t_fuse i)) : bool ensures { result = resolve1 self } predicate resolve0 (self : borrowed (Core_Option_Option_Type.t_option i)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (Core_Option_Option_Type.t_option i)) : bool ensures { result = resolve0 self } @@ -184,6 +191,7 @@ module C07Fuse_Impl0_Next var iter : borrowed i; var _6 : Core_Option_Option_Type.t_option item0; var _7 : borrowed i; + var _9 : Core_Option_Option_Type.t_option i; var x : Core_Option_Option_Type.t_option item0; { goto BB0 @@ -222,7 +230,7 @@ module C07Fuse_Impl0_Next BB4 { assert { [@expl:type invariant] inv1 _3 }; assume { resolve0 _3 }; - [#"../07_fuse.rs" 41 20 41 24] _0 <- ([#"../07_fuse.rs" 41 20 41 24] Core_Option_Option_Type.C_None); + [#"../07_fuse.rs" 41 20 41 24] _0 <- Core_Option_Option_Type.C_None; assert { [@expl:type invariant] inv2 self }; assume { resolve1 self }; goto BB15 
@@ -243,19 +251,21 @@ module C07Fuse_Impl0_Next BB7 { assert { [@expl:type invariant] inv2 self }; assume { resolve1 self }; - [#"../07_fuse.rs" 47 16 47 17] x <- ([#"../07_fuse.rs" 47 16 47 17] _6); - [#"../07_fuse.rs" 47 16 47 17] _6 <- any Core_Option_Option_Type.t_option item0; - [#"../07_fuse.rs" 47 21 47 22] _0 <- ([#"../07_fuse.rs" 47 21 47 22] x); - [#"../07_fuse.rs" 47 21 47 22] x <- any Core_Option_Option_Type.t_option item0; + [#"../07_fuse.rs" 47 16 47 17] x <- _6; + _6 <- any Core_Option_Option_Type.t_option item0; + [#"../07_fuse.rs" 47 21 47 22] _0 <- x; + x <- any Core_Option_Option_Type.t_option item0; goto BB12 } BB8 { assert { [@expl:type invariant] inv5 _6 }; assume { resolve3 _6 }; + [#"../07_fuse.rs" 44 32 44 36] _9 <- Core_Option_Option_Type.C_None; goto BB9 } BB9 { - [#"../07_fuse.rs" 44 20 44 29] self <- { self with current = (let C07Fuse_Fuse_Type.C_Fuse x0 = * self in C07Fuse_Fuse_Type.C_Fuse ([#"../07_fuse.rs" 44 32 44 36] Core_Option_Option_Type.C_None)) ; }; + [#"../07_fuse.rs" 44 20 44 29] self <- { self with current = (let C07Fuse_Fuse_Type.C_Fuse x0 = * self in C07Fuse_Fuse_Type.C_Fuse _9) ; }; + _9 <- any Core_Option_Option_Type.t_option i; assert { [@expl:type invariant] inv0 (C07Fuse_Fuse_Type.fuse_iter ( * self)) }; assume { resolve4 (C07Fuse_Fuse_Type.fuse_iter ( * self)) }; assert { [@expl:type invariant] inv2 self }; @@ -263,7 +273,7 @@ module C07Fuse_Impl0_Next goto BB11 } BB11 { - [#"../07_fuse.rs" 45 20 45 24] _0 <- ([#"../07_fuse.rs" 45 20 45 24] Core_Option_Option_Type.C_None); + [#"../07_fuse.rs" 45 20 45 24] _0 <- Core_Option_Option_Type.C_None; goto BB13 } BB12 { 
@@ -319,14 +329,21 @@ module C07Fuse_Impl0_ProducesRefl_Impl requires {[#"../common.rs" 21 82 21 83] inv1 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv1 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv1 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv1 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv1 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv1 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv1 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv1 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv1 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv1 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) use C07Fuse_Fuse_Type as C07Fuse_Fuse_Type predicate invariant0 (self : C07Fuse_Fuse_Type.t_fuse i) val invariant0 (self : C07Fuse_Fuse_Type.t_fuse i) : bool 
@@ -351,12 +368,10 @@ module C07Fuse_Impl0_ProducesRefl_Impl val produces0 [#"../07_fuse.rs" 25 4 25 65] (self : C07Fuse_Fuse_Type.t_fuse i) (prod : Seq.seq item0) (other : C07Fuse_Fuse_Type.t_fuse i) : bool ensures { result = produces0 self prod other } - let rec ghost function produces_refl [#"../07_fuse.rs" 55 4 55 26] (self : C07Fuse_Fuse_Type.t_fuse i) : () - requires {[#"../07_fuse.rs" 55 21 55 25] inv0 self} - ensures { [#"../07_fuse.rs" 54 14 54 45] produces0 self (Seq.empty ) self } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../07_fuse.rs" 52 4 52 10] () + constant self : C07Fuse_Fuse_Type.t_fuse i + function produces_refl [#"../07_fuse.rs" 55 4 55 26] (self : C07Fuse_Fuse_Type.t_fuse i) : () + goal vc_produces_refl : ([#"../07_fuse.rs" 55 21 55 25] inv0 self) + -> ([#"../07_fuse.rs" 54 14 54 45] produces0 self (Seq.empty ) self) end module C07Fuse_Impl0_ProducesTrans_Impl type i 
@@ -392,14 +407,21 @@ module C07Fuse_Impl0_ProducesTrans_Impl requires {[#"../common.rs" 21 82 21 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv2 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv2 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv2 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv2 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : Seq.seq item0) val invariant1 (self : Seq.seq item0) : bool ensures { result = invariant1 self } 
@@ -429,18 +451,21 @@ module C07Fuse_Impl0_ProducesTrans_Impl val produces0 [#"../07_fuse.rs" 25 4 25 65] (self : C07Fuse_Fuse_Type.t_fuse i) (prod : Seq.seq item0) (other : C07Fuse_Fuse_Type.t_fuse i) : bool ensures { result = produces0 self prod other } - let rec ghost function produces_trans [#"../07_fuse.rs" 62 4 62 90] (a : C07Fuse_Fuse_Type.t_fuse i) (ab : Seq.seq item0) (b : C07Fuse_Fuse_Type.t_fuse i) (bc : Seq.seq item0) (c : C07Fuse_Fuse_Type.t_fuse i) : () - requires {[#"../07_fuse.rs" 59 15 59 32] produces0 a ab b} - requires {[#"../07_fuse.rs" 60 15 60 32] produces0 b bc c} - requires {[#"../07_fuse.rs" 62 22 62 23] inv0 a} - requires {[#"../07_fuse.rs" 62 31 62 33] inv1 ab} - requires {[#"../07_fuse.rs" 62 52 62 53] inv0 b} - requires {[#"../07_fuse.rs" 62 61 62 63] inv1 bc} - requires {[#"../07_fuse.rs" 62 82 62 83] inv0 c} - ensures { [#"../07_fuse.rs" 61 14 61 42] produces0 a (Seq.(++) ab bc) c } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../07_fuse.rs" 57 4 57 10] () + constant a : C07Fuse_Fuse_Type.t_fuse i + constant ab : Seq.seq item0 + constant b : C07Fuse_Fuse_Type.t_fuse i + constant bc : Seq.seq item0 + constant c : C07Fuse_Fuse_Type.t_fuse i + function produces_trans [#"../07_fuse.rs" 62 4 62 90] (a : C07Fuse_Fuse_Type.t_fuse i) (ab : Seq.seq item0) (b : C07Fuse_Fuse_Type.t_fuse i) (bc : Seq.seq item0) (c : C07Fuse_Fuse_Type.t_fuse i) : () + + goal vc_produces_trans : ([#"../07_fuse.rs" 62 82 62 83] inv0 c) + -> ([#"../07_fuse.rs" 62 61 62 63] inv1 bc) + -> ([#"../07_fuse.rs" 62 52 62 53] inv0 b) + -> ([#"../07_fuse.rs" 62 31 62 33] inv1 ab) + -> ([#"../07_fuse.rs" 62 22 62 23] inv0 a) + -> ([#"../07_fuse.rs" 60 15 60 32] produces0 b bc c) + -> ([#"../07_fuse.rs" 59 15 59 32] produces0 a ab b) + -> ([#"../07_fuse.rs" 61 14 61 42] produces0 a (Seq.(++) ab bc) c) end module C07Fuse_Impl1_IsFused_Impl type i 
@@ -486,14 +511,21 @@ module C07Fuse_Impl1_IsFused_Impl requires {[#"../common.rs" 21 82 21 83] inv4 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv4 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv4 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv4 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv4 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl1 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv4 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv4 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv4 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) use C07Fuse_Fuse_Type as C07Fuse_Fuse_Type predicate invariant2 (self : C07Fuse_Fuse_Type.t_fuse i) val invariant2 (self : C07Fuse_Fuse_Type.t_fuse i) : bool 
@@ -546,14 +578,21 @@ module C07Fuse_Impl1_IsFused_Impl requires {[#"../07_fuse.rs" 62 82 62 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : C07Fuse_Fuse_Type.t_fuse i, ab : Seq.seq item0, b : C07Fuse_Fuse_Type.t_fuse i, bc : Seq.seq item0, c : C07Fuse_Fuse_Type.t_fuse i . ([#"../07_fuse.rs" 59 15 59 32] produces0 a ab b) -> ([#"../07_fuse.rs" 60 15 60 32] produces0 b bc c) -> ([#"../07_fuse.rs" 62 22 62 23] inv2 a) -> ([#"../07_fuse.rs" 62 31 62 33] inv1 ab) -> ([#"../07_fuse.rs" 62 52 62 53] inv2 b) -> ([#"../07_fuse.rs" 62 61 62 63] inv1 bc) -> ([#"../07_fuse.rs" 62 82 62 83] inv2 c) -> ([#"../07_fuse.rs" 61 14 61 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : C07Fuse_Fuse_Type.t_fuse i, ab : Seq.seq item0, b : C07Fuse_Fuse_Type.t_fuse i, bc : Seq.seq item0, c : C07Fuse_Fuse_Type.t_fuse i . ([#"../07_fuse.rs" 59 15 59 32] produces0 a ab b) + -> ([#"../07_fuse.rs" 60 15 60 32] produces0 b bc c) + -> ([#"../07_fuse.rs" 62 22 62 23] inv2 a) + -> ([#"../07_fuse.rs" 62 31 62 33] inv1 ab) + -> ([#"../07_fuse.rs" 62 52 62 53] inv2 b) + -> ([#"../07_fuse.rs" 62 61 62 63] inv1 bc) + -> ([#"../07_fuse.rs" 62 82 62 83] inv2 c) -> ([#"../07_fuse.rs" 61 14 61 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 [#"../07_fuse.rs" 55 4 55 26] (self : C07Fuse_Fuse_Type.t_fuse i) : () = [#"../07_fuse.rs" 52 4 52 10] () val produces_refl0 [#"../07_fuse.rs" 55 4 55 26] (self : C07Fuse_Fuse_Type.t_fuse i) : () requires {[#"../07_fuse.rs" 55 21 55 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : C07Fuse_Fuse_Type.t_fuse i . ([#"../07_fuse.rs" 55 21 55 25] inv2 self) -> ([#"../07_fuse.rs" 54 14 54 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : C07Fuse_Fuse_Type.t_fuse i . 
([#"../07_fuse.rs" 55 21 55 25] inv2 self) + -> ([#"../07_fuse.rs" 54 14 54 45] produces0 self (Seq.empty ) self) predicate completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed1 self } @@ -563,16 +602,17 @@ module C07Fuse_Impl1_IsFused_Impl val completed0 [#"../07_fuse.rs" 16 4 16 35] (self : borrowed (C07Fuse_Fuse_Type.t_fuse i)) : bool ensures { result = completed0 self } - let rec ghost function is_fused [#"../07_fuse.rs" 81 4 81 62] (self : borrowed (C07Fuse_Fuse_Type.t_fuse i)) (steps : Seq.seq item0) (next : C07Fuse_Fuse_Type.t_fuse i) : () - requires {[#"../07_fuse.rs" 78 15 78 31] completed0 self} - requires {[#"../07_fuse.rs" 79 15 79 44] produces0 ( ^ self) steps next} - requires {[#"../07_fuse.rs" 81 21 81 25] inv0 self} - requires {[#"../07_fuse.rs" 81 27 81 32] inv1 steps} - requires {[#"../07_fuse.rs" 81 51 81 55] inv2 next} - ensures { [#"../07_fuse.rs" 80 14 80 50] steps = Seq.empty /\ ^ self = next } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../07_fuse.rs" 76 4 76 10] () + constant self : borrowed (C07Fuse_Fuse_Type.t_fuse i) + constant steps : Seq.seq item0 + constant next : C07Fuse_Fuse_Type.t_fuse i + function is_fused [#"../07_fuse.rs" 81 4 81 62] (self : borrowed (C07Fuse_Fuse_Type.t_fuse i)) (steps : Seq.seq item0) (next : C07Fuse_Fuse_Type.t_fuse i) : () + + goal vc_is_fused : ([#"../07_fuse.rs" 81 51 81 55] inv2 next) + -> ([#"../07_fuse.rs" 81 27 81 32] inv1 steps) + -> ([#"../07_fuse.rs" 81 21 81 25] inv0 self) + -> ([#"../07_fuse.rs" 79 15 79 44] produces0 ( ^ self) steps next) + -> ([#"../07_fuse.rs" 78 15 78 31] completed0 self) + -> ([#"../07_fuse.rs" 80 14 80 50] steps = Seq.empty /\ ^ self = next) end module C07Fuse_Impl0 type i 
@@ -627,6 +667,8 @@ module C07Fuse_Impl0 axiom inv0 : forall x : C07Fuse_Fuse_Type.t_fuse i . inv0 x = true use seq.Seq + use seq.Seq + use seq.Seq predicate completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool ensures { result = completed1 self } @@ -636,8 +678,6 @@ module C07Fuse_Impl0 val completed0 [#"../07_fuse.rs" 16 4 16 35] (self : borrowed (C07Fuse_Fuse_Type.t_fuse i)) : bool ensures { result = completed0 self } - use seq.Seq - use seq.Seq use seq.Seq predicate produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) val produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) : bool 
@@ -656,15 +696,20 @@ module C07Fuse_Impl0 val produces0 [#"../07_fuse.rs" 25 4 25 65] (self : C07Fuse_Fuse_Type.t_fuse i) (prod : Seq.seq item0) (other : C07Fuse_Fuse_Type.t_fuse i) : bool ensures { result = produces0 self prod other } - goal produces_trans_refn : [#"../07_fuse.rs" 62 4 62 90] forall a : C07Fuse_Fuse_Type.t_fuse i . forall ab : Seq.seq item0 . forall b : C07Fuse_Fuse_Type.t_fuse i . forall bc : Seq.seq item0 . forall c : C07Fuse_Fuse_Type.t_fuse i . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) - goal produces_refl_refn : [#"../07_fuse.rs" 55 4 55 26] forall self : C07Fuse_Fuse_Type.t_fuse i . inv0 self -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal next_refn : [#"../07_fuse.rs" 39 4 39 44] forall self : borrowed (C07Fuse_Fuse_Type.t_fuse i) . inv2 self -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option item0 . inv3 result /\ match result with + goal produces_trans_refn : [#"../07_fuse.rs" 62 4 62 90] forall a : C07Fuse_Fuse_Type.t_fuse i . forall ab : Seq.seq item0 . forall b : C07Fuse_Fuse_Type.t_fuse i . forall bc : Seq.seq item0 . forall c : C07Fuse_Fuse_Type.t_fuse i . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b + -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) + goal next_refn : [#"../07_fuse.rs" 39 4 39 44] forall self : borrowed (C07Fuse_Fuse_Type.t_fuse i) . inv2 self + -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option item0 . 
inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv3 result /\ match result with + end + -> inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) + goal produces_refl_refn : [#"../07_fuse.rs" 55 4 55 26] forall self : C07Fuse_Fuse_Type.t_fuse i . inv0 self + -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) end module C07Fuse_Impl1 type i @@ -737,5 +782,7 @@ module C07Fuse_Impl1 val produces0 [#"../07_fuse.rs" 25 4 25 65] (self : C07Fuse_Fuse_Type.t_fuse i) (prod : Seq.seq item0) (other : C07Fuse_Fuse_Type.t_fuse i) : bool ensures { result = produces0 self prod other } - goal is_fused_refn : [#"../07_fuse.rs" 81 4 81 62] forall self : borrowed (C07Fuse_Fuse_Type.t_fuse i) . forall steps : Seq.seq item0 . forall next : C07Fuse_Fuse_Type.t_fuse i . inv0 next /\ inv1 steps /\ inv2 self /\ produces0 ( ^ self) steps next /\ completed0 self -> inv0 next /\ inv1 steps /\ inv2 self /\ produces0 ( ^ self) steps next /\ completed0 self /\ (forall result : () . steps = Seq.empty /\ ^ self = next -> steps = Seq.empty /\ ^ self = next) + goal is_fused_refn : [#"../07_fuse.rs" 81 4 81 62] forall self : borrowed (C07Fuse_Fuse_Type.t_fuse i) . forall steps : Seq.seq item0 . forall next : C07Fuse_Fuse_Type.t_fuse i . inv0 next /\ inv1 steps /\ inv2 self /\ produces0 ( ^ self) steps next /\ completed0 self + -> inv0 next /\ inv1 steps /\ inv2 self /\ produces0 ( ^ self) steps next /\ completed0 self /\ (forall result : () . steps = Seq.empty /\ ^ self = next + -> steps = Seq.empty /\ ^ self = next) end diff --git a/creusot/tests/should_succeed/iterators/07_fuse.rs b/creusot/tests/should_succeed/iterators/07_fuse.rs index 878ec75dba..c8bc3eb543 100644 
--- a/creusot/tests/should_succeed/iterators/07_fuse.rs +++ b/creusot/tests/should_succeed/iterators/07_fuse.rs @@ -12,7 +12,7 @@ impl Iterator for Fuse { type Item = I::Item; #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { (self.iter == None || exists it.completed() && self.iter == Some(*it)) && @@ -21,7 +21,7 @@ impl Iterator for Fuse { } #[open] - #[predicate] + #[predicate(prophetic)] fn produces(self, prod: Seq, other: Self) -> bool { match self.iter { None => prod == Seq::EMPTY && other.iter == self.iter, diff --git a/creusot/tests/should_succeed/iterators/07_fuse/why3session.xml b/creusot/tests/should_succeed/iterators/07_fuse/why3session.xml index cc9b9853c2..f88983a51b 100644 --- a/creusot/tests/should_succeed/iterators/07_fuse/why3session.xml +++ b/creusot/tests/should_succeed/iterators/07_fuse/why3session.xml @@ -8,25 +8,25 @@ - + - - + + - + - + - + - + - - + + @@ -38,8 +38,8 @@ - - + + diff --git a/creusot/tests/should_succeed/iterators/07_fuse/why3shapes.gz b/creusot/tests/should_succeed/iterators/07_fuse/why3shapes.gz index 57e6d7442f..7e6033a116 100644 Binary files a/creusot/tests/should_succeed/iterators/07_fuse/why3shapes.gz and b/creusot/tests/should_succeed/iterators/07_fuse/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/iterators/08_collect_extend.mlcfg b/creusot/tests/should_succeed/iterators/08_collect_extend.mlcfg index 5df00269c1..17cec339b9 100644 --- a/creusot/tests/should_succeed/iterators/08_collect_extend.mlcfg +++ b/creusot/tests/should_succeed/iterators/08_collect_extend.mlcfg 
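Review bot: The `prophetic` marker added to `produces` in the `@@ -21,7 +21,7 @@` hunk is not justified by anything visible: the `None` arm only relates `prod`, `other.iter` and `self.iter`, none of which is a final-value (`^`) expression, and the remaining arms lie outside the hunk. As far as I understand Creusot, a `prophetic` predicate can no longer be called from non-prophetic logic or from type invariants, so the marker should be applied only where a prophecy is actually used, or where the trait declaration in `common.rs` (not shown here) forces it; if the latter is the reason, record it, e.g. `// prophetic: must match the Iterator::produces declaration in common.rs` above the attribute. The same comment would help on `completed` in the first hunk, where the marker is presumably needed because its body mentions `^self` in the part cut off by the hunk — worth confirming. Both function bodies continue outside the hunk.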
@@ -28,12 +28,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type @@ -98,7 +104,8 @@ module C08CollectExtend_Extend requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant6 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv8 (shallow_model2 self) val invariant6 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -144,54 +151,62 @@ module C08CollectExtend_Extend requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv3 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv3 a) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv8 ab) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv3 b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv8 bc) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv3 c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv3 a) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv8 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv3 b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv8 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv3 c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : i) : () val produces_refl0 (self : i) : () requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv3 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . 
([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces0 self (Seq.empty ) self) predicate invariant3 (self : i) val invariant3 (self : i) : bool ensures { result = invariant3 self } axiom inv3 : forall x : i . inv3 x = true - use prelude.Ghost - predicate invariant2 (self : Ghost.ghost_ty (Seq.seq t)) - val invariant2 (self : Ghost.ghost_ty (Seq.seq t)) : bool + use prelude.Snapshot + predicate invariant2 (self : Snapshot.snap_ty (Seq.seq t)) + val invariant2 (self : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = invariant2 self } - predicate inv2 (_x : Ghost.ghost_ty (Seq.seq t)) - val inv2 (_x : Ghost.ghost_ty (Seq.seq t)) : bool + predicate inv2 (_x : Snapshot.snap_ty (Seq.seq t)) + val inv2 (_x : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = inv2 _x } - axiom inv2 : forall x : Ghost.ghost_ty (Seq.seq t) . inv2 x = true - predicate invariant1 (self : Ghost.ghost_ty i) - val invariant1 (self : Ghost.ghost_ty i) : bool + axiom inv2 : forall x : Snapshot.snap_ty (Seq.seq t) . inv2 x = true + predicate invariant1 (self : Snapshot.snap_ty i) + val invariant1 (self : Snapshot.snap_ty i) : bool ensures { result = invariant1 self } - predicate inv1 (_x : Ghost.ghost_ty i) - val inv1 (_x : Ghost.ghost_ty i) : bool + predicate inv1 (_x : Snapshot.snap_ty i) + val inv1 (_x : Snapshot.snap_ty i) : bool ensures { result = inv1 _x } - axiom inv1 : forall x : Ghost.ghost_ty i . inv1 x = true - predicate invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + axiom inv1 : forall x : Snapshot.snap_ty i . 
inv1 x = true + predicate invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + val invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + val inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true predicate completed0 (self : borrowed i) val completed0 (self : borrowed i) : bool ensures { result = completed0 self } predicate resolve6 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve6 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve6 self } 
@@ -202,7 +217,7 @@ module C08CollectExtend_Extend use seq.Seq function shallow_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model2 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model2 ( * self) val shallow_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model0 self } @@ -217,7 +232,7 @@ module C08CollectExtend_Extend ensures { result = resolve4 self } predicate resolve3 (self : borrowed i) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve3 (self : borrowed i) : bool ensures { result = resolve3 self } 
@@ -230,33 +245,33 @@ module C08CollectExtend_Extend ensures { inv5 result } use seq.Seq - use prelude.Ghost + use prelude.Snapshot function shallow_model3 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t = - [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model0 self + [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model0 self val shallow_model3 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model3 self } - use prelude.Ghost - function shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + use prelude.Snapshot + function shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t = - [#"../../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model3 (Ghost.inner self) - val shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + [#"../../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model3 (Snapshot.inner self) + val shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t ensures { result = shallow_model1 self } - use prelude.Ghost - use prelude.Ghost - predicate resolve2 (self : Ghost.ghost_ty (Seq.seq t)) - val resolve2 (self : Ghost.ghost_ty (Seq.seq t)) : bool + use prelude.Snapshot + use prelude.Snapshot + predicate resolve2 (self : Snapshot.snap_ty (Seq.seq t)) + val resolve2 (self : Snapshot.snap_ty (Seq.seq t)) : bool ensures { result = resolve2 self } - use prelude.Ghost - predicate resolve1 (self : Ghost.ghost_ty i) - val resolve1 (self : Ghost.ghost_ty i) : bool + use prelude.Snapshot + predicate resolve1 (self : Snapshot.snap_ty i) + val resolve1 (self : Snapshot.snap_ty i) : bool 
ensures { result = resolve1 self } - use prelude.Ghost + use prelude.Snapshot predicate into_iter_post0 (self : i) (res : i) = [#"../../../../../creusot-contracts/src/std/iter.rs" 80 8 80 19] self = res val into_iter_post0 (self : i) (res : i) : bool @@ -273,11 +288,12 @@ module C08CollectExtend_Extend ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 89 0 166 1] into_iter_post0 self result } ensures { inv3 result } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + + val resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg extend [#"../08_collect_extend.rs" 25 0 25 66] [@cfg:stackify] [@cfg:subregion_analysis] (vec : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) (iter : i) : () requires {[#"../08_collect_extend.rs" 25 40 25 43] inv7 vec} requires {[#"../08_collect_extend.rs" 25 58 25 62] inv3 iter} 
@@ -287,15 +303,15 @@ module C08CollectExtend_Extend var _0 : (); var vec : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = vec; var iter : i = iter; - var old_vec : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); + var old_vec : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); var iter1 : i; - var iter_old : Ghost.ghost_ty i; - var produced : Ghost.ghost_ty (Seq.seq t); + var iter_old : Snapshot.snap_ty i; + var produced : Snapshot.snap_ty (Seq.seq t); var _17 : Core_Option_Option_Type.t_option t; var _18 : borrowed i; var _19 : borrowed i; var __creusot_proc_iter_elem : t; - var _22 : Ghost.ghost_ty (Seq.seq t); + var _22 : Snapshot.snap_ty (Seq.seq t); var x : t; var _25 : (); var _26 : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); 
@@ -306,24 +322,24 @@ module C08CollectExtend_Extend goto BB1 } BB1 { - [#"../08_collect_extend.rs" 26 18 26 29] old_vec <- ([#"../08_collect_extend.rs" 26 18 26 29] Ghost.new vec); + [#"../08_collect_extend.rs" 26 18 26 35] old_vec <- ([#"../08_collect_extend.rs" 26 18 26 35] Snapshot.new vec); goto BB2 } BB2 { assert { [@expl:type invariant] inv0 old_vec }; assume { resolve0 old_vec }; - [#"../08_collect_extend.rs" 27 4 27 35] iter1 <- ([#"../08_collect_extend.rs" 27 4 27 35] into_iter0 ([#"../08_collect_extend.rs" 29 13 29 17] iter)); - [#"../08_collect_extend.rs" 29 13 29 17] iter <- any i; + [#"../08_collect_extend.rs" 27 4 27 35] iter1 <- ([#"../08_collect_extend.rs" 27 4 27 35] into_iter0 iter); + iter <- any i; goto BB3 } BB3 { - [#"../08_collect_extend.rs" 27 4 27 35] iter_old <- ([#"../08_collect_extend.rs" 27 4 27 35] Ghost.new iter1); + [#"../08_collect_extend.rs" 27 4 27 35] iter_old <- ([#"../08_collect_extend.rs" 27 4 27 35] Snapshot.new iter1); goto BB4 } BB4 { assert { [@expl:type invariant] inv1 iter_old }; assume { resolve1 iter_old }; - [#"../08_collect_extend.rs" 27 4 27 35] produced <- ([#"../08_collect_extend.rs" 27 4 27 35] Ghost.new (Seq.empty )); + [#"../08_collect_extend.rs" 27 4 27 35] produced <- ([#"../08_collect_extend.rs" 27 4 27 35] Snapshot.new (Seq.empty )); goto BB5 } BB5 { 
@@ -339,9 +355,9 @@ module C08CollectExtend_Extend } BB8 { invariant { [#"../08_collect_extend.rs" 27 4 27 35] inv3 iter1 }; - invariant { [#"../08_collect_extend.rs" 27 4 27 35] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter1 }; - invariant { [#"../08_collect_extend.rs" 27 16 27 33] ^ Ghost.inner old_vec = ^ vec }; - invariant { [#"../08_collect_extend.rs" 27 4 27 35] Seq.(==) (shallow_model0 vec) (Seq.(++) (shallow_model1 old_vec) (Ghost.inner produced)) }; + invariant { [#"../08_collect_extend.rs" 27 4 27 35] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter1 }; + invariant { [#"../08_collect_extend.rs" 27 16 27 33] ^ Snapshot.inner old_vec = ^ vec }; + invariant { [#"../08_collect_extend.rs" 27 4 27 35] Seq.(==) (shallow_model0 vec) (Seq.(++) (shallow_model1 old_vec) (Snapshot.inner produced)) }; goto BB9 } BB9 { 
@@ -377,36 +393,36 @@ module C08CollectExtend_Extend goto BB14 } BB13 { - assert { [@expl:type invariant] inv5 _17 }; - assume { resolve4 _17 }; assert { [@expl:type invariant] inv3 iter1 }; assume { resolve5 iter1 }; assert { [@expl:type invariant] inv7 vec }; assume { resolve6 vec }; + assert { [@expl:type invariant] inv5 _17 }; + assume { resolve4 _17 }; assert { [#"../08_collect_extend.rs" 27 4 27 35] false }; absurd } BB14 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _17); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] _17 <- (let Core_Option_Option_Type.C_Some x0 = _17 in Core_Option_Option_Type.C_Some (any t)); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _17; + _17 <- (let Core_Option_Option_Type.C_Some x0 = _17 in Core_Option_Option_Type.C_Some (any t)); assert { [@expl:type invariant] inv5 _17 }; assume { resolve4 _17 }; - [#"../08_collect_extend.rs" 27 4 27 35] _22 <- ([#"../08_collect_extend.rs" 27 4 27 35] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../08_collect_extend.rs" 27 4 27 35] _22 <- ([#"../08_collect_extend.rs" 27 4 27 35] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB15 } BB15 { - [#"../08_collect_extend.rs" 27 4 27 35] produced <- ([#"../08_collect_extend.rs" 27 4 27 35] _22); - [#"../08_collect_extend.rs" 27 4 27 35] _22 <- any Ghost.ghost_ty (Seq.seq t); + [#"../08_collect_extend.rs" 27 4 27 35] produced <- _22; + _22 <- any Snapshot.snap_ty (Seq.seq t); assert { [@expl:type invariant] inv2 produced }; assume { resolve2 produced }; - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] x <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] 
__creusot_proc_iter_elem); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- any t; + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] x <- __creusot_proc_iter_elem; + __creusot_proc_iter_elem <- any t; [#"../08_collect_extend.rs" 30 8 30 11] _26 <- Borrow.borrow_mut ( * vec); [#"../08_collect_extend.rs" 30 8 30 11] vec <- { vec with current = ( ^ _26) ; }; assume { inv6 ( ^ _26) }; - [#"../08_collect_extend.rs" 30 8 30 19] _25 <- ([#"../08_collect_extend.rs" 30 8 30 19] push0 _26 ([#"../08_collect_extend.rs" 30 17 30 18] x)); + [#"../08_collect_extend.rs" 30 8 30 19] _25 <- ([#"../08_collect_extend.rs" 30 8 30 19] push0 _26 x); _26 <- any borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); - [#"../08_collect_extend.rs" 30 17 30 18] x <- any t; + x <- any t; goto BB16 } BB16 { 
@@ -481,7 +497,8 @@ module C08CollectExtend_Collect requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec item0 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec item0 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant5 (self : Alloc_Vec_Vec_Type.t_vec item0 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv6 (shallow_model0 self) val invariant5 (self : Alloc_Vec_Vec_Type.t_vec item0 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -527,38 +544,46 @@ module C08CollectExtend_Collect requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv2 a) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv6 ab) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv2 b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv6 bc) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv2 c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv2 a) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv6 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv2 b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv6 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv2 c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : i) : () val produces_refl0 (self : i) : () requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . 
([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces0 self (Seq.empty ) self) predicate invariant2 (self : i) val invariant2 (self : i) : bool ensures { result = invariant2 self } axiom inv2 : forall x : i . inv2 x = true - use prelude.Ghost - predicate invariant1 (self : Ghost.ghost_ty (Seq.seq item0)) - val invariant1 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + use prelude.Snapshot + predicate invariant1 (self : Snapshot.snap_ty (Seq.seq item0)) + val invariant1 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = invariant1 self } - predicate inv1 (_x : Ghost.ghost_ty (Seq.seq item0)) - val inv1 (_x : Ghost.ghost_ty (Seq.seq item0)) : bool + predicate inv1 (_x : Snapshot.snap_ty (Seq.seq item0)) + val inv1 (_x : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = inv1 _x } - axiom inv1 : forall x : Ghost.ghost_ty (Seq.seq item0) . inv1 x = true - predicate invariant0 (self : Ghost.ghost_ty i) - val invariant0 (self : Ghost.ghost_ty i) : bool + axiom inv1 : forall x : Snapshot.snap_ty (Seq.seq item0) . inv1 x = true + predicate invariant0 (self : Snapshot.snap_ty i) + val invariant0 (self : Snapshot.snap_ty i) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty i) - val inv0 (_x : Ghost.ghost_ty i) : bool + predicate inv0 (_x : Snapshot.snap_ty i) + val inv0 (_x : Snapshot.snap_ty i) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty i . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty i . inv0 x = true predicate completed0 (self : borrowed i) val completed0 (self : borrowed i) : bool ensures { result = completed0 self } 
@@ -576,7 +601,8 @@ module C08CollectExtend_Collect ensures { result = index_logic0 self ix } predicate resolve5 (self : Alloc_Vec_Vec_Type.t_vec item0 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve6 (index_logic0 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve6 (index_logic0 self i) val resolve5 (self : Alloc_Vec_Vec_Type.t_vec item0 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve5 self } @@ -588,7 +614,7 @@ module C08CollectExtend_Collect function shallow_model2 (self : borrowed (Alloc_Vec_Vec_Type.t_vec item0 (Alloc_Alloc_Global_Type.t_global))) : Seq.seq item0 = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model0 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model0 ( * self) val shallow_model2 (self : borrowed (Alloc_Vec_Vec_Type.t_vec item0 (Alloc_Alloc_Global_Type.t_global))) : Seq.seq item0 ensures { result = shallow_model2 self } @@ -603,7 +629,7 @@ module C08CollectExtend_Collect ensures { result = resolve3 self } predicate resolve2 (self : borrowed i) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed i) : bool ensures { result = resolve2 self } 
@@ -616,19 +642,19 @@ module C08CollectExtend_Collect ensures { inv4 result } use seq.Seq - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - predicate resolve1 (self : Ghost.ghost_ty (Seq.seq item0)) - val resolve1 (self : Ghost.ghost_ty (Seq.seq item0)) : bool + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + predicate resolve1 (self : Snapshot.snap_ty (Seq.seq item0)) + val resolve1 (self : Snapshot.snap_ty (Seq.seq item0)) : bool ensures { result = resolve1 self } - use prelude.Ghost - predicate resolve0 (self : Ghost.ghost_ty i) - val resolve0 (self : Ghost.ghost_ty i) : bool + use prelude.Snapshot + predicate resolve0 (self : Snapshot.snap_ty i) + val resolve0 (self : Snapshot.snap_ty i) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot predicate into_iter_post0 (self : i) (res : i) = [#"../../../../../creusot-contracts/src/std/iter.rs" 80 8 80 19] self = res val into_iter_post0 (self : i) (res : i) : bool @@ -659,13 +685,13 @@ module C08CollectExtend_Collect var iter : i = iter; var res : Alloc_Vec_Vec_Type.t_vec item0 (Alloc_Alloc_Global_Type.t_global); var iter1 : i; - var iter_old : Ghost.ghost_ty i; - var produced : Ghost.ghost_ty (Seq.seq item0); + var iter_old : Snapshot.snap_ty i; + var produced : Snapshot.snap_ty (Seq.seq item0); var _15 : Core_Option_Option_Type.t_option item0; var _16 : borrowed i; var _17 : borrowed i; var __creusot_proc_iter_elem : item0; - var _20 : Ghost.ghost_ty (Seq.seq item0); + var _20 : Snapshot.snap_ty (Seq.seq item0); var x : item0; var _23 : (); var _24 : borrowed (Alloc_Vec_Vec_Type.t_vec item0 (Alloc_Alloc_Global_Type.t_global)); 
@@ -676,22 +702,22 @@ module C08CollectExtend_Collect goto BB1 } BB1 { - [#"../08_collect_extend.rs" 43 18 43 28] res <- ([#"../08_collect_extend.rs" 43 18 43 28] new0 ()); + [#"../08_collect_extend.rs" 43 18 43 28] res <- ([#"../08_collect_extend.rs" 43 18 43 28] new0 ([#"../08_collect_extend.rs" 43 18 43 28] ())); goto BB2 } BB2 { - [#"../08_collect_extend.rs" 45 4 45 40] iter1 <- ([#"../08_collect_extend.rs" 45 4 45 40] into_iter0 ([#"../08_collect_extend.rs" 46 13 46 17] iter)); - [#"../08_collect_extend.rs" 46 13 46 17] iter <- any i; + [#"../08_collect_extend.rs" 45 4 45 40] iter1 <- ([#"../08_collect_extend.rs" 45 4 45 40] into_iter0 iter); + iter <- any i; goto BB3 } BB3 { - [#"../08_collect_extend.rs" 45 4 45 40] iter_old <- ([#"../08_collect_extend.rs" 45 4 45 40] Ghost.new iter1); + [#"../08_collect_extend.rs" 45 4 45 40] iter_old <- ([#"../08_collect_extend.rs" 45 4 45 40] Snapshot.new iter1); goto BB4 } BB4 { assert { [@expl:type invariant] inv0 iter_old }; assume { resolve0 iter_old }; - [#"../08_collect_extend.rs" 45 4 45 40] produced <- ([#"../08_collect_extend.rs" 45 4 45 40] Ghost.new (Seq.empty )); + [#"../08_collect_extend.rs" 45 4 45 40] produced <- ([#"../08_collect_extend.rs" 45 4 45 40] Snapshot.new (Seq.empty )); goto BB5 } BB5 { @@ -710,8 +736,8 @@ module C08CollectExtend_Collect } BB9 { invariant { [#"../08_collect_extend.rs" 45 4 45 40] inv2 iter1 }; - invariant { [#"../08_collect_extend.rs" 45 4 45 40] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter1 }; - invariant { [#"../08_collect_extend.rs" 45 4 45 40] Seq.(==) (shallow_model0 res) (Ghost.inner produced) }; + invariant { [#"../08_collect_extend.rs" 45 4 45 40] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter1 }; + invariant { [#"../08_collect_extend.rs" 45 4 45 40] Seq.(==) (shallow_model0 res) (Snapshot.inner produced) }; goto BB10 } BB10 { 
@@ -744,36 +770,36 @@ module C08CollectExtend_Collect goto BB15 } BB14 { - assert { [@expl:type invariant] inv4 _15 }; - assume { resolve3 _15 }; assert { [@expl:type invariant] inv2 iter1 }; assume { resolve4 iter1 }; assert { [@expl:type invariant] inv5 res }; assume { resolve5 res }; + assert { [@expl:type invariant] inv4 _15 }; + assume { resolve3 _15 }; assert { [#"../08_collect_extend.rs" 45 4 45 40] false }; absurd } BB15 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _15); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] _15 <- (let Core_Option_Option_Type.C_Some x0 = _15 in Core_Option_Option_Type.C_Some (any item0)); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _15; + _15 <- (let Core_Option_Option_Type.C_Some x0 = _15 in Core_Option_Option_Type.C_Some (any item0)); assert { [@expl:type invariant] inv4 _15 }; assume { resolve3 _15 }; - [#"../08_collect_extend.rs" 45 4 45 40] _20 <- ([#"../08_collect_extend.rs" 45 4 45 40] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../08_collect_extend.rs" 45 4 45 40] _20 <- ([#"../08_collect_extend.rs" 45 4 45 40] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB16 } BB16 { - [#"../08_collect_extend.rs" 45 4 45 40] produced <- ([#"../08_collect_extend.rs" 45 4 45 40] _20); - [#"../08_collect_extend.rs" 45 4 45 40] _20 <- any Ghost.ghost_ty (Seq.seq item0); + [#"../08_collect_extend.rs" 45 4 45 40] produced <- _20; + _20 <- any Snapshot.snap_ty (Seq.seq item0); assert { [@expl:type invariant] inv1 produced }; assume { resolve1 produced }; - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] x <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 
51] __creusot_proc_iter_elem); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- any item0; + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] x <- __creusot_proc_iter_elem; + __creusot_proc_iter_elem <- any item0; [#"../08_collect_extend.rs" 47 8 47 11] _24 <- Borrow.borrow_mut res; [#"../08_collect_extend.rs" 47 8 47 11] res <- ^ _24; assume { inv5 ( ^ _24) }; - [#"../08_collect_extend.rs" 47 8 47 19] _23 <- ([#"../08_collect_extend.rs" 47 8 47 19] push0 _24 ([#"../08_collect_extend.rs" 47 17 47 18] x)); + [#"../08_collect_extend.rs" 47 8 47 19] _23 <- ([#"../08_collect_extend.rs" 47 8 47 19] push0 _24 x); _24 <- any borrowed (Alloc_Vec_Vec_Type.t_vec item0 (Alloc_Alloc_Global_Type.t_global)); - [#"../08_collect_extend.rs" 47 17 47 18] x <- any item0; + x <- any item0; goto BB17 } BB17 { @@ -792,8 +818,8 @@ module C08CollectExtend_Collect goto BB22 } BB22 { - [#"../08_collect_extend.rs" 49 4 49 7] _0 <- ([#"../08_collect_extend.rs" 49 4 49 7] res); - [#"../08_collect_extend.rs" 49 4 49 7] res <- any Alloc_Vec_Vec_Type.t_vec item0 (Alloc_Alloc_Global_Type.t_global); + [#"../08_collect_extend.rs" 49 4 49 7] _0 <- res; + res <- any Alloc_Vec_Vec_Type.t_vec item0 (Alloc_Alloc_Global_Type.t_global); goto BB23 } BB23 { @@ -817,7 +843,7 @@ module Alloc_Vec_IntoIter_IntoIter_Type use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type type t_intoiter 't 'a = - | C_IntoIter (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) usize (Core_Mem_ManuallyDrop_ManuallyDrop_Type.t_manuallydrop 'a) opaque_ptr opaque_ptr + | C_IntoIter (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) usize (Core_Mem_ManuallyDrop_ManuallyDrop_Type.t_manuallydrop 'a) (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) opaque_ptr end module C08CollectExtend_ExtendIndex 
@@ -871,7 +897,14 @@ module C08CollectExtend_ExtendIndex requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv3 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global), ab : Seq.seq uint32, b : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global), bc : Seq.seq uint32, c : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 248 15 248 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 249 15 249 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 22 251 23] inv3 a) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 31 251 33] inv5 ab) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 43 251 44] inv3 b) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 52 251 54] inv5 bc) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv3 c) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 250 14 250 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global), ab : Seq.seq uint32, b : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global), bc : Seq.seq uint32, c : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global) . 
([#"../../../../../creusot-contracts/src/std/vec.rs" 248 15 248 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 249 15 249 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 22 251 23] inv3 a) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 31 251 33] inv5 ab) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 43 251 44] inv3 b) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 52 251 54] inv5 bc) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv3 c) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 250 14 250 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global)) : () @@ -881,7 +914,8 @@ module C08CollectExtend_ExtendIndex requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv3 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 243 14 243 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 243 14 243 45] produces0 self (Seq.empty ) self) use prelude.Borrow predicate invariant6 (self : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global))) 
@@ -933,7 +967,8 @@ module C08CollectExtend_ExtendIndex requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv5 (shallow_model0 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool @@ -960,7 +995,7 @@ module C08CollectExtend_ExtendIndex ensures { result = inv0 _x } axiom inv0 : forall x : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . inv0 x = true - use prelude.Ghost + use prelude.Snapshot use seq.Seq use prelude.Slice function shallow_model6 (self : slice uint32) : Seq.seq uint32 
@@ -968,20 +1003,21 @@ module C08CollectExtend_ExtendIndex requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv7 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv5 (shallow_model6 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv5 (shallow_model6 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) function shallow_model2 (self : slice uint32) : Seq.seq uint32 = - [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model6 self + [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model6 self val shallow_model2 (self : slice uint32) : Seq.seq uint32 ensures { result = shallow_model2 self } - use prelude.Ghost - function shallow_model1 (self : Ghost.ghost_ty (slice uint32)) : Seq.seq uint32 = - [#"../../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model2 (Ghost.inner self) - val shallow_model1 (self : Ghost.ghost_ty (slice uint32)) : Seq.seq uint32 + use prelude.Snapshot + function shallow_model1 (self : Snapshot.snap_ty (slice uint32)) : Seq.seq uint32 = + [#"../../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model2 (Snapshot.inner self) + val shallow_model1 (self : 
Snapshot.snap_ty (slice uint32)) : Seq.seq uint32 ensures { result = shallow_model1 self } predicate resolve2 (self : uint32) = - [#"../../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true + [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve2 (self : uint32) : bool ensures { result = resolve2 self } 
@@ -994,33 +1030,34 @@ module C08CollectExtend_ExtendIndex ensures { result = index_logic0 self ix } predicate resolve1 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve2 (index_logic0 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve2 (index_logic0 self i) val resolve1 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve1 self } predicate resolve0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve0 self } function shallow_model4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global))) : Seq.seq uint32 = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model0 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model0 ( * self) val shallow_model4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global))) : Seq.seq uint32 ensures { result = shallow_model4 self } function shallow_model8 (self : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global))) : Seq.seq uint32 = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model7 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model7 ( * self) val shallow_model8 (self : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 
(Alloc_Alloc_Global_Type.t_global))) : Seq.seq uint32 ensures { result = shallow_model8 self } predicate resolve3 (self : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve3 (self : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter uint32 (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve3 self } @@ -1054,9 +1091,9 @@ module C08CollectExtend_ExtendIndex ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 89 0 166 1] into_iter_post0 self result } ensures { inv3 result } - use prelude.Ghost + use prelude.Snapshot function shallow_model3 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : Seq.seq uint32 = - [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model0 self + [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model0 self val shallow_model3 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : Seq.seq uint32 ensures { result = shallow_model3 self } @@ -1071,8 +1108,8 @@ module C08CollectExtend_ExtendIndex var _0 : (); var v1 : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) = v1; var v2 : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) = v2; - var oldv1 : Ghost.ghost_ty (slice uint32); - var oldv2 : Ghost.ghost_ty (slice uint32); + var oldv1 : Snapshot.snap_ty (slice uint32); + var oldv2 : Snapshot.snap_ty (slice uint32); var _7 : (); var _8 : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)); var _9 : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)); 
@@ -1081,11 +1118,11 @@ module C08CollectExtend_ExtendIndex goto BB0 } BB0 { - [#"../08_collect_extend.rs" 53 16 53 27] oldv1 <- ([#"../08_collect_extend.rs" 53 16 53 27] Ghost.new (deref0 v1)); + [#"../08_collect_extend.rs" 53 16 53 33] oldv1 <- ([#"../08_collect_extend.rs" 53 16 53 33] Snapshot.new (deref0 v1)); goto BB1 } BB1 { - [#"../08_collect_extend.rs" 54 16 54 27] oldv2 <- ([#"../08_collect_extend.rs" 54 16 54 27] Ghost.new (deref0 v2)); + [#"../08_collect_extend.rs" 54 16 54 33] oldv2 <- ([#"../08_collect_extend.rs" 54 16 54 33] Snapshot.new (deref0 v2)); goto BB2 } BB2 { @@ -1093,8 +1130,8 @@ module C08CollectExtend_ExtendIndex [#"../08_collect_extend.rs" 55 11 55 18] v1 <- ^ _9; [#"../08_collect_extend.rs" 55 11 55 18] _8 <- Borrow.borrow_final ( * _9) (Borrow.get_id _9); [#"../08_collect_extend.rs" 55 11 55 18] _9 <- { _9 with current = ( ^ _8) ; }; - [#"../08_collect_extend.rs" 55 20 55 34] _10 <- ([#"../08_collect_extend.rs" 55 20 55 34] into_iter0 ([#"../08_collect_extend.rs" 55 20 55 22] v2)); - [#"../08_collect_extend.rs" 55 20 55 22] v2 <- any Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global); + [#"../08_collect_extend.rs" 55 20 55 34] _10 <- ([#"../08_collect_extend.rs" 55 20 55 34] into_iter0 v2); + v2 <- any Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global); goto BB3 } BB3 { 
@@ -1146,7 +1183,8 @@ module C08CollectExtend_CollectExample requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1189,14 +1227,22 @@ module C08CollectExtend_CollectExample requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq uint32, b : i, bc : Seq.seq uint32, c : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv1 ab) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv1 bc) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq uint32, b : i, bc : Seq.seq uint32, c : i . 
([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv1 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv1 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : i) : () val produces_refl0 (self : i) : () requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : i) val invariant0 (self : i) : bool ensures { result = invariant0 self } 
@@ -1212,12 +1258,13 @@ module C08CollectExtend_CollectExample ensures { result = index_logic0 self ix } predicate resolve1 (self : uint32) = - [#"../../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true + [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve1 (self : uint32) : bool ensures { result = resolve1 self } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve1 (index_logic0 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve1 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } @@ -1231,7 +1278,9 @@ module C08CollectExtend_CollectExample ensures { [#"../08_collect_extend.rs" 42 40 42 52] inv3 result } let rec cfg collect_example [#"../08_collect_extend.rs" 61 0 61 56] [@cfg:stackify] [@cfg:subregion_analysis] (iter : i) : () - requires {[#"../08_collect_extend.rs" 60 0 60 130] forall fin : i . forall prod : Seq.seq uint32 . inv0 fin -> produces0 iter prod fin -> (forall i : int . 0 <= i /\ i < Seq.length prod -> UInt32.to_int (Seq.get prod i) = i)} + requires {[#"../08_collect_extend.rs" 60 0 60 130] forall fin : i . forall prod : Seq.seq uint32 . inv0 fin + -> produces0 iter prod fin + -> (forall i : int . 0 <= i /\ i < Seq.length prod -> UInt32.to_int (Seq.get prod i) = i)} requires {[#"../08_collect_extend.rs" 61 48 61 52] inv0 iter} = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -1245,13 +1294,14 @@ module C08CollectExtend_CollectExample goto BB1 } BB1 { - [#"../08_collect_extend.rs" 62 22 62 35] v <- ([#"../08_collect_extend.rs" 62 22 62 35] collect0 ([#"../08_collect_extend.rs" 62 30 62 34] iter)); - [#"../08_collect_extend.rs" 62 30 62 34] iter <- any i; + [#"../08_collect_extend.rs" 62 22 62 35] v <- ([#"../08_collect_extend.rs" 62 22 62 35] collect0 iter); + iter <- any i; goto BB2 } BB2 { assume { resolve0 v }; - assert { [@expl:assertion] [#"../08_collect_extend.rs" 64 4 64 75] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 v) -> UInt32.to_int (index_logic0 v i) = i }; + assert { [@expl:assertion] [#"../08_collect_extend.rs" 64 4 64 75] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 v) + -> UInt32.to_int (index_logic0 v i) = i }; goto BB3 } BB3 { diff --git a/creusot/tests/should_succeed/iterators/08_collect_extend.rs b/creusot/tests/should_succeed/iterators/08_collect_extend.rs index 166950392d..1a6d1857e3 100644 --- a/creusot/tests/should_succeed/iterators/08_collect_extend.rs +++ b/creusot/tests/should_succeed/iterators/08_collect_extend.rs @@ -23,7 +23,7 @@ use creusot_contracts::{ done.completed() && iter.produces(prod, *done) && (^vec)@ == vec@.concat(prod) )] pub fn extend>(vec: &mut Vec, iter: I) { - let old_vec = gh! { vec }; + let old_vec = snapshot! { vec }; #[invariant(^*old_vec == ^vec)] #[invariant(vec@.ext_eq(old_vec@.concat(*produced)))] for x in iter { @@ -50,8 +50,8 @@ pub fn collect(iter: I) -> Vec { } pub fn extend_index(mut v1: Vec, v2: Vec) { - let oldv1 = gh! { *v1 }; - let oldv2 = gh! { *v2 }; + let oldv1 = snapshot! { *v1 }; + let oldv2 = snapshot! { *v2 }; extend(&mut v1, v2.into_iter()); proof_assert! { v1@.ext_eq(oldv1@.concat(oldv2@)) }; diff --git a/creusot/tests/should_succeed/iterators/08_collect_extend/why3session.xml b/creusot/tests/should_succeed/iterators/08_collect_extend/why3session.xml index 1272e78d25..106d904224 100644 
--- a/creusot/tests/should_succeed/iterators/08_collect_extend/why3session.xml +++ b/creusot/tests/should_succeed/iterators/08_collect_extend/why3session.xml @@ -51,7 +51,7 @@ - + @@ -75,7 +75,7 @@ - + @@ -144,7 +144,7 @@ - + @@ -154,7 +154,7 @@ - + diff --git a/creusot/tests/should_succeed/iterators/08_collect_extend/why3shapes.gz b/creusot/tests/should_succeed/iterators/08_collect_extend/why3shapes.gz index c9201d300e..0ad26e67a4 100644 Binary files a/creusot/tests/should_succeed/iterators/08_collect_extend/why3shapes.gz and b/creusot/tests/should_succeed/iterators/08_collect_extend/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/iterators/09_empty.mlcfg b/creusot/tests/should_succeed/iterators/09_empty.mlcfg index aa0a110dd9..5277971fac 100644 --- a/creusot/tests/should_succeed/iterators/09_empty.mlcfg +++ b/creusot/tests/should_succeed/iterators/09_empty.mlcfg @@ -22,11 +22,9 @@ module C09Empty_Impl0_ProducesRefl_Impl val produces0 [#"../09_empty.rs" 21 4 21 64] (self : C09Empty_Empty_Type.t_empty t) (visited : Seq.seq t) (o : C09Empty_Empty_Type.t_empty t) : bool ensures { result = produces0 self visited o } - let rec ghost function produces_refl [#"../09_empty.rs" 28 4 28 26] (self : C09Empty_Empty_Type.t_empty t) : () - ensures { [#"../09_empty.rs" 27 14 27 45] produces0 self (Seq.empty ) self } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../09_empty.rs" 25 4 25 10] () + constant self : C09Empty_Empty_Type.t_empty t + function produces_refl [#"../09_empty.rs" 28 4 28 26] (self : C09Empty_Empty_Type.t_empty t) : () + goal vc_produces_refl : [#"../09_empty.rs" 27 14 27 45] produces0 self (Seq.empty ) self end module C09Empty_Impl0_ProducesTrans_Impl type t 
@@ -50,15 +48,18 @@ module C09Empty_Impl0_ProducesTrans_Impl val produces0 [#"../09_empty.rs" 21 4 21 64] (self : C09Empty_Empty_Type.t_empty t) (visited : Seq.seq t) (o : C09Empty_Empty_Type.t_empty t) : bool ensures { result = produces0 self visited o } - let rec ghost function produces_trans [#"../09_empty.rs" 35 4 35 90] (a : C09Empty_Empty_Type.t_empty t) (ab : Seq.seq t) (b : C09Empty_Empty_Type.t_empty t) (bc : Seq.seq t) (c : C09Empty_Empty_Type.t_empty t) : () - requires {[#"../09_empty.rs" 32 15 32 32] produces0 a ab b} - requires {[#"../09_empty.rs" 33 15 33 32] produces0 b bc c} - requires {[#"../09_empty.rs" 35 31 35 33] inv0 ab} - requires {[#"../09_empty.rs" 35 61 35 63] inv0 bc} - ensures { [#"../09_empty.rs" 34 14 34 42] produces0 a (Seq.(++) ab bc) c } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../09_empty.rs" 30 4 30 10] () + constant a : C09Empty_Empty_Type.t_empty t + constant ab : Seq.seq t + constant b : C09Empty_Empty_Type.t_empty t + constant bc : Seq.seq t + constant c : C09Empty_Empty_Type.t_empty t + function produces_trans [#"../09_empty.rs" 35 4 35 90] (a : C09Empty_Empty_Type.t_empty t) (ab : Seq.seq t) (b : C09Empty_Empty_Type.t_empty t) (bc : Seq.seq t) (c : C09Empty_Empty_Type.t_empty t) : () + + goal vc_produces_trans : ([#"../09_empty.rs" 35 61 35 63] inv0 bc) + -> ([#"../09_empty.rs" 35 31 35 33] inv0 ab) + -> ([#"../09_empty.rs" 33 15 33 32] produces0 b bc c) + -> ([#"../09_empty.rs" 32 15 32 32] produces0 a ab b) + -> ([#"../09_empty.rs" 34 14 34 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = 
@@ -91,7 +92,7 @@ module C09Empty_Impl0_Next use seq.Seq use prelude.Borrow predicate resolve0 (self : borrowed (C09Empty_Empty_Type.t_empty t)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (C09Empty_Empty_Type.t_empty t)) : bool ensures { result = resolve0 self } 
@@ -115,44 +116,44 @@ module C09Empty_Impl0_Next } BB0 { assume { resolve0 self }; - [#"../09_empty.rs" 42 8 42 12] _0 <- ([#"../09_empty.rs" 42 8 42 12] Core_Option_Option_Type.C_None); + [#"../09_empty.rs" 42 8 42 12] _0 <- Core_Option_Option_Type.C_None; return _0 } end module C09Empty_Impl0 type t - use Core_Option_Option_Type as Core_Option_Option_Type - predicate invariant3 (self : Core_Option_Option_Type.t_option t) - val invariant3 (self : Core_Option_Option_Type.t_option t) : bool + use seq.Seq + predicate invariant3 (self : Seq.seq t) + val invariant3 (self : Seq.seq t) : bool ensures { result = invariant3 self } - predicate inv3 (_x : Core_Option_Option_Type.t_option t) - val inv3 (_x : Core_Option_Option_Type.t_option t) : bool + predicate inv3 (_x : Seq.seq t) + val inv3 (_x : Seq.seq t) : bool ensures { result = inv3 _x } - axiom inv3 : forall x : Core_Option_Option_Type.t_option t . inv3 x = true - use C09Empty_Empty_Type as C09Empty_Empty_Type - use prelude.Borrow - predicate invariant2 (self : borrowed (C09Empty_Empty_Type.t_empty t)) - val invariant2 (self : borrowed (C09Empty_Empty_Type.t_empty t)) : bool + axiom inv3 : forall x : Seq.seq t . inv3 x = true + use Core_Option_Option_Type as Core_Option_Option_Type + predicate invariant2 (self : Core_Option_Option_Type.t_option t) + val invariant2 (self : Core_Option_Option_Type.t_option t) : bool ensures { result = invariant2 self } - predicate inv2 (_x : borrowed (C09Empty_Empty_Type.t_empty t)) - val inv2 (_x : borrowed (C09Empty_Empty_Type.t_empty t)) : bool + predicate inv2 (_x : Core_Option_Option_Type.t_option t) + val inv2 (_x : Core_Option_Option_Type.t_option t) : bool ensures { result = inv2 _x } - axiom inv2 : forall x : borrowed (C09Empty_Empty_Type.t_empty t) . inv2 x = true - use seq.Seq - predicate invariant1 (self : Seq.seq t) - val invariant1 (self : Seq.seq t) : bool + axiom inv2 : forall x : Core_Option_Option_Type.t_option t . 
inv2 x = true + use C09Empty_Empty_Type as C09Empty_Empty_Type + use prelude.Borrow + predicate invariant1 (self : borrowed (C09Empty_Empty_Type.t_empty t)) + val invariant1 (self : borrowed (C09Empty_Empty_Type.t_empty t)) : bool ensures { result = invariant1 self } - predicate inv1 (_x : Seq.seq t) - val inv1 (_x : Seq.seq t) : bool + predicate inv1 (_x : borrowed (C09Empty_Empty_Type.t_empty t)) + val inv1 (_x : borrowed (C09Empty_Empty_Type.t_empty t)) : bool ensures { result = inv1 _x } - axiom inv1 : forall x : Seq.seq t . inv1 x = true + axiom inv1 : forall x : borrowed (C09Empty_Empty_Type.t_empty t) . inv1 x = true predicate invariant0 (self : C09Empty_Empty_Type.t_empty t) val invariant0 (self : C09Empty_Empty_Type.t_empty t) : bool ensures { result = invariant0 self } @@ -163,8 +164,9 @@ module C09Empty_Impl0 axiom inv0 : forall x : C09Empty_Empty_Type.t_empty t . inv0 x = true use seq.Seq + use seq.Seq predicate resolve0 (self : borrowed (C09Empty_Empty_Type.t_empty t)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (C09Empty_Empty_Type.t_empty t)) : bool ensures { result = resolve0 self } @@ -173,7 +175,6 @@ module C09Empty_Impl0 val completed0 [#"../09_empty.rs" 15 4 15 35] (self : borrowed (C09Empty_Empty_Type.t_empty t)) : bool ensures { result = completed0 self } - use seq.Seq use seq.Seq use seq.Seq predicate produces0 [#"../09_empty.rs" 21 4 21 64] (self : C09Empty_Empty_Type.t_empty t) (visited : Seq.seq t) (o : C09Empty_Empty_Type.t_empty t) 
@@ -183,13 +184,18 @@ module C09Empty_Impl0 val produces0 [#"../09_empty.rs" 21 4 21 64] (self : C09Empty_Empty_Type.t_empty t) (visited : Seq.seq t) (o : C09Empty_Empty_Type.t_empty t) : bool ensures { result = produces0 self visited o } - goal produces_refl_refn : [#"../09_empty.rs" 28 4 28 26] forall self : C09Empty_Empty_Type.t_empty t . inv0 self -> (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal produces_trans_refn : [#"../09_empty.rs" 35 4 35 90] forall a : C09Empty_Empty_Type.t_empty t . forall ab : Seq.seq t . forall b : C09Empty_Empty_Type.t_empty t . forall bc : Seq.seq t . forall c : C09Empty_Empty_Type.t_empty t . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b -> inv1 bc /\ inv1 ab /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) - goal next_refn : [#"../09_empty.rs" 41 4 41 35] forall self : borrowed (C09Empty_Empty_Type.t_empty t) . inv2 self -> (forall result : Core_Option_Option_Type.t_option t . inv3 result /\ match result with + goal produces_refl_refn : [#"../09_empty.rs" 28 4 28 26] forall self : C09Empty_Empty_Type.t_empty t . inv0 self + -> (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal next_refn : [#"../09_empty.rs" 41 4 41 35] forall self : borrowed (C09Empty_Empty_Type.t_empty t) . inv1 self + -> (forall result : Core_Option_Option_Type.t_option t . 
inv2 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv3 result /\ match result with + end + -> inv2 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) + goal produces_trans_refn : [#"../09_empty.rs" 35 4 35 90] forall a : C09Empty_Empty_Type.t_empty t . forall ab : Seq.seq t . forall b : C09Empty_Empty_Type.t_empty t . forall bc : Seq.seq t . forall c : C09Empty_Empty_Type.t_empty t . inv0 c /\ inv3 bc /\ inv0 b /\ inv3 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b + -> inv3 bc /\ inv3 ab /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) end diff --git a/creusot/tests/should_succeed/iterators/09_empty.rs b/creusot/tests/should_succeed/iterators/09_empty.rs index 0fd5cb45f6..e0658ab9f2 100644 --- a/creusot/tests/should_succeed/iterators/09_empty.rs +++ b/creusot/tests/should_succeed/iterators/09_empty.rs @@ -11,7 +11,7 @@ impl Iterator for Empty { type Item = T; #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { self.resolve() } } diff --git a/creusot/tests/should_succeed/iterators/09_empty/why3session.xml b/creusot/tests/should_succeed/iterators/09_empty/why3session.xml index aa5a4de574..6401fbd274 100644 --- a/creusot/tests/should_succeed/iterators/09_empty/why3session.xml +++ b/creusot/tests/should_succeed/iterators/09_empty/why3session.xml @@ -1,18 +1,18 @@ +"https://www.why3.org/why3session.dtd"> - - + + - - + + @@ -21,15 +21,15 @@ - - - + + + 
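Review bot: The new `#[predicate(prophetic)]` on `completed` in 09_empty.rs has no comment stating why the marker is required, and the identical change in 10_once.rs (further down this diff) has the same gap. The body is `pearlite! { self.resolve() }`, and the generated mlcfg in this same diff defines `resolve0` on a borrowed value as `^ self = * self`, so the predicate presumably depends on the final value of the `&mut` borrow, which is what the marker appears to declare. Since these should_succeed fixtures double as reference examples for the attribute, a one-line comment above it would help: `// prophetic: resolve() on the &mut borrow refers to its final value ^self`. The 09_empty.rs hunk is complete within this line.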
diff --git a/creusot/tests/should_succeed/iterators/09_empty/why3shapes.gz b/creusot/tests/should_succeed/iterators/09_empty/why3shapes.gz index d7a57fcd7f..088a39e76a 100644 Binary files a/creusot/tests/should_succeed/iterators/09_empty/why3shapes.gz and b/creusot/tests/should_succeed/iterators/09_empty/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/iterators/10_once.mlcfg b/creusot/tests/should_succeed/iterators/10_once.mlcfg index c3807d8877..5608fd49d5 100644 --- a/creusot/tests/should_succeed/iterators/10_once.mlcfg +++ b/creusot/tests/should_succeed/iterators/10_once.mlcfg @@ -47,12 +47,10 @@ module C10Once_Impl0_ProducesRefl_Impl val produces0 [#"../10_once.rs" 21 4 21 64] (self : C10Once_Once_Type.t_once t) (visited : Seq.seq t) (o : C10Once_Once_Type.t_once t) : bool ensures { result = produces0 self visited o } - let rec ghost function produces_refl [#"../10_once.rs" 31 4 31 26] (self : C10Once_Once_Type.t_once t) : () - requires {[#"../10_once.rs" 31 21 31 25] inv0 self} - ensures { [#"../10_once.rs" 30 14 30 45] produces0 self (Seq.empty ) self } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../10_once.rs" 28 4 28 10] () + constant self : C10Once_Once_Type.t_once t + function produces_refl [#"../10_once.rs" 31 4 31 26] (self : C10Once_Once_Type.t_once t) : () + goal vc_produces_refl : ([#"../10_once.rs" 31 21 31 25] inv0 self) + -> ([#"../10_once.rs" 30 14 30 45] produces0 self (Seq.empty ) self) end module C10Once_Impl0_ProducesTrans_Impl type t 
@@ -96,18 +94,21 @@ module C10Once_Impl0_ProducesTrans_Impl val produces0 [#"../10_once.rs" 21 4 21 64] (self : C10Once_Once_Type.t_once t) (visited : Seq.seq t) (o : C10Once_Once_Type.t_once t) : bool ensures { result = produces0 self visited o } - let rec ghost function produces_trans [#"../10_once.rs" 38 4 38 90] (a : C10Once_Once_Type.t_once t) (ab : Seq.seq t) (b : C10Once_Once_Type.t_once t) (bc : Seq.seq t) (c : C10Once_Once_Type.t_once t) : () - requires {[#"../10_once.rs" 35 15 35 32] produces0 a ab b} - requires {[#"../10_once.rs" 36 15 36 32] produces0 b bc c} - requires {[#"../10_once.rs" 38 22 38 23] inv0 a} - requires {[#"../10_once.rs" 38 31 38 33] inv1 ab} - requires {[#"../10_once.rs" 38 52 38 53] inv0 b} - requires {[#"../10_once.rs" 38 61 38 63] inv1 bc} - requires {[#"../10_once.rs" 38 82 38 83] inv0 c} - ensures { [#"../10_once.rs" 37 14 37 42] produces0 a (Seq.(++) ab bc) c } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../10_once.rs" 33 4 33 10] () + constant a : C10Once_Once_Type.t_once t + constant ab : Seq.seq t + constant b : C10Once_Once_Type.t_once t + constant bc : Seq.seq t + constant c : C10Once_Once_Type.t_once t + function produces_trans [#"../10_once.rs" 38 4 38 90] (a : C10Once_Once_Type.t_once t) (ab : Seq.seq t) (b : C10Once_Once_Type.t_once t) (bc : Seq.seq t) (c : C10Once_Once_Type.t_once t) : () + + goal vc_produces_trans : ([#"../10_once.rs" 38 82 38 83] inv0 c) + -> ([#"../10_once.rs" 38 61 38 63] inv1 bc) + -> ([#"../10_once.rs" 38 52 38 53] inv0 b) + -> ([#"../10_once.rs" 38 31 38 33] inv1 ab) + -> ([#"../10_once.rs" 38 22 38 23] inv0 a) + -> ([#"../10_once.rs" 36 15 36 32] produces0 b bc c) + -> ([#"../10_once.rs" 35 15 35 32] produces0 a ab b) + -> ([#"../10_once.rs" 37 14 37 42] produces0 a (Seq.(++) ab bc) c) end module C10Once_Impl0_Next type t 
@@ -161,7 +162,7 @@ module C10Once_Impl0_Next ensures { result = produces0 self visited o } predicate resolve0 (self : borrowed (C10Once_Once_Type.t_once t)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (C10Once_Once_Type.t_once t)) : bool ensures { result = resolve0 self } @@ -257,8 +258,10 @@ module C10Once_Impl0 axiom inv0 : forall x : C10Once_Once_Type.t_once t . inv0 x = true use seq.Seq + use seq.Seq + use seq.Seq predicate resolve0 (self : borrowed (C10Once_Once_Type.t_once t)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (C10Once_Once_Type.t_once t)) : bool ensures { result = resolve0 self } @@ -267,8 +270,6 @@ module C10Once_Impl0 val completed0 [#"../10_once.rs" 15 4 15 35] (self : borrowed (C10Once_Once_Type.t_once t)) : bool ensures { result = completed0 self } - use seq.Seq - use seq.Seq use seq.Seq predicate produces0 [#"../10_once.rs" 21 4 21 64] (self : C10Once_Once_Type.t_once t) (visited : Seq.seq t) (o : C10Once_Once_Type.t_once t) 
@@ -277,13 +278,18 @@ module C10Once_Impl0 val produces0 [#"../10_once.rs" 21 4 21 64] (self : C10Once_Once_Type.t_once t) (visited : Seq.seq t) (o : C10Once_Once_Type.t_once t) : bool ensures { result = produces0 self visited o } - goal produces_trans_refn : [#"../10_once.rs" 38 4 38 90] forall a : C10Once_Once_Type.t_once t . forall ab : Seq.seq t . forall b : C10Once_Once_Type.t_once t . forall bc : Seq.seq t . forall c : C10Once_Once_Type.t_once t . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) - goal produces_refl_refn : [#"../10_once.rs" 31 4 31 26] forall self : C10Once_Once_Type.t_once t . inv0 self -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal next_refn : [#"../10_once.rs" 44 4 44 35] forall self : borrowed (C10Once_Once_Type.t_once t) . inv2 self -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option t . inv3 result /\ match result with + goal produces_trans_refn : [#"../10_once.rs" 38 4 38 90] forall a : C10Once_Once_Type.t_once t . forall ab : Seq.seq t . forall b : C10Once_Once_Type.t_once t . forall bc : Seq.seq t . forall c : C10Once_Once_Type.t_once t . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b + -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) + goal next_refn : [#"../10_once.rs" 44 4 44 35] forall self : borrowed (C10Once_Once_Type.t_once t) . inv2 self + -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option t . 
inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv3 result /\ match result with + end + -> inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) + goal produces_refl_refn : [#"../10_once.rs" 31 4 31 26] forall self : C10Once_Once_Type.t_once t . inv0 self + -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) end diff --git a/creusot/tests/should_succeed/iterators/10_once.rs b/creusot/tests/should_succeed/iterators/10_once.rs index bf2e7392ce..3562488054 100644 --- a/creusot/tests/should_succeed/iterators/10_once.rs +++ b/creusot/tests/should_succeed/iterators/10_once.rs @@ -11,7 +11,7 @@ impl Iterator for Once { type Item = T; #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { *self == Once(None) && self.resolve() } } diff --git a/creusot/tests/should_succeed/iterators/10_once/why3session.xml b/creusot/tests/should_succeed/iterators/10_once/why3session.xml index 01828c4b5a..a4d1cb9ffe 100644 --- a/creusot/tests/should_succeed/iterators/10_once/why3session.xml +++ b/creusot/tests/should_succeed/iterators/10_once/why3session.xml @@ -1,20 +1,20 @@ +"https://www.why3.org/why3session.dtd"> - - + + - + - - + + @@ -25,13 +25,13 @@ - + - + diff --git a/creusot/tests/should_succeed/iterators/10_once/why3shapes.gz b/creusot/tests/should_succeed/iterators/10_once/why3shapes.gz index 22af7df85b..961a920272 100644 Binary files a/creusot/tests/should_succeed/iterators/10_once/why3shapes.gz and b/creusot/tests/should_succeed/iterators/10_once/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/iterators/11_repeat.mlcfg b/creusot/tests/should_succeed/iterators/11_repeat.mlcfg index 0537f4533d..b24d183ced 100644 
--- a/creusot/tests/should_succeed/iterators/11_repeat.mlcfg +++ b/creusot/tests/should_succeed/iterators/11_repeat.mlcfg @@ -27,17 +27,16 @@ module C11Repeat_Impl0_ProducesRefl_Impl predicate produces0 [#"../11_repeat.rs" 23 4 23 64] (self : C11Repeat_Repeat_Type.t_repeat a) (visited : Seq.seq a) (o : C11Repeat_Repeat_Type.t_repeat a) = - [#"../11_repeat.rs" 24 8 27 9] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = C11Repeat_Repeat_Type.repeat_element self) + [#"../11_repeat.rs" 24 8 27 9] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> Seq.get visited i = C11Repeat_Repeat_Type.repeat_element self) val produces0 [#"../11_repeat.rs" 23 4 23 64] (self : C11Repeat_Repeat_Type.t_repeat a) (visited : Seq.seq a) (o : C11Repeat_Repeat_Type.t_repeat a) : bool ensures { result = produces0 self visited o } use seq.Seq - let rec ghost function produces_refl [#"../11_repeat.rs" 33 4 33 26] (self : C11Repeat_Repeat_Type.t_repeat a) : () - requires {[#"../11_repeat.rs" 33 21 33 25] inv0 self} - ensures { [#"../11_repeat.rs" 32 14 32 45] produces0 self (Seq.empty ) self } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../11_repeat.rs" 30 4 30 10] () + constant self : C11Repeat_Repeat_Type.t_repeat a + function produces_refl [#"../11_repeat.rs" 33 4 33 26] (self : C11Repeat_Repeat_Type.t_repeat a) : () + goal vc_produces_refl : ([#"../11_repeat.rs" 33 21 33 25] inv0 self) + -> ([#"../11_repeat.rs" 32 14 32 45] produces0 self (Seq.empty ) self) end module C11Repeat_Impl0_ProducesTrans_Impl type a 
@@ -68,22 +67,26 @@ module C11Repeat_Impl0_ProducesTrans_Impl predicate produces0 [#"../11_repeat.rs" 23 4 23 64] (self : C11Repeat_Repeat_Type.t_repeat a) (visited : Seq.seq a) (o : C11Repeat_Repeat_Type.t_repeat a) = - [#"../11_repeat.rs" 24 8 27 9] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = C11Repeat_Repeat_Type.repeat_element self) + [#"../11_repeat.rs" 24 8 27 9] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> Seq.get visited i = C11Repeat_Repeat_Type.repeat_element self) val produces0 [#"../11_repeat.rs" 23 4 23 64] (self : C11Repeat_Repeat_Type.t_repeat a) (visited : Seq.seq a) (o : C11Repeat_Repeat_Type.t_repeat a) : bool ensures { result = produces0 self visited o } - let rec ghost function produces_trans [#"../11_repeat.rs" 40 4 40 90] (a : C11Repeat_Repeat_Type.t_repeat a) (ab : Seq.seq a) (b : C11Repeat_Repeat_Type.t_repeat a) (bc : Seq.seq a) (c : C11Repeat_Repeat_Type.t_repeat a) : () - requires {[#"../11_repeat.rs" 37 15 37 32] produces0 a ab b} - requires {[#"../11_repeat.rs" 38 15 38 32] produces0 b bc c} - requires {[#"../11_repeat.rs" 40 22 40 23] inv0 a} - requires {[#"../11_repeat.rs" 40 31 40 33] inv1 ab} - requires {[#"../11_repeat.rs" 40 52 40 53] inv0 b} - requires {[#"../11_repeat.rs" 40 61 40 63] inv1 bc} - requires {[#"../11_repeat.rs" 40 82 40 83] inv0 c} - ensures { [#"../11_repeat.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../11_repeat.rs" 35 4 35 10] () + constant a : C11Repeat_Repeat_Type.t_repeat a + constant ab : Seq.seq a + constant b : C11Repeat_Repeat_Type.t_repeat a + constant bc : Seq.seq a + constant c : C11Repeat_Repeat_Type.t_repeat a + function produces_trans [#"../11_repeat.rs" 40 4 40 90] (a : C11Repeat_Repeat_Type.t_repeat a) (ab : Seq.seq a) (b : C11Repeat_Repeat_Type.t_repeat a) (bc : Seq.seq a) (c : C11Repeat_Repeat_Type.t_repeat a) : () + + goal vc_produces_trans : ([#"../11_repeat.rs" 40 82 40 83] inv0 
c) + -> ([#"../11_repeat.rs" 40 61 40 63] inv1 bc) + -> ([#"../11_repeat.rs" 40 52 40 53] inv0 b) + -> ([#"../11_repeat.rs" 40 31 40 33] inv1 ab) + -> ([#"../11_repeat.rs" 40 22 40 23] inv0 a) + -> ([#"../11_repeat.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../11_repeat.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../11_repeat.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = @@ -139,7 +142,8 @@ module C11Repeat_Impl0_Next predicate produces0 [#"../11_repeat.rs" 23 4 23 64] (self : C11Repeat_Repeat_Type.t_repeat a) (visited : Seq.seq a) (o : C11Repeat_Repeat_Type.t_repeat a) = - [#"../11_repeat.rs" 24 8 27 9] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = C11Repeat_Repeat_Type.repeat_element self) + [#"../11_repeat.rs" 24 8 27 9] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> Seq.get visited i = C11Repeat_Repeat_Type.repeat_element self) val produces0 [#"../11_repeat.rs" 23 4 23 64] (self : C11Repeat_Repeat_Type.t_repeat a) (visited : Seq.seq a) (o : C11Repeat_Repeat_Type.t_repeat a) : bool ensures { result = produces0 self visited o } @@ -175,13 +179,13 @@ module C11Repeat_Impl0_Next goto BB0 } BB0 { - [#"../11_repeat.rs" 47 13 47 33] _3 <- ([#"../11_repeat.rs" 47 13 47 33] clone0 ([#"../11_repeat.rs" 47 13 47 25] C11Repeat_Repeat_Type.repeat_element ( * self))); + [#"../11_repeat.rs" 47 13 47 33] _3 <- ([#"../11_repeat.rs" 47 13 47 33] clone0 (C11Repeat_Repeat_Type.repeat_element ( * self))); goto BB1 } BB1 { assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../11_repeat.rs" 47 8 47 34] _0 <- ([#"../11_repeat.rs" 47 8 47 34] Core_Option_Option_Type.C_Some _3); + [#"../11_repeat.rs" 47 8 47 34] _0 <- Core_Option_Option_Type.C_Some _3; _3 <- any a; goto BB2 } 
@@ -233,6 +237,8 @@ module C11Repeat_Impl0 axiom inv0 : forall x : C11Repeat_Repeat_Type.t_repeat a . inv0 x = true use seq.Seq + use seq.Seq + use seq.Seq predicate completed0 [#"../11_repeat.rs" 17 4 17 35] (self : borrowed (C11Repeat_Repeat_Type.t_repeat a)) = [#"../11_repeat.rs" 18 20 18 25] false val completed0 [#"../11_repeat.rs" 17 4 17 35] (self : borrowed (C11Repeat_Repeat_Type.t_repeat a)) : bool 
@@ -241,23 +247,27 @@ module C11Repeat_Impl0 use seq.Seq use seq.Seq use seq.Seq - use seq.Seq use prelude.Int predicate produces0 [#"../11_repeat.rs" 23 4 23 64] (self : C11Repeat_Repeat_Type.t_repeat a) (visited : Seq.seq a) (o : C11Repeat_Repeat_Type.t_repeat a) = - [#"../11_repeat.rs" 24 8 27 9] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = C11Repeat_Repeat_Type.repeat_element self) + [#"../11_repeat.rs" 24 8 27 9] self = o /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> Seq.get visited i = C11Repeat_Repeat_Type.repeat_element self) val produces0 [#"../11_repeat.rs" 23 4 23 64] (self : C11Repeat_Repeat_Type.t_repeat a) (visited : Seq.seq a) (o : C11Repeat_Repeat_Type.t_repeat a) : bool ensures { result = produces0 self visited o } - use seq.Seq - goal produces_refl_refn : [#"../11_repeat.rs" 33 4 33 26] forall self : C11Repeat_Repeat_Type.t_repeat a . inv0 self -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal produces_trans_refn : [#"../11_repeat.rs" 40 4 40 90] forall a : C11Repeat_Repeat_Type.t_repeat a . forall ab : Seq.seq a . forall b : C11Repeat_Repeat_Type.t_repeat a . forall bc : Seq.seq a . forall c : C11Repeat_Repeat_Type.t_repeat a . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) - goal next_refn : [#"../11_repeat.rs" 46 4 46 35] forall self : borrowed (C11Repeat_Repeat_Type.t_repeat a) . inv2 self -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option a . inv3 result /\ match result with + goal produces_trans_refn : [#"../11_repeat.rs" 40 4 40 90] forall a : C11Repeat_Repeat_Type.t_repeat a . forall ab : Seq.seq a . forall b : C11Repeat_Repeat_Type.t_repeat a . forall bc : Seq.seq a . 
forall c : C11Repeat_Repeat_Type.t_repeat a . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b + -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) + goal next_refn : [#"../11_repeat.rs" 46 4 46 35] forall self : borrowed (C11Repeat_Repeat_Type.t_repeat a) . inv2 self + -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option a . inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv3 result /\ match result with + end + -> inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) + goal produces_refl_refn : [#"../11_repeat.rs" 33 4 33 26] forall self : C11Repeat_Repeat_Type.t_repeat a . inv0 self + -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) end diff --git a/creusot/tests/should_succeed/iterators/11_repeat/why3session.xml b/creusot/tests/should_succeed/iterators/11_repeat/why3session.xml index 4559255de1..d12c471928 100644 --- a/creusot/tests/should_succeed/iterators/11_repeat/why3session.xml +++ b/creusot/tests/should_succeed/iterators/11_repeat/why3session.xml @@ -1,18 +1,18 @@ +"https://www.why3.org/why3session.dtd"> - - + + - - + + @@ -21,10 +21,10 @@ - + - + diff --git a/creusot/tests/should_succeed/iterators/11_repeat/why3shapes.gz b/creusot/tests/should_succeed/iterators/11_repeat/why3shapes.gz index 95c7eed615..c09e6ad31d 100644 Binary files a/creusot/tests/should_succeed/iterators/11_repeat/why3shapes.gz and b/creusot/tests/should_succeed/iterators/11_repeat/why3shapes.gz differ 
diff --git a/creusot/tests/should_succeed/iterators/12_zip.mlcfg b/creusot/tests/should_succeed/iterators/12_zip.mlcfg index 0156b0b27b..b0bd009d3c 100644 --- a/creusot/tests/should_succeed/iterators/12_zip.mlcfg +++ b/creusot/tests/should_succeed/iterators/12_zip.mlcfg 
@@ -71,14 +71,21 @@ module C12Zip_Impl0_ProducesRefl_Impl requires {[#"../common.rs" 21 82 21 83] inv4 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : b, ab : Seq.seq item1, b : b, bc : Seq.seq item1, c : b . ([#"../common.rs" 18 15 18 32] produces2 a ab b) -> ([#"../common.rs" 19 15 19 32] produces2 b bc c) -> ([#"../common.rs" 21 22 21 23] inv4 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv4 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces2 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : b, ab : Seq.seq item1, b : b, bc : Seq.seq item1, c : b . ([#"../common.rs" 18 15 18 32] produces2 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces2 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv4 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv4 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces2 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 [#"../common.rs" 15 4 15 27] (self : b) : () val produces_refl1 [#"../common.rs" 15 4 15 27] (self : b) : () requires {[#"../common.rs" 15 21 15 25] inv4 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : b . ([#"../common.rs" 15 21 15 25] inv4 self) -> ([#"../common.rs" 14 14 14 45] produces2 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : b . ([#"../common.rs" 15 21 15 25] inv4 self) + -> ([#"../common.rs" 14 14 14 45] produces2 self (Seq.empty ) self) use seq.Seq predicate produces1 [#"../common.rs" 8 4 8 65] (self : a) (visited : Seq.seq item0) (o : a) val produces1 [#"../common.rs" 8 4 8 65] (self : a) (visited : Seq.seq item0) (o : a) : bool 
@@ -96,14 +103,21 @@ module C12Zip_Impl0_ProducesRefl_Impl requires {[#"../common.rs" 21 82 21 83] inv3 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : a, ab : Seq.seq item0, b : a, bc : Seq.seq item0, c : a . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv3 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv3 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : a, ab : Seq.seq item0, b : a, bc : Seq.seq item0, c : a . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv3 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv3 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : a) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : a) : () requires {[#"../common.rs" 15 21 15 25] inv3 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : a . ([#"../common.rs" 15 21 15 25] inv3 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : a . ([#"../common.rs" 15 21 15 25] inv3 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) use C12Zip_Zip_Type as C12Zip_Zip_Type predicate invariant0 (self : C12Zip_Zip_Type.t_zip a b) val invariant0 (self : C12Zip_Zip_Type.t_zip a b) : bool 
@@ -124,17 +138,16 @@ module C12Zip_Impl0_ProducesRefl_Impl predicate produces0 [#"../12_zip.rs" 28 4 28 65] (self : C12Zip_Zip_Type.t_zip a b) (visited : Seq.seq (item0, item1)) (tl : C12Zip_Zip_Type.t_zip a b) = - [#"../12_zip.rs" 29 8 35 9] exists p2 : Seq.seq item1 . exists p1 : Seq.seq item0 . inv1 p2 /\ inv2 p1 /\ Seq.length p1 = Seq.length p2 /\ Seq.length p2 = Seq.length visited /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) /\ produces1 (C12Zip_Zip_Type.zip_a self) p1 (C12Zip_Zip_Type.zip_a tl) /\ produces2 (C12Zip_Zip_Type.zip_b self) p2 (C12Zip_Zip_Type.zip_b tl) + [#"../12_zip.rs" 29 8 35 9] exists p2 : Seq.seq item1 . exists p1 : Seq.seq item0 . inv1 p2 /\ inv2 p1 /\ Seq.length p1 = Seq.length p2 /\ Seq.length p2 = Seq.length visited /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) /\ produces1 (C12Zip_Zip_Type.zip_a self) p1 (C12Zip_Zip_Type.zip_a tl) /\ produces2 (C12Zip_Zip_Type.zip_b self) p2 (C12Zip_Zip_Type.zip_b tl) val produces0 [#"../12_zip.rs" 28 4 28 65] (self : C12Zip_Zip_Type.t_zip a b) (visited : Seq.seq (item0, item1)) (tl : C12Zip_Zip_Type.t_zip a b) : bool ensures { result = produces0 self visited tl } use seq.Seq - let rec ghost function produces_refl [#"../12_zip.rs" 41 4 41 26] (self : C12Zip_Zip_Type.t_zip a b) : () - requires {[#"../12_zip.rs" 41 21 41 25] inv0 self} - ensures { [#"../12_zip.rs" 40 14 40 45] produces0 self (Seq.empty ) self } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../12_zip.rs" 38 4 38 10] () + constant self : C12Zip_Zip_Type.t_zip a b + function produces_refl [#"../12_zip.rs" 41 4 41 26] (self : C12Zip_Zip_Type.t_zip a b) : () + goal vc_produces_refl : ([#"../12_zip.rs" 41 21 41 25] inv0 self) + -> ([#"../12_zip.rs" 40 14 40 45] produces0 self (Seq.empty ) self) end module C12Zip_Impl0_ProducesTrans_Impl type a 
@@ -195,14 +208,21 @@ module C12Zip_Impl0_ProducesTrans_Impl requires {[#"../common.rs" 21 82 21 83] inv5 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : b, ab : Seq.seq item1, b : b, bc : Seq.seq item1, c : b . ([#"../common.rs" 18 15 18 32] produces2 a ab b) -> ([#"../common.rs" 19 15 19 32] produces2 b bc c) -> ([#"../common.rs" 21 22 21 23] inv5 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv5 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv5 c) -> ([#"../common.rs" 20 14 20 42] produces2 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : b, ab : Seq.seq item1, b : b, bc : Seq.seq item1, c : b . ([#"../common.rs" 18 15 18 32] produces2 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces2 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv5 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv5 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv5 c) -> ([#"../common.rs" 20 14 20 42] produces2 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 [#"../common.rs" 15 4 15 27] (self : b) : () val produces_refl1 [#"../common.rs" 15 4 15 27] (self : b) : () requires {[#"../common.rs" 15 21 15 25] inv5 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : b . ([#"../common.rs" 15 21 15 25] inv5 self) -> ([#"../common.rs" 14 14 14 45] produces2 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : b . ([#"../common.rs" 15 21 15 25] inv5 self) + -> ([#"../common.rs" 14 14 14 45] produces2 self (Seq.empty ) self) use seq.Seq predicate produces1 [#"../common.rs" 8 4 8 65] (self : a) (visited : Seq.seq item0) (o : a) val produces1 [#"../common.rs" 8 4 8 65] (self : a) (visited : Seq.seq item0) (o : a) : bool 
@@ -220,14 +240,21 @@ module C12Zip_Impl0_ProducesTrans_Impl requires {[#"../common.rs" 21 82 21 83] inv4 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : a, ab : Seq.seq item0, b : a, bc : Seq.seq item0, c : a . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv4 a) -> ([#"../common.rs" 21 31 21 33] inv3 ab) -> ([#"../common.rs" 21 52 21 53] inv4 b) -> ([#"../common.rs" 21 61 21 63] inv3 bc) -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : a, ab : Seq.seq item0, b : a, bc : Seq.seq item0, c : a . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv4 a) + -> ([#"../common.rs" 21 31 21 33] inv3 ab) + -> ([#"../common.rs" 21 52 21 53] inv4 b) + -> ([#"../common.rs" 21 61 21 63] inv3 bc) + -> ([#"../common.rs" 21 82 21 83] inv4 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : a) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : a) : () requires {[#"../common.rs" 15 21 15 25] inv4 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : a . ([#"../common.rs" 15 21 15 25] inv4 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : a . ([#"../common.rs" 15 21 15 25] inv4 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : Seq.seq (item0, item1)) val invariant1 (self : Seq.seq (item0, item1)) : bool ensures { result = invariant1 self } 
@@ -258,22 +285,26 @@ module C12Zip_Impl0_ProducesTrans_Impl predicate produces0 [#"../12_zip.rs" 28 4 28 65] (self : C12Zip_Zip_Type.t_zip a b) (visited : Seq.seq (item0, item1)) (tl : C12Zip_Zip_Type.t_zip a b) = - [#"../12_zip.rs" 29 8 35 9] exists p2 : Seq.seq item1 . exists p1 : Seq.seq item0 . inv2 p2 /\ inv3 p1 /\ Seq.length p1 = Seq.length p2 /\ Seq.length p2 = Seq.length visited /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) /\ produces1 (C12Zip_Zip_Type.zip_a self) p1 (C12Zip_Zip_Type.zip_a tl) /\ produces2 (C12Zip_Zip_Type.zip_b self) p2 (C12Zip_Zip_Type.zip_b tl) + [#"../12_zip.rs" 29 8 35 9] exists p2 : Seq.seq item1 . exists p1 : Seq.seq item0 . inv2 p2 /\ inv3 p1 /\ Seq.length p1 = Seq.length p2 /\ Seq.length p2 = Seq.length visited /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) /\ produces1 (C12Zip_Zip_Type.zip_a self) p1 (C12Zip_Zip_Type.zip_a tl) /\ produces2 (C12Zip_Zip_Type.zip_b self) p2 (C12Zip_Zip_Type.zip_b tl) val produces0 [#"../12_zip.rs" 28 4 28 65] (self : C12Zip_Zip_Type.t_zip a b) (visited : Seq.seq (item0, item1)) (tl : C12Zip_Zip_Type.t_zip a b) : bool ensures { result = produces0 self visited tl } - let rec ghost function produces_trans [#"../12_zip.rs" 48 4 48 90] (a : C12Zip_Zip_Type.t_zip a b) (ab : Seq.seq (item0, item1)) (b : C12Zip_Zip_Type.t_zip a b) (bc : Seq.seq (item0, item1)) (c : C12Zip_Zip_Type.t_zip a b) : () - requires {[#"../12_zip.rs" 45 15 45 32] produces0 a ab b} - requires {[#"../12_zip.rs" 46 15 46 32] produces0 b bc c} - requires {[#"../12_zip.rs" 48 22 48 23] inv0 a} - requires {[#"../12_zip.rs" 48 31 48 33] inv1 ab} - requires {[#"../12_zip.rs" 48 52 48 53] inv0 b} - requires {[#"../12_zip.rs" 48 61 48 63] inv1 bc} - requires {[#"../12_zip.rs" 48 82 48 83] inv0 c} - ensures { [#"../12_zip.rs" 47 14 47 42] produces0 a (Seq.(++) ab bc) c } - - = [@vc:do_not_keep_trace] [@vc:sp] - 
[#"../12_zip.rs" 43 4 43 10] () + constant a : C12Zip_Zip_Type.t_zip a b + constant ab : Seq.seq (item0, item1) + constant b : C12Zip_Zip_Type.t_zip a b + constant bc : Seq.seq (item0, item1) + constant c : C12Zip_Zip_Type.t_zip a b + function produces_trans [#"../12_zip.rs" 48 4 48 90] (a : C12Zip_Zip_Type.t_zip a b) (ab : Seq.seq (item0, item1)) (b : C12Zip_Zip_Type.t_zip a b) (bc : Seq.seq (item0, item1)) (c : C12Zip_Zip_Type.t_zip a b) : () + + goal vc_produces_trans : ([#"../12_zip.rs" 48 82 48 83] inv0 c) + -> ([#"../12_zip.rs" 48 61 48 63] inv1 bc) + -> ([#"../12_zip.rs" 48 52 48 53] inv0 b) + -> ([#"../12_zip.rs" 48 31 48 33] inv1 ab) + -> ([#"../12_zip.rs" 48 22 48 23] inv0 a) + -> ([#"../12_zip.rs" 46 15 46 32] produces0 b bc c) + -> ([#"../12_zip.rs" 45 15 45 32] produces0 a ab b) + -> ([#"../12_zip.rs" 47 14 47 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = 
@@ -378,14 +409,21 @@ module C12Zip_Impl0_Next requires {[#"../common.rs" 21 82 21 83] inv3 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : b, ab : Seq.seq item1, b : b, bc : Seq.seq item1, c : b . ([#"../common.rs" 18 15 18 32] produces2 a ab b) -> ([#"../common.rs" 19 15 19 32] produces2 b bc c) -> ([#"../common.rs" 21 22 21 23] inv3 a) -> ([#"../common.rs" 21 31 21 33] inv9 ab) -> ([#"../common.rs" 21 52 21 53] inv3 b) -> ([#"../common.rs" 21 61 21 63] inv9 bc) -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces2 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : b, ab : Seq.seq item1, b : b, bc : Seq.seq item1, c : b . ([#"../common.rs" 18 15 18 32] produces2 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces2 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv3 a) + -> ([#"../common.rs" 21 31 21 33] inv9 ab) + -> ([#"../common.rs" 21 52 21 53] inv3 b) + -> ([#"../common.rs" 21 61 21 63] inv9 bc) + -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces2 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 [#"../common.rs" 15 4 15 27] (self : b) : () val produces_refl1 [#"../common.rs" 15 4 15 27] (self : b) : () requires {[#"../common.rs" 15 21 15 25] inv3 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : b . ([#"../common.rs" 15 21 15 25] inv3 self) -> ([#"../common.rs" 14 14 14 45] produces2 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : b . ([#"../common.rs" 15 21 15 25] inv3 self) + -> ([#"../common.rs" 14 14 14 45] produces2 self (Seq.empty ) self) predicate invariant3 (self : b) val invariant3 (self : b) : bool ensures { result = invariant3 self } 
@@ -431,14 +469,21 @@ module C12Zip_Impl0_Next requires {[#"../common.rs" 21 82 21 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : a, ab : Seq.seq item0, b : a, bc : Seq.seq item0, c : a . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv0 a) -> ([#"../common.rs" 21 31 21 33] inv10 ab) -> ([#"../common.rs" 21 52 21 53] inv0 b) -> ([#"../common.rs" 21 61 21 63] inv10 bc) -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : a, ab : Seq.seq item0, b : a, bc : Seq.seq item0, c : a . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv0 a) + -> ([#"../common.rs" 21 31 21 33] inv10 ab) + -> ([#"../common.rs" 21 52 21 53] inv0 b) + -> ([#"../common.rs" 21 61 21 63] inv10 bc) + -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : a) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : a) : () requires {[#"../common.rs" 15 21 15 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : a . ([#"../common.rs" 15 21 15 25] inv0 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : a . ([#"../common.rs" 15 21 15 25] inv0 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant0 (self : a) val invariant0 (self : a) : bool ensures { result = invariant0 self } 
@@ -454,7 +499,8 @@ module C12Zip_Impl0_Next predicate produces0 [#"../12_zip.rs" 28 4 28 65] (self : C12Zip_Zip_Type.t_zip a b) (visited : Seq.seq (item0, item1)) (tl : C12Zip_Zip_Type.t_zip a b) = - [#"../12_zip.rs" 29 8 35 9] exists p2 : Seq.seq item1 . exists p1 : Seq.seq item0 . inv9 p2 /\ inv10 p1 /\ Seq.length p1 = Seq.length p2 /\ Seq.length p2 = Seq.length visited /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) /\ produces1 (C12Zip_Zip_Type.zip_a self) p1 (C12Zip_Zip_Type.zip_a tl) /\ produces2 (C12Zip_Zip_Type.zip_b self) p2 (C12Zip_Zip_Type.zip_b tl) + [#"../12_zip.rs" 29 8 35 9] exists p2 : Seq.seq item1 . exists p1 : Seq.seq item0 . inv9 p2 /\ inv10 p1 /\ Seq.length p1 = Seq.length p2 /\ Seq.length p2 = Seq.length visited /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) /\ produces1 (C12Zip_Zip_Type.zip_a self) p1 (C12Zip_Zip_Type.zip_a tl) /\ produces2 (C12Zip_Zip_Type.zip_b self) p2 (C12Zip_Zip_Type.zip_b tl) val produces0 [#"../12_zip.rs" 28 4 28 65] (self : C12Zip_Zip_Type.t_zip a b) (visited : Seq.seq (item0, item1)) (tl : C12Zip_Zip_Type.t_zip a b) : bool ensures { result = produces0 self visited tl } @@ -526,6 +572,7 @@ module C12Zip_Impl0_Next var _10 : Core_Option_Option_Type.t_option item1; var _11 : borrowed b; var y1 : item1; + var _15 : (item0, item1); { goto BB0 } 
@@ -547,15 +594,19 @@ module C12Zip_Impl0_Next goto BB5 } BB3 { - [#"../12_zip.rs" 57 17 57 18] x1 <- ([#"../12_zip.rs" 57 17 57 18] Core_Option_Option_Type.some_0 _4); - [#"../12_zip.rs" 57 17 57 18] _4 <- (let Core_Option_Option_Type.C_Some x0 = _4 in Core_Option_Option_Type.C_Some (any item0)); + [#"../12_zip.rs" 57 17 57 18] x1 <- Core_Option_Option_Type.some_0 _4; + _4 <- (let Core_Option_Option_Type.C_Some x0 = _4 in Core_Option_Option_Type.C_Some (any item0)); assert { [@expl:type invariant] inv1 _4 }; assume { resolve0 _4 }; - [#"../12_zip.rs" 57 23 57 24] x <- ([#"../12_zip.rs" 57 23 57 24] x1); - [#"../12_zip.rs" 57 23 57 24] x1 <- any item0; + [#"../12_zip.rs" 57 23 57 24] x <- x1; + x1 <- any item0; goto BB6 } BB4 { + assert { [@expl:type invariant] inv2 self }; + assume { resolve1 self }; + assert { [@expl:type invariant] inv1 _4 }; + assume { resolve0 _4 }; assert { [#"../12_zip.rs" 55 22 55 35] false }; absurd } @@ -564,8 +615,8 @@ module C12Zip_Impl0_Next assume { resolve0 _4 }; assert { [@expl:type invariant] inv2 self }; assume { resolve1 self }; - [#"../12_zip.rs" 56 27 56 31] _0 <- ([#"../12_zip.rs" 56 27 56 31] Core_Option_Option_Type.C_None); - goto BB20 + [#"../12_zip.rs" 56 27 56 31] _0 <- Core_Option_Option_Type.C_None; + goto BB21 } BB6 { goto BB7 
@@ -587,74 +638,70 @@ module C12Zip_Impl0_Next end } BB9 { - goto BB11 + goto BB12 } BB10 { - [#"../12_zip.rs" 61 17 61 18] y1 <- ([#"../12_zip.rs" 61 17 61 18] Core_Option_Option_Type.some_0 _10); - [#"../12_zip.rs" 61 17 61 18] _10 <- (let Core_Option_Option_Type.C_Some x0 = _10 in Core_Option_Option_Type.C_Some (any item1)); + [#"../12_zip.rs" 61 17 61 18] y1 <- Core_Option_Option_Type.some_0 _10; + _10 <- (let Core_Option_Option_Type.C_Some x0 = _10 in Core_Option_Option_Type.C_Some (any item1)); assert { [@expl:type invariant] inv4 _10 }; assume { resolve2 _10 }; - [#"../12_zip.rs" 61 23 61 24] y <- ([#"../12_zip.rs" 61 23 61 24] y1); - [#"../12_zip.rs" 61 23 61 24] y1 <- any item1; - goto BB12 + [#"../12_zip.rs" 61 23 61 24] y <- y1; + y1 <- any item1; + goto BB13 } BB11 { - assert { [@expl:type invariant] inv4 _10 }; - assume { resolve2 _10 }; assert { [@expl:type invariant] inv5 x }; assume { resolve3 x }; - [#"../12_zip.rs" 60 27 60 31] _0 <- ([#"../12_zip.rs" 60 27 60 31] Core_Option_Option_Type.C_None); - goto BB19 + assert { [@expl:type invariant] inv4 _10 }; + assume { resolve2 _10 }; + assert { [#"../12_zip.rs" 59 22 59 35] false }; + absurd } BB12 { - goto BB13 + assert { [@expl:type invariant] inv4 _10 }; + assume { resolve2 _10 }; + assert { [@expl:type invariant] inv5 x }; + assume { resolve3 x }; + [#"../12_zip.rs" 60 27 60 31] _0 <- Core_Option_Option_Type.C_None; + goto BB20 } BB13 { goto BB14 } BB14 { + [#"../12_zip.rs" 63 13 63 19] _15 <- (x, y); + x <- any item0; + y <- any item1; goto BB15 } BB15 { - [#"../12_zip.rs" 63 8 63 20] _0 <- ([#"../12_zip.rs" 63 8 63 20] Core_Option_Option_Type.C_Some ([#"../12_zip.rs" 63 13 63 19] (([#"../12_zip.rs" 63 14 63 15] x), ([#"../12_zip.rs" 63 17 63 18] y)))); - [#"../12_zip.rs" 63 14 63 15] x <- any item0; - [#"../12_zip.rs" 63 17 63 18] y <- any item1; goto BB16 } BB16 { + [#"../12_zip.rs" 63 8 63 20] _0 <- Core_Option_Option_Type.C_Some _15; + _15 <- any (item0, item1); goto BB17 } BB17 { goto BB18 } 
BB18 { - goto BB22 + goto BB19 } BB19 { - goto BB21 + goto BB23 } BB20 { - goto BB21 + goto BB22 } BB21 { goto BB22 } BB22 { - return _0 + goto BB23 } - BB30 { - assert { [@expl:type invariant] inv1 _4 }; - assume { resolve0 _4 }; - assert { [@expl:type invariant] inv2 self }; - assume { resolve1 self }; - goto BB4 - } - BB31 { - assert { [@expl:type invariant] inv4 _10 }; - assume { resolve2 _10 }; - assert { [@expl:type invariant] inv5 x }; - assume { resolve3 x }; - goto BB4 + BB23 { + return _0 } end 
@@ -769,17 +816,23 @@ module C12Zip_Impl0 predicate produces0 [#"../12_zip.rs" 28 4 28 65] (self : C12Zip_Zip_Type.t_zip a b) (visited : Seq.seq (item0, item1)) (tl : C12Zip_Zip_Type.t_zip a b) = - [#"../12_zip.rs" 29 8 35 9] exists p2 : Seq.seq item1 . exists p1 : Seq.seq item0 . inv4 p2 /\ inv5 p1 /\ Seq.length p1 = Seq.length p2 /\ Seq.length p2 = Seq.length visited /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) /\ produces1 (C12Zip_Zip_Type.zip_a self) p1 (C12Zip_Zip_Type.zip_a tl) /\ produces2 (C12Zip_Zip_Type.zip_b self) p2 (C12Zip_Zip_Type.zip_b tl) + [#"../12_zip.rs" 29 8 35 9] exists p2 : Seq.seq item1 . exists p1 : Seq.seq item0 . inv4 p2 /\ inv5 p1 /\ Seq.length p1 = Seq.length p2 /\ Seq.length p2 = Seq.length visited /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> Seq.get visited i = (Seq.get p1 i, Seq.get p2 i)) /\ produces1 (C12Zip_Zip_Type.zip_a self) p1 (C12Zip_Zip_Type.zip_a tl) /\ produces2 (C12Zip_Zip_Type.zip_b self) p2 (C12Zip_Zip_Type.zip_b tl) val produces0 [#"../12_zip.rs" 28 4 28 65] (self : C12Zip_Zip_Type.t_zip a b) (visited : Seq.seq (item0, item1)) (tl : C12Zip_Zip_Type.t_zip a b) : bool ensures { result = produces0 self visited tl } use seq.Seq - goal produces_refl_refn : [#"../12_zip.rs" 41 4 41 26] forall self : C12Zip_Zip_Type.t_zip a b . inv0 self -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal produces_trans_refn : [#"../12_zip.rs" 48 4 48 90] forall a : C12Zip_Zip_Type.t_zip a b . forall ab : Seq.seq (item0, item1) . forall b : C12Zip_Zip_Type.t_zip a b . forall bc : Seq.seq (item0, item1) . forall c : C12Zip_Zip_Type.t_zip a b . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . 
produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) - goal next_refn : [#"../12_zip.rs" 54 4 54 44] forall self : borrowed (C12Zip_Zip_Type.t_zip a b) . inv2 self -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option (item0, item1) . inv3 result /\ match result with + goal produces_refl_refn : [#"../12_zip.rs" 41 4 41 26] forall self : C12Zip_Zip_Type.t_zip a b . inv0 self + -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal produces_trans_refn : [#"../12_zip.rs" 48 4 48 90] forall a : C12Zip_Zip_Type.t_zip a b . forall ab : Seq.seq (item0, item1) . forall b : C12Zip_Zip_Type.t_zip a b . forall bc : Seq.seq (item0, item1) . forall c : C12Zip_Zip_Type.t_zip a b . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b + -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) + goal next_refn : [#"../12_zip.rs" 54 4 54 44] forall self : borrowed (C12Zip_Zip_Type.t_zip a b) . inv2 self + -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option (item0, item1) . inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv3 result /\ match result with + end + -> inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) diff --git a/creusot/tests/should_succeed/iterators/12_zip.rs b/creusot/tests/should_succeed/iterators/12_zip.rs index 38e5172a97..cf9eff0d14 100644 --- a/creusot/tests/should_succeed/iterators/12_zip.rs +++ b/creusot/tests/should_succeed/iterators/12_zip.rs 
@@ -14,7 +14,7 @@ impl Iterator for Zip {
 type Item = (A::Item, B::Item);
 
 #[open]
- #[predicate]
+ #[predicate(prophetic)]
 fn completed(&mut self) -> bool {
 pearlite! {
 (self.a.completed() && (*self).b == (^self).b)
@@ -24,7 +24,7 @@ impl Iterator for Zip {
 }
 
 #[open]
- #[predicate]
+ #[predicate(prophetic)]
 fn produces(self, visited: Seq, tl: Self) -> bool {
 pearlite! {
 // Using an `unzip` definition doesn't work well because of issues related to datatypes and `match`
diff --git a/creusot/tests/should_succeed/iterators/12_zip/why3session.xml b/creusot/tests/should_succeed/iterators/12_zip/why3session.xml
index 982695965e..87581fa2d5 100644
--- a/creusot/tests/should_succeed/iterators/12_zip/why3session.xml
+++ b/creusot/tests/should_succeed/iterators/12_zip/why3session.xml
@@ -1,55 +1,55 @@
+"https://www.why3.org/why3session.dtd"> - - + + - + - + - + - - - - - - - - - - - + + + + + + + + + + + - - + + - - + + - - + + - - + + - - + + - - + + - - + +
@@ -72,7 +72,7 @@
- +
diff --git a/creusot/tests/should_succeed/iterators/12_zip/why3shapes.gz b/creusot/tests/should_succeed/iterators/12_zip/why3shapes.gz
index b5093cc438..6eed7c329a 100644
Binary files a/creusot/tests/should_succeed/iterators/12_zip/why3shapes.gz and b/creusot/tests/should_succeed/iterators/12_zip/why3shapes.gz differ
diff --git a/creusot/tests/should_succeed/iterators/13_cloned.mlcfg b/creusot/tests/should_succeed/iterators/13_cloned.mlcfg
index 8bd9feb500..7aa3f7d0c2 100644
--- a/creusot/tests/should_succeed/iterators/13_cloned.mlcfg
+++ b/creusot/tests/should_succeed/iterators/13_cloned.mlcfg
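Review bot: The second hunk in 12_zip.rs marks `produces` as `#[predicate(prophetic)]` although none of its visible lines uses a prophecy operator, whereas for `completed` the context line `(*self).b == (^self).b` makes the marker self-explanatory. A one-line comment above the attribute saying why `produces` needs it would save the next reader from wondering whether the marker is required or was added for symmetry; presumably it is because the body delegates to the component iterators' `produces` predicates, which may themselves be prophetic, but that body continues outside the hunk so this is inferred. Something like `// prophetic: delegates to A::produces / B::produces, which may refer to final values` would do. The enclosing `impl` block starts before the first hunk and ends after the second.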
@@ -41,14 +41,21 @@ module C13Cloned_Impl0_ProducesRefl_Impl requires {[#"../common.rs" 21 82 21 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv2 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv2 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv2 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv2 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : Seq.seq t) val invariant1 (self : Seq.seq t) : bool ensures { result = invariant1 self } 
@@ -73,17 +80,16 @@ module C13Cloned_Impl0_ProducesRefl_Impl predicate produces0 [#"../13_cloned.rs" 28 4 28 64] (self : C13Cloned_Cloned_Type.t_cloned i) (visited : Seq.seq t) (o : C13Cloned_Cloned_Type.t_cloned i) = - [#"../13_cloned.rs" 29 8 33 9] exists s : Seq.seq t . inv1 s /\ produces1 (C13Cloned_Cloned_Type.cloned_iter self) s (C13Cloned_Cloned_Type.cloned_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [#"../13_cloned.rs" 29 8 33 9] exists s : Seq.seq t . inv1 s /\ produces1 (C13Cloned_Cloned_Type.cloned_iter self) s (C13Cloned_Cloned_Type.cloned_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> Seq.get visited i = Seq.get s i) val produces0 [#"../13_cloned.rs" 28 4 28 64] (self : C13Cloned_Cloned_Type.t_cloned i) (visited : Seq.seq t) (o : C13Cloned_Cloned_Type.t_cloned i) : bool ensures { result = produces0 self visited o } use seq.Seq - let rec ghost function produces_refl [#"../13_cloned.rs" 39 4 39 26] (self : C13Cloned_Cloned_Type.t_cloned i) : () - requires {[#"../13_cloned.rs" 39 21 39 25] inv0 self} - ensures { [#"../13_cloned.rs" 38 14 38 45] produces0 self (Seq.empty ) self } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../13_cloned.rs" 36 4 36 10] () + constant self : C13Cloned_Cloned_Type.t_cloned i + function produces_refl [#"../13_cloned.rs" 39 4 39 26] (self : C13Cloned_Cloned_Type.t_cloned i) : () + goal vc_produces_refl : ([#"../13_cloned.rs" 39 21 39 25] inv0 self) + -> ([#"../13_cloned.rs" 38 14 38 45] produces0 self (Seq.empty ) self) end module C13Cloned_Impl0_ProducesTrans_Impl type i 
@@ -118,14 +124,21 @@ module C13Cloned_Impl0_ProducesTrans_Impl requires {[#"../common.rs" 21 82 21 83] inv3 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv3 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv3 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv3 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv3 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv3 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant2 (self : Seq.seq t) val invariant2 (self : Seq.seq t) : bool ensures { result = invariant2 self } 
@@ -160,22 +173,26 @@ module C13Cloned_Impl0_ProducesTrans_Impl predicate produces0 [#"../13_cloned.rs" 28 4 28 64] (self : C13Cloned_Cloned_Type.t_cloned i) (visited : Seq.seq t) (o : C13Cloned_Cloned_Type.t_cloned i) = - [#"../13_cloned.rs" 29 8 33 9] exists s : Seq.seq t . inv2 s /\ produces1 (C13Cloned_Cloned_Type.cloned_iter self) s (C13Cloned_Cloned_Type.cloned_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [#"../13_cloned.rs" 29 8 33 9] exists s : Seq.seq t . inv2 s /\ produces1 (C13Cloned_Cloned_Type.cloned_iter self) s (C13Cloned_Cloned_Type.cloned_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> Seq.get visited i = Seq.get s i) val produces0 [#"../13_cloned.rs" 28 4 28 64] (self : C13Cloned_Cloned_Type.t_cloned i) (visited : Seq.seq t) (o : C13Cloned_Cloned_Type.t_cloned i) : bool ensures { result = produces0 self visited o } - let rec ghost function produces_trans [#"../13_cloned.rs" 46 4 46 90] (a : C13Cloned_Cloned_Type.t_cloned i) (ab : Seq.seq t) (b : C13Cloned_Cloned_Type.t_cloned i) (bc : Seq.seq t) (c : C13Cloned_Cloned_Type.t_cloned i) : () - requires {[#"../13_cloned.rs" 43 15 43 32] produces0 a ab b} - requires {[#"../13_cloned.rs" 44 15 44 32] produces0 b bc c} - requires {[#"../13_cloned.rs" 46 22 46 23] inv0 a} - requires {[#"../13_cloned.rs" 46 31 46 33] inv1 ab} - requires {[#"../13_cloned.rs" 46 52 46 53] inv0 b} - requires {[#"../13_cloned.rs" 46 61 46 63] inv1 bc} - requires {[#"../13_cloned.rs" 46 82 46 83] inv0 c} - ensures { [#"../13_cloned.rs" 45 14 45 42] produces0 a (Seq.(++) ab bc) c } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../13_cloned.rs" 41 4 41 10] () + constant a : C13Cloned_Cloned_Type.t_cloned i + constant ab : Seq.seq t + constant b : C13Cloned_Cloned_Type.t_cloned i + constant bc : Seq.seq t + constant c : C13Cloned_Cloned_Type.t_cloned i + function produces_trans [#"../13_cloned.rs" 
46 4 46 90] (a : C13Cloned_Cloned_Type.t_cloned i) (ab : Seq.seq t) (b : C13Cloned_Cloned_Type.t_cloned i) (bc : Seq.seq t) (c : C13Cloned_Cloned_Type.t_cloned i) : () + + goal vc_produces_trans : ([#"../13_cloned.rs" 46 82 46 83] inv0 c) + -> ([#"../13_cloned.rs" 46 61 46 63] inv1 bc) + -> ([#"../13_cloned.rs" 46 52 46 53] inv0 b) + -> ([#"../13_cloned.rs" 46 31 46 33] inv1 ab) + -> ([#"../13_cloned.rs" 46 22 46 23] inv0 a) + -> ([#"../13_cloned.rs" 44 15 44 32] produces0 b bc c) + -> ([#"../13_cloned.rs" 43 15 43 32] produces0 a ab b) + -> ([#"../13_cloned.rs" 45 14 45 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = 
@@ -264,14 +281,21 @@ module C13Cloned_Impl0_Next requires {[#"../common.rs" 21 82 21 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv0 a) -> ([#"../common.rs" 21 31 21 33] inv6 ab) -> ([#"../common.rs" 21 52 21 53] inv0 b) -> ([#"../common.rs" 21 61 21 63] inv6 bc) -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv0 a) + -> ([#"../common.rs" 21 31 21 33] inv6 ab) + -> ([#"../common.rs" 21 52 21 53] inv0 b) + -> ([#"../common.rs" 21 61 21 63] inv6 bc) + -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant0 (self : i) val invariant0 (self : i) : bool ensures { result = invariant0 self } 
@@ -285,7 +309,8 @@ module C13Cloned_Impl0_Next predicate produces0 [#"../13_cloned.rs" 28 4 28 64] (self : C13Cloned_Cloned_Type.t_cloned i) (visited : Seq.seq t) (o : C13Cloned_Cloned_Type.t_cloned i) = - [#"../13_cloned.rs" 29 8 33 9] exists s : Seq.seq t . inv6 s /\ produces1 (C13Cloned_Cloned_Type.cloned_iter self) s (C13Cloned_Cloned_Type.cloned_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [#"../13_cloned.rs" 29 8 33 9] exists s : Seq.seq t . inv6 s /\ produces1 (C13Cloned_Cloned_Type.cloned_iter self) s (C13Cloned_Cloned_Type.cloned_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> Seq.get visited i = Seq.get s i) val produces0 [#"../13_cloned.rs" 28 4 28 64] (self : C13Cloned_Cloned_Type.t_cloned i) (visited : Seq.seq t) (o : C13Cloned_Cloned_Type.t_cloned i) : bool ensures { result = produces0 self visited o } @@ -301,7 +326,8 @@ module C13Cloned_Impl0_Next val cloned0 (self : Core_Option_Option_Type.t_option t) : Core_Option_Option_Type.t_option t requires {inv4 self} - ensures { [#"../../../../../creusot-contracts/src/std/option.rs" 92 16 92 59] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../../creusot-contracts/src/std/option.rs" 92 16 92 59] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ (exists t : t . inv5 t /\ self = Core_Option_Option_Type.C_Some t /\ result = Core_Option_Option_Type.C_Some t) } ensures { inv2 result } @@ -421,7 +447,6 @@ module C13Cloned_Impl0 use seq.Seq use seq.Seq use seq.Seq - use seq.Seq use prelude.Int use seq.Seq use seq.Seq 
@@ -432,16 +457,23 @@ module C13Cloned_Impl0 predicate produces0 [#"../13_cloned.rs" 28 4 28 64] (self : C13Cloned_Cloned_Type.t_cloned i) (visited : Seq.seq t) (o : C13Cloned_Cloned_Type.t_cloned i) = - [#"../13_cloned.rs" 29 8 33 9] exists s : Seq.seq t . inv4 s /\ produces1 (C13Cloned_Cloned_Type.cloned_iter self) s (C13Cloned_Cloned_Type.cloned_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [#"../13_cloned.rs" 29 8 33 9] exists s : Seq.seq t . inv4 s /\ produces1 (C13Cloned_Cloned_Type.cloned_iter self) s (C13Cloned_Cloned_Type.cloned_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> Seq.get visited i = Seq.get s i) val produces0 [#"../13_cloned.rs" 28 4 28 64] (self : C13Cloned_Cloned_Type.t_cloned i) (visited : Seq.seq t) (o : C13Cloned_Cloned_Type.t_cloned i) : bool ensures { result = produces0 self visited o } - goal produces_trans_refn : [#"../13_cloned.rs" 46 4 46 90] forall a : C13Cloned_Cloned_Type.t_cloned i . forall ab : Seq.seq t . forall b : C13Cloned_Cloned_Type.t_cloned i . forall bc : Seq.seq t . forall c : C13Cloned_Cloned_Type.t_cloned i . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) - goal produces_refl_refn : [#"../13_cloned.rs" 39 4 39 26] forall self : C13Cloned_Cloned_Type.t_cloned i . inv0 self -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal next_refn : [#"../13_cloned.rs" 52 4 52 35] forall self : borrowed (C13Cloned_Cloned_Type.t_cloned i) . inv2 self -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option t . 
inv3 result /\ match result with + use seq.Seq + goal produces_refl_refn : [#"../13_cloned.rs" 39 4 39 26] forall self : C13Cloned_Cloned_Type.t_cloned i . inv0 self + -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal produces_trans_refn : [#"../13_cloned.rs" 46 4 46 90] forall a : C13Cloned_Cloned_Type.t_cloned i . forall ab : Seq.seq t . forall b : C13Cloned_Cloned_Type.t_cloned i . forall bc : Seq.seq t . forall c : C13Cloned_Cloned_Type.t_cloned i . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b + -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) + goal next_refn : [#"../13_cloned.rs" 52 4 52 35] forall self : borrowed (C13Cloned_Cloned_Type.t_cloned i) . inv2 self + -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option t . inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv3 result /\ match result with + end + -> inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) diff --git a/creusot/tests/should_succeed/iterators/13_cloned.rs b/creusot/tests/should_succeed/iterators/13_cloned.rs index d68f82990a..c7ec63276d 100644 --- a/creusot/tests/should_succeed/iterators/13_cloned.rs +++ b/creusot/tests/should_succeed/iterators/13_cloned.rs @@ -18,13 +18,13 @@ where type Item = T; #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { self.iter.completed() } } #[open] - #[predicate] + #[predicate(prophetic)] fn produces(self, visited: Seq, o: Self) -> bool { pearlite! { exists> self.iter.produces(s, o.iter) 
diff --git a/creusot/tests/should_succeed/iterators/13_cloned/why3session.xml b/creusot/tests/should_succeed/iterators/13_cloned/why3session.xml index 69a0b0d1a3..e31fb4ea76 100644 --- a/creusot/tests/should_succeed/iterators/13_cloned/why3session.xml +++ b/creusot/tests/should_succeed/iterators/13_cloned/why3session.xml @@ -6,12 +6,12 @@ - - + + - + diff --git a/creusot/tests/should_succeed/iterators/13_cloned/why3shapes.gz b/creusot/tests/should_succeed/iterators/13_cloned/why3shapes.gz index 019ccdbb4d..6f78d5a947 100644 Binary files a/creusot/tests/should_succeed/iterators/13_cloned/why3shapes.gz and b/creusot/tests/should_succeed/iterators/13_cloned/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/iterators/14_copied.mlcfg b/creusot/tests/should_succeed/iterators/14_copied.mlcfg index e8d2ad3206..01083f76d5 100644 --- a/creusot/tests/should_succeed/iterators/14_copied.mlcfg +++ b/creusot/tests/should_succeed/iterators/14_copied.mlcfg 
@@ -41,14 +41,21 @@ module C14Copied_Impl0_ProducesRefl_Impl requires {[#"../common.rs" 21 82 21 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv2 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv2 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv2 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv2 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : Seq.seq t) val invariant1 (self : Seq.seq t) : bool ensures { result = invariant1 self } 
@@ -73,17 +80,16 @@ module C14Copied_Impl0_ProducesRefl_Impl predicate produces0 [#"../14_copied.rs" 28 4 28 64] (self : C14Copied_Copied_Type.t_copied i) (visited : Seq.seq t) (o : C14Copied_Copied_Type.t_copied i) = - [#"../14_copied.rs" 29 8 33 9] exists s : Seq.seq t . inv1 s /\ produces1 (C14Copied_Copied_Type.copied_iter self) s (C14Copied_Copied_Type.copied_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [#"../14_copied.rs" 29 8 33 9] exists s : Seq.seq t . inv1 s /\ produces1 (C14Copied_Copied_Type.copied_iter self) s (C14Copied_Copied_Type.copied_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> Seq.get visited i = Seq.get s i) val produces0 [#"../14_copied.rs" 28 4 28 64] (self : C14Copied_Copied_Type.t_copied i) (visited : Seq.seq t) (o : C14Copied_Copied_Type.t_copied i) : bool ensures { result = produces0 self visited o } use seq.Seq - let rec ghost function produces_refl [#"../14_copied.rs" 39 4 39 26] (self : C14Copied_Copied_Type.t_copied i) : () - requires {[#"../14_copied.rs" 39 21 39 25] inv0 self} - ensures { [#"../14_copied.rs" 38 14 38 45] produces0 self (Seq.empty ) self } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../14_copied.rs" 36 4 36 10] () + constant self : C14Copied_Copied_Type.t_copied i + function produces_refl [#"../14_copied.rs" 39 4 39 26] (self : C14Copied_Copied_Type.t_copied i) : () + goal vc_produces_refl : ([#"../14_copied.rs" 39 21 39 25] inv0 self) + -> ([#"../14_copied.rs" 38 14 38 45] produces0 self (Seq.empty ) self) end module C14Copied_Impl0_ProducesTrans_Impl type i 
@@ -118,14 +124,21 @@ module C14Copied_Impl0_ProducesTrans_Impl requires {[#"../common.rs" 21 82 21 83] inv3 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv3 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv3 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv3 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv3 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv3 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant2 (self : Seq.seq t) val invariant2 (self : Seq.seq t) : bool ensures { result = invariant2 self } 
@@ -160,22 +173,26 @@ module C14Copied_Impl0_ProducesTrans_Impl predicate produces0 [#"../14_copied.rs" 28 4 28 64] (self : C14Copied_Copied_Type.t_copied i) (visited : Seq.seq t) (o : C14Copied_Copied_Type.t_copied i) = - [#"../14_copied.rs" 29 8 33 9] exists s : Seq.seq t . inv2 s /\ produces1 (C14Copied_Copied_Type.copied_iter self) s (C14Copied_Copied_Type.copied_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [#"../14_copied.rs" 29 8 33 9] exists s : Seq.seq t . inv2 s /\ produces1 (C14Copied_Copied_Type.copied_iter self) s (C14Copied_Copied_Type.copied_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> Seq.get visited i = Seq.get s i) val produces0 [#"../14_copied.rs" 28 4 28 64] (self : C14Copied_Copied_Type.t_copied i) (visited : Seq.seq t) (o : C14Copied_Copied_Type.t_copied i) : bool ensures { result = produces0 self visited o } - let rec ghost function produces_trans [#"../14_copied.rs" 46 4 46 90] (a : C14Copied_Copied_Type.t_copied i) (ab : Seq.seq t) (b : C14Copied_Copied_Type.t_copied i) (bc : Seq.seq t) (c : C14Copied_Copied_Type.t_copied i) : () - requires {[#"../14_copied.rs" 43 15 43 32] produces0 a ab b} - requires {[#"../14_copied.rs" 44 15 44 32] produces0 b bc c} - requires {[#"../14_copied.rs" 46 22 46 23] inv0 a} - requires {[#"../14_copied.rs" 46 31 46 33] inv1 ab} - requires {[#"../14_copied.rs" 46 52 46 53] inv0 b} - requires {[#"../14_copied.rs" 46 61 46 63] inv1 bc} - requires {[#"../14_copied.rs" 46 82 46 83] inv0 c} - ensures { [#"../14_copied.rs" 45 14 45 42] produces0 a (Seq.(++) ab bc) c } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../14_copied.rs" 41 4 41 10] () + constant a : C14Copied_Copied_Type.t_copied i + constant ab : Seq.seq t + constant b : C14Copied_Copied_Type.t_copied i + constant bc : Seq.seq t + constant c : C14Copied_Copied_Type.t_copied i + function produces_trans [#"../14_copied.rs" 
46 4 46 90] (a : C14Copied_Copied_Type.t_copied i) (ab : Seq.seq t) (b : C14Copied_Copied_Type.t_copied i) (bc : Seq.seq t) (c : C14Copied_Copied_Type.t_copied i) : () + + goal vc_produces_trans : ([#"../14_copied.rs" 46 82 46 83] inv0 c) + -> ([#"../14_copied.rs" 46 61 46 63] inv1 bc) + -> ([#"../14_copied.rs" 46 52 46 53] inv0 b) + -> ([#"../14_copied.rs" 46 31 46 33] inv1 ab) + -> ([#"../14_copied.rs" 46 22 46 23] inv0 a) + -> ([#"../14_copied.rs" 44 15 44 32] produces0 b bc c) + -> ([#"../14_copied.rs" 43 15 43 32] produces0 a ab b) + -> ([#"../14_copied.rs" 45 14 45 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = 
@@ -264,14 +281,21 @@ module C14Copied_Impl0_Next requires {[#"../common.rs" 21 82 21 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv0 a) -> ([#"../common.rs" 21 31 21 33] inv6 ab) -> ([#"../common.rs" 21 52 21 53] inv0 b) -> ([#"../common.rs" 21 61 21 63] inv6 bc) -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq t, b : i, bc : Seq.seq t, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv0 a) + -> ([#"../common.rs" 21 31 21 33] inv6 ab) + -> ([#"../common.rs" 21 52 21 53] inv0 b) + -> ([#"../common.rs" 21 61 21 63] inv6 bc) + -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant0 (self : i) val invariant0 (self : i) : bool ensures { result = invariant0 self } 
@@ -285,7 +309,8 @@ module C14Copied_Impl0_Next predicate produces0 [#"../14_copied.rs" 28 4 28 64] (self : C14Copied_Copied_Type.t_copied i) (visited : Seq.seq t) (o : C14Copied_Copied_Type.t_copied i) = - [#"../14_copied.rs" 29 8 33 9] exists s : Seq.seq t . inv6 s /\ produces1 (C14Copied_Copied_Type.copied_iter self) s (C14Copied_Copied_Type.copied_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [#"../14_copied.rs" 29 8 33 9] exists s : Seq.seq t . inv6 s /\ produces1 (C14Copied_Copied_Type.copied_iter self) s (C14Copied_Copied_Type.copied_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> Seq.get visited i = Seq.get s i) val produces0 [#"../14_copied.rs" 28 4 28 64] (self : C14Copied_Copied_Type.t_copied i) (visited : Seq.seq t) (o : C14Copied_Copied_Type.t_copied i) : bool ensures { result = produces0 self visited o } 
@@ -301,12 +326,13 @@ module C14Copied_Impl0_Next val copied0 (self : Core_Option_Option_Type.t_option t) : Core_Option_Option_Type.t_option t requires {inv4 self} - ensures { [#"../../../../../creusot-contracts/src/std/option.rs" 86 16 86 59] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../../creusot-contracts/src/std/option.rs" 86 16 86 59] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ (exists t : t . inv5 t /\ self = Core_Option_Option_Type.C_Some t /\ result = Core_Option_Option_Type.C_Some t) } ensures { inv2 result } predicate resolve0 (self : borrowed (C14Copied_Copied_Type.t_copied i)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (C14Copied_Copied_Type.t_copied i)) : bool ensures { result = resolve0 self } 
@@ -368,47 +394,57 @@ module C14Copied_Impl0 ensures { result = inv4 _x } axiom inv4 : forall x : Seq.seq t . inv4 x = true - predicate invariant3 (self : Seq.seq t) - val invariant3 (self : Seq.seq t) : bool + use Core_Option_Option_Type as Core_Option_Option_Type + predicate invariant3 (self : Core_Option_Option_Type.t_option t) + val invariant3 (self : Core_Option_Option_Type.t_option t) : bool ensures { result = invariant3 self } - predicate inv3 (_x : Seq.seq t) - val inv3 (_x : Seq.seq t) : bool + predicate inv3 (_x : Core_Option_Option_Type.t_option t) + val inv3 (_x : Core_Option_Option_Type.t_option t) : bool ensures { result = inv3 _x } - axiom inv3 : forall x : Seq.seq t . inv3 x = true + axiom inv3 : forall x : Core_Option_Option_Type.t_option t . inv3 x = true use C14Copied_Copied_Type as C14Copied_Copied_Type - predicate invariant2 (self : C14Copied_Copied_Type.t_copied i) - val invariant2 (self : C14Copied_Copied_Type.t_copied i) : bool + use prelude.Borrow + predicate invariant2 (self : borrowed (C14Copied_Copied_Type.t_copied i)) + val invariant2 (self : borrowed (C14Copied_Copied_Type.t_copied i)) : bool ensures { result = invariant2 self } - predicate inv2 (_x : C14Copied_Copied_Type.t_copied i) - val inv2 (_x : C14Copied_Copied_Type.t_copied i) : bool + predicate inv2 (_x : borrowed (C14Copied_Copied_Type.t_copied i)) + val inv2 (_x : borrowed (C14Copied_Copied_Type.t_copied i)) : bool ensures { result = inv2 _x } - axiom inv2 : forall x : C14Copied_Copied_Type.t_copied i . inv2 x = true - use Core_Option_Option_Type as Core_Option_Option_Type - predicate invariant1 (self : Core_Option_Option_Type.t_option t) - val invariant1 (self : Core_Option_Option_Type.t_option t) : bool + axiom inv2 : forall x : borrowed (C14Copied_Copied_Type.t_copied i) . 
inv2 x = true + predicate invariant1 (self : Seq.seq t) + val invariant1 (self : Seq.seq t) : bool ensures { result = invariant1 self } - predicate inv1 (_x : Core_Option_Option_Type.t_option t) - val inv1 (_x : Core_Option_Option_Type.t_option t) : bool + predicate inv1 (_x : Seq.seq t) + val inv1 (_x : Seq.seq t) : bool ensures { result = inv1 _x } - axiom inv1 : forall x : Core_Option_Option_Type.t_option t . inv1 x = true - use prelude.Borrow - predicate invariant0 (self : borrowed (C14Copied_Copied_Type.t_copied i)) - val invariant0 (self : borrowed (C14Copied_Copied_Type.t_copied i)) : bool + axiom inv1 : forall x : Seq.seq t . inv1 x = true + predicate invariant0 (self : C14Copied_Copied_Type.t_copied i) + val invariant0 (self : C14Copied_Copied_Type.t_copied i) : bool ensures { result = invariant0 self } - predicate inv0 (_x : borrowed (C14Copied_Copied_Type.t_copied i)) - val inv0 (_x : borrowed (C14Copied_Copied_Type.t_copied i)) : bool + predicate inv0 (_x : C14Copied_Copied_Type.t_copied i) + val inv0 (_x : C14Copied_Copied_Type.t_copied i) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : borrowed (C14Copied_Copied_Type.t_copied i) . inv0 x = true + axiom inv0 : forall x : C14Copied_Copied_Type.t_copied i . inv0 x = true + use seq.Seq use seq.Seq use seq.Seq + predicate completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) + val completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool + ensures { result = completed1 self } + + predicate completed0 [#"../14_copied.rs" 22 4 22 35] (self : borrowed (C14Copied_Copied_Type.t_copied i)) = + [#"../14_copied.rs" 23 8 23 43] completed1 (Borrow.borrow_logic (C14Copied_Copied_Type.copied_iter ( * self)) (C14Copied_Copied_Type.copied_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) + val completed0 [#"../14_copied.rs" 22 4 22 35] (self : borrowed (C14Copied_Copied_Type.t_copied i)) : bool + ensures { result = completed0 self } + use seq.Seq use seq.Seq use seq.Seq 
@@ -422,27 +458,23 @@ module C14Copied_Impl0 predicate produces0 [#"../14_copied.rs" 28 4 28 64] (self : C14Copied_Copied_Type.t_copied i) (visited : Seq.seq t) (o : C14Copied_Copied_Type.t_copied i) = - [#"../14_copied.rs" 29 8 33 9] exists s : Seq.seq t . inv4 s /\ produces1 (C14Copied_Copied_Type.copied_iter self) s (C14Copied_Copied_Type.copied_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> Seq.get visited i = Seq.get s i) + [#"../14_copied.rs" 29 8 33 9] exists s : Seq.seq t . inv4 s /\ produces1 (C14Copied_Copied_Type.copied_iter self) s (C14Copied_Copied_Type.copied_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> Seq.get visited i = Seq.get s i) val produces0 [#"../14_copied.rs" 28 4 28 64] (self : C14Copied_Copied_Type.t_copied i) (visited : Seq.seq t) (o : C14Copied_Copied_Type.t_copied i) : bool ensures { result = produces0 self visited o } - use seq.Seq - predicate completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) - val completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool - ensures { result = completed1 self } - - predicate completed0 [#"../14_copied.rs" 22 4 22 35] (self : borrowed (C14Copied_Copied_Type.t_copied i)) = - [#"../14_copied.rs" 23 8 23 43] completed1 (Borrow.borrow_logic (C14Copied_Copied_Type.copied_iter ( * self)) (C14Copied_Copied_Type.copied_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) - val completed0 [#"../14_copied.rs" 22 4 22 35] (self : borrowed (C14Copied_Copied_Type.t_copied i)) : bool - ensures { result = completed0 self } - - goal next_refn : [#"../14_copied.rs" 52 4 52 35] forall self : borrowed (C14Copied_Copied_Type.t_copied i) . inv0 self -> inv0 self /\ (forall result : Core_Option_Option_Type.t_option t . inv1 result /\ match result with + goal produces_trans_refn : [#"../14_copied.rs" 46 4 46 90] forall a : C14Copied_Copied_Type.t_copied i . forall ab : Seq.seq t . 
forall b : C14Copied_Copied_Type.t_copied i . forall bc : Seq.seq t . forall c : C14Copied_Copied_Type.t_copied i . inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b + -> inv0 c /\ inv1 bc /\ inv0 b /\ inv1 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) + goal next_refn : [#"../14_copied.rs" 52 4 52 35] forall self : borrowed (C14Copied_Copied_Type.t_copied i) . inv2 self + -> inv2 self /\ (forall result : Core_Option_Option_Type.t_option t . inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv1 result /\ match result with + end + -> inv3 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) - goal produces_trans_refn : [#"../14_copied.rs" 46 4 46 90] forall a : C14Copied_Copied_Type.t_copied i . forall ab : Seq.seq t . forall b : C14Copied_Copied_Type.t_copied i . forall bc : Seq.seq t . forall c : C14Copied_Copied_Type.t_copied i . inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b -> inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) - goal produces_refl_refn : [#"../14_copied.rs" 39 4 39 26] forall self : C14Copied_Copied_Type.t_copied i . inv2 self -> inv2 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal produces_refl_refn : [#"../14_copied.rs" 39 4 39 26] forall self : C14Copied_Copied_Type.t_copied i . inv0 self + -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) end 
diff --git a/creusot/tests/should_succeed/iterators/14_copied.rs b/creusot/tests/should_succeed/iterators/14_copied.rs
index c29d7aa0dc..4a63babd9b 100644
--- a/creusot/tests/should_succeed/iterators/14_copied.rs
+++ b/creusot/tests/should_succeed/iterators/14_copied.rs
@@ -18,13 +18,13 @@ where
 type Item = T;
 
 #[open]
- #[predicate]
+ #[predicate(prophetic)]
 fn completed(&mut self) -> bool {
 pearlite! { self.iter.completed() }
 }
 
 #[open]
- #[predicate]
+ #[predicate(prophetic)]
 fn produces(self, visited: Seq, o: Self) -> bool {
 pearlite! { exists> self.iter.produces(s, o.iter)
diff --git a/creusot/tests/should_succeed/iterators/14_copied/why3session.xml b/creusot/tests/should_succeed/iterators/14_copied/why3session.xml
index 1de23695ca..ad84849a1f 100644
--- a/creusot/tests/should_succeed/iterators/14_copied/why3session.xml
+++ b/creusot/tests/should_succeed/iterators/14_copied/why3session.xml
@@ -6,12 +6,12 @@ - - + + - +
diff --git a/creusot/tests/should_succeed/iterators/14_copied/why3shapes.gz b/creusot/tests/should_succeed/iterators/14_copied/why3shapes.gz
index 7b03763cb4..dd930c6d47 100644
Binary files a/creusot/tests/should_succeed/iterators/14_copied/why3shapes.gz and b/creusot/tests/should_succeed/iterators/14_copied/why3shapes.gz differ
diff --git a/creusot/tests/should_succeed/iterators/15_enumerate.mlcfg b/creusot/tests/should_succeed/iterators/15_enumerate.mlcfg
index 68f4eccae9..a11fcd7b95 100644
--- a/creusot/tests/should_succeed/iterators/15_enumerate.mlcfg
+++ b/creusot/tests/should_succeed/iterators/15_enumerate.mlcfg
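Review bot: The reason `produces` now needs `#[predicate(prophetic)]` is not recorded anywhere in the hunk: it takes `self` by value and the visible part of its body uses no final-value operator, so a reader of this test will wonder whether the marker can be dropped again. For `completed(&mut self)` the need is evident from the mutable borrow, but for `produces` it is presumably imposed by how the trait declares the method in `common.rs`, which is not visible here. If that is the reason, a one-line comment above the attribute such as `// prophetic: required to match the trait's declaration of produces (see common.rs)` would document it. The body of `produces` continues past the end of the hunk.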
@@ -63,14 +63,21 @@ module C15Enumerate_Impl0_ProducesRefl_Impl requires {[#"../common.rs" 21 82 21 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv2 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv2 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv2 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv2 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) use prelude.UIntSize predicate completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed0 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool 
@@ -83,7 +90,11 @@ module C15Enumerate_Impl0_ProducesRefl_Impl use prelude.UIntSize use C15Enumerate_Enumerate_Type as C15Enumerate_Enumerate_Type predicate invariant0 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) = - [#"../15_enumerate.rs" 73 12 74 79] (forall i : i . forall s : Seq.seq item0 . inv2 i -> inv1 s -> produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s i -> UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + Seq.length s < UIntSize.to_int max0) /\ (forall i : borrowed i . inv3 i -> completed0 i -> produces1 ( * i) (Seq.empty ) ( ^ i)) + [#"../15_enumerate.rs" 73 12 74 79] (forall i : i . forall s : Seq.seq item0 . inv2 i + -> inv1 s + -> produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s i + -> UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + Seq.length s < UIntSize.to_int max0) /\ (forall i : borrowed i . inv3 i + -> completed0 i -> produces1 ( * i) (Seq.empty ) ( ^ i)) val invariant0 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) : bool ensures { result = invariant0 self } 
@@ -100,17 +111,16 @@ module C15Enumerate_Impl0_ProducesRefl_Impl predicate produces0 [#"../15_enumerate.rs" 28 4 28 64] (self : C15Enumerate_Enumerate_Type.t_enumerate i) (visited : Seq.seq (usize, item0)) (o : C15Enumerate_Enumerate_Type.t_enumerate i) = - [#"../15_enumerate.rs" 29 8 34 9] Seq.length visited = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count o) - UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) /\ (exists s : Seq.seq item0 . inv1 s /\ produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s (C15Enumerate_Enumerate_Type.enumerate_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + i /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) + [#"../15_enumerate.rs" 29 8 34 9] Seq.length visited = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count o) - UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) /\ (exists s : Seq.seq item0 . inv1 s /\ produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s (C15Enumerate_Enumerate_Type.enumerate_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 
0 <= i /\ i < Seq.length s + -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + i /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) val produces0 [#"../15_enumerate.rs" 28 4 28 64] (self : C15Enumerate_Enumerate_Type.t_enumerate i) (visited : Seq.seq (usize, item0)) (o : C15Enumerate_Enumerate_Type.t_enumerate i) : bool ensures { result = produces0 self visited o } use seq.Seq - let rec ghost function produces_refl [#"../15_enumerate.rs" 40 4 40 26] (self : C15Enumerate_Enumerate_Type.t_enumerate i) : () - requires {[#"../15_enumerate.rs" 40 21 40 25] inv0 self} - ensures { [#"../15_enumerate.rs" 39 14 39 45] produces0 self (Seq.empty ) self } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../15_enumerate.rs" 37 4 37 10] () + constant self : C15Enumerate_Enumerate_Type.t_enumerate i + function produces_refl [#"../15_enumerate.rs" 40 4 40 26] (self : C15Enumerate_Enumerate_Type.t_enumerate i) : () + goal vc_produces_refl : ([#"../15_enumerate.rs" 40 21 40 25] inv0 self) + -> ([#"../15_enumerate.rs" 39 14 39 45] produces0 self (Seq.empty ) self) end module C15Enumerate_Impl0_ProducesTrans_Impl type i 
@@ -161,14 +171,21 @@ module C15Enumerate_Impl0_ProducesTrans_Impl requires {[#"../common.rs" 21 82 21 83] inv3 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv3 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv3 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv3 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv3 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv3 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv3 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv3 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) use prelude.UIntSize predicate invariant1 (self : Seq.seq (usize, item0)) val invariant1 (self : Seq.seq (usize, item0)) : bool 
@@ -190,7 +207,11 @@ module C15Enumerate_Impl0_ProducesTrans_Impl use prelude.UIntSize use C15Enumerate_Enumerate_Type as C15Enumerate_Enumerate_Type predicate invariant0 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) = - [#"../15_enumerate.rs" 73 12 74 79] (forall i : i . forall s : Seq.seq item0 . inv3 i -> inv2 s -> produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s i -> UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + Seq.length s < UIntSize.to_int max0) /\ (forall i : borrowed i . inv4 i -> completed0 i -> produces1 ( * i) (Seq.empty ) ( ^ i)) + [#"../15_enumerate.rs" 73 12 74 79] (forall i : i . forall s : Seq.seq item0 . inv3 i + -> inv2 s + -> produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s i + -> UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + Seq.length s < UIntSize.to_int max0) /\ (forall i : borrowed i . inv4 i + -> completed0 i -> produces1 ( * i) (Seq.empty ) ( ^ i)) val invariant0 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) : bool ensures { result = invariant0 self } 
@@ -208,22 +229,26 @@ module C15Enumerate_Impl0_ProducesTrans_Impl predicate produces0 [#"../15_enumerate.rs" 28 4 28 64] (self : C15Enumerate_Enumerate_Type.t_enumerate i) (visited : Seq.seq (usize, item0)) (o : C15Enumerate_Enumerate_Type.t_enumerate i) = - [#"../15_enumerate.rs" 29 8 34 9] Seq.length visited = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count o) - UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) /\ (exists s : Seq.seq item0 . inv2 s /\ produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s (C15Enumerate_Enumerate_Type.enumerate_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + i /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) + [#"../15_enumerate.rs" 29 8 34 9] Seq.length visited = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count o) - UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) /\ (exists s : Seq.seq item0 . inv2 s /\ produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s (C15Enumerate_Enumerate_Type.enumerate_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 
0 <= i /\ i < Seq.length s + -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + i /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) val produces0 [#"../15_enumerate.rs" 28 4 28 64] (self : C15Enumerate_Enumerate_Type.t_enumerate i) (visited : Seq.seq (usize, item0)) (o : C15Enumerate_Enumerate_Type.t_enumerate i) : bool ensures { result = produces0 self visited o } - let rec ghost function produces_trans [#"../15_enumerate.rs" 47 4 47 90] (a : C15Enumerate_Enumerate_Type.t_enumerate i) (ab : Seq.seq (usize, item0)) (b : C15Enumerate_Enumerate_Type.t_enumerate i) (bc : Seq.seq (usize, item0)) (c : C15Enumerate_Enumerate_Type.t_enumerate i) : () - requires {[#"../15_enumerate.rs" 44 15 44 32] produces0 a ab b} - requires {[#"../15_enumerate.rs" 45 15 45 32] produces0 b bc c} - requires {[#"../15_enumerate.rs" 47 22 47 23] inv0 a} - requires {[#"../15_enumerate.rs" 47 31 47 33] inv1 ab} - requires {[#"../15_enumerate.rs" 47 52 47 53] inv0 b} - requires {[#"../15_enumerate.rs" 47 61 47 63] inv1 bc} - requires {[#"../15_enumerate.rs" 47 82 47 83] inv0 c} - ensures { [#"../15_enumerate.rs" 46 14 46 42] produces0 a (Seq.(++) ab bc) c } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../15_enumerate.rs" 42 4 42 10] () + constant a : C15Enumerate_Enumerate_Type.t_enumerate i + constant ab : Seq.seq (usize, item0) + constant b : C15Enumerate_Enumerate_Type.t_enumerate i + constant bc : Seq.seq (usize, item0) + constant c : C15Enumerate_Enumerate_Type.t_enumerate i + function produces_trans [#"../15_enumerate.rs" 47 4 47 90] (a : C15Enumerate_Enumerate_Type.t_enumerate i) (ab : Seq.seq (usize, item0)) (b : C15Enumerate_Enumerate_Type.t_enumerate i) (bc : Seq.seq (usize, item0)) (c : C15Enumerate_Enumerate_Type.t_enumerate i) : () + + goal vc_produces_trans : ([#"../15_enumerate.rs" 47 82 47 83] inv0 c) + -> ([#"../15_enumerate.rs" 47 61 47 63] inv1 bc) + -> ([#"../15_enumerate.rs" 47 52 47 53] 
inv0 b) + -> ([#"../15_enumerate.rs" 47 31 47 33] inv1 ab) + -> ([#"../15_enumerate.rs" 47 22 47 23] inv0 a) + -> ([#"../15_enumerate.rs" 45 15 45 32] produces0 b bc c) + -> ([#"../15_enumerate.rs" 44 15 44 32] produces0 a ab b) + -> ([#"../15_enumerate.rs" 46 14 46 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = @@ -270,7 +295,11 @@ module C15Enumerate_Impl0_Next use C15Enumerate_Enumerate_Type as C15Enumerate_Enumerate_Type predicate invariant6 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) = - [#"../15_enumerate.rs" 73 12 74 79] (forall i : i . forall s : Seq.seq item0 . inv0 i -> inv5 s -> produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s i -> UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + Seq.length s < UIntSize.to_int max0) /\ (forall i : borrowed i . inv4 i -> completed1 i -> produces1 ( * i) (Seq.empty ) ( ^ i)) + [#"../15_enumerate.rs" 73 12 74 79] (forall i : i . forall s : Seq.seq item0 . inv0 i + -> inv5 s + -> produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s i + -> UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + Seq.length s < UIntSize.to_int max0) /\ (forall i : borrowed i . inv4 i + -> completed1 i -> produces1 ( * i) (Seq.empty ) ( ^ i)) val invariant6 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) : bool ensures { result = invariant6 self } 
@@ -332,13 +361,20 @@ module C15Enumerate_Impl0_Next requires {[#"../common.rs" 21 82 21 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv0 a) -> ([#"../common.rs" 21 31 21 33] inv5 ab) -> ([#"../common.rs" 21 52 21 53] inv0 b) -> ([#"../common.rs" 21 61 21 63] inv5 bc) -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv0 a) + -> ([#"../common.rs" 21 31 21 33] inv5 ab) + -> ([#"../common.rs" 21 52 21 53] inv0 b) + -> ([#"../common.rs" 21 61 21 63] inv5 bc) + -> ([#"../common.rs" 21 82 21 83] inv0 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv0 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant0 (self : i) val invariant0 (self : i) : bool ensures { result = invariant0 self } 
@@ -350,7 +386,8 @@ module C15Enumerate_Impl0_Next predicate produces0 [#"../15_enumerate.rs" 28 4 28 64] (self : C15Enumerate_Enumerate_Type.t_enumerate i) (visited : Seq.seq (usize, item0)) (o : C15Enumerate_Enumerate_Type.t_enumerate i) = - [#"../15_enumerate.rs" 29 8 34 9] Seq.length visited = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count o) - UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) /\ (exists s : Seq.seq item0 . inv5 s /\ produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s (C15Enumerate_Enumerate_Type.enumerate_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + i /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) + [#"../15_enumerate.rs" 29 8 34 9] Seq.length visited = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count o) - UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) /\ (exists s : Seq.seq item0 . inv5 s /\ produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s (C15Enumerate_Enumerate_Type.enumerate_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + i /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) val produces0 [#"../15_enumerate.rs" 28 4 28 64] (self : C15Enumerate_Enumerate_Type.t_enumerate i) (visited : Seq.seq (usize, item0)) (o : C15Enumerate_Enumerate_Type.t_enumerate i) : bool ensures { result = produces0 self visited o } 
@@ -362,7 +399,7 @@ module C15Enumerate_Impl0_Next ensures { result = completed0 self } predicate resolve1 (self : borrowed (C15Enumerate_Enumerate_Type.t_enumerate i)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed (C15Enumerate_Enumerate_Type.t_enumerate i)) : bool ensures { result = resolve1 self } @@ -394,6 +431,7 @@ module C15Enumerate_Impl0_Next var _4 : borrowed i; var x : item0; var n : usize; + var _8 : (usize, item0); { goto BB0 } 
@@ -415,21 +453,23 @@ module C15Enumerate_Impl0_Next goto BB5 } BB3 { - [#"../15_enumerate.rs" 56 17 56 18] x <- ([#"../15_enumerate.rs" 56 17 56 18] Core_Option_Option_Type.some_0 _3); - [#"../15_enumerate.rs" 56 17 56 18] _3 <- (let Core_Option_Option_Type.C_Some x0 = _3 in Core_Option_Option_Type.C_Some (any item0)); + [#"../15_enumerate.rs" 56 17 56 18] x <- Core_Option_Option_Type.some_0 _3; + _3 <- (let Core_Option_Option_Type.C_Some x0 = _3 in Core_Option_Option_Type.C_Some (any item0)); assert { [@expl:type invariant] inv1 _3 }; assume { resolve0 _3 }; - [#"../15_enumerate.rs" 57 24 57 34] n <- ([#"../15_enumerate.rs" 57 24 57 34] C15Enumerate_Enumerate_Type.enumerate_count ( * self)); - [#"../15_enumerate.rs" 58 16 58 31] self <- { self with current = (let C15Enumerate_Enumerate_Type.C_Enumerate x0 x1 = * self in C15Enumerate_Enumerate_Type.C_Enumerate x0 ([#"../15_enumerate.rs" 58 16 58 31] C15Enumerate_Enumerate_Type.enumerate_count ( * self) + ([#"../15_enumerate.rs" 58 30 58 31] [#"../15_enumerate.rs" 58 30 58 31] (1 : usize)))) ; }; + [#"../15_enumerate.rs" 57 24 57 34] n <- C15Enumerate_Enumerate_Type.enumerate_count ( * self); + [#"../15_enumerate.rs" 58 16 58 31] self <- { self with current = (let C15Enumerate_Enumerate_Type.C_Enumerate x0 x1 = * self in C15Enumerate_Enumerate_Type.C_Enumerate x0 (C15Enumerate_Enumerate_Type.enumerate_count ( * self) + ([#"../15_enumerate.rs" 58 30 58 31] (1 : usize)))) ; }; assert { [@expl:type invariant] inv2 self }; assume { resolve1 self }; + [#"../15_enumerate.rs" 59 21 59 27] _8 <- (n, x); + x <- any item0; goto BB6 } BB4 { - assert { [@expl:type invariant] inv1 _3 }; - assume { resolve0 _3 }; assert { [@expl:type invariant] inv2 self }; assume { resolve1 self }; + assert { [@expl:type invariant] inv1 _3 }; + assume { resolve0 _3 }; assert { [#"../15_enumerate.rs" 54 14 54 30] false }; absurd } 
@@ -438,12 +478,12 @@ module C15Enumerate_Impl0_Next assume { resolve0 _3 }; assert { [@expl:type invariant] inv2 self }; assume { resolve1 self }; - [#"../15_enumerate.rs" 55 20 55 24] _0 <- ([#"../15_enumerate.rs" 55 20 55 24] Core_Option_Option_Type.C_None); + [#"../15_enumerate.rs" 55 20 55 24] _0 <- Core_Option_Option_Type.C_None; goto BB9 } BB6 { - [#"../15_enumerate.rs" 59 16 59 28] _0 <- ([#"../15_enumerate.rs" 59 16 59 28] Core_Option_Option_Type.C_Some ([#"../15_enumerate.rs" 59 21 59 27] (([#"../15_enumerate.rs" 59 22 59 23] n), ([#"../15_enumerate.rs" 59 25 59 26] x)))); - [#"../15_enumerate.rs" 59 25 59 26] x <- any item0; + [#"../15_enumerate.rs" 59 16 59 28] _0 <- Core_Option_Option_Type.C_Some _8; + _8 <- any (usize, item0); goto BB7 } BB7 { @@ -494,7 +534,11 @@ module C15Enumerate_Enumerate use C15Enumerate_Enumerate_Type as C15Enumerate_Enumerate_Type predicate invariant3 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) = - [#"../15_enumerate.rs" 73 12 74 79] (forall i : i . forall s : Seq.seq item0 . inv1 i -> inv2 s -> produces0 (C15Enumerate_Enumerate_Type.enumerate_iter self) s i -> UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + Seq.length s < UIntSize.to_int max0) /\ (forall i : borrowed i . inv0 i -> completed0 i -> produces0 ( * i) (Seq.empty ) ( ^ i)) + [#"../15_enumerate.rs" 73 12 74 79] (forall i : i . forall s : Seq.seq item0 . inv1 i + -> inv2 s + -> produces0 (C15Enumerate_Enumerate_Type.enumerate_iter self) s i + -> UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + Seq.length s < UIntSize.to_int max0) /\ (forall i : borrowed i . inv0 i + -> completed0 i -> produces0 ( * i) (Seq.empty ) ( ^ i)) val invariant3 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) : bool ensures { result = invariant3 self } 
@@ -528,21 +572,30 @@ module C15Enumerate_Enumerate requires {[#"../common.rs" 21 82 21 83] inv1 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) -> ([#"../common.rs" 21 22 21 23] inv1 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv1 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv1 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces0 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces0 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv1 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv1 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv1 c) -> ([#"../common.rs" 20 14 20 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv1 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv1 self) -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv1 self) + -> ([#"../common.rs" 14 14 14 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : borrowed i) val invariant0 (self : borrowed i) : bool ensures { result = invariant0 self } axiom inv0 : forall x : borrowed i . 
inv0 x = true let rec cfg enumerate [#"../15_enumerate.rs" 81 0 81 54] [@cfg:stackify] [@cfg:subregion_analysis] (iter : i) : C15Enumerate_Enumerate_Type.t_enumerate i - requires {[#"../15_enumerate.rs" 79 0 79 75] forall i : borrowed i . inv0 i -> completed0 i -> produces0 ( * i) (Seq.empty ) ( ^ i)} - requires {[#"../15_enumerate.rs" 80 0 80 93] forall i : i . forall s : Seq.seq item0 . inv1 i -> inv2 s -> produces0 iter s i -> Seq.length s < UIntSize.to_int max0} + requires {[#"../15_enumerate.rs" 79 0 79 75] forall i : borrowed i . inv0 i + -> completed0 i -> produces0 ( * i) (Seq.empty ) ( ^ i)} + requires {[#"../15_enumerate.rs" 80 0 80 93] forall i : i . forall s : Seq.seq item0 . inv1 i + -> inv2 s -> produces0 iter s i -> Seq.length s < UIntSize.to_int max0} requires {[#"../15_enumerate.rs" 81 30 81 34] inv1 iter} ensures { [#"../15_enumerate.rs" 81 42 81 54] inv3 result } @@ -556,8 +609,8 @@ module C15Enumerate_Enumerate goto BB1 } BB1 { - [#"../15_enumerate.rs" 82 4 82 32] _0 <- ([#"../15_enumerate.rs" 82 4 82 32] C15Enumerate_Enumerate_Type.C_Enumerate ([#"../15_enumerate.rs" 82 16 82 20] iter) ([#"../15_enumerate.rs" 82 29 82 30] [#"../15_enumerate.rs" 82 29 82 30] (0 : usize))); - [#"../15_enumerate.rs" 82 16 82 20] iter <- any i; + [#"../15_enumerate.rs" 82 4 82 32] _0 <- C15Enumerate_Enumerate_Type.C_Enumerate iter ([#"../15_enumerate.rs" 82 29 82 30] (0 : usize)); + iter <- any i; goto BB2 } BB2 { 
@@ -610,30 +663,6 @@ module C15Enumerate_Impl0 ensures { result = inv3 _x } axiom inv3 : forall x : Seq.seq (usize, item0) . inv3 x = true - use Core_Option_Option_Type as Core_Option_Option_Type - predicate invariant2 (self : Core_Option_Option_Type.t_option (usize, item0)) - val invariant2 (self : Core_Option_Option_Type.t_option (usize, item0)) : bool - ensures { result = invariant2 self } - - predicate inv2 (_x : Core_Option_Option_Type.t_option (usize, item0)) - val inv2 (_x : Core_Option_Option_Type.t_option (usize, item0)) : bool - ensures { result = inv2 _x } - - axiom inv2 : forall x : Core_Option_Option_Type.t_option (usize, item0) . inv2 x = true - use C15Enumerate_Enumerate_Type as C15Enumerate_Enumerate_Type - predicate invariant1 (self : borrowed (C15Enumerate_Enumerate_Type.t_enumerate i)) - val invariant1 (self : borrowed (C15Enumerate_Enumerate_Type.t_enumerate i)) : bool - ensures { result = invariant1 self } - - predicate inv0 (_x : C15Enumerate_Enumerate_Type.t_enumerate i) - val inv0 (_x : C15Enumerate_Enumerate_Type.t_enumerate i) : bool - ensures { result = inv0 _x } - - predicate inv1 (_x : borrowed (C15Enumerate_Enumerate_Type.t_enumerate i)) - val inv1 (_x : borrowed (C15Enumerate_Enumerate_Type.t_enumerate i)) : bool - ensures { result = inv1 _x } - - axiom inv1 : forall x : borrowed (C15Enumerate_Enumerate_Type.t_enumerate i) . inv1 x = (inv0 ( * x) /\ inv0 ( ^ x)) use seq.Seq predicate completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) val completed1 [#"../common.rs" 11 4 11 36] (self : borrowed i) : bool 
@@ -648,22 +677,44 @@ module C15Enumerate_Impl0 val produces1 [#"../common.rs" 8 4 8 65] (self : i) (visited : Seq.seq item0) (o : i) : bool ensures { result = produces1 self visited o } - predicate invariant0 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) = - [#"../15_enumerate.rs" 73 12 74 79] (forall i : i . forall s : Seq.seq item0 . inv5 i -> inv4 s -> produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s i -> UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + Seq.length s < UIntSize.to_int max0) /\ (forall i : borrowed i . inv6 i -> completed1 i -> produces1 ( * i) (Seq.empty ) ( ^ i)) - val invariant0 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) : bool - ensures { result = invariant0 self } + use C15Enumerate_Enumerate_Type as C15Enumerate_Enumerate_Type + predicate invariant2 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) = + [#"../15_enumerate.rs" 73 12 74 79] (forall i : i . forall s : Seq.seq item0 . inv5 i + -> inv4 s + -> produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s i + -> UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + Seq.length s < UIntSize.to_int max0) /\ (forall i : borrowed i . inv6 i + -> completed1 i -> produces1 ( * i) (Seq.empty ) ( ^ i)) + val invariant2 [#"../15_enumerate.rs" 71 4 71 30] (self : C15Enumerate_Enumerate_Type.t_enumerate i) : bool + ensures { result = invariant2 self } - axiom inv0 : forall x : C15Enumerate_Enumerate_Type.t_enumerate i . inv0 x = (invariant0 x /\ match x with + predicate inv2 (_x : C15Enumerate_Enumerate_Type.t_enumerate i) + val inv2 (_x : C15Enumerate_Enumerate_Type.t_enumerate i) : bool + ensures { result = inv2 _x } + + axiom inv2 : forall x : C15Enumerate_Enumerate_Type.t_enumerate i . 
inv2 x = (invariant2 x /\ match x with | C15Enumerate_Enumerate_Type.C_Enumerate iter count -> true end) + use Core_Option_Option_Type as Core_Option_Option_Type + predicate invariant1 (self : Core_Option_Option_Type.t_option (usize, item0)) + val invariant1 (self : Core_Option_Option_Type.t_option (usize, item0)) : bool + ensures { result = invariant1 self } + + predicate inv1 (_x : Core_Option_Option_Type.t_option (usize, item0)) + val inv1 (_x : Core_Option_Option_Type.t_option (usize, item0)) : bool + ensures { result = inv1 _x } + + axiom inv1 : forall x : Core_Option_Option_Type.t_option (usize, item0) . inv1 x = true + predicate invariant0 (self : borrowed (C15Enumerate_Enumerate_Type.t_enumerate i)) + val invariant0 (self : borrowed (C15Enumerate_Enumerate_Type.t_enumerate i)) : bool + ensures { result = invariant0 self } + + predicate inv0 (_x : borrowed (C15Enumerate_Enumerate_Type.t_enumerate i)) + val inv0 (_x : borrowed (C15Enumerate_Enumerate_Type.t_enumerate i)) : bool + ensures { result = inv0 _x } + + axiom inv0 : forall x : borrowed (C15Enumerate_Enumerate_Type.t_enumerate i) . inv0 x = (inv2 ( * x) /\ inv2 ( ^ x)) use seq.Seq use seq.Seq - predicate completed0 [#"../15_enumerate.rs" 22 4 22 35] (self : borrowed (C15Enumerate_Enumerate_Type.t_enumerate i)) - = - [#"../15_enumerate.rs" 23 8 23 43] completed1 (Borrow.borrow_logic (C15Enumerate_Enumerate_Type.enumerate_iter ( * self)) (C15Enumerate_Enumerate_Type.enumerate_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) - val completed0 [#"../15_enumerate.rs" 22 4 22 35] (self : borrowed (C15Enumerate_Enumerate_Type.t_enumerate i)) : bool - ensures { result = completed0 self } - use seq.Seq use seq.Seq use seq.Seq 
@@ -671,20 +722,32 @@ module C15Enumerate_Impl0 predicate produces0 [#"../15_enumerate.rs" 28 4 28 64] (self : C15Enumerate_Enumerate_Type.t_enumerate i) (visited : Seq.seq (usize, item0)) (o : C15Enumerate_Enumerate_Type.t_enumerate i) = - [#"../15_enumerate.rs" 29 8 34 9] Seq.length visited = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count o) - UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) /\ (exists s : Seq.seq item0 . inv4 s /\ produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s (C15Enumerate_Enumerate_Type.enumerate_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + i /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) + [#"../15_enumerate.rs" 29 8 34 9] Seq.length visited = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count o) - UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) /\ (exists s : Seq.seq item0 . inv4 s /\ produces1 (C15Enumerate_Enumerate_Type.enumerate_iter self) s (C15Enumerate_Enumerate_Type.enumerate_iter o) /\ Seq.length visited = Seq.length s /\ (forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (let (a, _) = Seq.get visited i in a) = UIntSize.to_int (C15Enumerate_Enumerate_Type.enumerate_count self) + i /\ (let (_, a) = Seq.get visited i in a) = Seq.get s i)) val produces0 [#"../15_enumerate.rs" 28 4 28 64] (self : C15Enumerate_Enumerate_Type.t_enumerate i) (visited : Seq.seq (usize, item0)) (o : C15Enumerate_Enumerate_Type.t_enumerate i) : bool ensures { result = produces0 self visited o } use seq.Seq - goal produces_refl_refn : [#"../15_enumerate.rs" 40 4 40 26] forall self : C15Enumerate_Enumerate_Type.t_enumerate i . inv0 self -> inv0 self /\ (forall result : () . 
produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal next_refn : [#"../15_enumerate.rs" 53 4 53 44] forall self : borrowed (C15Enumerate_Enumerate_Type.t_enumerate i) . inv1 self -> inv1 self /\ (forall result : Core_Option_Option_Type.t_option (usize, item0) . inv2 result /\ match result with + predicate completed0 [#"../15_enumerate.rs" 22 4 22 35] (self : borrowed (C15Enumerate_Enumerate_Type.t_enumerate i)) + = + [#"../15_enumerate.rs" 23 8 23 43] completed1 (Borrow.borrow_logic (C15Enumerate_Enumerate_Type.enumerate_iter ( * self)) (C15Enumerate_Enumerate_Type.enumerate_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) + val completed0 [#"../15_enumerate.rs" 22 4 22 35] (self : borrowed (C15Enumerate_Enumerate_Type.t_enumerate i)) : bool + ensures { result = completed0 self } + + goal next_refn : [#"../15_enumerate.rs" 53 4 53 44] forall self : borrowed (C15Enumerate_Enumerate_Type.t_enumerate i) . inv0 self + -> inv0 self /\ (forall result : Core_Option_Option_Type.t_option (usize, item0) . inv1 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv2 result /\ match result with + end + -> inv1 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) - goal produces_trans_refn : [#"../15_enumerate.rs" 47 4 47 90] forall a : C15Enumerate_Enumerate_Type.t_enumerate i . forall ab : Seq.seq (usize, item0) . forall b : C15Enumerate_Enumerate_Type.t_enumerate i . forall bc : Seq.seq (usize, item0) . forall c : C15Enumerate_Enumerate_Type.t_enumerate i . inv0 c /\ inv3 bc /\ inv0 b /\ inv3 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b -> inv0 c /\ inv3 bc /\ inv0 b /\ inv3 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . 
produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) + goal produces_trans_refn : [#"../15_enumerate.rs" 47 4 47 90] forall a : C15Enumerate_Enumerate_Type.t_enumerate i . forall ab : Seq.seq (usize, item0) . forall b : C15Enumerate_Enumerate_Type.t_enumerate i . forall bc : Seq.seq (usize, item0) . forall c : C15Enumerate_Enumerate_Type.t_enumerate i . inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b + -> inv2 c /\ inv3 bc /\ inv2 b /\ inv3 ab /\ inv2 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) + goal produces_refl_refn : [#"../15_enumerate.rs" 40 4 40 26] forall self : C15Enumerate_Enumerate_Type.t_enumerate i . inv2 self + -> inv2 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) end module C15Enumerate_Impl1 type i diff --git a/creusot/tests/should_succeed/iterators/15_enumerate.rs b/creusot/tests/should_succeed/iterators/15_enumerate.rs index f0f7c28c7f..d800aecd7c 100644 --- a/creusot/tests/should_succeed/iterators/15_enumerate.rs +++ b/creusot/tests/should_succeed/iterators/15_enumerate.rs @@ -18,13 +18,13 @@ where type Item = (usize, I::Item); #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { self.iter.completed() } } #[open] - #[predicate] + #[predicate(prophetic)] fn produces(self, visited: Seq, o: Self) -> bool { pearlite! { visited.len() == o.count@ - self.count@ @@ -67,7 +67,7 @@ where I: Iterator, { #[open] - #[predicate] + #[predicate(prophetic)] fn invariant(self) -> bool { pearlite! { (forall, i: I> self.iter.produces(s, i) ==> self.count@ + s.len() < std::usize::MAX@) diff --git a/creusot/tests/should_succeed/iterators/15_enumerate/why3session.xml b/creusot/tests/should_succeed/iterators/15_enumerate/why3session.xml index 56fc594e56..f6b39fd698 100644 
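Review bot: The `invariant` predicate in the second 15_enumerate.rs hunk is now `#[predicate(prophetic)]`, and the generated `invariant2` definition in the C15Enumerate_Impl0 module above shows why — its second conjunct quantifies over `borrowed i` and applies `completed` with `^ i`, i.e. the borrow's final value — but the Rust source records none of that, and the pearlite body is cut off by the hunk. A one-line comment above `fn invariant` such as `// prophetic: the second conjunct quantifies over &mut I and uses completed(), which speaks about the borrow's final value` would stop a later "cleanup" from dropping the marker and breaking the proof. The `completed`/`produces` hunk earlier on this line shows no prophetic use of its own; if they are prophetic only to satisfy the `common::Iterator` trait, say so in a comment there as well.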
--- a/creusot/tests/should_succeed/iterators/15_enumerate/why3session.xml +++ b/creusot/tests/should_succeed/iterators/15_enumerate/why3session.xml @@ -7,12 +7,12 @@ - - + + - + @@ -41,7 +41,7 @@ - + @@ -58,10 +58,10 @@ - + - + diff --git a/creusot/tests/should_succeed/iterators/15_enumerate/why3shapes.gz b/creusot/tests/should_succeed/iterators/15_enumerate/why3shapes.gz index c05292fe52..735d97ebf2 100644 Binary files a/creusot/tests/should_succeed/iterators/15_enumerate/why3shapes.gz and b/creusot/tests/should_succeed/iterators/15_enumerate/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/iterators/16_take.mlcfg b/creusot/tests/should_succeed/iterators/16_take.mlcfg index 37d9327947..be7b28c8c6 100644 --- a/creusot/tests/should_succeed/iterators/16_take.mlcfg +++ b/creusot/tests/should_succeed/iterators/16_take.mlcfg 
@@ -53,14 +53,21 @@ module C16Take_Impl0_ProducesRefl_Impl requires {[#"../common.rs" 21 82 21 83] inv1 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv1 a) -> ([#"../common.rs" 21 31 21 33] inv2 ab) -> ([#"../common.rs" 21 52 21 53] inv1 b) -> ([#"../common.rs" 21 61 21 63] inv2 bc) -> ([#"../common.rs" 21 82 21 83] inv1 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv1 a) + -> ([#"../common.rs" 21 31 21 33] inv2 ab) + -> ([#"../common.rs" 21 52 21 53] inv1 b) + -> ([#"../common.rs" 21 61 21 63] inv2 bc) + -> ([#"../common.rs" 21 82 21 83] inv1 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv1 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv1 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv1 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) use C16Take_Take_Type as C16Take_Take_Type predicate invariant0 (self : C16Take_Take_Type.t_take i) val invariant0 (self : C16Take_Take_Type.t_take i) : bool 
@@ -81,12 +88,10 @@ module C16Take_Impl0_ProducesRefl_Impl val produces0 [#"../16_take.rs" 31 4 31 64] (self : C16Take_Take_Type.t_take i) (visited : Seq.seq item0) (o : C16Take_Take_Type.t_take i) : bool ensures { result = produces0 self visited o } - let rec ghost function produces_refl [#"../16_take.rs" 40 4 40 26] (self : C16Take_Take_Type.t_take i) : () - requires {[#"../16_take.rs" 40 21 40 25] inv0 self} - ensures { [#"../16_take.rs" 39 14 39 45] produces0 self (Seq.empty ) self } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../16_take.rs" 37 4 37 10] () + constant self : C16Take_Take_Type.t_take i + function produces_refl [#"../16_take.rs" 40 4 40 26] (self : C16Take_Take_Type.t_take i) : () + goal vc_produces_refl : ([#"../16_take.rs" 40 21 40 25] inv0 self) + -> ([#"../16_take.rs" 39 14 39 45] produces0 self (Seq.empty ) self) end module C16Take_Impl0_ProducesTrans_Impl type i 
@@ -122,14 +127,21 @@ module C16Take_Impl0_ProducesTrans_Impl requires {[#"../common.rs" 21 82 21 83] inv2 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv2 a) -> ([#"../common.rs" 21 31 21 33] inv1 ab) -> ([#"../common.rs" 21 52 21 53] inv2 b) -> ([#"../common.rs" 21 61 21 63] inv1 bc) -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv2 a) + -> ([#"../common.rs" 21 31 21 33] inv1 ab) + -> ([#"../common.rs" 21 52 21 53] inv2 b) + -> ([#"../common.rs" 21 61 21 63] inv1 bc) + -> ([#"../common.rs" 21 82 21 83] inv2 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv2 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv2 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : Seq.seq item0) val invariant1 (self : Seq.seq item0) : bool ensures { result = invariant1 self } 
@@ -155,18 +167,21 @@ module C16Take_Impl0_ProducesTrans_Impl val produces0 [#"../16_take.rs" 31 4 31 64] (self : C16Take_Take_Type.t_take i) (visited : Seq.seq item0) (o : C16Take_Take_Type.t_take i) : bool ensures { result = produces0 self visited o } - let rec ghost function produces_trans [#"../16_take.rs" 47 4 47 90] (a : C16Take_Take_Type.t_take i) (ab : Seq.seq item0) (b : C16Take_Take_Type.t_take i) (bc : Seq.seq item0) (c : C16Take_Take_Type.t_take i) : () - requires {[#"../16_take.rs" 44 15 44 32] produces0 a ab b} - requires {[#"../16_take.rs" 45 15 45 32] produces0 b bc c} - requires {[#"../16_take.rs" 47 22 47 23] inv0 a} - requires {[#"../16_take.rs" 47 31 47 33] inv1 ab} - requires {[#"../16_take.rs" 47 52 47 53] inv0 b} - requires {[#"../16_take.rs" 47 61 47 63] inv1 bc} - requires {[#"../16_take.rs" 47 82 47 83] inv0 c} - ensures { [#"../16_take.rs" 46 14 46 42] produces0 a (Seq.(++) ab bc) c } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../16_take.rs" 42 4 42 10] () + constant a : C16Take_Take_Type.t_take i + constant ab : Seq.seq item0 + constant b : C16Take_Take_Type.t_take i + constant bc : Seq.seq item0 + constant c : C16Take_Take_Type.t_take i + function produces_trans [#"../16_take.rs" 47 4 47 90] (a : C16Take_Take_Type.t_take i) (ab : Seq.seq item0) (b : C16Take_Take_Type.t_take i) (bc : Seq.seq item0) (c : C16Take_Take_Type.t_take i) : () + + goal vc_produces_trans : ([#"../16_take.rs" 47 82 47 83] inv0 c) + -> ([#"../16_take.rs" 47 61 47 63] inv1 bc) + -> ([#"../16_take.rs" 47 52 47 53] inv0 b) + -> ([#"../16_take.rs" 47 31 47 33] inv1 ab) + -> ([#"../16_take.rs" 47 22 47 23] inv0 a) + -> ([#"../16_take.rs" 45 15 45 32] produces0 b bc c) + -> ([#"../16_take.rs" 44 15 44 32] produces0 a ab b) + -> ([#"../16_take.rs" 46 14 46 42] produces0 a (Seq.(++) ab bc) c) end module Core_Option_Option_Type type t_option 't = 
@@ -228,14 +243,21 @@ module C16Take_Impl0_Next requires {[#"../common.rs" 21 82 21 83] inv1 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) -> ([#"../common.rs" 21 22 21 23] inv1 a) -> ([#"../common.rs" 21 31 21 33] inv4 ab) -> ([#"../common.rs" 21 52 21 53] inv1 b) -> ([#"../common.rs" 21 61 21 63] inv4 bc) -> ([#"../common.rs" 21 82 21 83] inv1 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : i, ab : Seq.seq item0, b : i, bc : Seq.seq item0, c : i . ([#"../common.rs" 18 15 18 32] produces1 a ab b) + -> ([#"../common.rs" 19 15 19 32] produces1 b bc c) + -> ([#"../common.rs" 21 22 21 23] inv1 a) + -> ([#"../common.rs" 21 31 21 33] inv4 ab) + -> ([#"../common.rs" 21 52 21 53] inv1 b) + -> ([#"../common.rs" 21 61 21 63] inv4 bc) + -> ([#"../common.rs" 21 82 21 83] inv1 c) -> ([#"../common.rs" 20 14 20 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () val produces_refl0 [#"../common.rs" 15 4 15 27] (self : i) : () requires {[#"../common.rs" 15 21 15 25] inv1 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv1 self) -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : i . ([#"../common.rs" 15 21 15 25] inv1 self) + -> ([#"../common.rs" 14 14 14 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : i) val invariant1 (self : i) : bool ensures { result = invariant1 self } 
@@ -296,18 +318,20 @@ module C16Take_Impl0_Next = [@vc:do_not_keep_trace] [@vc:sp] var _0 : Core_Option_Option_Type.t_option item0; var self : borrowed (C16Take_Take_Type.t_take i) = self; + var _3 : bool; var _5 : borrowed i; { goto BB0 } BB0 { - switch ([#"../16_take.rs" 54 11 54 22] ([#"../16_take.rs" 54 11 54 17] C16Take_Take_Type.take_n ( * self)) <> ([#"../16_take.rs" 54 21 54 22] [#"../16_take.rs" 54 21 54 22] (0 : usize))) + [#"../16_take.rs" 54 11 54 22] _3 <- C16Take_Take_Type.take_n ( * self) <> ([#"../16_take.rs" 54 21 54 22] (0 : usize)); + switch (_3) | False -> goto BB3 | True -> goto BB1 end } BB1 { - [#"../16_take.rs" 55 12 55 23] self <- { self with current = (let C16Take_Take_Type.C_Take x0 x1 = * self in C16Take_Take_Type.C_Take x0 ([#"../16_take.rs" 55 12 55 23] C16Take_Take_Type.take_n ( * self) - ([#"../16_take.rs" 55 22 55 23] [#"../16_take.rs" 55 22 55 23] (1 : usize)))) ; }; + [#"../16_take.rs" 55 12 55 23] self <- { self with current = (let C16Take_Take_Type.C_Take x0 x1 = * self in C16Take_Take_Type.C_Take x0 (C16Take_Take_Type.take_n ( * self) - ([#"../16_take.rs" 55 22 55 23] (1 : usize)))) ; }; [#"../16_take.rs" 56 12 56 21] _5 <- Borrow.borrow_final (C16Take_Take_Type.take_iter ( * self)) (Borrow.inherit_id (Borrow.get_id self) 1); [#"../16_take.rs" 56 12 56 21] self <- { self with current = (let C16Take_Take_Type.C_Take x0 x1 = * self in C16Take_Take_Type.C_Take ( ^ _5) x1) ; }; assume { inv1 ( ^ _5) }; @@ -323,7 +347,7 @@ module C16Take_Impl0_Next BB3 { assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../16_take.rs" 58 12 58 16] _0 <- ([#"../16_take.rs" 58 12 58 16] Core_Option_Option_Type.C_None); + [#"../16_take.rs" 58 12 58 16] _0 <- Core_Option_Option_Type.C_None; goto BB4 } BB4 { 
@@ -406,13 +430,18 @@ module C16Take_Impl0 ensures { result = produces0 self visited o } use seq.Seq - goal produces_refl_refn : [#"../16_take.rs" 40 4 40 26] forall self : C16Take_Take_Type.t_take i . inv0 self -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) - goal next_refn : [#"../16_take.rs" 53 4 53 41] forall self : borrowed (C16Take_Take_Type.t_take i) . inv1 self -> inv1 self /\ (forall result : Core_Option_Option_Type.t_option item0 . inv2 result /\ match result with + goal produces_refl_refn : [#"../16_take.rs" 40 4 40 26] forall self : C16Take_Take_Type.t_take i . inv0 self + -> inv0 self /\ (forall result : () . produces0 self (Seq.empty ) self -> produces0 self (Seq.empty ) self) + goal next_refn : [#"../16_take.rs" 53 4 53 41] forall self : borrowed (C16Take_Take_Type.t_take i) . inv1 self + -> inv1 self /\ (forall result : Core_Option_Option_Type.t_option item0 . inv2 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) - end -> inv2 result /\ match result with + end + -> inv2 result /\ match result with | Core_Option_Option_Type.C_None -> completed0 self | Core_Option_Option_Type.C_Some v -> produces0 ( * self) (Seq.singleton v) ( ^ self) end) - goal produces_trans_refn : [#"../16_take.rs" 47 4 47 90] forall a : C16Take_Take_Type.t_take i . forall ab : Seq.seq item0 . forall b : C16Take_Take_Type.t_take i . forall bc : Seq.seq item0 . forall c : C16Take_Take_Type.t_take i . inv0 c /\ inv3 bc /\ inv0 b /\ inv3 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b -> inv0 c /\ inv3 bc /\ inv0 b /\ inv3 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c -> produces0 a (Seq.(++) ab bc) c) + goal produces_trans_refn : [#"../16_take.rs" 47 4 47 90] forall a : C16Take_Take_Type.t_take i . forall ab : Seq.seq item0 . 
forall b : C16Take_Take_Type.t_take i . forall bc : Seq.seq item0 . forall c : C16Take_Take_Type.t_take i . inv0 c /\ inv3 bc /\ inv0 b /\ inv3 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b + -> inv0 c /\ inv3 bc /\ inv0 b /\ inv3 ab /\ inv0 a /\ produces0 b bc c /\ produces0 a ab b /\ (forall result : () . produces0 a (Seq.(++) ab bc) c + -> produces0 a (Seq.(++) ab bc) c) end diff --git a/creusot/tests/should_succeed/iterators/16_take.rs b/creusot/tests/should_succeed/iterators/16_take.rs index 77a3350d59..7563da5509 100644 --- a/creusot/tests/should_succeed/iterators/16_take.rs +++ b/creusot/tests/should_succeed/iterators/16_take.rs @@ -18,7 +18,7 @@ where type Item = I::Item; #[open] - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool { pearlite! { (*self).n@ == 0 && self.resolve() || @@ -27,7 +27,7 @@ where } #[open] - #[predicate] + #[predicate(prophetic)] fn produces(self, visited: Seq, o: Self) -> bool { pearlite! { self.n@ == o.n@ + visited.len() && self.iter.produces(visited, o.iter) diff --git a/creusot/tests/should_succeed/iterators/16_take/why3session.xml b/creusot/tests/should_succeed/iterators/16_take/why3session.xml index 0f29b2ddb3..270c9442ac 100644 --- a/creusot/tests/should_succeed/iterators/16_take/why3session.xml +++ b/creusot/tests/should_succeed/iterators/16_take/why3session.xml @@ -6,18 +6,18 @@ - + - + - + diff --git a/creusot/tests/should_succeed/iterators/16_take/why3shapes.gz b/creusot/tests/should_succeed/iterators/16_take/why3shapes.gz index da6067f4e1..a500e09d8c 100644 Binary files a/creusot/tests/should_succeed/iterators/16_take/why3shapes.gz and b/creusot/tests/should_succeed/iterators/16_take/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/iterators/common.rs b/creusot/tests/should_succeed/iterators/common.rs index fb815fb51c..17f5e5e258 100644 --- a/creusot/tests/should_succeed/iterators/common.rs +++ b/creusot/tests/should_succeed/iterators/common.rs 
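Review bot: In the 16_take.rs `completed` hunk the new `prophetic` marker is justified by `self.resolve()` in the body, which constrains the final value of `self`, but the `produces` hunk shows no such use — it appears to be prophetic only because the trait in common.rs now requires it, and nothing in the source distinguishes the two cases. Suggest `// prophetic: resolve() constrains ^self` above `completed` and `// prophetic only to match common::Iterator::produces` above `produces`, so a reader knows which marker is load-bearing. Both predicate bodies continue past the hunk, so I cannot confirm `produces` has no other prophetic use further down.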
@@ -4,10 +4,10 @@ use creusot_contracts::{logic::Seq, *}; pub trait Iterator { type Item; - #[predicate] + #[predicate(prophetic)] fn produces(self, visited: Seq, o: Self) -> bool; - #[predicate] + #[predicate(prophetic)] fn completed(&mut self) -> bool; #[law] diff --git a/creusot/tests/should_succeed/knapsack.mlcfg b/creusot/tests/should_succeed/knapsack.mlcfg index f95260bb60..a41e8db657 100644 --- a/creusot/tests/should_succeed/knapsack.mlcfg +++ b/creusot/tests/should_succeed/knapsack.mlcfg @@ -12,21 +12,23 @@ module Knapsack_Max var _0 : usize; var a : usize = a; var b : usize = b; + var _5 : bool; { goto BB0 } BB0 { - switch ([#"../knapsack.rs" 16 7 16 12] ([#"../knapsack.rs" 16 7 16 8] a) < ([#"../knapsack.rs" 16 11 16 12] b)) + [#"../knapsack.rs" 16 7 16 12] _5 <- a < b; + switch (_5) | False -> goto BB2 | True -> goto BB1 end } BB1 { - [#"../knapsack.rs" 17 8 17 9] _0 <- ([#"../knapsack.rs" 17 8 17 9] b); + [#"../knapsack.rs" 17 8 17 9] _0 <- b; goto BB3 } BB2 { - [#"../knapsack.rs" 19 8 19 9] _0 <- ([#"../knapsack.rs" 19 8 19 9] a); + [#"../knapsack.rs" 19 8 19 9] _0 <- a; goto BB3 } BB3 { 
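Review bot: Declaring `produces` and `completed` as `#[predicate(prophetic)]` on the `Iterator` trait obliges every implementor to mark its own versions prophetic too (the 15_enumerate.rs and 16_take.rs hunks on this page do exactly that), yet the trait carries no doc comment explaining the constraint. Above `completed` I would add `/// Prophetic: completed takes &mut self and may refer to the borrow's final value (e.g. via resolve()), so implementations must also be #[predicate(prophetic)].` If `produces` is prophetic mainly so that prophetic `completed`/invariant definitions can call it, a similar one-liner there would spare implementors from guessing; I am inferring that reason from the visible hunks rather than from anything the commit states.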
@@ -64,26 +66,27 @@ module Knapsack_M_Impl axiom inv0 : forall x : Seq.seq (Knapsack_Item_Type.t_item name) . inv0 x = true use int.MinMax use prelude.UIntSize + use prelude.UIntSize use seq.Seq use seq.Seq use prelude.Int - let rec ghost function m [#"../knapsack.rs" 34 0 34 57] (items : Seq.seq (Knapsack_Item_Type.t_item name)) (i : int) (w : int) : int - requires {[#"../knapsack.rs" 31 11 31 37] 0 <= i /\ i <= Seq.length items} - requires {[#"../knapsack.rs" 32 11 32 17] 0 <= w} - requires {[#"../knapsack.rs" 34 11 34 16] inv0 items} - ensures { [#"../knapsack.rs" 33 10 33 21] result >= 0 } - variant {[#"../knapsack.rs" 30 10 30 11] i} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../knapsack.rs" 35 4 42 5] if pure {i = 0} then - 0 - else - if pure {UIntSize.to_int (Knapsack_Item_Type.item_weight (Seq.get items (i - 1))) > w} then - m items (i - 1) w - else - let a' = m items (i - 1) w in let b' = m items (i - 1) (w - UIntSize.to_int (Knapsack_Item_Type.item_weight (Seq.get items (i - 1)))) + UIntSize.to_int (Knapsack_Item_Type.item_value (Seq.get items (i - 1))) in MinMax.max a' b' - - + constant items : Seq.seq (Knapsack_Item_Type.t_item name) + constant i : int + constant w : int + function m [#"../knapsack.rs" 34 0 34 57] (items : Seq.seq (Knapsack_Item_Type.t_item name)) (i : int) (w : int) : int + goal vc_m : ([#"../knapsack.rs" 34 11 34 16] inv0 items) + -> ([#"../knapsack.rs" 32 11 32 17] 0 <= w) + -> ([#"../knapsack.rs" 31 11 31 37] 0 <= i /\ i <= Seq.length items) + -> match i = 0 with + | True -> [#"../knapsack.rs" 33 10 33 21] 0 >= 0 + | False -> match UIntSize.to_int (Knapsack_Item_Type.item_weight (Seq.get items (i - 1))) > w with + | True -> ((([#"../knapsack.rs" 34 11 34 16] inv0 items) && ([#"../knapsack.rs" 32 11 32 17] 0 <= w) && ([#"../knapsack.rs" 31 11 31 37] 0 <= i - 1 /\ i - 1 <= Seq.length items)) /\ 0 <= ([#"../knapsack.rs" 30 10 30 11] i) /\ ([#"../knapsack.rs" 30 10 30 11] i - 1) < ([#"../knapsack.rs" 30 10 30 11] i)) /\ 
(([#"../knapsack.rs" 33 10 33 21] m items (i - 1) w >= 0) + -> ([#"../knapsack.rs" 33 10 33 21] m items (i - 1) w >= 0)) + | False -> ((([#"../knapsack.rs" 34 11 34 16] inv0 items) && ([#"../knapsack.rs" 32 11 32 17] 0 <= w) && ([#"../knapsack.rs" 31 11 31 37] 0 <= i - 1 /\ i - 1 <= Seq.length items)) /\ 0 <= ([#"../knapsack.rs" 30 10 30 11] i) /\ ([#"../knapsack.rs" 30 10 30 11] i - 1) < ([#"../knapsack.rs" 30 10 30 11] i)) /\ (([#"../knapsack.rs" 33 10 33 21] m items (i - 1) w >= 0) + -> ((([#"../knapsack.rs" 34 11 34 16] inv0 items) && ([#"../knapsack.rs" 32 11 32 17] 0 <= w - UIntSize.to_int (Knapsack_Item_Type.item_weight (Seq.get items (i - 1)))) && ([#"../knapsack.rs" 31 11 31 37] 0 <= i - 1 /\ i - 1 <= Seq.length items)) /\ 0 <= ([#"../knapsack.rs" 30 10 30 11] i) /\ ([#"../knapsack.rs" 30 10 30 11] i - 1) < ([#"../knapsack.rs" 30 10 30 11] i)) /\ (([#"../knapsack.rs" 33 10 33 21] m items (i - 1) (w - UIntSize.to_int (Knapsack_Item_Type.item_weight (Seq.get items (i - 1)))) >= 0) + -> ([#"../knapsack.rs" 33 10 33 21] MinMax.max (m items (i - 1) w) (m items (i - 1) (w - UIntSize.to_int (Knapsack_Item_Type.item_weight (Seq.get items (i - 1)))) + UIntSize.to_int (Knapsack_Item_Type.item_value (Seq.get items (i - 1)))) >= 0))) + end + end end module Core_Ptr_NonNull_NonNull_Type use prelude.Opaque @@ -103,12 +106,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
@@ -159,7 +168,8 @@ module Knapsack_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv16 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv16 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max1) + axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv16 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max1) predicate invariant16 (self : Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -283,7 +293,8 @@ module Knapsack_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max1) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max1) predicate invariant5 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -302,7 +313,8 @@ module Knapsack_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv7 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max1) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv7 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max1) predicate invariant4 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv7 (shallow_model3 self) val invariant4 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -330,7 +342,8 @@ module Knapsack_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model5 self } - axiom shallow_model5_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv17 (shallow_model5 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max1) + axiom shallow_model5_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv17 (shallow_model5 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max1) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -367,19 +380,20 @@ module Knapsack_Knapsack01Dyn ensures { result = index_logic2 self ix } predicate resolve4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve4 self } predicate resolve3 (self : borrowed usize) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve3 (self : borrowed usize) : bool ensures { result = resolve3 self } use prelude.Slice use seq.Seq predicate resolve_elswhere1 [@inline:trivial] (self : usize) (old' : Seq.seq usize) (fin : Seq.seq usize) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere1 [@inline:trivial] (self : usize) (old' : Seq.seq usize) (fin : Seq.seq usize) : bool ensures { result = resolve_elswhere1 self old' fin } @@ -396,7 +410,7 @@ module Knapsack_Knapsack01Dyn function shallow_model10 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : Seq.seq usize = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model3 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model3 ( * self) val shallow_model10 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : Seq.seq usize ensures { result = shallow_model10 self } 
@@ -414,7 +428,8 @@ module Knapsack_Knapsack01Dyn predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) (fin : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) (fin : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve_elswhere0 self old' fin } @@ -435,7 +450,7 @@ module Knapsack_Knapsack01Dyn function shallow_model9 (self : borrowed (Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global))) : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model1 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model1 ( * self) val shallow_model9 (self : borrowed (Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global))) : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) ensures { result = shallow_model9 self } 
@@ -458,7 +473,7 @@ module Knapsack_Knapsack01Dyn function shallow_model8 (self : borrowed (Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global))) : Seq.seq (Knapsack_Item_Type.t_item name) = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model5 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model5 ( * self) val shallow_model8 (self : borrowed (Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global))) : Seq.seq (Knapsack_Item_Type.t_item name) ensures { result = shallow_model8 self } @@ -468,7 +483,7 @@ module Knapsack_Knapsack01Dyn ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 78 26 78 51] shallow_model5 ( ^ self) = Seq.snoc (shallow_model8 self) value } function shallow_model7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : Seq.seq usize = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model3 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model3 self val shallow_model7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : Seq.seq usize ensures { result = shallow_model7 self } @@ -482,7 +497,7 @@ module Knapsack_Knapsack01Dyn function shallow_model6 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model1 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model1 self val shallow_model6 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) ensures { result = shallow_model6 self } 
@@ -512,7 +527,7 @@ module Knapsack_Knapsack01Dyn function shallow_model0 (self : Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (Knapsack_Item_Type.t_item name) = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model4 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model4 self val shallow_model0 (self : Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (Knapsack_Item_Type.t_item name) ensures { result = shallow_model0 self } @@ -529,7 +544,7 @@ module Knapsack_Knapsack01Dyn ensures { result = resolve1 self } predicate resolve6 (self : usize) = - [#"../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true + [#"../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve6 (self : usize) : bool ensures { result = resolve6 self } @@ -541,7 +556,8 @@ module Knapsack_Knapsack01Dyn ensures { result = index_logic3 self ix } predicate resolve5 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) -> resolve6 (index_logic3 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) + -> resolve6 (index_logic3 self i) val resolve5 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve5 self } 
@@ -555,7 +571,8 @@ module Knapsack_Knapsack01Dyn predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) -> resolve5 (index_logic0 self i) + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) + -> resolve5 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } 
@@ -580,11 +597,14 @@ module Knapsack_Knapsack01Dyn requires {[#"../knapsack.rs" 34 11 34 16] inv8 items} ensures { result = m0 items i w } - axiom m0_spec : forall items : Seq.seq (Knapsack_Item_Type.t_item name), i : int, w : int . ([#"../knapsack.rs" 31 11 31 37] 0 <= i /\ i <= Seq.length items) -> ([#"../knapsack.rs" 32 11 32 17] 0 <= w) -> ([#"../knapsack.rs" 34 11 34 16] inv8 items) -> ([#"../knapsack.rs" 33 10 33 21] m0 items i w >= 0) + axiom m0_spec : forall items : Seq.seq (Knapsack_Item_Type.t_item name), i : int, w : int . ([#"../knapsack.rs" 31 11 31 37] 0 <= i /\ i <= Seq.length items) + -> ([#"../knapsack.rs" 32 11 32 17] 0 <= w) + -> ([#"../knapsack.rs" 34 11 34 16] inv8 items) -> ([#"../knapsack.rs" 33 10 33 21] m0 items i w >= 0) val from_elem1 (elem : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (n : usize) : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) requires {inv4 elem} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model1 result) = UIntSize.to_int n } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic0 result i = elem } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n + -> index_logic0 result i = elem } ensures { inv5 result } val len0 (self : Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) : usize 
@@ -594,13 +614,15 @@ module Knapsack_Knapsack01Dyn val from_elem0 (elem : usize) (n : usize) : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) requires {inv3 elem} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model3 result) = UIntSize.to_int n } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic3 result i = elem } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n + -> index_logic3 result i = elem } ensures { inv4 result } let rec cfg knapsack01_dyn [#"../knapsack.rs" 48 0 48 91] [@cfg:stackify] [@cfg:subregion_analysis] (items : Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) (max_weight : usize) : Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) requires {[#"../knapsack.rs" 45 11 45 34] Seq.length (shallow_model0 items) < 10000000} requires {[#"../knapsack.rs" 46 11 46 33] UIntSize.to_int max_weight < 10000000} - requires {[#"../knapsack.rs" 47 0 47 86] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 items) -> UIntSize.to_int (Knapsack_Item_Type.item_value (index_logic2 items i)) <= 10000000} + requires {[#"../knapsack.rs" 47 0 47 86] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 items) + -> UIntSize.to_int (Knapsack_Item_Type.item_value (index_logic2 items i)) <= 10000000} requires {[#"../knapsack.rs" 48 28 48 33] inv0 items} ensures { [#"../knapsack.rs" 48 75 48 91] inv2 result } 
@@ -610,32 +632,43 @@ module Knapsack_Knapsack01Dyn var max_weight : usize = max_weight; var best_value : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global); var _7 : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); + var _8 : usize; + var _10 : usize; var _11 : usize; var i : usize; var _19 : (); + var _20 : bool; var _22 : usize; var it : Knapsack_Item_Type.t_item name; var _25 : Knapsack_Item_Type.t_item name; var w : usize; + var _35 : bool; var _38 : usize; + var _39 : bool; var _42 : usize; var _44 : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); var _49 : usize; var _51 : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); + var _55 : usize; var _57 : usize; var _59 : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); + var _62 : usize; var _66 : borrowed usize; var _67 : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)); var _68 : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)); var _69 : borrowed (Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)); + var _70 : usize; var result : Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global); var _80 : usize; var left_weight : usize; var j : usize; + var _88 : bool; var it1 : Knapsack_Item_Type.t_item name; var _91 : Knapsack_Item_Type.t_item name; + var _94 : bool; var _96 : usize; var _98 : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); + var _100 : usize; var _104 : usize; var _106 : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); var _110 : (); 
@@ -644,21 +677,25 @@ module Knapsack_Knapsack01Dyn goto BB0 } BB0 { - [#"../../../../creusot-contracts/src/lib.rs" 196 8 196 40] _7 <- ([#"../knapsack.rs" 49 30 49 53] from_elem0 ([#"../knapsack.rs" 49 35 49 36] [#"../knapsack.rs" 49 35 49 36] (0 : usize)) ([#"../knapsack.rs" 49 38 49 52] ([#"../knapsack.rs" 49 38 49 48] max_weight) + ([#"../knapsack.rs" 49 51 49 52] [#"../knapsack.rs" 49 51 49 52] (1 : usize)))); + [#"../knapsack.rs" 49 38 49 52] _8 <- max_weight + ([#"../knapsack.rs" 49 51 49 52] (1 : usize)); + [#"../knapsack.rs" 49 30 49 53] _7 <- ([#"../knapsack.rs" 49 30 49 53] from_elem0 ([#"../knapsack.rs" 49 35 49 36] (0 : usize)) _8); + _8 <- any usize; goto BB1 } BB1 { - [#"../knapsack.rs" 49 55 49 66] _11 <- ([#"../knapsack.rs" 49 55 49 66] len0 ([#"../knapsack.rs" 49 55 49 60] items)); + [#"../knapsack.rs" 49 55 49 66] _11 <- ([#"../knapsack.rs" 49 55 49 66] len0 items); goto BB2 } BB2 { - [#"../../../../creusot-contracts/src/lib.rs" 196 8 196 40] best_value <- ([#"../knapsack.rs" 49 25 49 71] from_elem1 _7 ([#"../knapsack.rs" 49 55 49 70] _11 + ([#"../knapsack.rs" 49 69 49 70] [#"../knapsack.rs" 49 69 49 70] (1 : usize)))); - _7 <- any Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); + [#"../knapsack.rs" 49 55 49 70] _10 <- _11 + ([#"../knapsack.rs" 49 69 49 70] (1 : usize)); _11 <- any usize; + [#"../knapsack.rs" 49 25 49 71] best_value <- ([#"../knapsack.rs" 49 25 49 71] from_elem1 _7 _10); + _7 <- any Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); + _10 <- any usize; goto BB3 } BB3 { - [#"../knapsack.rs" 50 16 50 17] i <- ([#"../knapsack.rs" 50 16 50 17] [#"../knapsack.rs" 50 16 50 17] (0 : usize)); + [#"../knapsack.rs" 50 16 50 17] i <- ([#"../knapsack.rs" 50 16 50 17] (0 : usize)); goto BB4 } BB4 { 
@@ -675,30 +712,35 @@ module Knapsack_Knapsack01Dyn } BB8 { invariant { [#"../knapsack.rs" 52 16 52 53] Seq.length (shallow_model0 items) + 1 = Seq.length (shallow_model1 best_value) }; - invariant { [#"../knapsack.rs" 52 4 52 55] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 best_value) -> UIntSize.to_int max_weight + 1 = Seq.length (shallow_model3 (index_logic0 best_value i)) }; - invariant { [#"../knapsack.rs" 52 4 52 55] forall ww : int . forall ii : int . 0 <= ii /\ ii <= UIntSize.to_int i /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) = m0 (shallow_model0 items) ii ww }; - invariant { [#"../knapsack.rs" 52 4 52 55] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (shallow_model0 items) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) <= 10000000 * ii }; + invariant { [#"../knapsack.rs" 52 4 52 55] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 best_value) + -> UIntSize.to_int max_weight + 1 = Seq.length (shallow_model3 (index_logic0 best_value i)) }; + invariant { [#"../knapsack.rs" 52 4 52 55] forall ww : int . forall ii : int . 0 <= ii /\ ii <= UIntSize.to_int i /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight + -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) = m0 (shallow_model0 items) ii ww }; + invariant { [#"../knapsack.rs" 52 4 52 55] forall ww : int . forall ii : int . 
0 <= ii /\ ii <= Seq.length (shallow_model0 items) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight + -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) <= 10000000 * ii }; goto BB9 } BB9 { - [#"../knapsack.rs" 59 14 59 25] _22 <- ([#"../knapsack.rs" 59 14 59 25] len0 ([#"../knapsack.rs" 59 14 59 19] items)); + [#"../knapsack.rs" 59 14 59 25] _22 <- ([#"../knapsack.rs" 59 14 59 25] len0 items); goto BB10 } BB10 { - switch ([#"../knapsack.rs" 59 10 59 25] ([#"../knapsack.rs" 59 10 59 11] i) < _22) + [#"../knapsack.rs" 59 10 59 25] _20 <- i < _22; + _22 <- any usize; + switch (_20) | False -> goto BB34 | True -> goto BB11 end } BB11 { - [#"../knapsack.rs" 60 23 60 26] _25 <- ([#"../knapsack.rs" 60 23 60 26] index0 ([#"../knapsack.rs" 60 18 60 23] items) ([#"../knapsack.rs" 60 24 60 25] i)); + [#"../knapsack.rs" 60 23 60 26] _25 <- ([#"../knapsack.rs" 60 23 60 26] index0 items i); goto BB12 } BB12 { - [#"../knapsack.rs" 60 17 60 26] it <- ([#"../knapsack.rs" 60 17 60 26] _25); + [#"../knapsack.rs" 60 17 60 26] it <- _25; assert { [@expl:type invariant] inv1 _25 }; assume { resolve2 _25 }; - [#"../knapsack.rs" 64 20 64 21] w <- ([#"../knapsack.rs" 64 20 64 21] [#"../knapsack.rs" 64 20 64 21] (0 : usize)); + [#"../knapsack.rs" 64 20 64 21] w <- ([#"../knapsack.rs" 64 20 64 21] (0 : usize)); goto BB13 } BB13 { 
@@ -718,54 +760,64 @@ module Knapsack_Knapsack01Dyn } BB18 { invariant { [#"../knapsack.rs" 66 20 66 57] Seq.length (shallow_model0 items) + 1 = Seq.length (shallow_model1 best_value) }; - invariant { [#"../knapsack.rs" 66 8 66 59] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 best_value) -> UIntSize.to_int max_weight + 1 = Seq.length (shallow_model3 (index_logic0 best_value i)) }; - invariant { [#"../knapsack.rs" 66 8 66 59] forall ww : int . forall ii : int . 0 <= ii /\ ii <= UIntSize.to_int i /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) = m0 (shallow_model0 items) ii ww }; - invariant { [#"../knapsack.rs" 66 8 66 59] forall ww : int . 0 <= ww /\ ww <= UIntSize.to_int w - 1 -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value (UIntSize.to_int i + 1))) ww) = m0 (shallow_model0 items) (UIntSize.to_int i + 1) ww }; - invariant { [#"../knapsack.rs" 66 8 66 59] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (shallow_model0 items) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) <= 10000000 * ii }; + invariant { [#"../knapsack.rs" 66 8 66 59] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 best_value) + -> UIntSize.to_int max_weight + 1 = Seq.length (shallow_model3 (index_logic0 best_value i)) }; + invariant { [#"../knapsack.rs" 66 8 66 59] forall ww : int . forall ii : int . 0 <= ii /\ ii <= UIntSize.to_int i /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight + -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) = m0 (shallow_model0 items) ii ww }; + invariant { [#"../knapsack.rs" 66 8 66 59] forall ww : int . 
0 <= ww /\ ww <= UIntSize.to_int w - 1 + -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value (UIntSize.to_int i + 1))) ww) = m0 (shallow_model0 items) (UIntSize.to_int i + 1) ww }; + invariant { [#"../knapsack.rs" 66 8 66 59] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (shallow_model0 items) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight + -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) <= 10000000 * ii }; goto BB19 } BB19 { - switch ([#"../knapsack.rs" 76 14 76 29] ([#"../knapsack.rs" 76 14 76 15] w) <= ([#"../knapsack.rs" 76 19 76 29] max_weight)) + [#"../knapsack.rs" 76 14 76 29] _35 <- w <= max_weight; + switch (_35) | False -> goto BB33 | True -> goto BB20 end } BB20 { - switch ([#"../knapsack.rs" 77 38 77 51] ([#"../knapsack.rs" 77 38 77 47] Knapsack_Item_Type.item_weight it) > ([#"../knapsack.rs" 77 50 77 51] w)) + [#"../knapsack.rs" 77 38 77 51] _39 <- Knapsack_Item_Type.item_weight it > w; + switch (_39) | False -> goto BB24 | True -> goto BB21 end } BB21 { - [#"../knapsack.rs" 78 26 78 29] _44 <- ([#"../knapsack.rs" 78 26 78 29] index1 ([#"../knapsack.rs" 78 16 78 26] best_value) ([#"../knapsack.rs" 78 27 78 28] i)); + [#"../knapsack.rs" 78 26 78 29] _44 <- ([#"../knapsack.rs" 78 26 78 29] index1 best_value i); goto BB22 } BB22 { - [#"../knapsack.rs" 78 29 78 32] _42 <- ([#"../knapsack.rs" 78 29 78 32] index2 ([#"../knapsack.rs" 78 16 78 29] _44) ([#"../knapsack.rs" 78 30 78 31] w)); + [#"../knapsack.rs" 78 29 78 32] _42 <- ([#"../knapsack.rs" 78 29 78 32] index2 _44 w); goto BB23 } BB23 { - [#"../knapsack.rs" 78 16 78 32] _38 <- ([#"../knapsack.rs" 78 16 78 32] _42); + [#"../knapsack.rs" 78 16 78 32] _38 <- _42; goto BB30 } BB24 { - [#"../knapsack.rs" 80 30 80 33] _51 <- ([#"../knapsack.rs" 80 30 80 33] index1 ([#"../knapsack.rs" 80 20 80 30] best_value) ([#"../knapsack.rs" 80 31 80 32] i)); + [#"../knapsack.rs" 80 30 80 33] _51 <- ([#"../knapsack.rs" 80 30 80 33] index1 best_value i); 
goto BB25 } BB25 { - [#"../knapsack.rs" 80 33 80 36] _49 <- ([#"../knapsack.rs" 80 33 80 36] index2 ([#"../knapsack.rs" 80 20 80 33] _51) ([#"../knapsack.rs" 80 34 80 35] w)); + [#"../knapsack.rs" 80 33 80 36] _49 <- ([#"../knapsack.rs" 80 33 80 36] index2 _51 w); goto BB26 } BB26 { - [#"../knapsack.rs" 80 48 80 51] _59 <- ([#"../knapsack.rs" 80 48 80 51] index1 ([#"../knapsack.rs" 80 38 80 48] best_value) ([#"../knapsack.rs" 80 49 80 50] i)); + [#"../knapsack.rs" 80 48 80 51] _59 <- ([#"../knapsack.rs" 80 48 80 51] index1 best_value i); goto BB27 } BB27 { - [#"../knapsack.rs" 80 51 80 66] _57 <- ([#"../knapsack.rs" 80 51 80 66] index2 ([#"../knapsack.rs" 80 38 80 51] _59) ([#"../knapsack.rs" 80 52 80 65] ([#"../knapsack.rs" 80 52 80 53] w) - ([#"../knapsack.rs" 80 56 80 65] Knapsack_Item_Type.item_weight it))); + [#"../knapsack.rs" 80 52 80 65] _62 <- w - Knapsack_Item_Type.item_weight it; + [#"../knapsack.rs" 80 51 80 66] _57 <- ([#"../knapsack.rs" 80 51 80 66] index2 _59 _62); + _62 <- any usize; goto BB28 } BB28 { - [#"../knapsack.rs" 80 16 80 78] _38 <- ([#"../knapsack.rs" 80 16 80 78] max0 ([#"../knapsack.rs" 80 20 80 36] _49) ([#"../knapsack.rs" 80 38 80 77] ([#"../knapsack.rs" 80 38 80 66] _57) + ([#"../knapsack.rs" 80 69 80 77] Knapsack_Item_Type.item_value it))); + [#"../knapsack.rs" 80 38 80 77] _55 <- _57 + Knapsack_Item_Type.item_value it; + [#"../knapsack.rs" 80 16 80 78] _38 <- ([#"../knapsack.rs" 80 16 80 78] max0 _49 _55); + _55 <- any usize; goto BB29 } BB29 { 
@@ -774,35 +826,37 @@ module Knapsack_Knapsack01Dyn BB30 { [#"../knapsack.rs" 77 12 77 22] _69 <- Borrow.borrow_mut best_value; [#"../knapsack.rs" 77 12 77 22] best_value <- ^ _69; - [#"../knapsack.rs" 77 22 77 29] _68 <- ([#"../knapsack.rs" 77 22 77 29] index_mut0 _69 ([#"../knapsack.rs" 77 23 77 28] ([#"../knapsack.rs" 77 23 77 24] i) + ([#"../knapsack.rs" 77 27 77 28] [#"../knapsack.rs" 77 27 77 28] (1 : usize)))); + [#"../knapsack.rs" 77 23 77 28] _70 <- i + ([#"../knapsack.rs" 77 27 77 28] (1 : usize)); + [#"../knapsack.rs" 77 22 77 29] _68 <- ([#"../knapsack.rs" 77 22 77 29] index_mut0 _69 _70); _69 <- any borrowed (Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)); + _70 <- any usize; goto BB31 } BB31 { [#"../knapsack.rs" 77 12 77 29] _67 <- Borrow.borrow_final ( * _68) (Borrow.get_id _68); [#"../knapsack.rs" 77 12 77 29] _68 <- { _68 with current = ( ^ _67) ; }; - [#"../knapsack.rs" 77 29 77 32] _66 <- ([#"../knapsack.rs" 77 29 77 32] index_mut1 _67 ([#"../knapsack.rs" 77 30 77 31] w)); + [#"../knapsack.rs" 77 29 77 32] _66 <- ([#"../knapsack.rs" 77 29 77 32] index_mut1 _67 w); _67 <- any borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)); goto BB32 } BB32 { - [#"../knapsack.rs" 77 12 81 13] _66 <- { _66 with current = ([#"../knapsack.rs" 77 12 81 13] _38) ; }; - [#"../knapsack.rs" 77 12 81 13] _38 <- any usize; + [#"../knapsack.rs" 77 12 81 13] _66 <- { _66 with current = _38 ; }; + _38 <- any usize; assume { resolve3 _66 }; assume { resolve4 _68 }; - [#"../knapsack.rs" 82 12 82 18] w <- ([#"../knapsack.rs" 82 12 82 18] w + ([#"../knapsack.rs" 82 17 82 18] [#"../knapsack.rs" 82 17 82 18] (1 : usize))); + [#"../knapsack.rs" 82 12 82 18] w <- w + ([#"../knapsack.rs" 82 17 82 18] (1 : usize)); [#"../knapsack.rs" 82 12 82 18] _19 <- ([#"../knapsack.rs" 82 12 82 18] ()); goto BB18 } BB33 { assert { [@expl:type invariant] inv1 it }; assume { resolve2 it }; - 
[#"../knapsack.rs" 84 8 84 14] i <- ([#"../knapsack.rs" 84 8 84 14] i + ([#"../knapsack.rs" 84 13 84 14] [#"../knapsack.rs" 84 13 84 14] (1 : usize))); + [#"../knapsack.rs" 84 8 84 14] i <- i + ([#"../knapsack.rs" 84 13 84 14] (1 : usize)); [#"../knapsack.rs" 84 8 84 14] _19 <- ([#"../knapsack.rs" 84 8 84 14] ()); goto BB8 } BB34 { - [#"../knapsack.rs" 87 40 87 51] _80 <- ([#"../knapsack.rs" 87 40 87 51] len0 ([#"../knapsack.rs" 87 40 87 45] items)); + [#"../knapsack.rs" 87 40 87 51] _80 <- ([#"../knapsack.rs" 87 40 87 51] len0 items); goto BB35 } BB35 { @@ -811,8 +865,8 @@ module Knapsack_Knapsack01Dyn goto BB36 } BB36 { - [#"../knapsack.rs" 88 26 88 36] left_weight <- ([#"../knapsack.rs" 88 26 88 36] max_weight); - [#"../knapsack.rs" 90 16 90 27] j <- ([#"../knapsack.rs" 90 16 90 27] len0 ([#"../knapsack.rs" 90 16 90 21] items)); + [#"../knapsack.rs" 88 26 88 36] left_weight <- max_weight; + [#"../knapsack.rs" 90 16 90 27] j <- ([#"../knapsack.rs" 90 16 90 27] len0 items); goto BB37 } BB37 { 
@@ -824,37 +878,41 @@ module Knapsack_Knapsack01Dyn goto BB39 } BB39 { - switch ([#"../knapsack.rs" 93 10 93 15] ([#"../knapsack.rs" 93 10 93 11] [#"../knapsack.rs" 93 10 93 11] (0 : usize)) < ([#"../knapsack.rs" 93 14 93 15] j)) + [#"../knapsack.rs" 93 10 93 15] _88 <- ([#"../knapsack.rs" 93 10 93 11] (0 : usize)) < j; + switch (_88) | False -> goto BB50 | True -> goto BB40 end } BB40 { - [#"../knapsack.rs" 94 8 94 14] j <- ([#"../knapsack.rs" 94 8 94 14] j - ([#"../knapsack.rs" 94 13 94 14] [#"../knapsack.rs" 94 13 94 14] (1 : usize))); - [#"../knapsack.rs" 95 23 95 26] _91 <- ([#"../knapsack.rs" 95 23 95 26] index0 ([#"../knapsack.rs" 95 18 95 23] items) ([#"../knapsack.rs" 95 24 95 25] j)); + [#"../knapsack.rs" 94 8 94 14] j <- j - ([#"../knapsack.rs" 94 13 94 14] (1 : usize)); + [#"../knapsack.rs" 95 23 95 26] _91 <- ([#"../knapsack.rs" 95 23 95 26] index0 items j); goto BB41 } BB41 { - [#"../knapsack.rs" 95 17 95 26] it1 <- ([#"../knapsack.rs" 95 17 95 26] _91); + [#"../knapsack.rs" 95 17 95 26] it1 <- _91; assert { [@expl:type invariant] inv1 _91 }; assume { resolve2 _91 }; - [#"../knapsack.rs" 96 21 96 28] _98 <- ([#"../knapsack.rs" 96 21 96 28] index1 ([#"../knapsack.rs" 96 11 96 21] best_value) ([#"../knapsack.rs" 96 22 96 27] ([#"../knapsack.rs" 96 22 96 23] j) + ([#"../knapsack.rs" 96 26 96 27] [#"../knapsack.rs" 96 26 96 27] (1 : usize)))); + [#"../knapsack.rs" 96 22 96 27] _100 <- j + ([#"../knapsack.rs" 96 26 96 27] (1 : usize)); + [#"../knapsack.rs" 96 21 96 28] _98 <- ([#"../knapsack.rs" 96 21 96 28] index1 best_value _100); + _100 <- any usize; goto BB42 } BB42 { - [#"../knapsack.rs" 96 28 96 41] _96 <- ([#"../knapsack.rs" 96 28 96 41] index2 ([#"../knapsack.rs" 96 11 96 28] _98) ([#"../knapsack.rs" 96 29 96 40] left_weight)); + [#"../knapsack.rs" 96 28 96 41] _96 <- ([#"../knapsack.rs" 96 28 96 41] index2 _98 left_weight); goto BB43 } BB43 { - [#"../knapsack.rs" 96 55 96 58] _106 <- ([#"../knapsack.rs" 96 55 96 58] index1 ([#"../knapsack.rs" 96 
45 96 55] best_value) ([#"../knapsack.rs" 96 56 96 57] j)); + [#"../knapsack.rs" 96 55 96 58] _106 <- ([#"../knapsack.rs" 96 55 96 58] index1 best_value j); goto BB44 } BB44 { - [#"../knapsack.rs" 96 58 96 71] _104 <- ([#"../knapsack.rs" 96 58 96 71] index2 ([#"../knapsack.rs" 96 45 96 58] _106) ([#"../knapsack.rs" 96 59 96 70] left_weight)); + [#"../knapsack.rs" 96 58 96 71] _104 <- ([#"../knapsack.rs" 96 58 96 71] index2 _106 left_weight); goto BB45 } BB45 { - switch ([#"../knapsack.rs" 96 11 96 71] ([#"../knapsack.rs" 96 11 96 41] _96) <> ([#"../knapsack.rs" 96 45 96 71] _104)) + [#"../knapsack.rs" 96 11 96 71] _94 <- _96 <> _104; + switch (_94) | False -> goto BB48 | True -> goto BB46 end @@ -863,14 +921,14 @@ module Knapsack_Knapsack01Dyn [#"../knapsack.rs" 97 12 97 18] _111 <- Borrow.borrow_mut result; [#"../knapsack.rs" 97 12 97 18] result <- ^ _111; assume { inv2 ( ^ _111) }; - [#"../knapsack.rs" 97 12 97 27] _110 <- ([#"../knapsack.rs" 97 12 97 27] push0 _111 ([#"../knapsack.rs" 97 24 97 26] it1)); + [#"../knapsack.rs" 97 12 97 27] _110 <- ([#"../knapsack.rs" 97 12 97 27] push0 _111 it1); _111 <- any borrowed (Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)); goto BB47 } BB47 { assert { [@expl:type invariant] inv1 it1 }; assume { resolve2 it1 }; - [#"../knapsack.rs" 98 12 98 36] left_weight <- ([#"../knapsack.rs" 98 12 98 36] left_weight - ([#"../knapsack.rs" 98 27 98 36] Knapsack_Item_Type.item_weight it1)); + [#"../knapsack.rs" 98 12 98 36] left_weight <- left_weight - Knapsack_Item_Type.item_weight it1; [#"../knapsack.rs" 96 72 99 9] _19 <- ([#"../knapsack.rs" 96 72 99 9] ()); goto BB49 } 
@@ -887,8 +945,8 @@ module Knapsack_Knapsack01Dyn assume { resolve0 best_value }; assert { [@expl:type invariant] inv0 items }; assume { resolve1 items }; - [#"../knapsack.rs" 102 4 102 10] _0 <- ([#"../knapsack.rs" 102 4 102 10] result); - [#"../knapsack.rs" 102 4 102 10] result <- any Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global); + [#"../knapsack.rs" 102 4 102 10] _0 <- result; + result <- any Alloc_Vec_Vec_Type.t_vec (Knapsack_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global); goto BB51 } BB51 { diff --git a/creusot/tests/should_succeed/knapsack.rs b/creusot/tests/should_succeed/knapsack.rs index 90ddb4b5c0..bbbf0c160c 100644 --- a/creusot/tests/should_succeed/knapsack.rs +++ b/creusot/tests/should_succeed/knapsack.rs @@ -26,7 +26,7 @@ fn max(a: usize, b: usize) -> usize { /// * $m[0,\,w]=0$ /// * $m[i,\,w]=m[i-1,\,w]$ if $w_i > w\,\!$ (the new item is more than the current weight limit) /// * $m[i,\,w]=\max(m[i-1,\,w],\,m[i-1,w-w_i]+v_i)$ if $w_i \leqslant w$. -#[ghost] +#[logic] #[variant(i)] #[requires(0 <= i && i <= items.len())] #[requires(0 <= w)] diff --git a/creusot/tests/should_succeed/knapsack/why3session.xml b/creusot/tests/should_succeed/knapsack/why3session.xml index 7ba3a17b69..35af7bc97c 100644 --- a/creusot/tests/should_succeed/knapsack/why3session.xml +++ b/creusot/tests/should_succeed/knapsack/why3session.xml @@ -8,12 +8,12 @@ - + - - + + @@ -43,10 +43,10 @@ - + - + 
@@ -54,267 +54,267 @@ - + - + + - - + + + - - - + + - - + + - - - + + - - + + - - + + + - - + + - - + - - + + - - + + - + - + - + - + + - - + - - + - + - - + + - + + - + - - + + - + + - - + + - + - + + - - + + + - + + - - - + + - - - + + + - - + + - - + + - - + + - - + + + - - + + - - + + + - - + + - - - + + - - + + - - + + + - - + + - - + + - - + + - + + - + - - - + + - - + + + - - + + + - - + - + + - - - + + - - + + - - + + + - - + - - + + - + - - + + - - + + - - + + - + + - + + - - + - + - - + - + - - + - - - + + - + - - + + - + - - + + - + - - + - - - + + - - - + + - - + + - - + + - + - - + diff --git a/creusot/tests/should_succeed/knapsack/why3shapes.gz b/creusot/tests/should_succeed/knapsack/why3shapes.gz index 0dd9b5ce0c..86b2531a68 100644 Binary files a/creusot/tests/should_succeed/knapsack/why3shapes.gz and b/creusot/tests/should_succeed/knapsack/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/knapsack_full.mlcfg b/creusot/tests/should_succeed/knapsack_full.mlcfg index d7b1b2ff29..484edcce8c 100644 --- a/creusot/tests/should_succeed/knapsack_full.mlcfg +++ b/creusot/tests/should_succeed/knapsack_full.mlcfg @@ -11,21 +11,23 @@ module KnapsackFull_Max var _0 : usize; var a : usize = a; var b : usize = b; + var _4 : bool; { goto BB0 } BB0 { - switch ([#"../knapsack_full.rs" 16 7 16 12] ([#"../knapsack_full.rs" 16 7 16 8] a) < ([#"../knapsack_full.rs" 16 11 16 12] b)) + [#"../knapsack_full.rs" 16 7 16 12] _4 <- a < b; + switch (_4) | False -> goto BB2 | True -> goto BB1 end } BB1 { - [#"../knapsack_full.rs" 17 8 17 9] _0 <- ([#"../knapsack_full.rs" 17 8 17 9] b); + [#"../knapsack_full.rs" 17 8 17 9] _0 <- b; goto BB3 } BB2 { - [#"../knapsack_full.rs" 19 8 19 9] _0 <- ([#"../knapsack_full.rs" 19 8 19 9] a); + [#"../knapsack_full.rs" 19 8 19 9] _0 <- a; goto BB3 } BB3 { 
@@ -62,42 +64,42 @@ module KnapsackFull_SumWeights_Impl axiom inv0 : forall x : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv0 x = true use prelude.UIntSize + use prelude.UIntSize use seq.Seq use prelude.Borrow use seq.Seq use prelude.Int - let rec ghost function sum_weights [#"../knapsack_full.rs" 27 0 27 56] (s : Seq.seq (KnapsackFull_Item_Type.t_item name)) (i : int) : int - requires {[#"../knapsack_full.rs" 25 11 25 33] 0 <= i /\ i <= Seq.length s} - requires {[#"../knapsack_full.rs" 27 21 27 22] inv0 s} - ensures { [#"../knapsack_full.rs" 26 10 26 21] result >= 0 } - variant {[#"../knapsack_full.rs" 24 10 24 19] Seq.length s - i} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../knapsack_full.rs" 28 4 31 5] if pure {i = Seq.length s} then - 0 - else - UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get s i)) + sum_weights s (i + 1) - + constant s : Seq.seq (KnapsackFull_Item_Type.t_item name) + constant i : int + function sum_weights [#"../knapsack_full.rs" 27 0 27 56] (s : Seq.seq (KnapsackFull_Item_Type.t_item name)) (i : int) : int + + goal vc_sum_weights : ([#"../knapsack_full.rs" 27 21 27 22] inv0 s) + -> ([#"../knapsack_full.rs" 25 11 25 33] 0 <= i /\ i <= Seq.length s) + -> match i = Seq.length s with + | True -> [#"../knapsack_full.rs" 26 10 26 21] 0 >= 0 + | False -> ((([#"../knapsack_full.rs" 27 21 27 22] inv0 s) && ([#"../knapsack_full.rs" 25 11 25 33] 0 <= i + 1 /\ i + 1 <= Seq.length s)) /\ 0 <= ([#"../knapsack_full.rs" 24 10 24 19] Seq.length s - i) /\ ([#"../knapsack_full.rs" 24 10 24 19] Seq.length s - (i + 1)) < ([#"../knapsack_full.rs" 24 10 24 19] Seq.length s - i)) /\ (([#"../knapsack_full.rs" 26 10 26 21] sum_weights s (i + 1) >= 0) + -> ([#"../knapsack_full.rs" 26 10 26 21] UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get s i)) + sum_weights s (i + 1) >= 0)) + end end module KnapsackFull_SumValues_Impl type name use prelude.UIntSize + use prelude.UIntSize use seq.Seq use KnapsackFull_Item_Type as 
KnapsackFull_Item_Type use prelude.Borrow use seq.Seq use seq.Seq use prelude.Int - let rec ghost function sum_values [#"../knapsack_full.rs" 37 0 37 55] (s : Seq.seq (KnapsackFull_Item_Type.t_item name)) (i : int) : int - requires {[#"../knapsack_full.rs" 36 11 36 33] i >= 0 /\ i <= Seq.length s} - variant {[#"../knapsack_full.rs" 35 10 35 19] Seq.length s - i} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../knapsack_full.rs" 38 4 41 5] if pure {i = Seq.length s} then - 0 - else - UIntSize.to_int (KnapsackFull_Item_Type.item_value (Seq.get s i)) + sum_values s (i + 1) - + constant s : Seq.seq (KnapsackFull_Item_Type.t_item name) + constant i : int + function sum_values [#"../knapsack_full.rs" 37 0 37 55] (s : Seq.seq (KnapsackFull_Item_Type.t_item name)) (i : int) : int + + goal vc_sum_values : ([#"../knapsack_full.rs" 36 11 36 33] i >= 0 /\ i <= Seq.length s) + -> match i = Seq.length s with + | True -> true + | False -> ([#"../knapsack_full.rs" 36 11 36 33] i + 1 >= 0 /\ i + 1 <= Seq.length s) /\ 0 <= ([#"../knapsack_full.rs" 35 10 35 19] Seq.length s - i) /\ ([#"../knapsack_full.rs" 35 10 35 19] Seq.length s - (i + 1)) < ([#"../knapsack_full.rs" 35 10 35 19] Seq.length s - i) + end end module KnapsackFull_SubseqRev_Impl type t 
@@ -108,17 +110,25 @@ module KnapsackFull_SubseqRev_Impl use seq.Seq use seq.Seq use prelude.Int - let rec ghost predicate subseq_rev [#"../knapsack_full.rs" 48 0 48 67] (s1 : Seq.seq t) (i1 : int) (s2 : Seq.seq t) (i2 : int) - requires {[#"../knapsack_full.rs" 46 11 46 36] 0 <= i1 /\ i1 <= Seq.length s1} - requires {[#"../knapsack_full.rs" 47 11 47 36] 0 <= i2 /\ i2 <= Seq.length s2} - variant {[#"../knapsack_full.rs" 45 10 45 12] i2} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../knapsack_full.rs" 49 4 55 5] if pure {i2 = 0} then - pure {i1 = Seq.length s1} + constant s1 : Seq.seq t + constant i1 : int + constant s2 : Seq.seq t + constant i2 : int + predicate subseq_rev [#"../knapsack_full.rs" 48 0 48 67] (s1 : Seq.seq t) (i1 : int) (s2 : Seq.seq t) (i2 : int) + goal vc_subseq_rev : ([#"../knapsack_full.rs" 47 11 47 36] 0 <= i2 /\ i2 <= Seq.length s2) + -> ([#"../knapsack_full.rs" 46 11 46 36] 0 <= i1 /\ i1 <= Seq.length s1) + -> match i2 = 0 with + | True -> true + | False -> if i1 < Seq.length s1 then + if Seq.get s1 i1 = Seq.get s2 (i2 - 1) then + ((([#"../knapsack_full.rs" 47 11 47 36] 0 <= i2 - 1 /\ i2 - 1 <= Seq.length s2) && ([#"../knapsack_full.rs" 46 11 46 36] 0 <= i1 + 1 /\ i1 + 1 <= Seq.length s1)) /\ 0 <= ([#"../knapsack_full.rs" 45 10 45 12] i2) /\ ([#"../knapsack_full.rs" 45 10 45 12] i2 - 1) < ([#"../knapsack_full.rs" 45 10 45 12] i2)) /\ (([#"../knapsack_full.rs" 47 11 47 36] 0 <= i2 - 1 /\ i2 - 1 <= Seq.length s2) && ([#"../knapsack_full.rs" 46 11 46 36] 0 <= i1 /\ i1 <= Seq.length s1)) /\ 0 <= ([#"../knapsack_full.rs" 45 10 45 12] i2) /\ ([#"../knapsack_full.rs" 45 10 45 12] i2 - 1) < ([#"../knapsack_full.rs" 45 10 45 12] i2) + else + (([#"../knapsack_full.rs" 47 11 47 36] 0 <= i2 - 1 /\ i2 - 1 <= Seq.length s2) && ([#"../knapsack_full.rs" 46 11 46 36] 0 <= i1 /\ i1 <= Seq.length s1)) /\ 0 <= ([#"../knapsack_full.rs" 45 10 45 12] i2) /\ ([#"../knapsack_full.rs" 45 10 45 12] i2 - 1) < ([#"../knapsack_full.rs" 45 10 45 12] i2) + else - pure {i1 < 
Seq.length s1} && pure {Seq.get s1 i1 = Seq.get s2 (i2 - 1)} && subseq_rev s1 (i1 + 1) s2 (i2 - 1) || subseq_rev s1 i1 s2 (i2 - 1) + (([#"../knapsack_full.rs" 47 11 47 36] 0 <= i2 - 1 /\ i2 - 1 <= Seq.length s2) && ([#"../knapsack_full.rs" 46 11 46 36] 0 <= i1 /\ i1 <= Seq.length s1)) /\ 0 <= ([#"../knapsack_full.rs" 45 10 45 12] i2) /\ ([#"../knapsack_full.rs" 45 10 45 12] i2 - 1) < ([#"../knapsack_full.rs" 45 10 45 12] i2) + end end module KnapsackFull_M_Impl type name @@ -144,6 +154,7 @@ module KnapsackFull_M_Impl axiom inv0 : forall x : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv0 x = true use int.MinMax use prelude.UIntSize + use prelude.UIntSize use seq.Seq use seq.Seq use prelude.Borrow @@ -172,7 +183,8 @@ module KnapsackFull_M_Impl requires {[#"../knapsack_full.rs" 27 21 27 22] inv1 s} ensures { result = sum_weights0 s i } - axiom sum_weights0_spec : forall s : Seq.seq (KnapsackFull_Item_Type.t_item name), i : int . ([#"../knapsack_full.rs" 25 11 25 33] 0 <= i /\ i <= Seq.length s) -> ([#"../knapsack_full.rs" 27 21 27 22] inv1 s) -> ([#"../knapsack_full.rs" 26 10 26 21] sum_weights0 s i >= 0) + axiom sum_weights0_spec : forall s : Seq.seq (KnapsackFull_Item_Type.t_item name), i : int . ([#"../knapsack_full.rs" 25 11 25 33] 0 <= i /\ i <= Seq.length s) + -> ([#"../knapsack_full.rs" 27 21 27 22] inv1 s) -> ([#"../knapsack_full.rs" 26 10 26 21] sum_weights0 s i >= 0) use seq.Seq predicate subseq_rev0 [#"../knapsack_full.rs" 48 0 48 67] (s1 : Seq.seq (KnapsackFull_Item_Type.t_item name)) (i1 : int) (s2 : Seq.seq (KnapsackFull_Item_Type.t_item name)) (i2 : int) 
@@ -186,24 +198,36 @@ module KnapsackFull_M_Impl requires {[#"../knapsack_full.rs" 47 11 47 36] 0 <= i2 /\ i2 <= Seq.length s2} ensures { result = subseq_rev0 s1 i1 s2 i2 } - let rec ghost function m [#"../knapsack_full.rs" 66 0 66 57] (items : Seq.seq (KnapsackFull_Item_Type.t_item name)) (i : int) (w : int) : int - requires {[#"../knapsack_full.rs" 60 11 60 37] 0 <= i /\ i <= Seq.length items} - requires {[#"../knapsack_full.rs" 61 11 61 17] 0 <= w} - requires {[#"../knapsack_full.rs" 66 11 66 16] inv0 items} - ensures { [#"../knapsack_full.rs" 62 10 62 21] result >= 0 } - ensures { [#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv1 s -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items i /\ sum_weights0 s j <= w -> sum_values0 s j <= result } - variant {[#"../knapsack_full.rs" 59 10 59 11] i} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../knapsack_full.rs" 67 4 74 5] if pure {i = 0} then - 0 - else - if pure {UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get items (i - 1))) > w} then - m items (i - 1) w - else - let a' = m items (i - 1) w in let b' = m items (i - 1) (w - UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get items (i - 1)))) + UIntSize.to_int (KnapsackFull_Item_Type.item_value (Seq.get items (i - 1))) in MinMax.max a' b' - - + constant items : Seq.seq (KnapsackFull_Item_Type.t_item name) + constant i : int + constant w : int + function m [#"../knapsack_full.rs" 66 0 66 57] (items : Seq.seq (KnapsackFull_Item_Type.t_item name)) (i : int) (w : int) : int + + goal vc_m : ([#"../knapsack_full.rs" 66 11 66 16] inv0 items) + -> ([#"../knapsack_full.rs" 61 11 61 17] 0 <= w) + -> ([#"../knapsack_full.rs" 60 11 60 37] 0 <= i /\ i <= Seq.length items) + -> match i = 0 with + | True -> let result = 0 in ([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . 
inv1 s + -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items i /\ sum_weights0 s j <= w + -> sum_values0 s j <= result) && ([#"../knapsack_full.rs" 62 10 62 21] result >= 0) + | False -> match UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get items (i - 1))) > w with + | True -> ((([#"../knapsack_full.rs" 66 11 66 16] inv0 items) && ([#"../knapsack_full.rs" 61 11 61 17] 0 <= w) && ([#"../knapsack_full.rs" 60 11 60 37] 0 <= i - 1 /\ i - 1 <= Seq.length items)) /\ 0 <= ([#"../knapsack_full.rs" 59 10 59 11] i) /\ ([#"../knapsack_full.rs" 59 10 59 11] i - 1) < ([#"../knapsack_full.rs" 59 10 59 11] i)) /\ (([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv1 s + -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items (i - 1) /\ sum_weights0 s j <= w + -> sum_values0 s j <= m items (i - 1) w) && ([#"../knapsack_full.rs" 62 10 62 21] m items (i - 1) w >= 0) + -> (let result = m items (i - 1) w in ([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv1 s + -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items i /\ sum_weights0 s j <= w + -> sum_values0 s j <= result) && ([#"../knapsack_full.rs" 62 10 62 21] result >= 0))) + | False -> ((([#"../knapsack_full.rs" 66 11 66 16] inv0 items) && ([#"../knapsack_full.rs" 61 11 61 17] 0 <= w) && ([#"../knapsack_full.rs" 60 11 60 37] 0 <= i - 1 /\ i - 1 <= Seq.length items)) /\ 0 <= ([#"../knapsack_full.rs" 59 10 59 11] i) /\ ([#"../knapsack_full.rs" 59 10 59 11] i - 1) < ([#"../knapsack_full.rs" 59 10 59 11] i)) /\ (([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . 
inv1 s + -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items (i - 1) /\ sum_weights0 s j <= w + -> sum_values0 s j <= m items (i - 1) w) && ([#"../knapsack_full.rs" 62 10 62 21] m items (i - 1) w >= 0) + -> ((([#"../knapsack_full.rs" 66 11 66 16] inv0 items) && ([#"../knapsack_full.rs" 61 11 61 17] 0 <= w - UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get items (i - 1)))) && ([#"../knapsack_full.rs" 60 11 60 37] 0 <= i - 1 /\ i - 1 <= Seq.length items)) /\ 0 <= ([#"../knapsack_full.rs" 59 10 59 11] i) /\ ([#"../knapsack_full.rs" 59 10 59 11] i - 1) < ([#"../knapsack_full.rs" 59 10 59 11] i)) /\ (([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv1 s + -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items (i - 1) /\ sum_weights0 s j <= w - UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get items (i - 1))) + -> sum_values0 s j <= m items (i - 1) (w - UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get items (i - 1))))) && ([#"../knapsack_full.rs" 62 10 62 21] m items (i - 1) (w - UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get items (i - 1)))) >= 0) + -> (let result = MinMax.max (m items (i - 1) w) (m items (i - 1) (w - UIntSize.to_int (KnapsackFull_Item_Type.item_weight (Seq.get items (i - 1)))) + UIntSize.to_int (KnapsackFull_Item_Type.item_value (Seq.get items (i - 1)))) in ([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv1 s + -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items i /\ sum_weights0 s j <= w + -> sum_values0 s j <= result) && ([#"../knapsack_full.rs" 62 10 62 21] result >= 0)))) + end + end end module Core_Ptr_NonNull_NonNull_Type use prelude.Opaque 
@@ -223,12 +247,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type @@ -307,7 +337,8 @@ module KnapsackFull_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv22 self} ensures { result = shallow_model5 self } - axiom shallow_model5_spec : forall self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv22 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv11 (shallow_model5 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max1) + axiom shallow_model5_spec : forall self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv22 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv11 (shallow_model5 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max1) predicate invariant22 (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -464,7 +495,8 @@ module KnapsackFull_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv9 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max1) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv9 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max1) predicate invariant8 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -483,7 +515,8 @@ module KnapsackFull_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max1) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max1) predicate invariant7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv10 (shallow_model3 self) val invariant7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool @@ -500,9 +533,9 @@ module KnapsackFull_Knapsack01Dyn ensures { result = inv6 _x } axiom inv6 : forall x : usize . inv6 x = true - predicate inv3 (_x : Seq.seq (KnapsackFull_Item_Type.t_item name)) - val inv3 (_x : Seq.seq (KnapsackFull_Item_Type.t_item name)) : bool - ensures { result = inv3 _x } + predicate inv4 (_x : Seq.seq (KnapsackFull_Item_Type.t_item name)) + val inv4 (_x : Seq.seq (KnapsackFull_Item_Type.t_item name)) : bool + ensures { result = inv4 _x } use seq.Seq predicate inv5 (_x : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) 
@@ -515,30 +548,31 @@ module KnapsackFull_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max1) + axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max1) predicate invariant5 (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv3 (shallow_model4 self) + [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv4 (shallow_model4 self) val invariant5 (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = invariant5 self } axiom inv5 : forall x : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) . 
inv5 x = true - predicate invariant4 (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) - - val invariant4 (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) : bool + predicate invariant4 (self : Seq.seq (KnapsackFull_Item_Type.t_item name)) + val invariant4 (self : Seq.seq (KnapsackFull_Item_Type.t_item name)) : bool ensures { result = invariant4 self } - predicate inv4 (_x : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) - val inv4 (_x : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) : bool - ensures { result = inv4 _x } + axiom inv4 : forall x : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv4 x = true + predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) - axiom inv4 : forall x : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) . inv4 x = true - predicate invariant3 (self : Seq.seq (KnapsackFull_Item_Type.t_item name)) - val invariant3 (self : Seq.seq (KnapsackFull_Item_Type.t_item name)) : bool + val invariant3 (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = invariant3 self } - axiom inv3 : forall x : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv3 x = true + predicate inv3 (_x : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) + val inv3 (_x : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) : bool + ensures { result = inv3 _x } + + axiom inv3 : forall x : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) . 
inv3 x = true use seq.Seq predicate inv2 (_x : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) val inv2 (_x : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) : bool @@ -565,7 +599,9 @@ module KnapsackFull_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/ops.rs" 207 20 207 24] inv2 self} ensures { result = is_empty_log0 self } - axiom is_empty_log0_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../creusot-contracts/src/std/ops.rs" 207 20 207 24] inv2 self) -> ([#"../../../../creusot-contracts/src/std/ops.rs" 206 4 206 88] not is_empty_log0 self -> deep_model0 (start_log0 self) <= deep_model0 (end_log0 self)) + axiom is_empty_log0_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../creusot-contracts/src/std/ops.rs" 207 20 207 24] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/ops.rs" 206 4 206 88] not is_empty_log0 self + -> deep_model0 (start_log0 self) <= deep_model0 (end_log0 self)) function range_inclusive_len0 (r : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) : int = [#"../../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5] if is_empty_log0 r then 0 
@@ -576,11 +612,14 @@ module KnapsackFull_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 46 62 46 63] inv2 r} ensures { result = range_inclusive_len0 r } - axiom range_inclusive_len0_spec : forall r : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 46 62 46 63] inv2 r) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43] is_empty_log0 r = (range_inclusive_len0 r = 0)) + axiom range_inclusive_len0_spec : forall r : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 46 62 46 63] inv2 r) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43] is_empty_log0 r = (range_inclusive_len0 r = 0)) predicate produces1 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) (visited : Seq.seq usize) (o : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) = - [#"../../../../creusot-contracts/src/std/iter/range.rs" 65 8 71 9] Seq.length visited = range_inclusive_len0 self - range_inclusive_len0 o /\ (is_empty_log0 self -> is_empty_log0 o) /\ (is_empty_log0 o \/ end_log0 self = end_log0 o) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (start_log0 self) + i) + [#"../../../../creusot-contracts/src/std/iter/range.rs" 65 8 71 9] Seq.length visited = range_inclusive_len0 self - range_inclusive_len0 o /\ (is_empty_log0 self + -> is_empty_log0 o) /\ (is_empty_log0 o \/ end_log0 self = end_log0 o) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (start_log0 self) + i) val produces1 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) (visited : Seq.seq usize) (o : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) : bool ensures { result = produces1 self visited o } 
@@ -598,7 +637,14 @@ module KnapsackFull_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 84 82 84 83] inv2 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize, ab : Seq.seq usize, b : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize, bc : Seq.seq usize, c : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 81 15 81 32] produces1 a ab b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 82 15 82 32] produces1 b bc c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 22 84 23] inv2 a) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 31 84 33] inv10 ab) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 52 84 53] inv2 b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 61 84 63] inv10 bc) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 82 84 83] inv2 c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 83 14 83 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize, ab : Seq.seq usize, b : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize, bc : Seq.seq usize, c : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . 
([#"../../../../creusot-contracts/src/std/iter/range.rs" 81 15 81 32] produces1 a ab b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 82 15 82 32] produces1 b bc c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 22 84 23] inv2 a) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 31 84 33] inv10 ab) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 52 84 53] inv2 b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 61 84 63] inv10 bc) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 82 84 83] inv2 c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 83 14 83 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) : () = [#"../../../../creusot-contracts/src/std/iter/range.rs" 74 4 74 10] () @@ -606,7 +652,8 @@ module KnapsackFull_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 77 21 77 25] inv2 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 77 21 77 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 76 14 76 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 77 21 77 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 76 14 76 45] produces1 self (Seq.empty ) self) predicate invariant2 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) = [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant2 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) : bool 
@@ -629,7 +676,9 @@ module KnapsackFull_Knapsack01Dyn predicate produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces0 self visited o } 
@@ -645,13 +694,21 @@ module KnapsackFull_Knapsack01Dyn requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv10 ab) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv10 bc) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv10 ab) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv10 bc) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : Core_Ops_Range_Range_Type.t_range usize) = [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant0 (self : Core_Ops_Range_Range_Type.t_range usize) : bool 
@@ -666,12 +723,12 @@ module KnapsackFull_Knapsack01Dyn val index_logic4 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) (ix : int) : KnapsackFull_Item_Type.t_item name ensures { result = index_logic4 self ix } - use prelude.Ghost + use prelude.Snapshot use seq.Seq function shallow_model10 (self : borrowed (Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global))) : Seq.seq (KnapsackFull_Item_Type.t_item name) = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model4 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model4 ( * self) val shallow_model10 (self : borrowed (Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global))) : Seq.seq (KnapsackFull_Item_Type.t_item name) ensures { result = shallow_model10 self } 
@@ -680,43 +737,6 @@ module KnapsackFull_Knapsack01Dyn requires {inv1 value} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 78 26 78 51] shallow_model4 ( ^ self) = Seq.snoc (shallow_model10 self) value } - predicate resolve6 (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) - - val resolve6 (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) : bool - ensures { result = resolve6 self } - - predicate resolve8 (self : usize) = - [#"../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true - val resolve8 (self : usize) : bool - ensures { result = resolve8 self } - - function index_logic5 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (ix : int) : usize - - = - [#"../../../../creusot-contracts/src/logic/ops.rs" 20 8 20 31] Seq.get (shallow_model3 self) ix - val index_logic5 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (ix : int) : usize - ensures { result = index_logic5 self ix } - - predicate resolve7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 
0 <= i /\ i < Seq.length (shallow_model3 self) -> resolve8 (index_logic5 self i) - val resolve7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool - ensures { result = resolve7 self } - - use seq.Seq - function index_logic0 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) (ix : int) : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) - - = - [#"../../../../creusot-contracts/src/logic/ops.rs" 20 8 20 31] Seq.get (shallow_model1 self) ix - val index_logic0 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) (ix : int) : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) - ensures { result = index_logic0 self ix } - - predicate resolve5 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) - - = - [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) -> resolve7 (index_logic0 self i) - val resolve5 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) : bool - ensures { result = resolve5 self } - use seq.Seq predicate subseq_rev0 [#"../knapsack_full.rs" 48 0 48 67] (s1 : Seq.seq (KnapsackFull_Item_Type.t_item name)) (i1 : int) (s2 : Seq.seq (KnapsackFull_Item_Type.t_item name)) (i2 : int) 
@@ -750,10 +770,11 @@ module KnapsackFull_Knapsack01Dyn ) val sum_weights0 [#"../knapsack_full.rs" 27 0 27 56] (s : Seq.seq (KnapsackFull_Item_Type.t_item name)) (i : int) : int requires {[#"../knapsack_full.rs" 25 11 25 33] 0 <= i /\ i <= Seq.length s} - requires {[#"../knapsack_full.rs" 27 21 27 22] inv3 s} + requires {[#"../knapsack_full.rs" 27 21 27 22] inv4 s} ensures { result = sum_weights0 s i } - axiom sum_weights0_spec : forall s : Seq.seq (KnapsackFull_Item_Type.t_item name), i : int . ([#"../knapsack_full.rs" 25 11 25 33] 0 <= i /\ i <= Seq.length s) -> ([#"../knapsack_full.rs" 27 21 27 22] inv3 s) -> ([#"../knapsack_full.rs" 26 10 26 21] sum_weights0 s i >= 0) + axiom sum_weights0_spec : forall s : Seq.seq (KnapsackFull_Item_Type.t_item name), i : int . ([#"../knapsack_full.rs" 25 11 25 33] 0 <= i /\ i <= Seq.length s) + -> ([#"../knapsack_full.rs" 27 21 27 22] inv4 s) -> ([#"../knapsack_full.rs" 26 10 26 21] sum_weights0 s i >= 0) function index_logic2 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) (ix : int) : KnapsackFull_Item_Type.t_item name = 
@@ -765,19 +786,59 @@ module KnapsackFull_Knapsack01Dyn ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 71 26 71 44] Seq.length (shallow_model4 result) = 0 } ensures { inv5 result } + predicate resolve6 (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) + + val resolve6 (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) : bool + ensures { result = resolve6 self } + + predicate resolve8 (self : usize) = + [#"../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true + val resolve8 (self : usize) : bool + ensures { result = resolve8 self } + + function index_logic5 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (ix : int) : usize + + = + [#"../../../../creusot-contracts/src/logic/ops.rs" 20 8 20 31] Seq.get (shallow_model3 self) ix + val index_logic5 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (ix : int) : usize + ensures { result = index_logic5 self ix } + + predicate resolve7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 
0 <= i /\ i < Seq.length (shallow_model3 self) + -> resolve8 (index_logic5 self i) + val resolve7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool + ensures { result = resolve7 self } + + use seq.Seq + function index_logic0 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) (ix : int) : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) + + = + [#"../../../../creusot-contracts/src/logic/ops.rs" 20 8 20 31] Seq.get (shallow_model1 self) ix + val index_logic0 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) (ix : int) : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) + ensures { result = index_logic0 self ix } + + predicate resolve5 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) + + = + [#"../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 
0 <= i /\ i < Seq.length (shallow_model1 self) + -> resolve7 (index_logic0 self i) + val resolve5 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) : bool + ensures { result = resolve5 self } + predicate resolve4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve4 self } predicate resolve3 (self : borrowed usize) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve3 (self : borrowed usize) : bool ensures { result = resolve3 self } use prelude.Slice predicate resolve_elswhere1 [@inline:trivial] (self : usize) (old' : Seq.seq usize) (fin : Seq.seq usize) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere1 [@inline:trivial] (self : usize) (old' : Seq.seq usize) (fin : Seq.seq usize) : bool ensures { result = resolve_elswhere1 self old' fin } 
@@ -794,7 +855,7 @@ module KnapsackFull_Knapsack01Dyn function shallow_model9 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : Seq.seq usize = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model3 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model3 ( * self) val shallow_model9 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : Seq.seq usize ensures { result = shallow_model9 self } @@ -811,7 +872,8 @@ module KnapsackFull_Knapsack01Dyn predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) (fin : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) (fin : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve_elswhere0 self old' fin } 
@@ -832,7 +894,7 @@ module KnapsackFull_Knapsack01Dyn function shallow_model8 (self : borrowed (Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global))) : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model1 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model1 ( * self) val shallow_model8 (self : borrowed (Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global))) : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) ensures { result = shallow_model8 self } @@ -851,7 +913,7 @@ module KnapsackFull_Knapsack01Dyn ensures { [#"../knapsack_full.rs" 14 10 14 31] UIntSize.to_int result = MinMax.max (UIntSize.to_int a) (UIntSize.to_int b) } function shallow_model7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : Seq.seq usize = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model3 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model3 self val shallow_model7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : Seq.seq usize ensures { result = shallow_model7 self } 
@@ -865,7 +927,7 @@ module KnapsackFull_Knapsack01Dyn function shallow_model6 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model1 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model1 self val shallow_model6 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) ensures { result = shallow_model6 self } @@ -877,7 +939,7 @@ module KnapsackFull_Knapsack01Dyn ensures { inv16 result } predicate resolve2 (self : borrowed (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize)) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize)) : bool ensures { result = resolve2 self } @@ -895,8 +957,8 @@ module KnapsackFull_Knapsack01Dyn end } ensures { inv13 result } - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post1 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) (res : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) = 
@@ -920,7 +982,8 @@ module KnapsackFull_Knapsack01Dyn requires {inv6 end'} ensures { [#"../../../../creusot-contracts/src/std/ops.rs" 220 26 220 53] start_log0 result = start } ensures { [#"../../../../creusot-contracts/src/std/ops.rs" 221 26 221 49] end_log0 result = end' } - ensures { [#"../../../../creusot-contracts/src/std/ops.rs" 222 16 222 93] deep_model0 start <= deep_model0 end' -> not is_empty_log0 result } + ensures { [#"../../../../creusot-contracts/src/std/ops.rs" 222 16 222 93] deep_model0 start <= deep_model0 end' + -> not is_empty_log0 result } ensures { inv2 result } predicate resolve1 (self : KnapsackFull_Item_Type.t_item name) 
@@ -942,19 +1005,19 @@ module KnapsackFull_Knapsack01Dyn function shallow_model0 (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (KnapsackFull_Item_Type.t_item name) = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model5 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model5 self val shallow_model0 (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (KnapsackFull_Item_Type.t_item name) ensures { result = shallow_model0 self } val index0 (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) (index : usize) : KnapsackFull_Item_Type.t_item name requires {[#"../../../../creusot-contracts/src/std/vec.rs" 141 27 141 46] in_bounds0 index (shallow_model0 self)} - requires {inv4 self} + requires {inv3 self} requires {inv6 index} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 142 26 142 54] has_value0 index (shallow_model0 self) result } ensures { inv1 result } predicate resolve0 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) : bool ensures { result = resolve0 self } 
@@ -988,12 +1051,17 @@ module KnapsackFull_Knapsack01Dyn requires {[#"../knapsack_full.rs" 66 11 66 16] inv11 items} ensures { result = m0 items i w } - axiom m0_spec : forall items : Seq.seq (KnapsackFull_Item_Type.t_item name), i : int, w : int . ([#"../knapsack_full.rs" 60 11 60 37] 0 <= i /\ i <= Seq.length items) -> ([#"../knapsack_full.rs" 61 11 61 17] 0 <= w) -> ([#"../knapsack_full.rs" 66 11 66 16] inv11 items) -> ([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv3 s -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items i /\ sum_weights0 s j <= w -> sum_values0 s j <= m0 items i w) && ([#"../knapsack_full.rs" 62 10 62 21] m0 items i w >= 0) - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + axiom m0_spec : forall items : Seq.seq (KnapsackFull_Item_Type.t_item name), i : int, w : int . ([#"../knapsack_full.rs" 60 11 60 37] 0 <= i /\ i <= Seq.length items) + -> ([#"../knapsack_full.rs" 61 11 61 17] 0 <= w) + -> ([#"../knapsack_full.rs" 66 11 66 16] inv11 items) + -> ([#"../knapsack_full.rs" 63 0 65 2] forall j : int . forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv4 s + -> 0 <= j /\ j <= Seq.length s /\ subseq_rev0 s j items i /\ sum_weights0 s j <= w + -> sum_values0 s j <= m0 items i w) && ([#"../knapsack_full.rs" 62 10 62 21] m0 items i w >= 0) + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_Range_Type.t_range usize) (res : Core_Ops_Range_Range_Type.t_range usize) = 
@@ -1015,27 +1083,32 @@ module KnapsackFull_Knapsack01Dyn val from_elem1 (elem : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (n : usize) : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) requires {inv7 elem} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model1 result) = UIntSize.to_int n } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic0 result i = elem } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n + -> index_logic0 result i = elem } ensures { inv8 result } val len0 (self : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) : usize - requires {inv4 self} + requires {inv3 self} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 75 26 75 48] UIntSize.to_int result = Seq.length (shallow_model0 self) } val from_elem0 (elem : usize) (n : usize) : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) requires {inv6 elem} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model3 result) = UIntSize.to_int n } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic5 result i = elem } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 
0 <= i /\ i < UIntSize.to_int n + -> index_logic5 result i = elem } ensures { inv7 result } let rec cfg knapsack01_dyn [#"../knapsack_full.rs" 85 0 85 91] [@cfg:stackify] [@cfg:subregion_analysis] (items : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)) (max_weight : usize) : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global) requires {[#"../knapsack_full.rs" 77 11 77 34] Seq.length (shallow_model0 items) < 10000000} requires {[#"../knapsack_full.rs" 78 11 78 33] UIntSize.to_int max_weight < 10000000} - requires {[#"../knapsack_full.rs" 79 0 79 86] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 items) -> UIntSize.to_int (KnapsackFull_Item_Type.item_value (index_logic4 items i)) <= 10000000} - requires {[#"../knapsack_full.rs" 85 28 85 33] inv4 items} + requires {[#"../knapsack_full.rs" 79 0 79 86] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 items) + -> UIntSize.to_int (KnapsackFull_Item_Type.item_value (index_logic4 items i)) <= 10000000} + requires {[#"../knapsack_full.rs" 85 28 85 33] inv3 items} ensures { [#"../knapsack_full.rs" 80 10 80 60] sum_weights0 (shallow_model4 result) (Seq.length (shallow_model4 result)) <= UIntSize.to_int max_weight } ensures { [#"../knapsack_full.rs" 81 10 81 54] subseq_rev0 (shallow_model4 result) 0 (shallow_model0 items) (Seq.length (shallow_model0 items)) } - ensures { [#"../knapsack_full.rs" 82 0 84 2] forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv3 s -> subseq_rev0 s 0 (shallow_model0 items) (Seq.length (shallow_model0 items)) /\ sum_weights0 s (Seq.length s) <= UIntSize.to_int max_weight -> sum_values0 s (Seq.length s) <= sum_values0 (shallow_model4 result) (Seq.length (shallow_model4 result)) } + ensures { [#"../knapsack_full.rs" 82 0 84 2] forall s : Seq.seq (KnapsackFull_Item_Type.t_item name) . 
inv4 s + -> subseq_rev0 s 0 (shallow_model0 items) (Seq.length (shallow_model0 items)) /\ sum_weights0 s (Seq.length s) <= UIntSize.to_int max_weight + -> sum_values0 s (Seq.length s) <= sum_values0 (shallow_model4 result) (Seq.length (shallow_model4 result)) } ensures { [#"../knapsack_full.rs" 85 75 85 91] inv5 result } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -1044,49 +1117,59 @@ module KnapsackFull_Knapsack01Dyn var max_weight : usize = max_weight; var best_value : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global); var _10 : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); + var _11 : usize; + var _13 : usize; var _14 : usize; var iter : Core_Ops_Range_Range_Type.t_range usize; + var _18 : Core_Ops_Range_Range_Type.t_range usize; var _19 : usize; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range usize); - var produced : Ghost.ghost_ty (Seq.seq usize); + var iter_old : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range usize); + var produced : Snapshot.snap_ty (Seq.seq usize); var _31 : (); var _32 : Core_Option_Option_Type.t_option usize; var _33 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var _34 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var __creusot_proc_iter_elem : usize; - var _37 : Ghost.ghost_ty (Seq.seq usize); + var _37 : Snapshot.snap_ty (Seq.seq usize); var i : usize; var it : KnapsackFull_Item_Type.t_item name; var _41 : KnapsackFull_Item_Type.t_item name; var iter1 : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize; var _45 : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize; - var iter_old1 : Ghost.ghost_ty (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize); - var produced1 : Ghost.ghost_ty (Seq.seq usize); + var iter_old1 : Snapshot.snap_ty (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize); + var produced1 : Snapshot.snap_ty (Seq.seq usize); var _58 : Core_Option_Option_Type.t_option usize; var _59 : borrowed (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize); var _60 : borrowed (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize); var __creusot_proc_iter_elem1 : usize; - var _63 : Ghost.ghost_ty (Seq.seq usize); + var _63 : Snapshot.snap_ty (Seq.seq usize); var w : usize; var _66 : usize; + var _67 : bool; var _70 : 
usize; var _72 : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); var _77 : usize; var _79 : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); + var _83 : usize; var _85 : usize; var _87 : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); + var _90 : usize; var _94 : borrowed usize; var _95 : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)); var _96 : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)); var _97 : borrowed (Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)); + var _98 : usize; var result : Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global); var _104 : usize; var left_weight : usize; var j : usize; + var _115 : bool; var it1 : KnapsackFull_Item_Type.t_item name; var _118 : KnapsackFull_Item_Type.t_item name; + var _121 : bool; var _123 : usize; var _125 : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); + var _127 : usize; var _131 : usize; var _133 : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); var _137 : (); 
@@ -1095,34 +1178,40 @@ module KnapsackFull_Knapsack01Dyn goto BB0 } BB0 { - [#"../../../../creusot-contracts/src/lib.rs" 196 8 196 40] _10 <- ([#"../knapsack_full.rs" 86 30 86 53] from_elem0 ([#"../knapsack_full.rs" 86 35 86 36] [#"../knapsack_full.rs" 86 35 86 36] (0 : usize)) ([#"../knapsack_full.rs" 86 38 86 52] ([#"../knapsack_full.rs" 86 38 86 48] max_weight) + ([#"../knapsack_full.rs" 86 51 86 52] [#"../knapsack_full.rs" 86 51 86 52] (1 : usize)))); + [#"../knapsack_full.rs" 86 38 86 52] _11 <- max_weight + ([#"../knapsack_full.rs" 86 51 86 52] (1 : usize)); + [#"../knapsack_full.rs" 86 30 86 53] _10 <- ([#"../knapsack_full.rs" 86 30 86 53] from_elem0 ([#"../knapsack_full.rs" 86 35 86 36] (0 : usize)) _11); + _11 <- any usize; goto BB1 } BB1 { - [#"../knapsack_full.rs" 86 55 86 66] _14 <- ([#"../knapsack_full.rs" 86 55 86 66] len0 ([#"../knapsack_full.rs" 86 55 86 60] items)); + [#"../knapsack_full.rs" 86 55 86 66] _14 <- ([#"../knapsack_full.rs" 86 55 86 66] len0 items); goto BB2 } BB2 { - [#"../../../../creusot-contracts/src/lib.rs" 196 8 196 40] best_value <- ([#"../knapsack_full.rs" 86 25 86 71] from_elem1 _10 ([#"../knapsack_full.rs" 86 55 86 70] _14 + ([#"../knapsack_full.rs" 86 69 86 70] [#"../knapsack_full.rs" 86 69 86 70] (1 : usize)))); - _10 <- any Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); + [#"../knapsack_full.rs" 86 55 86 70] _13 <- _14 + ([#"../knapsack_full.rs" 86 69 86 70] (1 : usize)); _14 <- any usize; + [#"../knapsack_full.rs" 86 25 86 71] best_value <- ([#"../knapsack_full.rs" 86 25 86 71] from_elem1 _10 _13); + _10 <- any Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); + _13 <- any usize; goto BB3 } BB3 { - [#"../knapsack_full.rs" 95 16 95 27] _19 <- ([#"../knapsack_full.rs" 95 16 95 27] len0 ([#"../knapsack_full.rs" 95 16 95 21] items)); + [#"../knapsack_full.rs" 95 16 95 27] _19 <- ([#"../knapsack_full.rs" 95 16 95 27] len0 items); goto BB4 } BB4 { - [#"../knapsack_full.rs" 88 4 88 55] iter 
<- ([#"../knapsack_full.rs" 88 4 88 55] into_iter0 ([#"../knapsack_full.rs" 95 13 95 27] Core_Ops_Range_Range_Type.C_Range ([#"../knapsack_full.rs" 95 13 95 14] [#"../knapsack_full.rs" 95 13 95 14] (0 : usize)) _19)); + [#"../knapsack_full.rs" 95 13 95 27] _18 <- Core_Ops_Range_Range_Type.C_Range ([#"../knapsack_full.rs" 95 13 95 14] (0 : usize)) _19; _19 <- any usize; + [#"../knapsack_full.rs" 88 4 88 55] iter <- ([#"../knapsack_full.rs" 88 4 88 55] into_iter0 _18); + _18 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB5 } BB5 { - [#"../knapsack_full.rs" 88 4 88 55] iter_old <- ([#"../knapsack_full.rs" 88 4 88 55] Ghost.new iter); + [#"../knapsack_full.rs" 88 4 88 55] iter_old <- ([#"../knapsack_full.rs" 88 4 88 55] Snapshot.new iter); goto BB6 } BB6 { - [#"../knapsack_full.rs" 88 4 88 55] produced <- ([#"../knapsack_full.rs" 88 4 88 55] Ghost.new (Seq.empty )); + [#"../knapsack_full.rs" 88 4 88 55] produced <- ([#"../knapsack_full.rs" 88 4 88 55] Snapshot.new (Seq.empty )); goto BB7 } BB7 { 
@@ -1142,11 +1231,14 @@ module KnapsackFull_Knapsack01Dyn } BB12 { invariant { [#"../knapsack_full.rs" 88 4 88 55] inv0 iter }; - invariant { [#"../knapsack_full.rs" 88 4 88 55] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; + invariant { [#"../knapsack_full.rs" 88 4 88 55] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; invariant { [#"../knapsack_full.rs" 88 16 88 53] Seq.length (shallow_model0 items) + 1 = Seq.length (shallow_model1 best_value) }; - invariant { [#"../knapsack_full.rs" 88 4 88 55] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 best_value) -> UIntSize.to_int max_weight + 1 = Seq.length (shallow_model3 (index_logic0 best_value i)) }; - invariant { [#"../knapsack_full.rs" 88 4 88 55] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (Ghost.inner produced) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) = m0 (shallow_model0 items) ii ww }; - invariant { [#"../knapsack_full.rs" 88 4 88 55] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (shallow_model0 items) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) <= 10000000 * ii }; + invariant { [#"../knapsack_full.rs" 88 4 88 55] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 best_value) + -> UIntSize.to_int max_weight + 1 = Seq.length (shallow_model3 (index_logic0 best_value i)) }; + invariant { [#"../knapsack_full.rs" 88 4 88 55] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (Snapshot.inner produced) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight + -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) = m0 (shallow_model0 items) ii ww }; + invariant { [#"../knapsack_full.rs" 88 4 88 55] forall ww : int . forall ii : int . 
0 <= ii /\ ii <= Seq.length (shallow_model0 items) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight + -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) <= 10000000 * ii }; goto BB13 } BB13 { 
@@ -1166,33 +1258,36 @@ module KnapsackFull_Knapsack01Dyn end } BB15 { - [#"../knapsack_full.rs" 119 49 119 60] _104 <- ([#"../knapsack_full.rs" 119 49 119 60] len0 ([#"../knapsack_full.rs" 119 49 119 54] items)); - goto BB49 + [#"../knapsack_full.rs" 119 49 119 60] _104 <- ([#"../knapsack_full.rs" 119 49 119 60] len0 items); + goto BB50 } BB16 { goto BB18 } BB17 { + assume { resolve5 best_value }; + assert { [@expl:type invariant] inv3 items }; + assume { resolve6 items }; assert { [#"../knapsack_full.rs" 88 4 88 55] false }; absurd } BB18 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _32); - [#"../knapsack_full.rs" 88 4 88 55] _37 <- ([#"../knapsack_full.rs" 88 4 88 55] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _32; + [#"../knapsack_full.rs" 88 4 88 55] _37 <- ([#"../knapsack_full.rs" 88 4 88 55] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB19 } BB19 { - [#"../knapsack_full.rs" 88 4 88 55] produced <- ([#"../knapsack_full.rs" 88 4 88 55] _37); - [#"../knapsack_full.rs" 88 4 88 55] _37 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] i <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem); - [#"../knapsack_full.rs" 96 23 96 26] _41 <- ([#"../knapsack_full.rs" 96 23 96 26] index0 ([#"../knapsack_full.rs" 96 18 96 23] items) ([#"../knapsack_full.rs" 96 24 96 25] i)); + [#"../knapsack_full.rs" 88 4 88 55] produced <- _37; + _37 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] i <- __creusot_proc_iter_elem; + [#"../knapsack_full.rs" 96 23 96 26] _41 <- 
([#"../knapsack_full.rs" 96 23 96 26] index0 items i); goto BB20 } BB20 { - [#"../knapsack_full.rs" 96 17 96 26] it <- ([#"../knapsack_full.rs" 96 17 96 26] _41); + [#"../knapsack_full.rs" 96 17 96 26] it <- _41; assert { [@expl:type invariant] inv1 _41 }; assume { resolve1 _41 }; - [#"../knapsack_full.rs" 110 17 110 31] _45 <- ([#"../knapsack_full.rs" 110 17 110 31] new2 ([#"../knapsack_full.rs" 110 17 110 18] [#"../knapsack_full.rs" 110 17 110 18] (0 : usize)) ([#"../knapsack_full.rs" 110 21 110 31] max_weight)); + [#"../knapsack_full.rs" 110 17 110 31] _45 <- ([#"../knapsack_full.rs" 110 17 110 31] new2 ([#"../knapsack_full.rs" 110 17 110 18] (0 : usize)) max_weight); goto BB21 } BB21 { @@ -1201,11 +1296,11 @@ module KnapsackFull_Knapsack01Dyn goto BB22 } BB22 { - [#"../knapsack_full.rs" 98 8 98 59] iter_old1 <- ([#"../knapsack_full.rs" 98 8 98 59] Ghost.new iter1); + [#"../knapsack_full.rs" 98 8 98 59] iter_old1 <- ([#"../knapsack_full.rs" 98 8 98 59] Snapshot.new iter1); goto BB23 } BB23 { - [#"../knapsack_full.rs" 98 8 98 59] produced1 <- ([#"../knapsack_full.rs" 98 8 98 59] Ghost.new (Seq.empty )); + [#"../knapsack_full.rs" 98 8 98 59] produced1 <- ([#"../knapsack_full.rs" 98 8 98 59] Snapshot.new (Seq.empty )); goto BB24 } BB24 { 
@@ -1228,12 +1323,16 @@ module KnapsackFull_Knapsack01Dyn } BB30 { invariant { [#"../knapsack_full.rs" 98 8 98 59] inv2 iter1 }; - invariant { [#"../knapsack_full.rs" 98 8 98 59] produces1 (Ghost.inner iter_old1) (Ghost.inner produced1) iter1 }; + invariant { [#"../knapsack_full.rs" 98 8 98 59] produces1 (Snapshot.inner iter_old1) (Snapshot.inner produced1) iter1 }; invariant { [#"../knapsack_full.rs" 98 20 98 57] Seq.length (shallow_model0 items) + 1 = Seq.length (shallow_model1 best_value) }; - invariant { [#"../knapsack_full.rs" 98 8 98 59] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 best_value) -> UIntSize.to_int max_weight + 1 = Seq.length (shallow_model3 (index_logic0 best_value i)) }; - invariant { [#"../knapsack_full.rs" 98 8 98 59] forall ww : int . forall ii : int . 0 <= ii /\ ii <= UIntSize.to_int i /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) = m0 (shallow_model0 items) ii ww }; - invariant { [#"../knapsack_full.rs" 98 8 98 59] forall ww : int . 0 <= ww /\ ww <= Seq.length (Ghost.inner produced1) - 1 -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value (UIntSize.to_int i + 1))) ww) = m0 (shallow_model0 items) (UIntSize.to_int i + 1) ww }; - invariant { [#"../knapsack_full.rs" 98 8 98 59] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (shallow_model0 items) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) <= 10000000 * ii }; + invariant { [#"../knapsack_full.rs" 98 8 98 59] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 best_value) + -> UIntSize.to_int max_weight + 1 = Seq.length (shallow_model3 (index_logic0 best_value i)) }; + invariant { [#"../knapsack_full.rs" 98 8 98 59] forall ww : int . forall ii : int . 
0 <= ii /\ ii <= UIntSize.to_int i /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight + -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) = m0 (shallow_model0 items) ii ww }; + invariant { [#"../knapsack_full.rs" 98 8 98 59] forall ww : int . 0 <= ww /\ ww <= Seq.length (Snapshot.inner produced1) - 1 + -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value (UIntSize.to_int i + 1))) ww) = m0 (shallow_model0 items) (UIntSize.to_int i + 1) ww }; + invariant { [#"../knapsack_full.rs" 98 8 98 59] forall ww : int . forall ii : int . 0 <= ii /\ ii <= Seq.length (shallow_model0 items) /\ 0 <= ww /\ ww <= UIntSize.to_int max_weight + -> UIntSize.to_int (Seq.get (shallow_model3 (index_logic0 best_value ii)) ww) <= 10000000 * ii }; goto BB31 } BB31 { 
@@ -1259,90 +1358,103 @@ module KnapsackFull_Knapsack01Dyn goto BB12 } BB34 { - goto BB35 + goto BB36 } BB35 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem1 <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _58); - [#"../knapsack_full.rs" 98 8 98 59] _63 <- ([#"../knapsack_full.rs" 98 8 98 59] Ghost.new (Seq.(++) (Ghost.inner produced1) (Seq.singleton __creusot_proc_iter_elem1))); - goto BB36 + assert { [@expl:type invariant] inv1 it }; + assume { resolve1 it }; + assume { resolve5 best_value }; + assert { [@expl:type invariant] inv3 items }; + assume { resolve6 items }; + assert { [#"../knapsack_full.rs" 98 8 98 59] false }; + absurd } BB36 { - [#"../knapsack_full.rs" 98 8 98 59] produced1 <- ([#"../knapsack_full.rs" 98 8 98 59] _63); - [#"../knapsack_full.rs" 98 8 98 59] _63 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] w <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem1); - switch ([#"../knapsack_full.rs" 111 38 111 51] ([#"../knapsack_full.rs" 111 38 111 47] KnapsackFull_Item_Type.item_weight it) > ([#"../knapsack_full.rs" 111 50 111 51] w)) - | False -> goto BB40 - | True -> goto BB37 - end + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem1 <- Core_Option_Option_Type.some_0 _58; + [#"../knapsack_full.rs" 98 8 98 59] _63 <- ([#"../knapsack_full.rs" 98 8 98 59] Snapshot.new (Seq.(++) (Snapshot.inner produced1) (Seq.singleton __creusot_proc_iter_elem1))); + goto BB37 } BB37 { - [#"../knapsack_full.rs" 112 26 112 29] _72 <- ([#"../knapsack_full.rs" 112 26 112 29] index1 ([#"../knapsack_full.rs" 112 16 112 26] best_value) ([#"../knapsack_full.rs" 112 27 112 28] i)); - goto BB38 + [#"../knapsack_full.rs" 98 8 98 59] produced1 <- _63; + _63 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../creusot-contracts-proc/src/lib.rs" 
654 0 654 51] w <- __creusot_proc_iter_elem1; + [#"../knapsack_full.rs" 111 38 111 51] _67 <- KnapsackFull_Item_Type.item_weight it > w; + switch (_67) + | False -> goto BB41 + | True -> goto BB38 + end } BB38 { - [#"../knapsack_full.rs" 112 29 112 32] _70 <- ([#"../knapsack_full.rs" 112 29 112 32] index2 ([#"../knapsack_full.rs" 112 16 112 29] _72) ([#"../knapsack_full.rs" 112 30 112 31] w)); + [#"../knapsack_full.rs" 112 26 112 29] _72 <- ([#"../knapsack_full.rs" 112 26 112 29] index1 best_value i); goto BB39 } BB39 { - [#"../knapsack_full.rs" 112 16 112 32] _66 <- ([#"../knapsack_full.rs" 112 16 112 32] _70); - goto BB46 + [#"../knapsack_full.rs" 112 29 112 32] _70 <- ([#"../knapsack_full.rs" 112 29 112 32] index2 _72 w); + goto BB40 } BB40 { - [#"../knapsack_full.rs" 114 30 114 33] _79 <- ([#"../knapsack_full.rs" 114 30 114 33] index1 ([#"../knapsack_full.rs" 114 20 114 30] best_value) ([#"../knapsack_full.rs" 114 31 114 32] i)); - goto BB41 + [#"../knapsack_full.rs" 112 16 112 32] _66 <- _70; + goto BB47 } BB41 { - [#"../knapsack_full.rs" 114 33 114 36] _77 <- ([#"../knapsack_full.rs" 114 33 114 36] index2 ([#"../knapsack_full.rs" 114 20 114 33] _79) ([#"../knapsack_full.rs" 114 34 114 35] w)); + [#"../knapsack_full.rs" 114 30 114 33] _79 <- ([#"../knapsack_full.rs" 114 30 114 33] index1 best_value i); goto BB42 } BB42 { - [#"../knapsack_full.rs" 114 48 114 51] _87 <- ([#"../knapsack_full.rs" 114 48 114 51] index1 ([#"../knapsack_full.rs" 114 38 114 48] best_value) ([#"../knapsack_full.rs" 114 49 114 50] i)); + [#"../knapsack_full.rs" 114 33 114 36] _77 <- ([#"../knapsack_full.rs" 114 33 114 36] index2 _79 w); goto BB43 } BB43 { - [#"../knapsack_full.rs" 114 51 114 66] _85 <- ([#"../knapsack_full.rs" 114 51 114 66] index2 ([#"../knapsack_full.rs" 114 38 114 51] _87) ([#"../knapsack_full.rs" 114 52 114 65] ([#"../knapsack_full.rs" 114 52 114 53] w) - ([#"../knapsack_full.rs" 114 56 114 65] KnapsackFull_Item_Type.item_weight it))); + [#"../knapsack_full.rs" 114 
48 114 51] _87 <- ([#"../knapsack_full.rs" 114 48 114 51] index1 best_value i); goto BB44 } BB44 { - [#"../knapsack_full.rs" 114 16 114 78] _66 <- ([#"../knapsack_full.rs" 114 16 114 78] max0 ([#"../knapsack_full.rs" 114 20 114 36] _77) ([#"../knapsack_full.rs" 114 38 114 77] ([#"../knapsack_full.rs" 114 38 114 66] _85) + ([#"../knapsack_full.rs" 114 69 114 77] KnapsackFull_Item_Type.item_value it))); + [#"../knapsack_full.rs" 114 52 114 65] _90 <- w - KnapsackFull_Item_Type.item_weight it; + [#"../knapsack_full.rs" 114 51 114 66] _85 <- ([#"../knapsack_full.rs" 114 51 114 66] index2 _87 _90); + _90 <- any usize; goto BB45 } BB45 { + [#"../knapsack_full.rs" 114 38 114 77] _83 <- _85 + KnapsackFull_Item_Type.item_value it; + [#"../knapsack_full.rs" 114 16 114 78] _66 <- ([#"../knapsack_full.rs" 114 16 114 78] max0 _77 _83); + _83 <- any usize; goto BB46 } BB46 { + goto BB47 + } + BB47 { [#"../knapsack_full.rs" 111 12 111 22] _97 <- Borrow.borrow_mut best_value; [#"../knapsack_full.rs" 111 12 111 22] best_value <- ^ _97; - [#"../knapsack_full.rs" 111 22 111 29] _96 <- ([#"../knapsack_full.rs" 111 22 111 29] index_mut0 _97 ([#"../knapsack_full.rs" 111 23 111 28] ([#"../knapsack_full.rs" 111 23 111 24] i) + ([#"../knapsack_full.rs" 111 27 111 28] [#"../knapsack_full.rs" 111 27 111 28] (1 : usize)))); + [#"../knapsack_full.rs" 111 23 111 28] _98 <- i + ([#"../knapsack_full.rs" 111 27 111 28] (1 : usize)); + [#"../knapsack_full.rs" 111 22 111 29] _96 <- ([#"../knapsack_full.rs" 111 22 111 29] index_mut0 _97 _98); _97 <- any borrowed (Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)); - goto BB47 + _98 <- any usize; + goto BB48 } - BB47 { + BB48 { [#"../knapsack_full.rs" 111 12 111 29] _95 <- Borrow.borrow_final ( * _96) (Borrow.get_id _96); [#"../knapsack_full.rs" 111 12 111 29] _96 <- { _96 with current = ( ^ _95) ; }; - [#"../knapsack_full.rs" 111 29 111 32] _94 <- ([#"../knapsack_full.rs" 
111 29 111 32] index_mut1 _95 ([#"../knapsack_full.rs" 111 30 111 31] w)); + [#"../knapsack_full.rs" 111 29 111 32] _94 <- ([#"../knapsack_full.rs" 111 29 111 32] index_mut1 _95 w); _95 <- any borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)); - goto BB48 + goto BB49 } - BB48 { - [#"../knapsack_full.rs" 111 12 115 13] _94 <- { _94 with current = ([#"../knapsack_full.rs" 111 12 115 13] _66) ; }; - [#"../knapsack_full.rs" 111 12 115 13] _66 <- any usize; + BB49 { + [#"../knapsack_full.rs" 111 12 115 13] _94 <- { _94 with current = _66 ; }; + _66 <- any usize; assume { resolve3 _94 }; assume { resolve4 _96 }; [#"../knapsack_full.rs" 110 32 116 9] _31 <- ([#"../knapsack_full.rs" 110 32 116 9] ()); goto BB30 } - BB49 { + BB50 { [#"../knapsack_full.rs" 119 30 119 61] result <- ([#"../knapsack_full.rs" 119 30 119 61] with_capacity0 _104); _104 <- any usize; - goto BB50 - } - BB50 { - [#"../knapsack_full.rs" 120 26 120 36] left_weight <- ([#"../knapsack_full.rs" 120 26 120 36] max_weight); - [#"../knapsack_full.rs" 122 16 122 27] j <- ([#"../knapsack_full.rs" 122 16 122 27] len0 ([#"../knapsack_full.rs" 122 16 122 21] items)); goto BB51 } BB51 { + [#"../knapsack_full.rs" 120 26 120 36] left_weight <- max_weight; + [#"../knapsack_full.rs" 122 16 122 27] j <- ([#"../knapsack_full.rs" 122 16 122 27] len0 items); goto BB52 } BB52 { 
@@ -1355,100 +1467,102 @@ module KnapsackFull_Knapsack01Dyn goto BB55 } BB55 { - invariant { [#"../knapsack_full.rs" 123 16 123 34] UIntSize.to_int j <= Seq.length (shallow_model0 items) }; - invariant { [#"../knapsack_full.rs" 124 16 124 43] UIntSize.to_int left_weight <= UIntSize.to_int max_weight }; - invariant { [#"../knapsack_full.rs" 123 4 123 36] forall r : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv3 r -> Seq.length (shallow_model4 result) <= Seq.length r /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model4 result) -> index_logic2 result i = Seq.get r i) /\ sum_weights0 r (Seq.length (shallow_model4 result)) <= UIntSize.to_int left_weight -> sum_weights0 r 0 <= UIntSize.to_int max_weight }; - invariant { [#"../knapsack_full.rs" 123 4 123 36] forall r : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv3 r -> Seq.length (shallow_model4 result) <= Seq.length r /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model4 result) -> index_logic2 result i = Seq.get r i) /\ sum_values0 r (Seq.length (shallow_model4 result)) = m0 (shallow_model0 items) (UIntSize.to_int j) (UIntSize.to_int left_weight) -> sum_values0 r 0 = m0 (shallow_model0 items) (Seq.length (shallow_model0 items)) (UIntSize.to_int max_weight) }; - invariant { [#"../knapsack_full.rs" 123 4 123 36] forall r : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv3 r -> Seq.length (shallow_model4 result) <= Seq.length r /\ (forall i : int . 
0 <= i /\ i < Seq.length (shallow_model4 result) -> index_logic2 result i = Seq.get r i) /\ subseq_rev0 r (Seq.length (shallow_model4 result)) (shallow_model0 items) (UIntSize.to_int j) -> subseq_rev0 r 0 (shallow_model0 items) (Seq.length (shallow_model0 items)) }; goto BB56 } BB56 { - switch ([#"../knapsack_full.rs" 140 10 140 15] ([#"../knapsack_full.rs" 140 10 140 11] [#"../knapsack_full.rs" 140 10 140 11] (0 : usize)) < ([#"../knapsack_full.rs" 140 14 140 15] j)) - | False -> goto BB67 - | True -> goto BB57 - end + invariant { [#"../knapsack_full.rs" 123 16 123 34] UIntSize.to_int j <= Seq.length (shallow_model0 items) }; + invariant { [#"../knapsack_full.rs" 124 16 124 43] UIntSize.to_int left_weight <= UIntSize.to_int max_weight }; + invariant { [#"../knapsack_full.rs" 123 4 123 36] forall r : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv4 r + -> Seq.length (shallow_model4 result) <= Seq.length r /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model4 result) + -> index_logic2 result i = Seq.get r i) /\ sum_weights0 r (Seq.length (shallow_model4 result)) <= UIntSize.to_int left_weight + -> sum_weights0 r 0 <= UIntSize.to_int max_weight }; + invariant { [#"../knapsack_full.rs" 123 4 123 36] forall r : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv4 r + -> Seq.length (shallow_model4 result) <= Seq.length r /\ (forall i : int . 0 <= i /\ i < Seq.length (shallow_model4 result) + -> index_logic2 result i = Seq.get r i) /\ sum_values0 r (Seq.length (shallow_model4 result)) = m0 (shallow_model0 items) (UIntSize.to_int j) (UIntSize.to_int left_weight) + -> sum_values0 r 0 = m0 (shallow_model0 items) (Seq.length (shallow_model0 items)) (UIntSize.to_int max_weight) }; + invariant { [#"../knapsack_full.rs" 123 4 123 36] forall r : Seq.seq (KnapsackFull_Item_Type.t_item name) . inv4 r + -> Seq.length (shallow_model4 result) <= Seq.length r /\ (forall i : int . 
0 <= i /\ i < Seq.length (shallow_model4 result) + -> index_logic2 result i = Seq.get r i) /\ subseq_rev0 r (Seq.length (shallow_model4 result)) (shallow_model0 items) (UIntSize.to_int j) + -> subseq_rev0 r 0 (shallow_model0 items) (Seq.length (shallow_model0 items)) }; + goto BB57 } BB57 { - [#"../knapsack_full.rs" 141 8 141 14] j <- ([#"../knapsack_full.rs" 141 8 141 14] j - ([#"../knapsack_full.rs" 141 13 141 14] [#"../knapsack_full.rs" 141 13 141 14] (1 : usize))); - [#"../knapsack_full.rs" 142 23 142 26] _118 <- ([#"../knapsack_full.rs" 142 23 142 26] index0 ([#"../knapsack_full.rs" 142 18 142 23] items) ([#"../knapsack_full.rs" 142 24 142 25] j)); - goto BB58 + [#"../knapsack_full.rs" 140 10 140 15] _115 <- ([#"../knapsack_full.rs" 140 10 140 11] (0 : usize)) < j; + switch (_115) + | False -> goto BB68 + | True -> goto BB58 + end } BB58 { - [#"../knapsack_full.rs" 142 17 142 26] it1 <- ([#"../knapsack_full.rs" 142 17 142 26] _118); - assert { [@expl:type invariant] inv1 _118 }; - assume { resolve1 _118 }; - [#"../knapsack_full.rs" 143 21 143 28] _125 <- ([#"../knapsack_full.rs" 143 21 143 28] index1 ([#"../knapsack_full.rs" 143 11 143 21] best_value) ([#"../knapsack_full.rs" 143 22 143 27] ([#"../knapsack_full.rs" 143 22 143 23] j) + ([#"../knapsack_full.rs" 143 26 143 27] [#"../knapsack_full.rs" 143 26 143 27] (1 : usize)))); + [#"../knapsack_full.rs" 141 8 141 14] j <- j - ([#"../knapsack_full.rs" 141 13 141 14] (1 : usize)); + [#"../knapsack_full.rs" 142 23 142 26] _118 <- ([#"../knapsack_full.rs" 142 23 142 26] index0 items j); goto BB59 } BB59 { - [#"../knapsack_full.rs" 143 28 143 41] _123 <- ([#"../knapsack_full.rs" 143 28 143 41] index2 ([#"../knapsack_full.rs" 143 11 143 28] _125) ([#"../knapsack_full.rs" 143 29 143 40] left_weight)); + [#"../knapsack_full.rs" 142 17 142 26] it1 <- _118; + assert { [@expl:type invariant] inv1 _118 }; + assume { resolve1 _118 }; + [#"../knapsack_full.rs" 143 22 143 27] _127 <- j + ([#"../knapsack_full.rs" 143 26 143 
27] (1 : usize)); + [#"../knapsack_full.rs" 143 21 143 28] _125 <- ([#"../knapsack_full.rs" 143 21 143 28] index1 best_value _127); + _127 <- any usize; goto BB60 } BB60 { - [#"../knapsack_full.rs" 143 55 143 58] _133 <- ([#"../knapsack_full.rs" 143 55 143 58] index1 ([#"../knapsack_full.rs" 143 45 143 55] best_value) ([#"../knapsack_full.rs" 143 56 143 57] j)); + [#"../knapsack_full.rs" 143 28 143 41] _123 <- ([#"../knapsack_full.rs" 143 28 143 41] index2 _125 left_weight); goto BB61 } BB61 { - [#"../knapsack_full.rs" 143 58 143 71] _131 <- ([#"../knapsack_full.rs" 143 58 143 71] index2 ([#"../knapsack_full.rs" 143 45 143 58] _133) ([#"../knapsack_full.rs" 143 59 143 70] left_weight)); + [#"../knapsack_full.rs" 143 55 143 58] _133 <- ([#"../knapsack_full.rs" 143 55 143 58] index1 best_value j); goto BB62 } BB62 { - switch ([#"../knapsack_full.rs" 143 11 143 71] ([#"../knapsack_full.rs" 143 11 143 41] _123) <> ([#"../knapsack_full.rs" 143 45 143 71] _131)) - | False -> goto BB65 - | True -> goto BB63 - end + [#"../knapsack_full.rs" 143 58 143 71] _131 <- ([#"../knapsack_full.rs" 143 58 143 71] index2 _133 left_weight); + goto BB63 } BB63 { + [#"../knapsack_full.rs" 143 11 143 71] _121 <- _123 <> _131; + switch (_121) + | False -> goto BB66 + | True -> goto BB64 + end + } + BB64 { [#"../knapsack_full.rs" 144 12 144 18] _138 <- Borrow.borrow_mut result; [#"../knapsack_full.rs" 144 12 144 18] result <- ^ _138; assume { inv5 ( ^ _138) }; - [#"../knapsack_full.rs" 144 12 144 27] _137 <- ([#"../knapsack_full.rs" 144 12 144 27] push0 _138 ([#"../knapsack_full.rs" 144 24 144 26] it1)); + [#"../knapsack_full.rs" 144 12 144 27] _137 <- ([#"../knapsack_full.rs" 144 12 144 27] push0 _138 it1); _138 <- any borrowed (Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global)); - goto BB64 + goto BB65 } - BB64 { + BB65 { assert { [@expl:type invariant] inv1 it1 }; assume { resolve1 it1 }; - [#"../knapsack_full.rs" 145 12 145 36] left_weight 
<- ([#"../knapsack_full.rs" 145 12 145 36] left_weight - ([#"../knapsack_full.rs" 145 27 145 36] KnapsackFull_Item_Type.item_weight it1)); + [#"../knapsack_full.rs" 145 12 145 36] left_weight <- left_weight - KnapsackFull_Item_Type.item_weight it1; [#"../knapsack_full.rs" 143 72 146 9] _31 <- ([#"../knapsack_full.rs" 143 72 146 9] ()); - goto BB66 + goto BB67 } - BB65 { + BB66 { assert { [@expl:type invariant] inv1 it1 }; assume { resolve1 it1 }; [#"../knapsack_full.rs" 146 9 146 9] _31 <- ([#"../knapsack_full.rs" 146 9 146 9] ()); - goto BB66 - } - BB66 { - goto BB55 + goto BB67 } BB67 { - assume { resolve5 best_value }; - assert { [@expl:type invariant] inv4 items }; - assume { resolve6 items }; - [#"../knapsack_full.rs" 149 4 149 10] _0 <- ([#"../knapsack_full.rs" 149 4 149 10] result); - [#"../knapsack_full.rs" 149 4 149 10] result <- any Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global); - goto BB68 + goto BB56 } BB68 { + assume { resolve5 best_value }; + assert { [@expl:type invariant] inv3 items }; + assume { resolve6 items }; + [#"../knapsack_full.rs" 149 4 149 10] _0 <- result; + result <- any Alloc_Vec_Vec_Type.t_vec (KnapsackFull_Item_Type.t_item name) (Alloc_Alloc_Global_Type.t_global); goto BB69 } BB69 { - return _0 - } - BB74 { - assume { resolve5 best_value }; - assert { [@expl:type invariant] inv4 items }; - assume { resolve6 items }; - goto BB17 + goto BB70 } - BB75 { - assert { [@expl:type invariant] inv1 it }; - assume { resolve1 it }; - assume { resolve5 best_value }; - assert { [@expl:type invariant] inv4 items }; - assume { resolve6 items }; - goto BB17 + BB70 { + return _0 } end diff --git a/creusot/tests/should_succeed/knapsack_full.rs b/creusot/tests/should_succeed/knapsack_full.rs index 915d02bb5d..359165faae 100644 --- a/creusot/tests/should_succeed/knapsack_full.rs +++ b/creusot/tests/should_succeed/knapsack_full.rs 
@@ -20,7 +20,7 @@ fn max(a: usize, b: usize) -> usize { } } -#[ghost] +#[logic] #[variant(s.len()-i)] #[requires(0 <= i && i <= s.len())] #[ensures(result >= 0)] @@ -31,7 +31,7 @@ fn sum_weights(s: Seq<&Item>, i: Int) -> Int { } } -#[ghost] +#[logic] #[variant(s.len()-i)] #[requires(i >= 0 && i <= s.len())] fn sum_values(s: Seq<&Item>, i: Int) -> Int { @@ -55,7 +55,7 @@ fn subseq_rev(s1: Seq<&T>, i1: Int, s2: Seq, i2: Int) -> bool { } } -#[ghost] +#[logic] #[variant(i)] #[requires(0 <= i && i <= items.len())] #[requires(0 <= w)] diff --git a/creusot/tests/should_succeed/knapsack_full/why3session.xml b/creusot/tests/should_succeed/knapsack_full/why3session.xml index 909372f228..c07fb1345f 100644 --- a/creusot/tests/should_succeed/knapsack_full/why3session.xml +++ b/creusot/tests/should_succeed/knapsack_full/why3session.xml @@ -10,27 +10,27 @@ - + - - + + - - + + - - + + - - + + @@ -55,333 +55,326 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - + + - - + + - - + + - - + + - - + + - + - + - + - + - - + + - - + + - + - + - + - + - + - + - + - - + + - + - + - - + + - - + + - + - - + + - - + + - - + + - - + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - + + - + - + - + - - + + - + - - + + - + - + - + - - + + - + - + - + - + - + - + - + - + - + - + - - - - - - - - + - + - + diff --git a/creusot/tests/should_succeed/knapsack_full/why3shapes.gz b/creusot/tests/should_succeed/knapsack_full/why3shapes.gz index 96abf9b3dc..c622b5b72b 100644 Binary files a/creusot/tests/should_succeed/knapsack_full/why3shapes.gz and b/creusot/tests/should_succeed/knapsack_full/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/lang/assoc_type.rs b/creusot/tests/should_succeed/lang/assoc_type.rs index f738dba4f5..a64edf665a 100644 --- a/creusot/tests/should_succeed/lang/assoc_type.rs +++ b/creusot/tests/should_succeed/lang/assoc_type.rs 
@@ -43,7 +43,7 @@ pub fn uses3(_: Nested) {} // pub struct Map { // pub iter: I, -// pub produced: Ghost>, +// pub produced: Snapshot>, // } // pub fn use_map(_: Map) {} diff --git a/creusot/tests/should_succeed/lang/branch_borrow_2.mlcfg b/creusot/tests/should_succeed/lang/branch_borrow_2.mlcfg index a55bc8ee7b..42f94f7ad8 100644 --- a/creusot/tests/should_succeed/lang/branch_borrow_2.mlcfg +++ b/creusot/tests/should_succeed/lang/branch_borrow_2.mlcfg 
@@ -21,22 +21,23 @@ module BranchBorrow2_F var _8 : (); var _11 : borrowed int32; var _12 : borrowed int32; + var _14 : bool; { goto BB0 } BB0 { - [#"../branch_borrow_2.rs" 4 16 4 18] a <- ([#"../branch_borrow_2.rs" 4 16 4 18] [#"../branch_borrow_2.rs" 4 16 4 18] (10 : int32)); - [#"../branch_borrow_2.rs" 5 16 5 18] b <- ([#"../branch_borrow_2.rs" 5 16 5 18] [#"../branch_borrow_2.rs" 5 16 5 18] (10 : int32)); - [#"../branch_borrow_2.rs" 6 16 6 18] c <- ([#"../branch_borrow_2.rs" 6 16 6 18] [#"../branch_borrow_2.rs" 6 16 6 18] (10 : int32)); + [#"../branch_borrow_2.rs" 4 16 4 18] a <- ([#"../branch_borrow_2.rs" 4 16 4 18] (10 : int32)); + [#"../branch_borrow_2.rs" 5 16 5 18] b <- ([#"../branch_borrow_2.rs" 5 16 5 18] (10 : int32)); + [#"../branch_borrow_2.rs" 6 16 6 18] c <- ([#"../branch_borrow_2.rs" 6 16 6 18] (10 : int32)); [#"../branch_borrow_2.rs" 8 12 8 18] x <- Borrow.borrow_mut a; [#"../branch_borrow_2.rs" 8 12 8 18] a <- ^ x; [#"../branch_borrow_2.rs" 9 12 9 18] y <- Borrow.borrow_mut b; [#"../branch_borrow_2.rs" 9 12 9 18] b <- ^ y; [#"../branch_borrow_2.rs" 10 12 10 18] z <- Borrow.borrow_mut c; [#"../branch_borrow_2.rs" 10 12 10 18] c <- ^ z; - switch (([#"../branch_borrow_2.rs" 13 10 13 11] [#"../branch_borrow_2.rs" 13 10 13 11] (3 : int32)) = 1) + switch (([#"../branch_borrow_2.rs" 13 10 13 11] (3 : int32)) = 1) | True -> goto BB1 - | False -> switch (([#"../branch_borrow_2.rs" 13 10 13 11] [#"../branch_borrow_2.rs" 13 10 13 11] (3 : int32)) = 2) + | False -> switch (([#"../branch_borrow_2.rs" 13 10 13 11] (3 : int32)) = 2) | True -> goto BB2 | False -> goto BB12 end 
@@ -49,39 +50,40 @@ module BranchBorrow2_F goto BB5 } BB3 { - [#"../branch_borrow_2.rs" 23 12 23 18] z <- { z with current = ([#"../branch_borrow_2.rs" 23 12 23 18] [#"../branch_borrow_2.rs" 23 17 23 18] (8 : int32)) ; }; + [#"../branch_borrow_2.rs" 23 12 23 18] z <- { z with current = ([#"../branch_borrow_2.rs" 23 17 23 18] (8 : int32)) ; }; [#"../branch_borrow_2.rs" 24 16 24 17] _12 <- Borrow.borrow_final ( * z) (Borrow.get_id z); [#"../branch_borrow_2.rs" 24 16 24 17] z <- { z with current = ( ^ _12) ; }; - [#"../branch_borrow_2.rs" 24 12 24 17] w <- ([#"../branch_borrow_2.rs" 24 12 24 17] _12); - [#"../branch_borrow_2.rs" 24 12 24 17] _12 <- any borrowed int32; + [#"../branch_borrow_2.rs" 24 12 24 17] w <- _12; + _12 <- any borrowed int32; [#"../branch_borrow_2.rs" 22 13 25 9] _8 <- ([#"../branch_borrow_2.rs" 22 13 25 9] ()); goto BB6 } BB4 { assume { resolve0 z }; assume { resolve0 y }; - [#"../branch_borrow_2.rs" 15 12 15 18] x <- { x with current = ([#"../branch_borrow_2.rs" 15 12 15 18] [#"../branch_borrow_2.rs" 15 17 15 18] (6 : int32)) ; }; - [#"../branch_borrow_2.rs" 16 12 16 17] w <- ([#"../branch_borrow_2.rs" 16 16 16 17] x); - [#"../branch_borrow_2.rs" 16 16 16 17] x <- any borrowed int32; + [#"../branch_borrow_2.rs" 15 12 15 18] x <- { x with current = ([#"../branch_borrow_2.rs" 15 17 15 18] (6 : int32)) ; }; + [#"../branch_borrow_2.rs" 16 12 16 17] w <- x; + x <- any borrowed int32; [#"../branch_borrow_2.rs" 14 13 17 9] _8 <- ([#"../branch_borrow_2.rs" 14 13 17 9] ()); goto BB6 } BB5 { assume { resolve0 z }; - [#"../branch_borrow_2.rs" 19 12 19 18] y <- { y with current = ([#"../branch_borrow_2.rs" 19 12 19 18] [#"../branch_borrow_2.rs" 19 17 19 18] (7 : int32)) ; }; + [#"../branch_borrow_2.rs" 19 12 19 18] y <- { y with current = ([#"../branch_borrow_2.rs" 19 17 19 18] (7 : int32)) ; }; [#"../branch_borrow_2.rs" 20 16 20 17] _11 <- Borrow.borrow_final ( * y) (Borrow.get_id y); [#"../branch_borrow_2.rs" 20 16 20 17] y <- { y with current = ( ^ _11) 
; }; - [#"../branch_borrow_2.rs" 20 12 20 17] w <- ([#"../branch_borrow_2.rs" 20 12 20 17] _11); - [#"../branch_borrow_2.rs" 20 12 20 17] _11 <- any borrowed int32; + [#"../branch_borrow_2.rs" 20 12 20 17] w <- _11; + _11 <- any borrowed int32; [#"../branch_borrow_2.rs" 18 13 21 9] _8 <- ([#"../branch_borrow_2.rs" 18 13 21 9] ()); goto BB6 } BB6 { - [#"../branch_borrow_2.rs" 28 4 28 10] w <- { w with current = ([#"../branch_borrow_2.rs" 28 4 28 10] [#"../branch_borrow_2.rs" 28 9 28 10] (5 : int32)) ; }; + [#"../branch_borrow_2.rs" 28 4 28 10] w <- { w with current = ([#"../branch_borrow_2.rs" 28 9 28 10] (5 : int32)) ; }; assume { resolve0 w }; assume { resolve0 z }; assume { resolve0 y }; - switch ([#"../branch_borrow_2.rs" 30 12 30 18] ([#"../branch_borrow_2.rs" 30 12 30 13] c) = ([#"../branch_borrow_2.rs" 30 17 30 18] [#"../branch_borrow_2.rs" 30 17 30 18] (5 : int32))) + [#"../branch_borrow_2.rs" 30 12 30 18] _14 <- c = ([#"../branch_borrow_2.rs" 30 17 30 18] (5 : int32)); + switch (_14) | False -> goto BB8 | True -> goto BB7 end @@ -149,6 +151,8 @@ module BranchBorrow2_G = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var a : (BranchBorrow2_MyInt_Type.t_myint, BranchBorrow2_MyInt_Type.t_myint); + var _2 : BranchBorrow2_MyInt_Type.t_myint; + var _3 : BranchBorrow2_MyInt_Type.t_myint; var b : borrowed (BranchBorrow2_MyInt_Type.t_myint, BranchBorrow2_MyInt_Type.t_myint); var c : borrowed (BranchBorrow2_MyInt_Type.t_myint); var d : borrowed (BranchBorrow2_MyInt_Type.t_myint); 
@@ -156,7 +160,11 @@ module BranchBorrow2_G goto BB0 } BB0 { - [#"../branch_borrow_2.rs" 36 16 36 37] a <- ([#"../branch_borrow_2.rs" 36 16 36 37] (([#"../branch_borrow_2.rs" 36 17 36 26] BranchBorrow2_MyInt_Type.C_MyInt ([#"../branch_borrow_2.rs" 36 23 36 25] [#"../branch_borrow_2.rs" 36 23 36 25] (10 : usize))), ([#"../branch_borrow_2.rs" 36 28 36 36] BranchBorrow2_MyInt_Type.C_MyInt ([#"../branch_borrow_2.rs" 36 34 36 35] [#"../branch_borrow_2.rs" 36 34 36 35] (5 : usize))))); + [#"../branch_borrow_2.rs" 36 17 36 26] _2 <- BranchBorrow2_MyInt_Type.C_MyInt ([#"../branch_borrow_2.rs" 36 23 36 25] (10 : usize)); + [#"../branch_borrow_2.rs" 36 28 36 36] _3 <- BranchBorrow2_MyInt_Type.C_MyInt ([#"../branch_borrow_2.rs" 36 34 36 35] (5 : usize)); + [#"../branch_borrow_2.rs" 36 16 36 37] a <- (_2, _3); + _2 <- any BranchBorrow2_MyInt_Type.t_myint; + _3 <- any BranchBorrow2_MyInt_Type.t_myint; [#"../branch_borrow_2.rs" 37 12 37 18] b <- Borrow.borrow_mut a; [#"../branch_borrow_2.rs" 37 12 37 18] a <- ^ b; [#"../branch_borrow_2.rs" 39 12 39 20] c <- Borrow.borrow_final (let (_, a) = * b in a) (Borrow.inherit_id (Borrow.get_id b) 2); 
@@ -195,32 +203,32 @@ module BranchBorrow2_H goto BB0 } BB0 { - [#"../branch_borrow_2.rs" 46 16 46 18] a <- ([#"../branch_borrow_2.rs" 46 16 46 18] [#"../branch_borrow_2.rs" 46 16 46 18] (10 : int32)); - [#"../branch_borrow_2.rs" 47 16 47 18] b <- ([#"../branch_borrow_2.rs" 47 16 47 18] [#"../branch_borrow_2.rs" 47 16 47 18] (10 : int32)); + [#"../branch_borrow_2.rs" 46 16 46 18] a <- ([#"../branch_borrow_2.rs" 46 16 46 18] (10 : int32)); + [#"../branch_borrow_2.rs" 47 16 47 18] b <- ([#"../branch_borrow_2.rs" 47 16 47 18] (10 : int32)); [#"../branch_borrow_2.rs" 49 12 49 18] x <- Borrow.borrow_mut a; [#"../branch_borrow_2.rs" 49 12 49 18] a <- ^ x; [#"../branch_borrow_2.rs" 50 12 50 18] y <- Borrow.borrow_mut b; [#"../branch_borrow_2.rs" 50 12 50 18] b <- ^ y; - switch ([#"../branch_borrow_2.rs" 52 7 52 11] [#"../branch_borrow_2.rs" 52 7 52 11] true) + switch ([#"../branch_borrow_2.rs" 52 7 52 11] true) | False -> goto BB2 | True -> goto BB1 end } BB1 { assume { resolve0 y }; - [#"../branch_borrow_2.rs" 53 8 53 14] x <- { x with current = ([#"../branch_borrow_2.rs" 53 8 53 14] [#"../branch_borrow_2.rs" 53 13 53 14] (5 : int32)) ; }; - [#"../branch_borrow_2.rs" 54 8 54 13] w <- ([#"../branch_borrow_2.rs" 54 12 54 13] x); - [#"../branch_borrow_2.rs" 54 12 54 13] x <- any borrowed int32; + [#"../branch_borrow_2.rs" 53 8 53 14] x <- { x with current = ([#"../branch_borrow_2.rs" 53 13 53 14] (5 : int32)) ; }; + [#"../branch_borrow_2.rs" 54 8 54 13] w <- x; + x <- any borrowed int32; [#"../branch_borrow_2.rs" 52 12 55 5] _6 <- ([#"../branch_borrow_2.rs" 52 12 55 5] ()); goto BB3 } BB2 { assume { resolve0 x }; - [#"../branch_borrow_2.rs" 56 8 56 14] y <- { y with current = ([#"../branch_borrow_2.rs" 56 8 56 14] [#"../branch_borrow_2.rs" 56 13 56 14] (6 : int32)) ; }; + [#"../branch_borrow_2.rs" 56 8 56 14] y <- { y with current = ([#"../branch_borrow_2.rs" 56 13 56 14] (6 : int32)) ; }; [#"../branch_borrow_2.rs" 57 12 57 13] _9 <- Borrow.borrow_final ( * y) 
(Borrow.get_id y); [#"../branch_borrow_2.rs" 57 12 57 13] y <- { y with current = ( ^ _9) ; }; - [#"../branch_borrow_2.rs" 57 8 57 13] w <- ([#"../branch_borrow_2.rs" 57 8 57 13] _9); - [#"../branch_borrow_2.rs" 57 8 57 13] _9 <- any borrowed int32; + [#"../branch_borrow_2.rs" 57 8 57 13] w <- _9; + _9 <- any borrowed int32; [#"../branch_borrow_2.rs" 55 11 60 5] _6 <- ([#"../branch_borrow_2.rs" 55 11 60 5] ()); goto BB3 } diff --git a/creusot/tests/should_succeed/lang/const.mlcfg b/creusot/tests/should_succeed/lang/const.mlcfg index a792facef9..f70cc9cd93 100644 --- a/creusot/tests/should_succeed/lang/const.mlcfg +++ b/creusot/tests/should_succeed/lang/const.mlcfg @@ -11,7 +11,7 @@ module Const_Foo goto BB0 } BB0 { - [#"../const.rs" 9 4 9 7] _0 <- ([#"../const.rs" 9 4 9 7] [#"../const.rs" 9 4 9 7] (42 : usize)); + [#"../const.rs" 9 4 9 7] _0 <- ([#"../const.rs" 9 4 9 7] (42 : usize)); return _0 } diff --git a/creusot/tests/should_succeed/lang/float_ops.mlcfg b/creusot/tests/should_succeed/lang/float_ops.mlcfg index bca734789b..fc4f2ba490 100644 --- a/creusot/tests/should_succeed/lang/float_ops.mlcfg +++ b/creusot/tests/should_succeed/lang/float_ops.mlcfg @@ -10,7 +10,7 @@ module FloatOps_Eq goto BB0 } BB0 { - [#"../float_ops.rs" 6 4 6 14] _0 <- ([#"../float_ops.rs" 6 4 6 14] ([#"../float_ops.rs" 6 4 6 7] [#"../float_ops.rs" 6 4 6 7] (1.0 : Float64.t)) .= ([#"../float_ops.rs" 6 11 6 14] [#"../float_ops.rs" 6 11 6 14] (2.0 : Float64.t))); + [#"../float_ops.rs" 6 4 6 14] _0 <- ([#"../float_ops.rs" 6 4 6 7] (1.0 : Float64.t)) .= ([#"../float_ops.rs" 6 11 6 14] (2.0 : Float64.t)); return _0 } 
@@ -26,7 +26,7 @@ module FloatOps_Lt goto BB0 } BB0 { - [#"../float_ops.rs" 11 4 11 13] _0 <- ([#"../float_ops.rs" 11 4 11 13] ([#"../float_ops.rs" 11 4 11 7] [#"../float_ops.rs" 11 4 11 7] (1.0 : Float64.t)) .< ([#"../float_ops.rs" 11 10 11 13] [#"../float_ops.rs" 11 10 11 13] (2.0 : Float64.t))); + [#"../float_ops.rs" 11 4 11 13] _0 <- ([#"../float_ops.rs" 11 4 11 7] (1.0 : Float64.t)) .< ([#"../float_ops.rs" 11 10 11 13] (2.0 : Float64.t)); return _0 } @@ -42,7 +42,7 @@ module FloatOps_Le goto BB0 } BB0 { - [#"../float_ops.rs" 16 4 16 14] _0 <- ([#"../float_ops.rs" 16 4 16 14] ([#"../float_ops.rs" 16 4 16 7] [#"../float_ops.rs" 16 4 16 7] (1.0 : Float64.t)) .<= ([#"../float_ops.rs" 16 11 16 14] [#"../float_ops.rs" 16 11 16 14] (2.0 : Float64.t))); + [#"../float_ops.rs" 16 4 16 14] _0 <- ([#"../float_ops.rs" 16 4 16 7] (1.0 : Float64.t)) .<= ([#"../float_ops.rs" 16 11 16 14] (2.0 : Float64.t)); return _0 } @@ -58,7 +58,7 @@ module FloatOps_Gt goto BB0 } BB0 { - [#"../float_ops.rs" 21 4 21 13] _0 <- ([#"../float_ops.rs" 21 4 21 13] ([#"../float_ops.rs" 21 4 21 7] [#"../float_ops.rs" 21 4 21 7] (2.0 : Float64.t)) .> ([#"../float_ops.rs" 21 10 21 13] [#"../float_ops.rs" 21 10 21 13] (1.0 : Float64.t))); + [#"../float_ops.rs" 21 4 21 13] _0 <- ([#"../float_ops.rs" 21 4 21 7] (2.0 : Float64.t)) .> ([#"../float_ops.rs" 21 10 21 13] (1.0 : Float64.t)); return _0 } @@ -74,7 +74,7 @@ module FloatOps_Ge goto BB0 } BB0 { - [#"../float_ops.rs" 26 4 26 14] _0 <- ([#"../float_ops.rs" 26 4 26 14] ([#"../float_ops.rs" 26 4 26 7] [#"../float_ops.rs" 26 4 26 7] (2.0 : Float64.t)) .>= ([#"../float_ops.rs" 26 11 26 14] [#"../float_ops.rs" 26 11 26 14] (1.0 : Float64.t))); + [#"../float_ops.rs" 26 4 26 14] _0 <- ([#"../float_ops.rs" 26 4 26 7] (2.0 : Float64.t)) .>= ([#"../float_ops.rs" 26 11 26 14] (1.0 : Float64.t)); return _0 } 
@@ -90,7 +90,7 @@ module FloatOps_Neg goto BB0 } BB0 { - [#"../float_ops.rs" 31 4 31 15] _0 <- ([#"../float_ops.rs" 31 4 31 15] ([#"../float_ops.rs" 31 4 31 8] [#"../float_ops.rs" 31 4 31 8] (-2.0 : Float64.t)) .<= ([#"../float_ops.rs" 31 12 31 15] [#"../float_ops.rs" 31 12 31 15] (1.0 : Float64.t))); + [#"../float_ops.rs" 31 4 31 15] _0 <- ([#"../float_ops.rs" 31 4 31 8] (-2.0 : Float64.t)) .<= ([#"../float_ops.rs" 31 12 31 15] (1.0 : Float64.t)); return _0 } diff --git a/creusot/tests/should_succeed/lang/literals.mlcfg b/creusot/tests/should_succeed/lang/literals.mlcfg index 5fa569fbe6..1fe4e21fa5 100644 --- a/creusot/tests/should_succeed/lang/literals.mlcfg +++ b/creusot/tests/should_succeed/lang/literals.mlcfg 
@@ -6,22 +6,27 @@ module Literals_FloatOperation = [@vc:do_not_keep_trace] [@vc:sp] var _0 : Float32.t; var x : Float32.t; + var _2 : bool; + var _3 : Float32.t; { goto BB0 } BB0 { - [#"../literals.rs" 4 17 4 20] x <- ([#"../literals.rs" 4 17 4 20] [#"../literals.rs" 4 17 4 20] (0.0 : Float32.t)); - switch ([#"../literals.rs" 6 7 6 24] ([#"../literals.rs" 6 7 6 17] ([#"../literals.rs" 6 7 6 8] x) .+ ([#"../literals.rs" 6 11 6 17] [#"../literals.rs" 6 11 6 17] (0x1.020c40000000p0 : Float32.t))) .= ([#"../literals.rs" 6 21 6 24] [#"../literals.rs" 6 21 6 24] (2.0 : Float32.t))) + [#"../literals.rs" 4 17 4 20] x <- ([#"../literals.rs" 4 17 4 20] (0.0 : Float32.t)); + [#"../literals.rs" 6 7 6 17] _3 <- x .+ ([#"../literals.rs" 6 11 6 17] (0x1.020c40000000p0 : Float32.t)); + [#"../literals.rs" 6 7 6 24] _2 <- _3 .= ([#"../literals.rs" 6 21 6 24] (2.0 : Float32.t)); + _3 <- any Float32.t; + switch (_2) | False -> goto BB2 | True -> goto BB1 end } BB1 { - [#"../literals.rs" 7 8 7 17] _0 <- ([#"../literals.rs" 7 8 7 17] ([#"../literals.rs" 7 8 7 11] [#"../literals.rs" 7 8 7 11] (3.0 : Float32.t)) .- ([#"../literals.rs" 7 14 7 17] [#"../literals.rs" 7 14 7 17] (1.0 : Float32.t))); + [#"../literals.rs" 7 8 7 17] _0 <- ([#"../literals.rs" 7 8 7 11] (3.0 : Float32.t)) .- ([#"../literals.rs" 7 14 7 17] (1.0 : Float32.t)); goto BB3 } BB2 { - [#"../literals.rs" 9 8 9 11] _0 <- ([#"../literals.rs" 9 8 9 11] [#"../literals.rs" 9 8 9 11] (0.0 : Float32.t)); + [#"../literals.rs" 9 8 9 11] _0 <- ([#"../literals.rs" 9 8 9 11] (0.0 : Float32.t)); goto BB3 } BB3 { diff --git a/creusot/tests/should_succeed/lang/module_paths.rs b/creusot/tests/should_succeed/lang/module_paths.rs index f5af6af454..3e67b9f7df 100644 --- a/creusot/tests/should_succeed/lang/module_paths.rs +++ b/creusot/tests/should_succeed/lang/module_paths.rs 
@@ -3,16 +3,16 @@ extern crate creusot_contracts;
 // Check that module paths are properly printed in MLCFG.
 mod a {
- pub struct T(u32);
+ pub struct T(pub u32);
 }
-pub struct S(a::T);
+pub struct S(pub a::T);
 mod b {
- pub struct O(u32);
+ pub struct O(pub u32);
 pub mod c {
- pub struct T(::a::T);
+ pub struct T(pub ::a::T);
 #[allow(dead_code)]
 pub struct U(super::O);
diff --git a/creusot/tests/should_succeed/lang/modules.mlcfg b/creusot/tests/should_succeed/lang/modules.mlcfg
index a353e82c30..48fb723cc2 100644
--- a/creusot/tests/should_succeed/lang/modules.mlcfg
+++ b/creusot/tests/should_succeed/lang/modules.mlcfg
@@ -23,9 +23,9 @@ module Modules_Nested_InnerFunc goto BB0 } BB0 { - [#"../modules.rs" 14 16 14 28] _2 <- ([#"../modules.rs" 14 16 14 28] Modules_Nested_Nested_Type.C_Test); + [#"../modules.rs" 14 16 14 28] _2 <- Modules_Nested_Nested_Type.C_Test; assume { resolve0 _2 }; - [#"../modules.rs" 15 8 15 12] _0 <- ([#"../modules.rs" 15 8 15 12] [#"../modules.rs" 15 8 15 12] true); + [#"../modules.rs" 15 8 15 12] _0 <- ([#"../modules.rs" 15 8 15 12] true); return _0 }
@@ -38,7 +38,7 @@ module Modules_Nested_Further_Another goto BB0 } BB0 { - [#"../modules.rs" 20 12 20 17] _0 <- ([#"../modules.rs" 20 12 20 17] [#"../modules.rs" 20 12 20 17] false); + [#"../modules.rs" 20 12 20 17] _0 <- ([#"../modules.rs" 20 12 20 17] false); return _0 }
@@ -57,11 +57,11 @@ module Modules_F goto BB0 } BB0 { - [#"../modules.rs" 26 4 26 24] _1 <- ([#"../modules.rs" 26 4 26 24] inner_func0 ()); + [#"../modules.rs" 26 4 26 24] _1 <- ([#"../modules.rs" 26 4 26 24] inner_func0 ([#"../modules.rs" 26 4 26 24] ())); goto BB1 } BB1 { - [#"../modules.rs" 28 4 28 13] _2 <- ([#"../modules.rs" 28 4 28 13] another0 ()); + [#"../modules.rs" 28 4 28 13] _2 <- ([#"../modules.rs" 28 4 28 13] another0 ([#"../modules.rs" 28 4 28 13] ())); goto BB2 } BB2 {
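Review bot: The tuple fields of `a::T`, `S`, `b::O` and `b::c::T` are widened to `pub` while `U(super::O)` keeps its private field, and nothing in the hunk says why the two cases differ, so the next reader cannot tell whether `U` was overlooked or is deliberately left private. A one-line comment next to the struct block would settle it, e.g. `// Fields are pub so their types are reachable outside this module; U is intentionally kept private.` — the reason given there is my inference and should be confirmed against what the MLCFG expectation for this test exercises. `mod b` and `pub mod c` are opened in the hunk but their closing braces lie outside it.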
diff --git a/creusot/tests/should_succeed/lang/move_path.mlcfg b/creusot/tests/should_succeed/lang/move_path.mlcfg index e475a4ed82..bef707368f 100644 --- a/creusot/tests/should_succeed/lang/move_path.mlcfg +++ b/creusot/tests/should_succeed/lang/move_path.mlcfg @@ -19,14 +19,14 @@ module MovePath_F goto BB0 } BB0 { - [#"../move_path.rs" 4 16 4 17] x <- ([#"../move_path.rs" 4 16 4 17] [#"../move_path.rs" 4 16 4 17] (1 : int32)); + [#"../move_path.rs" 4 16 4 17] x <- ([#"../move_path.rs" 4 16 4 17] (1 : int32)); [#"../move_path.rs" 6 12 6 18] y <- Borrow.borrow_mut x; [#"../move_path.rs" 6 12 6 18] x <- ^ y; - [#"../move_path.rs" 7 12 7 13] d <- ([#"../move_path.rs" 7 12 7 13] y); - [#"../move_path.rs" 7 12 7 13] y <- any borrowed int32; - [#"../move_path.rs" 8 12 8 13] z <- ([#"../move_path.rs" 8 12 8 13] d); - [#"../move_path.rs" 8 12 8 13] d <- any borrowed int32; - [#"../move_path.rs" 10 12 10 18] z <- { z with current = ([#"../move_path.rs" 10 12 10 18] [#"../move_path.rs" 10 17 10 18] (2 : int32)) ; }; + [#"../move_path.rs" 7 12 7 13] d <- y; + y <- any borrowed int32; + [#"../move_path.rs" 8 12 8 13] z <- d; + d <- any borrowed int32; + [#"../move_path.rs" 10 12 10 18] z <- { z with current = ([#"../move_path.rs" 10 17 10 18] (2 : int32)) ; }; assume { resolve0 z }; [#"../move_path.rs" 3 11 15 1] _0 <- ([#"../move_path.rs" 3 11 15 1] ()); return _0 diff --git a/creusot/tests/should_succeed/lang/multiple_scopes.mlcfg b/creusot/tests/should_succeed/lang/multiple_scopes.mlcfg index 6ad2202d29..6c2c0f432b 100644 --- a/creusot/tests/should_succeed/lang/multiple_scopes.mlcfg +++ b/creusot/tests/should_succeed/lang/multiple_scopes.mlcfg 
@@ -13,10 +13,10 @@ module MultipleScopes_MultipleScopes goto BB0 } BB0 { - [#"../multiple_scopes.rs" 5 17 5 18] _x <- ([#"../multiple_scopes.rs" 5 17 5 18] [#"../multiple_scopes.rs" 5 17 5 18] (1 : int32)); - [#"../multiple_scopes.rs" 6 13 6 14] _y <- ([#"../multiple_scopes.rs" 6 13 6 14] [#"../multiple_scopes.rs" 6 13 6 14] (2 : int32)); - [#"../multiple_scopes.rs" 8 17 8 18] _y1 <- ([#"../multiple_scopes.rs" 8 17 8 18] [#"../multiple_scopes.rs" 8 17 8 18] (3 : int32)); - [#"../multiple_scopes.rs" 9 8 9 15] _x <- ([#"../multiple_scopes.rs" 9 13 9 15] _y1); + [#"../multiple_scopes.rs" 5 17 5 18] _x <- ([#"../multiple_scopes.rs" 5 17 5 18] (1 : int32)); + [#"../multiple_scopes.rs" 6 13 6 14] _y <- ([#"../multiple_scopes.rs" 6 13 6 14] (2 : int32)); + [#"../multiple_scopes.rs" 8 17 8 18] _y1 <- ([#"../multiple_scopes.rs" 8 17 8 18] (3 : int32)); + [#"../multiple_scopes.rs" 9 8 9 15] _x <- _y1; [#"../multiple_scopes.rs" 7 4 10 5] _0 <- ([#"../multiple_scopes.rs" 7 4 10 5] ()); return _0 } diff --git a/creusot/tests/should_succeed/lang/promoted_constants.mlcfg b/creusot/tests/should_succeed/lang/promoted_constants.mlcfg index 2260f05bc5..e80da6757c 100644 --- a/creusot/tests/should_succeed/lang/promoted_constants.mlcfg +++ b/creusot/tests/should_succeed/lang/promoted_constants.mlcfg 
@@ -22,10 +22,10 @@ module PromotedConstants_PromotedNone use prelude.Int let constant promoted0 [#"../promoted_constants.rs" 3 0 3 22] : Core_Option_Option_Type.t_option int32 = [@vc:do_not_keep_trace] [@vc:sp] - let _1 = [#"../promoted_constants.rs" 6 23 6 31] Core_Option_Option_Type.C_Some ([#"../promoted_constants.rs" 6 28 6 30] [#"../promoted_constants.rs" 6 28 6 30] (43 : int32)) in let _0 = [#"../promoted_constants.rs" 6 22 6 31] _1 in _0 + let _1 = Core_Option_Option_Type.C_Some ([#"../promoted_constants.rs" 6 28 6 30] (43 : int32)) in let _0 = _1 in _0 let constant promoted1 [#"../promoted_constants.rs" 3 0 3 22] : Core_Option_Option_Type.t_option int32 = [@vc:do_not_keep_trace] [@vc:sp] - let _1 = [#"../promoted_constants.rs" 6 12 6 20] Core_Option_Option_Type.C_Some ([#"../promoted_constants.rs" 6 17 6 19] [#"../promoted_constants.rs" 6 17 6 19] (42 : int32)) in let _0 = [#"../promoted_constants.rs" 6 11 6 20] _1 in _0 + let _1 = Core_Option_Option_Type.C_Some ([#"../promoted_constants.rs" 6 17 6 19] (42 : int32)) in let _0 = _1 in _0 let rec cfg promoted_none [#"../promoted_constants.rs" 3 0 3 22] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -38,10 +38,10 @@ module PromotedConstants_PromotedNone goto BB0 } BB0 { - [#"../promoted_constants.rs" 4 14 4 21] _ix <- ([#"../promoted_constants.rs" 4 14 4 21] Core_Option_Option_Type.C_Some ([#"../promoted_constants.rs" 4 19 4 20] [#"../promoted_constants.rs" 4 19 4 20] (0 : int32))); - [#"../promoted_constants.rs" 6 11 6 20] _11 <- ([#"../promoted_constants.rs" 6 11 6 20] [#"../promoted_constants.rs" 6 11 6 20] promoted1); - [#"../promoted_constants.rs" 6 22 6 31] _10 <- ([#"../promoted_constants.rs" 6 22 6 31] [#"../promoted_constants.rs" 6 22 6 31] promoted0); - [#"../promoted_constants.rs" 6 10 6 32] _2 <- ([#"../promoted_constants.rs" 6 10 6 32] (([#"../promoted_constants.rs" 6 11 6 20] _11), ([#"../promoted_constants.rs" 6 22 6 31] _10))); + [#"../promoted_constants.rs" 4 14 4 21] _ix <- Core_Option_Option_Type.C_Some ([#"../promoted_constants.rs" 4 19 4 20] (0 : int32)); + [#"../promoted_constants.rs" 6 11 6 20] _11 <- ([#"../promoted_constants.rs" 6 11 6 20] promoted1); + [#"../promoted_constants.rs" 6 22 6 31] _10 <- ([#"../promoted_constants.rs" 6 22 6 31] promoted0); + [#"../promoted_constants.rs" 6 10 6 32] _2 <- (_11, _10); switch (let (a, _) = _2 in a) | Core_Option_Option_Type.C_None -> goto BB1 | _ -> goto BB6 @@ -58,7 +58,7 @@ module PromotedConstants_PromotedNone goto BB4 } BB3 { - [#"../promoted_constants.rs" 8 13 8 15] _0 <- ([#"../promoted_constants.rs" 8 13 8 15] ()); + [#"../promoted_constants.rs" 8 13 8 15] _0 <- (); return _0 } BB4 { 
@@ -76,20 +76,22 @@ module PromotedConstants_PromotedInt use prelude.Int32 use prelude.Int let constant promoted0 [#"../promoted_constants.rs" 12 0 12 21] : int32 = [@vc:do_not_keep_trace] [@vc:sp] - let _2 = [#"../promoted_constants.rs" 13 15 13 20] ([#"../promoted_constants.rs" 13 15 13 16] [#"../promoted_constants.rs" 13 15 13 16] (1 : int32)) + ([#"../promoted_constants.rs" 13 19 13 20] [#"../promoted_constants.rs" 13 19 13 20] (5 : int32)) in let _1 = [#"../promoted_constants.rs" 13 14 13 26] _2 + ([#"../promoted_constants.rs" 13 23 13 25] [#"../promoted_constants.rs" 13 23 13 25] (10 : int32)) in let _2 = any int32 in let _0 = [#"../promoted_constants.rs" 13 13 13 26] _1 in _0 + let _2 = ([#"../promoted_constants.rs" 13 15 13 16] (1 : int32)) + ([#"../promoted_constants.rs" 13 19 13 20] (5 : int32)) in let _1 = _2 + ([#"../promoted_constants.rs" 13 23 13 25] (10 : int32)) in let _2 = any int32 in let _0 = _1 in _0 let rec cfg promoted_int [#"../promoted_constants.rs" 12 0 12 21] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var ix : int32; + var _4 : bool; var _9 : int32; { goto BB0 } BB0 { - [#"../promoted_constants.rs" 13 13 13 26] _9 <- ([#"../promoted_constants.rs" 13 13 13 26] [#"../promoted_constants.rs" 13 13 13 26] promoted0); - [#"../promoted_constants.rs" 13 13 13 26] ix <- ([#"../promoted_constants.rs" 13 13 13 26] _9); - switch ([#"../promoted_constants.rs" 15 7 15 16] ([#"../promoted_constants.rs" 15 7 15 10] ix) <> ([#"../promoted_constants.rs" 15 14 15 16] [#"../promoted_constants.rs" 15 14 15 16] (16 : int32))) + [#"../promoted_constants.rs" 13 13 13 26] _9 <- ([#"../promoted_constants.rs" 13 13 13 26] promoted0); + [#"../promoted_constants.rs" 13 13 13 26] ix <- _9; + [#"../promoted_constants.rs" 15 7 15 16] _4 <- ix <> ([#"../promoted_constants.rs" 15 14 15 16] (16 : int32)); + switch (_4) | False -> goto BB2 | True -> goto BB1 end 
@@ -122,12 +124,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type @@ -180,7 +188,7 @@ module PromotedConstants_Str goto BB0 } BB0 { - [#"../promoted_constants.rs" 23 13 23 115] _s <- ([#"../promoted_constants.rs" 23 13 23 115] [#"../promoted_constants.rs" 23 13 23 115] "1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"); + [#"../promoted_constants.rs" 23 13 23 115] _s <- ([#"../promoted_constants.rs" 23 13 23 115] "1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"); [#"../promoted_constants.rs" 22 13 24 1] _0 <- ([#"../promoted_constants.rs" 22 13 24 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/lang/unary_op.mlcfg b/creusot/tests/should_succeed/lang/unary_op.mlcfg index fc10b391f0..af4775f8ec 100644 --- a/creusot/tests/should_succeed/lang/unary_op.mlcfg +++ b/creusot/tests/should_succeed/lang/unary_op.mlcfg @@ -7,7 +7,7 @@ module UnaryOp_F goto BB0 } BB0 { - switch ([#"../unary_op.rs" 5 13 5 18] [#"../unary_op.rs" 5 13 5 18] false) + switch ([#"../unary_op.rs" 5 13 5 18] false) | False -> goto BB2 | True -> goto BB1 end diff --git a/creusot/tests/should_succeed/lang/while_let.mlcfg b/creusot/tests/should_succeed/lang/while_let.mlcfg index 2dc03fce6d..3afe3d7cdd 100644 --- a/creusot/tests/should_succeed/lang/while_let.mlcfg 
+++ b/creusot/tests/should_succeed/lang/while_let.mlcfg @@ -20,11 +20,12 @@ module WhileLet_F var _0 : (); var a : Core_Option_Option_Type.t_option int32; var b : borrowed (Core_Option_Option_Type.t_option int32); + var _6 : Core_Option_Option_Type.t_option int32; { goto BB0 } BB0 { - [#"../while_let.rs" 5 16 5 24] a <- ([#"../while_let.rs" 5 16 5 24] Core_Option_Option_Type.C_Some ([#"../while_let.rs" 5 21 5 23] [#"../while_let.rs" 5 21 5 23] (10 : int32))); + [#"../while_let.rs" 5 16 5 24] a <- Core_Option_Option_Type.C_Some ([#"../while_let.rs" 5 21 5 23] (10 : int32)); [#"../while_let.rs" 6 12 6 18] b <- Borrow.borrow_mut a; [#"../while_let.rs" 6 12 6 18] a <- ^ b; goto BB1 @@ -43,7 +44,9 @@ module WhileLet_F goto BB4 } BB4 { - [#"../while_let.rs" 10 8 10 17] b <- { b with current = ([#"../while_let.rs" 10 13 10 17] Core_Option_Option_Type.C_None) ; }; + [#"../while_let.rs" 10 13 10 17] _6 <- Core_Option_Option_Type.C_None; + [#"../while_let.rs" 10 8 10 17] b <- { b with current = _6 ; }; + _6 <- any Core_Option_Option_Type.t_option int32; goto BB1 } BB5 { diff --git a/creusot/tests/should_succeed/list_index_mut.mlcfg b/creusot/tests/should_succeed/list_index_mut.mlcfg index f155d60de8..65d38ff2f1 100644 --- a/creusot/tests/should_succeed/list_index_mut.mlcfg +++ b/creusot/tests/should_succeed/list_index_mut.mlcfg @@ -57,7 +57,7 @@ module ListIndexMut_IndexMut axiom inv0 : forall x : borrowed (Core_Option_Option_Type.t_option (ListIndexMut_List_Type.t_list)) . inv0 x = true use prelude.UInt32 use prelude.UIntSize - use prelude.Ghost + use prelude.Snapshot predicate resolve2 (self : borrowed (ListIndexMut_List_Type.t_list)) = [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve2 (self : borrowed (ListIndexMut_List_Type.t_list)) : bool 
@@ -71,7 +71,8 @@ module ListIndexMut_IndexMut val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (ListIndexMut_List_Type.t_list))) : Core_Option_Option_Type.t_option (borrowed (ListIndexMut_List_Type.t_list)) requires {inv0 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (ListIndexMut_List_Type.t_list) . inv1 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv2 result } @@ -92,13 +93,13 @@ module ListIndexMut_IndexMut val shallow_model2 (self : usize) : int ensures { result = shallow_model2 self } - use prelude.Ghost - function shallow_model1 (self : Ghost.ghost_ty usize) : int = - [#"../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model2 (Ghost.inner self) - val shallow_model1 (self : Ghost.ghost_ty usize) : int + use prelude.Snapshot + function shallow_model1 (self : Snapshot.snap_ty usize) : int = + [#"../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model2 (Snapshot.inner self) + val shallow_model1 (self : Snapshot.snap_ty usize) : int ensures { result = shallow_model1 self } - use prelude.Ghost + use prelude.Snapshot use prelude.Int function get0 [#"../list_index_mut.rs" 18 4 18 46] (self : ListIndexMut_List_Type.t_list) (ix : int) : Core_Option_Option_Type.t_option uint32 
@@ -122,22 +123,24 @@ module ListIndexMut_IndexMut val len0 [#"../list_index_mut.rs" 7 4 7 29] (self : ListIndexMut_List_Type.t_list) : int ensures { result = len0 self } - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot let rec cfg index_mut [#"../list_index_mut.rs" 37 0 37 61] [@cfg:stackify] [@cfg:subregion_analysis] (l : borrowed (ListIndexMut_List_Type.t_list)) (ix : usize) : borrowed uint32 requires {[#"../list_index_mut.rs" 32 11 32 24] UIntSize.to_int ix < len0 ( * l)} ensures { [#"../list_index_mut.rs" 33 10 33 37] Core_Option_Option_Type.C_Some ( * result) = get0 ( * l) (UIntSize.to_int ix) } ensures { [#"../list_index_mut.rs" 34 10 34 40] Core_Option_Option_Type.C_Some ( ^ result) = get0 ( ^ l) (UIntSize.to_int ix) } ensures { [#"../list_index_mut.rs" 35 10 35 34] len0 ( ^ l) = len0 ( * l) } - ensures { [#"../list_index_mut.rs" 36 0 36 87] forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix -> get0 ( * l) i = get0 ( ^ l) i } + ensures { [#"../list_index_mut.rs" 36 0 36 87] forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix + -> get0 ( * l) i = get0 ( ^ l) i } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : borrowed uint32; var l : borrowed (ListIndexMut_List_Type.t_list) = l; var ix : usize = ix; var _3 : borrowed uint32; - var old_l : Ghost.ghost_ty (borrowed (ListIndexMut_List_Type.t_list)); - var old_ix : Ghost.ghost_ty usize; + var old_l : Snapshot.snap_ty (borrowed (ListIndexMut_List_Type.t_list)); + var old_ix : Snapshot.snap_ty usize; + var _20 : bool; var _22 : borrowed (ListIndexMut_List_Type.t_list); var _23 : borrowed (ListIndexMut_List_Type.t_list); var _24 : Core_Option_Option_Type.t_option (borrowed (ListIndexMut_List_Type.t_list)); 
@@ -147,11 +150,11 @@ module ListIndexMut_IndexMut goto BB0 } BB0 { - [#"../list_index_mut.rs" 38 16 38 25] old_l <- ([#"../list_index_mut.rs" 38 16 38 25] Ghost.new l); + [#"../list_index_mut.rs" 38 16 38 31] old_l <- ([#"../list_index_mut.rs" 38 16 38 31] Snapshot.new l); goto BB1 } BB1 { - [#"../list_index_mut.rs" 39 17 39 27] old_ix <- ([#"../list_index_mut.rs" 39 17 39 27] Ghost.new ix); + [#"../list_index_mut.rs" 39 17 39 33] old_ix <- ([#"../list_index_mut.rs" 39 17 39 33] Snapshot.new ix); goto BB2 } BB2 { 
@@ -159,14 +162,19 @@ module ListIndexMut_IndexMut } BB3 { invariant { [#"../list_index_mut.rs" 40 16 40 45] (0 : usize) <= ix /\ UIntSize.to_int ix < len0 ( * l) }; - invariant { [#"../list_index_mut.rs" 41 16 41 52] get0 ( * l) (UIntSize.to_int ix) = get0 ( * Ghost.inner old_l) (shallow_model1 old_ix) }; - invariant { [#"../list_index_mut.rs" 42 16 42 55] get0 ( ^ l) (UIntSize.to_int ix) = get0 ( ^ Ghost.inner old_l) (shallow_model1 old_ix) }; - invariant { [#"../list_index_mut.rs" 40 4 40 47] len0 ( ^ l) = len0 ( * l) -> len0 ( ^ Ghost.inner old_l) = len0 ( * Ghost.inner old_l) }; - invariant { [#"../list_index_mut.rs" 40 4 40 47] (forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix -> get0 ( ^ l) i = get0 ( * l) i) -> (forall i : int . 0 <= i /\ i < len0 ( * Ghost.inner old_l) /\ i <> shallow_model1 old_ix -> get0 ( ^ Ghost.inner old_l) i = get0 ( * Ghost.inner old_l) i) }; + invariant { [#"../list_index_mut.rs" 41 16 41 52] get0 ( * l) (UIntSize.to_int ix) = get0 ( * Snapshot.inner old_l) (shallow_model1 old_ix) }; + invariant { [#"../list_index_mut.rs" 42 16 42 55] get0 ( ^ l) (UIntSize.to_int ix) = get0 ( ^ Snapshot.inner old_l) (shallow_model1 old_ix) }; + invariant { [#"../list_index_mut.rs" 40 4 40 47] len0 ( ^ l) = len0 ( * l) + -> len0 ( ^ Snapshot.inner old_l) = len0 ( * Snapshot.inner old_l) }; + invariant { [#"../list_index_mut.rs" 40 4 40 47] (forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix + -> get0 ( ^ l) i = get0 ( * l) i) + -> (forall i : int . 
0 <= i /\ i < len0 ( * Snapshot.inner old_l) /\ i <> shallow_model1 old_ix + -> get0 ( ^ Snapshot.inner old_l) i = get0 ( * Snapshot.inner old_l) i) }; goto BB4 } BB4 { - switch ([#"../list_index_mut.rs" 49 10 49 16] ([#"../list_index_mut.rs" 49 10 49 12] ix) > ([#"../list_index_mut.rs" 49 15 49 16] [#"../list_index_mut.rs" 49 15 49 16] (0 : usize))) + [#"../list_index_mut.rs" 49 10 49 16] _20 <- ix > ([#"../list_index_mut.rs" 49 15 49 16] (0 : usize)); + switch (_20) | False -> goto BB8 | True -> goto BB5 end @@ -187,10 +195,10 @@ module ListIndexMut_IndexMut [#"../list_index_mut.rs" 50 12 50 33] _22 <- Borrow.borrow_mut ( * _23); [#"../list_index_mut.rs" 50 12 50 33] _23 <- { _23 with current = ( ^ _22) ; }; assume { resolve1 l }; - [#"../list_index_mut.rs" 50 8 50 33] l <- ([#"../list_index_mut.rs" 50 8 50 33] _22); - [#"../list_index_mut.rs" 50 8 50 33] _22 <- any borrowed (ListIndexMut_List_Type.t_list); + [#"../list_index_mut.rs" 50 8 50 33] l <- _22; + _22 <- any borrowed (ListIndexMut_List_Type.t_list); assume { resolve2 _23 }; - [#"../list_index_mut.rs" 52 8 52 15] ix <- ([#"../list_index_mut.rs" 52 8 52 15] ix - ([#"../list_index_mut.rs" 52 14 52 15] [#"../list_index_mut.rs" 52 14 52 15] (1 : usize))); + [#"../list_index_mut.rs" 52 8 52 15] ix <- ix - ([#"../list_index_mut.rs" 52 14 52 15] (1 : usize)); goto BB3 } BB8 { 
@@ -252,13 +260,15 @@ module ListIndexMut_Write ensures { [#"../list_index_mut.rs" 33 10 33 37] Core_Option_Option_Type.C_Some ( * result) = get0 ( * l) (UIntSize.to_int ix) } ensures { [#"../list_index_mut.rs" 34 10 34 40] Core_Option_Option_Type.C_Some ( ^ result) = get0 ( ^ l) (UIntSize.to_int ix) } ensures { [#"../list_index_mut.rs" 35 10 35 34] len0 ( ^ l) = len0 ( * l) } - ensures { [#"../list_index_mut.rs" 36 0 36 87] forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix -> get0 ( * l) i = get0 ( ^ l) i } + ensures { [#"../list_index_mut.rs" 36 0 36 87] forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix + -> get0 ( * l) i = get0 ( ^ l) i } let rec cfg write [#"../list_index_mut.rs" 63 0 63 45] [@cfg:stackify] [@cfg:subregion_analysis] (l : borrowed (ListIndexMut_List_Type.t_list)) (ix : usize) (v : uint32) : () requires {[#"../list_index_mut.rs" 59 11 59 24] UIntSize.to_int ix < len0 ( * l)} ensures { [#"../list_index_mut.rs" 60 10 60 34] Core_Option_Option_Type.C_Some v = get0 ( ^ l) (UIntSize.to_int ix) } ensures { [#"../list_index_mut.rs" 61 10 61 31] len0 ( ^ l) = len0 ( * l) } - ensures { [#"../list_index_mut.rs" 62 0 62 87] forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix -> get0 ( * l) i = get0 ( ^ l) i } + ensures { [#"../list_index_mut.rs" 62 0 62 87] forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix + -> get0 ( * l) i = get0 ( ^ l) i } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); 
@@ -273,12 +283,12 @@ module ListIndexMut_Write BB0 { [#"../list_index_mut.rs" 64 15 64 16] _10 <- Borrow.borrow_final ( * l) (Borrow.get_id l); [#"../list_index_mut.rs" 64 15 64 16] l <- { l with current = ( ^ _10) ; }; - [#"../list_index_mut.rs" 64 5 64 21] _9 <- ([#"../list_index_mut.rs" 64 5 64 21] index_mut0 _10 ([#"../list_index_mut.rs" 64 18 64 20] ix)); + [#"../list_index_mut.rs" 64 5 64 21] _9 <- ([#"../list_index_mut.rs" 64 5 64 21] index_mut0 _10 ix); _10 <- any borrowed (ListIndexMut_List_Type.t_list); goto BB1 } BB1 { - [#"../list_index_mut.rs" 64 4 64 25] _9 <- { _9 with current = ([#"../list_index_mut.rs" 64 24 64 25] v) ; }; + [#"../list_index_mut.rs" 64 4 64 25] _9 <- { _9 with current = v ; }; assume { resolve0 _9 }; assume { resolve1 l }; [#"../list_index_mut.rs" 63 46 65 1] _0 <- ([#"../list_index_mut.rs" 63 46 65 1] ()); @@ -325,12 +335,16 @@ module ListIndexMut_F requires {[#"../list_index_mut.rs" 59 11 59 24] UIntSize.to_int ix < len0 ( * l)} ensures { [#"../list_index_mut.rs" 60 10 60 34] Core_Option_Option_Type.C_Some v = get0 ( ^ l) (UIntSize.to_int ix) } ensures { [#"../list_index_mut.rs" 61 10 61 31] len0 ( ^ l) = len0 ( * l) } - ensures { [#"../list_index_mut.rs" 62 0 62 87] forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix -> get0 ( * l) i = get0 ( ^ l) i } + ensures { [#"../list_index_mut.rs" 62 0 62 87] forall i : int . 0 <= i /\ i < len0 ( * l) /\ i <> UIntSize.to_int ix + -> get0 ( * l) i = get0 ( ^ l) i } let rec cfg f [#"../list_index_mut.rs" 67 0 67 10] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var l : ListIndexMut_List_Type.t_list; + var _2 : Core_Option_Option_Type.t_option (ListIndexMut_List_Type.t_list); + var _4 : ListIndexMut_List_Type.t_list; + var _5 : Core_Option_Option_Type.t_option (ListIndexMut_List_Type.t_list); var _6 : (); var _7 : borrowed (ListIndexMut_List_Type.t_list); var _8 : borrowed (ListIndexMut_List_Type.t_list); 
@@ -338,16 +352,22 @@ module ListIndexMut_F goto BB0 } BB0 { + [#"../list_index_mut.rs" 68 47 68 51] _5 <- Core_Option_Option_Type.C_None; + [#"../list_index_mut.rs" 68 38 68 52] _4 <- ListIndexMut_List_Type.C_List ([#"../list_index_mut.rs" 68 43 68 45] (10 : uint32)) _5; + _5 <- any Core_Option_Option_Type.t_option (ListIndexMut_List_Type.t_list); goto BB1 } BB1 { goto BB2 } BB2 { + [#"../list_index_mut.rs" 68 24 68 54] _2 <- Core_Option_Option_Type.C_Some _4; + _4 <- any ListIndexMut_List_Type.t_list; goto BB3 } BB3 { - [#"../list_index_mut.rs" 68 16 68 55] l <- ([#"../list_index_mut.rs" 68 16 68 55] ListIndexMut_List_Type.C_List ([#"../list_index_mut.rs" 68 21 68 22] [#"../list_index_mut.rs" 68 21 68 22] (1 : uint32)) ([#"../list_index_mut.rs" 68 24 68 54] Core_Option_Option_Type.C_Some ([#"../list_index_mut.rs" 68 38 68 52] ListIndexMut_List_Type.C_List ([#"../list_index_mut.rs" 68 43 68 45] [#"../list_index_mut.rs" 68 43 68 45] (10 : uint32)) ([#"../list_index_mut.rs" 68 47 68 51] Core_Option_Option_Type.C_None)))); + [#"../list_index_mut.rs" 68 16 68 55] l <- ListIndexMut_List_Type.C_List ([#"../list_index_mut.rs" 68 21 68 22] (1 : uint32)) _2; + _2 <- any Core_Option_Option_Type.t_option (ListIndexMut_List_Type.t_list); goto BB4 } BB4 { 
@@ -355,7 +375,7 @@ module ListIndexMut_F [#"../list_index_mut.rs" 69 10 69 16] l <- ^ _8; [#"../list_index_mut.rs" 69 10 69 16] _7 <- Borrow.borrow_final ( * _8) (Borrow.get_id _8); [#"../list_index_mut.rs" 69 10 69 16] _8 <- { _8 with current = ( ^ _7) ; }; - [#"../list_index_mut.rs" 69 4 69 23] _6 <- ([#"../list_index_mut.rs" 69 4 69 23] write0 _7 ([#"../list_index_mut.rs" 69 18 69 19] [#"../list_index_mut.rs" 69 18 69 19] (0 : usize)) ([#"../list_index_mut.rs" 69 21 69 22] [#"../list_index_mut.rs" 69 21 69 22] (2 : uint32))); + [#"../list_index_mut.rs" 69 4 69 23] _6 <- ([#"../list_index_mut.rs" 69 4 69 23] write0 _7 ([#"../list_index_mut.rs" 69 18 69 19] (0 : usize)) ([#"../list_index_mut.rs" 69 21 69 22] (2 : uint32))); _7 <- any borrowed (ListIndexMut_List_Type.t_list); goto BB5 } diff --git a/creusot/tests/should_succeed/list_index_mut.rs b/creusot/tests/should_succeed/list_index_mut.rs index 9291581962..ddf3a8a26b 100644 --- a/creusot/tests/should_succeed/list_index_mut.rs +++ b/creusot/tests/should_succeed/list_index_mut.rs @@ -3,7 +3,7 @@ use creusot_contracts::{logic::Int, *}; pub struct List(u32, Option>); impl List { - #[ghost] + #[logic] fn len(self: List) -> Int { { let List(_, ls) = self; @@ -14,7 +14,7 @@ impl List { } } - #[ghost] + #[logic] fn get(self: List, ix: Int) -> Option { { let List(i, ls) = self; @@ -35,8 +35,8 @@ impl List { #[ensures((^l).len() == (*l).len())] #[ensures(forall 0 <= i && i < l.len() && i != ix@ ==> l.get(i) == (^l).get(i))] pub fn index_mut(mut l: &mut List, mut ix: usize) -> &mut u32 { - let old_l = gh! { l }; - let old_ix = gh! { ix }; + let old_l = snapshot! { l }; + let old_ix = snapshot! { ix }; #[invariant(0usize <= ix && ix@ < l.len())] #[invariant(l.get(ix@) == (**old_l).get(old_ix@))] #[invariant((^l).get(ix@) == (^*old_l).get(old_ix@))] diff --git a/creusot/tests/should_succeed/list_index_mut/why3session.xml b/creusot/tests/should_succeed/list_index_mut/why3session.xml index 7236aee344..a7d03fcecf 100644 
--- a/creusot/tests/should_succeed/list_index_mut/why3session.xml +++ b/creusot/tests/should_succeed/list_index_mut/why3session.xml @@ -7,7 +7,7 @@ - + @@ -17,7 +17,7 @@ - + diff --git a/creusot/tests/should_succeed/list_index_mut/why3shapes.gz b/creusot/tests/should_succeed/list_index_mut/why3shapes.gz index 53c1b2df37..623415d584 100644 Binary files a/creusot/tests/should_succeed/list_index_mut/why3shapes.gz and b/creusot/tests/should_succeed/list_index_mut/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/list_reversal_lasso.mlcfg b/creusot/tests/should_succeed/list_reversal_lasso.mlcfg index e4af5ca7b0..258d82e4a4 100644 --- a/creusot/tests/should_succeed/list_reversal_lasso.mlcfg +++ b/creusot/tests/should_succeed/list_reversal_lasso.mlcfg @@ -17,12 +17,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
@@ -81,7 +87,8 @@ module ListReversalLasso_Impl1_Index requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv4 (shallow_model1 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -179,12 +186,12 @@ module ListReversalLasso_Impl1_Index goto BB0 } BB0 { - [#"../list_reversal_lasso.rs" 31 15 31 18] _6 <- ([#"../list_reversal_lasso.rs" 31 15 31 18] index0 ([#"../list_reversal_lasso.rs" 31 9 31 15] ListReversalLasso_Memory_Type.memory_0 self) ([#"../list_reversal_lasso.rs" 31 16 31 17] i)); + [#"../list_reversal_lasso.rs" 31 15 31 18] _6 <- ([#"../list_reversal_lasso.rs" 31 15 31 18] index0 (ListReversalLasso_Memory_Type.memory_0 self) i); goto BB1 } BB1 { - [#"../list_reversal_lasso.rs" 31 8 31 18] _5 <- ([#"../list_reversal_lasso.rs" 31 8 31 18] _6); - [#"../list_reversal_lasso.rs" 31 8 31 18] _0 <- ([#"../list_reversal_lasso.rs" 31 8 31 18] _5); + [#"../list_reversal_lasso.rs" 31 8 31 18] _5 <- _6; + [#"../list_reversal_lasso.rs" 31 8 31 18] _0 <- _5; return _0 } 
@@ -218,7 +225,8 @@ module ListReversalLasso_Impl2_IndexMut requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv4 (shallow_model0 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool @@ -291,7 +299,8 @@ module ListReversalLasso_Impl2_IndexMut use prelude.Slice predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq usize) (fin : Seq.seq usize) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq usize) (fin : Seq.seq usize) : bool ensures { result = resolve_elswhere0 self old' fin } 
@@ -327,7 +336,8 @@ module ListReversalLasso_Impl2_IndexMut ensures { [#"../list_reversal_lasso.rs" 37 14 37 47] * result = index_logic0 ( * self) i } ensures { [#"../list_reversal_lasso.rs" 38 14 38 47] ^ result = index_logic0 ( ^ self) i } ensures { [#"../list_reversal_lasso.rs" 39 14 39 47] Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 ( * self))) = Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 ( ^ self))) } - ensures { [#"../list_reversal_lasso.rs" 40 4 40 113] forall j : usize . nonnull_ptr0 ( * self) j /\ i <> j -> index_logic0 ( ^ self) j = index_logic0 ( * self) j } + ensures { [#"../list_reversal_lasso.rs" 40 4 40 113] forall j : usize . nonnull_ptr0 ( * self) j /\ i <> j + -> index_logic0 ( ^ self) j = index_logic0 ( * self) j } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : borrowed usize; @@ -343,7 +353,7 @@ module ListReversalLasso_Impl2_IndexMut BB0 { [#"../list_reversal_lasso.rs" 42 13 42 19] _11 <- Borrow.borrow_final (ListReversalLasso_Memory_Type.memory_0 ( * self)) (Borrow.inherit_id (Borrow.get_id self) 1); [#"../list_reversal_lasso.rs" 42 13 42 19] self <- { self with current = (let ListReversalLasso_Memory_Type.C_Memory x0 = * self in ListReversalLasso_Memory_Type.C_Memory ( ^ _11)) ; }; - [#"../list_reversal_lasso.rs" 42 19 42 22] _10 <- ([#"../list_reversal_lasso.rs" 42 19 42 22] index_mut0 _11 ([#"../list_reversal_lasso.rs" 42 20 42 21] i)); + [#"../list_reversal_lasso.rs" 42 19 42 22] _10 <- ([#"../list_reversal_lasso.rs" 42 19 42 22] index_mut0 _11 i); _11 <- any borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)); goto BB1 } 
@@ -391,7 +401,8 @@ module ListReversalLasso_Impl4_ListReversalSafe requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -432,7 +443,8 @@ module ListReversalLasso_Impl4_ListReversalSafe ensures { [#"../list_reversal_lasso.rs" 37 14 37 47] * result = index_logic0 ( * self) i } ensures { [#"../list_reversal_lasso.rs" 38 14 38 47] ^ result = index_logic0 ( ^ self) i } ensures { [#"../list_reversal_lasso.rs" 39 14 39 47] Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 ( * self))) = Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 ( ^ self))) } - ensures { [#"../list_reversal_lasso.rs" 40 4 40 113] forall j : usize . nonnull_ptr0 ( * self) j /\ i <> j -> index_logic0 ( ^ self) j = index_logic0 ( * self) j } + ensures { [#"../list_reversal_lasso.rs" 40 4 40 113] forall j : usize . nonnull_ptr0 ( * self) j /\ i <> j + -> index_logic0 ( ^ self) j = index_logic0 ( * self) j } val index0 [#"../list_reversal_lasso.rs" 30 4 30 35] (self : ListReversalLasso_Memory_Type.t_memory) (i : usize) : usize requires {[#"../list_reversal_lasso.rs" 28 15 28 34] nonnull_ptr0 self i} @@ -444,11 +456,12 @@ module ListReversalLasso_Impl4_ListReversalSafe ensures { result = resolve0 self } let constant null0 [#"../list_reversal_lasso.rs" 13 0 13 15] : usize = [@vc:do_not_keep_trace] [@vc:sp] - [#"../list_reversal_lasso.rs" 13 0 13 15] [#"../list_reversal_lasso.rs" 13 0 13 15] (18446744073709551615 : usize) + [#"../list_reversal_lasso.rs" 13 0 13 15] (18446744073709551615 : usize) predicate mem_is_well_formed0 [#"../list_reversal_lasso.rs" 55 4 55 43] (self : ListReversalLasso_Memory_Type.t_memory) = - [#"../list_reversal_lasso.rs" 56 8 58 9] forall i : usize . nonnull_ptr0 self i -> index_logic0 self i = null0 \/ nonnull_ptr0 self (index_logic0 self i) + [#"../list_reversal_lasso.rs" 56 8 58 9] forall i : usize . nonnull_ptr0 self i + -> index_logic0 self i = null0 \/ nonnull_ptr0 self (index_logic0 self i) val mem_is_well_formed0 [#"../list_reversal_lasso.rs" 55 4 55 43] (self : ListReversalLasso_Memory_Type.t_memory) : bool ensures { result = mem_is_well_formed0 self } 
@@ -461,6 +474,7 @@ module ListReversalLasso_Impl4_ListReversalSafe var self : borrowed (ListReversalLasso_Memory_Type.t_memory) = self; var l : usize = l; var r : usize; + var _12 : bool; var tmp : usize; var _16 : usize; var _20 : borrowed usize; @@ -469,7 +483,7 @@ module ListReversalLasso_Impl4_ListReversalSafe goto BB0 } BB0 { - [#"../list_reversal_lasso.rs" 66 20 66 24] r <- ([#"../list_reversal_lasso.rs" 66 20 66 24] [#"../list_reversal_lasso.rs" 66 20 66 24] (18446744073709551615 : usize)); + [#"../list_reversal_lasso.rs" 66 20 66 24] r <- ([#"../list_reversal_lasso.rs" 66 20 66 24] (18446744073709551615 : usize)); goto BB1 } BB1 { 
@@ -479,33 +493,34 @@ module ListReversalLasso_Impl4_ListReversalSafe goto BB2 } BB2 { - switch ([#"../list_reversal_lasso.rs" 71 14 71 23] ([#"../list_reversal_lasso.rs" 71 14 71 15] l) <> ([#"../list_reversal_lasso.rs" 71 19 71 23] [#"../list_reversal_lasso.rs" 71 19 71 23] (18446744073709551615 : usize))) + [#"../list_reversal_lasso.rs" 71 14 71 23] _12 <- l <> ([#"../list_reversal_lasso.rs" 71 19 71 23] (18446744073709551615 : usize)); + switch (_12) | False -> goto BB6 | True -> goto BB3 end } BB3 { - [#"../list_reversal_lasso.rs" 72 22 72 23] tmp <- ([#"../list_reversal_lasso.rs" 72 22 72 23] l); - [#"../list_reversal_lasso.rs" 73 20 73 23] _16 <- ([#"../list_reversal_lasso.rs" 73 20 73 23] index0 ([#"../list_reversal_lasso.rs" 73 16 73 20] * self) ([#"../list_reversal_lasso.rs" 73 21 73 22] l)); + [#"../list_reversal_lasso.rs" 72 22 72 23] tmp <- l; + [#"../list_reversal_lasso.rs" 73 20 73 23] _16 <- ([#"../list_reversal_lasso.rs" 73 20 73 23] index0 ( * self) l); goto BB4 } BB4 { - [#"../list_reversal_lasso.rs" 73 12 73 23] l <- ([#"../list_reversal_lasso.rs" 73 16 73 23] _16); + [#"../list_reversal_lasso.rs" 73 12 73 23] l <- _16; [#"../list_reversal_lasso.rs" 74 12 74 16] _21 <- Borrow.borrow_mut ( * self); [#"../list_reversal_lasso.rs" 74 12 74 16] self <- { self with current = ( ^ _21) ; }; - [#"../list_reversal_lasso.rs" 74 16 74 21] _20 <- ([#"../list_reversal_lasso.rs" 74 16 74 21] index_mut0 _21 ([#"../list_reversal_lasso.rs" 74 17 74 20] tmp)); + [#"../list_reversal_lasso.rs" 74 16 74 21] _20 <- ([#"../list_reversal_lasso.rs" 74 16 74 21] index_mut0 _21 tmp); _21 <- any borrowed (ListReversalLasso_Memory_Type.t_memory); goto BB5 } BB5 { - [#"../list_reversal_lasso.rs" 74 12 74 25] _20 <- { _20 with current = ([#"../list_reversal_lasso.rs" 74 24 74 25] r) ; }; + [#"../list_reversal_lasso.rs" 74 12 74 25] _20 <- { _20 with current = r ; }; assume { resolve1 _20 }; - [#"../list_reversal_lasso.rs" 75 12 75 19] r <- ([#"../list_reversal_lasso.rs" 75 16 
75 19] tmp); + [#"../list_reversal_lasso.rs" 75 12 75 19] r <- tmp; goto BB1 } BB6 { assume { resolve0 self }; - [#"../list_reversal_lasso.rs" 77 15 77 16] _0 <- ([#"../list_reversal_lasso.rs" 77 15 77 16] r); + [#"../list_reversal_lasso.rs" 77 15 77 16] _0 <- r; return _0 } @@ -539,7 +554,8 @@ module ListReversalLasso_Impl4_ListReversalList requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv3 (shallow_model0 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -597,16 +613,18 @@ module ListReversalLasso_Impl4_ListReversalList last else Seq.get s l - ) /\ (forall i : int . l <= i /\ i < h -> nonnull_ptr0 self (Seq.get s i) /\ index_logic1 self (Seq.get s i) = (if i = h - 1 then + ) /\ (forall i : int . l <= i /\ i < h + -> nonnull_ptr0 self (Seq.get s i) /\ index_logic1 self (Seq.get s i) = (if i = h - 1 then last else Seq.get s (i + 1) - )) /\ (forall j : int . forall i : int . l <= i /\ i < h /\ l <= j /\ j < h /\ i <> j -> Seq.get s i <> Seq.get s j) + )) /\ (forall j : int . forall i : int . l <= i /\ i < h /\ l <= j /\ j < h /\ i <> j + -> Seq.get s i <> Seq.get s j) val list_seg0 [#"../list_reversal_lasso.rs" 81 4 81 81] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s : Seq.seq usize) (last : usize) (l : int) (h : int) : bool ensures { result = list_seg0 self first s last l h } let constant null0 [#"../list_reversal_lasso.rs" 13 0 13 15] : usize = [@vc:do_not_keep_trace] [@vc:sp] - [#"../list_reversal_lasso.rs" 13 0 13 15] [#"../list_reversal_lasso.rs" 13 0 13 15] (18446744073709551615 : usize) + [#"../list_reversal_lasso.rs" 13 0 13 15] (18446744073709551615 : usize) predicate list0 [#"../list_reversal_lasso.rs" 91 4 91 54] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s : Seq.seq usize) = @@ -614,7 +632,7 @@ module ListReversalLasso_Impl4_ListReversalList val list0 [#"../list_reversal_lasso.rs" 91 4 91 54] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s : Seq.seq usize) : bool ensures { result = list0 self first s } - use prelude.Ghost + use prelude.Snapshot use prelude.Int predicate resolve1 (self : borrowed usize) = [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self 
@@ -633,7 +651,8 @@ module ListReversalLasso_Impl4_ListReversalList ensures { [#"../list_reversal_lasso.rs" 37 14 37 47] * result = index_logic1 ( * self) i } ensures { [#"../list_reversal_lasso.rs" 38 14 38 47] ^ result = index_logic1 ( ^ self) i } ensures { [#"../list_reversal_lasso.rs" 39 14 39 47] Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 ( * self))) = Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 ( ^ self))) } - ensures { [#"../list_reversal_lasso.rs" 40 4 40 113] forall j : usize . nonnull_ptr0 ( * self) j /\ i <> j -> index_logic1 ( ^ self) j = index_logic1 ( * self) j } + ensures { [#"../list_reversal_lasso.rs" 40 4 40 113] forall j : usize . nonnull_ptr0 ( * self) j /\ i <> j + -> index_logic1 ( ^ self) j = index_logic1 ( * self) j } predicate resolve0 (self : borrowed (ListReversalLasso_Memory_Type.t_memory)) = [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self 
@@ -641,20 +660,21 @@ module ListReversalLasso_Impl4_ListReversalList ensures { result = resolve0 self } use seq.Reverse - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - let rec cfg list_reversal_list [#"../list_reversal_lasso.rs" 99 4 99 79] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (ListReversalLasso_Memory_Type.t_memory)) (l : usize) (s : Ghost.ghost_ty (Seq.seq usize)) : usize - requires {[#"../list_reversal_lasso.rs" 97 15 97 31] list0 ( * self) l (Ghost.inner s)} - ensures { [#"../list_reversal_lasso.rs" 98 14 98 47] list0 ( ^ self) result (Reverse.reverse (Ghost.inner s)) } + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + let rec cfg list_reversal_list [#"../list_reversal_lasso.rs" 99 4 99 82] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (ListReversalLasso_Memory_Type.t_memory)) (l : usize) (s : Snapshot.snap_ty (Seq.seq usize)) : usize + requires {[#"../list_reversal_lasso.rs" 97 15 97 31] list0 ( * self) l (Snapshot.inner s)} + ensures { [#"../list_reversal_lasso.rs" 98 14 98 47] list0 ( ^ self) result (Reverse.reverse (Snapshot.inner s)) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : usize; var self : borrowed (ListReversalLasso_Memory_Type.t_memory) = self; var l : usize = l; - var s : Ghost.ghost_ty (Seq.seq usize) = s; + var s : Snapshot.snap_ty (Seq.seq usize) = s; var r : usize; - var n : Ghost.ghost_ty int; + var n : Snapshot.snap_ty int; + var _15 : bool; var _17 : usize; var _18 : borrowed usize; var _19 : borrowed usize; 
@@ -663,26 +683,27 @@ module ListReversalLasso_Impl4_ListReversalList var _23 : usize; var _24 : borrowed usize; var _25 : borrowed usize; - var _27 : Ghost.ghost_ty int; + var _27 : Snapshot.snap_ty int; { goto BB0 } BB0 { - [#"../list_reversal_lasso.rs" 100 20 100 24] r <- ([#"../list_reversal_lasso.rs" 100 20 100 24] [#"../list_reversal_lasso.rs" 100 20 100 24] (18446744073709551615 : usize)); - [#"../list_reversal_lasso.rs" 101 20 101 29] n <- ([#"../list_reversal_lasso.rs" 101 20 101 29] Ghost.new 0); + [#"../list_reversal_lasso.rs" 100 20 100 24] r <- ([#"../list_reversal_lasso.rs" 100 20 100 24] (18446744073709551615 : usize)); + [#"../list_reversal_lasso.rs" 101 20 101 35] n <- ([#"../list_reversal_lasso.rs" 101 20 101 35] Snapshot.new 0); goto BB1 } BB1 { goto BB2 } BB2 { - invariant { [#"../list_reversal_lasso.rs" 103 20 103 44] 0 <= Ghost.inner n /\ Ghost.inner n <= Seq.length (Ghost.inner s) }; - invariant { [#"../list_reversal_lasso.rs" 104 20 104 59] list_seg0 ( * self) l (Ghost.inner s) null0 (Ghost.inner n) (Seq.length (Ghost.inner s)) }; - invariant { [#"../list_reversal_lasso.rs" 105 20 105 76] list_seg0 ( * self) r (Reverse.reverse (Ghost.inner s)) null0 (Seq.length (Ghost.inner s) - Ghost.inner n) (Seq.length (Ghost.inner s)) }; + invariant { [#"../list_reversal_lasso.rs" 103 20 103 44] 0 <= Snapshot.inner n /\ Snapshot.inner n <= Seq.length (Snapshot.inner s) }; + invariant { [#"../list_reversal_lasso.rs" 104 20 104 59] list_seg0 ( * self) l (Snapshot.inner s) null0 (Snapshot.inner n) (Seq.length (Snapshot.inner s)) }; + invariant { [#"../list_reversal_lasso.rs" 105 20 105 76] list_seg0 ( * self) r (Reverse.reverse (Snapshot.inner s)) null0 (Seq.length (Snapshot.inner s) - Snapshot.inner n) (Seq.length (Snapshot.inner s)) }; goto BB3 } BB3 { - switch ([#"../list_reversal_lasso.rs" 107 14 107 23] ([#"../list_reversal_lasso.rs" 107 14 107 15] l) <> ([#"../list_reversal_lasso.rs" 107 19 107 23] [#"../list_reversal_lasso.rs" 107 19 107 23] 
(18446744073709551615 : usize))) + [#"../list_reversal_lasso.rs" 107 14 107 23] _15 <- l <> ([#"../list_reversal_lasso.rs" 107 19 107 23] (18446744073709551615 : usize)); + switch (_15) | False -> goto BB9 | True -> goto BB4 end @@ -690,7 +711,7 @@ module ListReversalLasso_Impl4_ListReversalList BB4 { [#"../list_reversal_lasso.rs" 108 39 108 43] _21 <- Borrow.borrow_mut ( * self); [#"../list_reversal_lasso.rs" 108 39 108 43] self <- { self with current = ( ^ _21) ; }; - [#"../list_reversal_lasso.rs" 108 43 108 46] _20 <- ([#"../list_reversal_lasso.rs" 108 43 108 46] index_mut0 _21 ([#"../list_reversal_lasso.rs" 108 44 108 45] l)); + [#"../list_reversal_lasso.rs" 108 43 108 46] _20 <- ([#"../list_reversal_lasso.rs" 108 43 108 46] index_mut0 _21 l); _21 <- any borrowed (ListReversalLasso_Memory_Type.t_memory); goto BB5 } @@ -703,7 +724,7 @@ module ListReversalLasso_Impl4_ListReversalList [#"../list_reversal_lasso.rs" 108 66 108 72] r <- ^ _25; [#"../list_reversal_lasso.rs" 108 66 108 72] _24 <- Borrow.borrow_final ( * _25) (Borrow.get_id _25); [#"../list_reversal_lasso.rs" 108 66 108 72] _25 <- { _25 with current = ( ^ _24) ; }; - [#"../list_reversal_lasso.rs" 108 48 108 76] _23 <- ([#"../list_reversal_lasso.rs" 108 48 108 76] replace0 _24 ([#"../list_reversal_lasso.rs" 108 74 108 75] l)); + [#"../list_reversal_lasso.rs" 108 48 108 76] _23 <- ([#"../list_reversal_lasso.rs" 108 48 108 76] replace0 _24 l); _24 <- any borrowed usize; goto BB6 } 
@@ -717,19 +738,19 @@ module ListReversalLasso_Impl4_ListReversalList BB7 { assume { resolve1 _20 }; assume { resolve1 _19 }; - [#"../list_reversal_lasso.rs" 108 12 108 77] l <- ([#"../list_reversal_lasso.rs" 108 12 108 77] _17); - [#"../list_reversal_lasso.rs" 108 12 108 77] _17 <- any usize; - [#"../list_reversal_lasso.rs" 109 16 109 30] _27 <- ([#"../list_reversal_lasso.rs" 109 16 109 30] Ghost.new (Ghost.inner n + 1)); + [#"../list_reversal_lasso.rs" 108 12 108 77] l <- _17; + _17 <- any usize; + [#"../list_reversal_lasso.rs" 109 16 109 36] _27 <- ([#"../list_reversal_lasso.rs" 109 16 109 36] Snapshot.new (Snapshot.inner n + 1)); goto BB8 } BB8 { - [#"../list_reversal_lasso.rs" 109 12 109 30] n <- ([#"../list_reversal_lasso.rs" 109 12 109 30] _27); - [#"../list_reversal_lasso.rs" 109 12 109 30] _27 <- any Ghost.ghost_ty int; + [#"../list_reversal_lasso.rs" 109 12 109 36] n <- _27; + _27 <- any Snapshot.snap_ty int; goto BB2 } BB9 { assume { resolve0 self }; - [#"../list_reversal_lasso.rs" 111 15 111 16] _0 <- ([#"../list_reversal_lasso.rs" 111 15 111 16] r); + [#"../list_reversal_lasso.rs" 111 15 111 16] _0 <- r; return _0 } 
@@ -763,7 +784,8 @@ module ListReversalLasso_Impl4_ListReversalLoop requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv3 (shallow_model0 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -821,11 +843,13 @@ module ListReversalLasso_Impl4_ListReversalLoop last else Seq.get s l - ) /\ (forall i : int . l <= i /\ i < h -> nonnull_ptr0 self (Seq.get s i) /\ index_logic1 self (Seq.get s i) = (if i = h - 1 then + ) /\ (forall i : int . l <= i /\ i < h + -> nonnull_ptr0 self (Seq.get s i) /\ index_logic1 self (Seq.get s i) = (if i = h - 1 then last else Seq.get s (i + 1) - )) /\ (forall j : int . forall i : int . l <= i /\ i < h /\ l <= j /\ j < h /\ i <> j -> Seq.get s i <> Seq.get s j) + )) /\ (forall j : int . forall i : int . l <= i /\ i < h /\ l <= j /\ j < h /\ i <> j + -> Seq.get s i <> Seq.get s j) val list_seg0 [#"../list_reversal_lasso.rs" 81 4 81 81] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s : Seq.seq usize) (last : usize) (l : int) (h : int) : bool ensures { result = list_seg0 self first s last l h } @@ -836,7 +860,7 @@ module ListReversalLasso_Impl4_ListReversalLoop val loop0 [#"../list_reversal_lasso.rs" 116 4 116 55] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s : Seq.seq usize) : bool ensures { result = loop0 self first s } - use prelude.Ghost + use prelude.Snapshot use prelude.Int predicate resolve1 (self : borrowed usize) = [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self 
@@ -855,7 +879,8 @@ module ListReversalLasso_Impl4_ListReversalLoop ensures { [#"../list_reversal_lasso.rs" 37 14 37 47] * result = index_logic1 ( * self) i } ensures { [#"../list_reversal_lasso.rs" 38 14 38 47] ^ result = index_logic1 ( ^ self) i } ensures { [#"../list_reversal_lasso.rs" 39 14 39 47] Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 ( * self))) = Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 ( ^ self))) } - ensures { [#"../list_reversal_lasso.rs" 40 4 40 113] forall j : usize . nonnull_ptr0 ( * self) j /\ i <> j -> index_logic1 ( ^ self) j = index_logic1 ( * self) j } + ensures { [#"../list_reversal_lasso.rs" 40 4 40 113] forall j : usize . nonnull_ptr0 ( * self) j /\ i <> j + -> index_logic1 ( ^ self) j = index_logic1 ( * self) j } use seq.Seq use seq_ext.SeqExt 
@@ -866,28 +891,29 @@ module ListReversalLasso_Impl4_ListReversalLoop ensures { result = resolve0 self } use seq.Reverse - use prelude.Ghost - function index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq usize)) (ix : int) : usize = - [#"../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Ghost.inner self) ix - val index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq usize)) (ix : int) : usize + use prelude.Snapshot + function index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq usize)) (ix : int) : usize = + [#"../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Snapshot.inner self) ix + val index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq usize)) (ix : int) : usize ensures { result = index_logic0 self ix } let constant null0 [#"../list_reversal_lasso.rs" 13 0 13 15] : usize = [@vc:do_not_keep_trace] [@vc:sp] - [#"../list_reversal_lasso.rs" 13 0 13 15] [#"../list_reversal_lasso.rs" 13 0 13 15] (18446744073709551615 : usize) - use prelude.Ghost - use prelude.Ghost - let rec cfg list_reversal_loop [#"../list_reversal_lasso.rs" 125 4 125 79] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (ListReversalLasso_Memory_Type.t_memory)) (l : usize) (s : Ghost.ghost_ty (Seq.seq usize)) : usize - requires {[#"../list_reversal_lasso.rs" 122 15 122 26] Seq.length (Ghost.inner s) > 0} - requires {[#"../list_reversal_lasso.rs" 123 15 123 32] loop0 ( * self) l (Ghost.inner s)} - ensures { [#"../list_reversal_lasso.rs" 124 14 124 101] loop0 ( ^ self) result (Seq.(++) (Seq.singleton (index_logic0 s 0)) (Reverse.reverse (SeqExt.subsequence (Ghost.inner s) 1 (Seq.length (Ghost.inner s))))) } + [#"../list_reversal_lasso.rs" 13 0 13 15] (18446744073709551615 : usize) + use prelude.Snapshot + use prelude.Snapshot + let rec cfg list_reversal_loop [#"../list_reversal_lasso.rs" 125 4 125 82] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (ListReversalLasso_Memory_Type.t_memory)) (l : 
usize) (s : Snapshot.snap_ty (Seq.seq usize)) : usize + requires {[#"../list_reversal_lasso.rs" 122 15 122 26] Seq.length (Snapshot.inner s) > 0} + requires {[#"../list_reversal_lasso.rs" 123 15 123 32] loop0 ( * self) l (Snapshot.inner s)} + ensures { [#"../list_reversal_lasso.rs" 124 14 124 101] loop0 ( ^ self) result (Seq.(++) (Seq.singleton (index_logic0 s 0)) (Reverse.reverse (SeqExt.subsequence (Snapshot.inner s) 1 (Seq.length (Snapshot.inner s))))) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : usize; var self : borrowed (ListReversalLasso_Memory_Type.t_memory) = self; var l : usize = l; - var s : Ghost.ghost_ty (Seq.seq usize) = s; + var s : Snapshot.snap_ty (Seq.seq usize) = s; var r : usize; - var n : Ghost.ghost_ty int; + var n : Snapshot.snap_ty int; + var _17 : bool; var _21 : usize; var _22 : borrowed usize; var _23 : borrowed usize; 
@@ -896,36 +922,41 @@ module ListReversalLasso_Impl4_ListReversalLoop var _27 : usize; var _28 : borrowed usize; var _29 : borrowed usize; - var _31 : Ghost.ghost_ty int; + var _31 : Snapshot.snap_ty int; { goto BB0 } BB0 { - [#"../list_reversal_lasso.rs" 126 20 126 24] r <- ([#"../list_reversal_lasso.rs" 126 20 126 24] [#"../list_reversal_lasso.rs" 126 20 126 24] (18446744073709551615 : usize)); - [#"../list_reversal_lasso.rs" 127 20 127 29] n <- ([#"../list_reversal_lasso.rs" 127 20 127 29] Ghost.new 0); + [#"../list_reversal_lasso.rs" 126 20 126 24] r <- ([#"../list_reversal_lasso.rs" 126 20 126 24] (18446744073709551615 : usize)); + [#"../list_reversal_lasso.rs" 127 20 127 35] n <- ([#"../list_reversal_lasso.rs" 127 20 127 35] Snapshot.new 0); goto BB1 } BB1 { goto BB2 } BB2 { - invariant { [#"../list_reversal_lasso.rs" 129 20 129 48] 0 <= Ghost.inner n /\ Ghost.inner n <= Seq.length (Ghost.inner s) + 1 }; - invariant { [#"../list_reversal_lasso.rs" 129 8 129 50] Ghost.inner n = Seq.length (Ghost.inner s) + 1 -> l = null0 /\ r = index_logic0 s 0 /\ nonnull_ptr0 ( * self) r /\ index_logic1 ( * self) r = index_logic0 s (Seq.length (Ghost.inner s) - 1) /\ list_seg0 ( * self) (index_logic0 s (Seq.length (Ghost.inner s) - 1)) (Reverse.reverse (Ghost.inner s)) (index_logic0 s 0) 0 (Seq.length (Ghost.inner s) - 1) }; - invariant { [#"../list_reversal_lasso.rs" 129 8 129 50] Ghost.inner n <= Seq.length (Ghost.inner s) -> list_seg0 ( * self) l (Ghost.inner s) (index_logic0 s 0) (Ghost.inner n) (Seq.length (Ghost.inner s)) }; - invariant { [#"../list_reversal_lasso.rs" 129 8 129 50] Ghost.inner n <= Seq.length (Ghost.inner s) -> list_seg0 ( * self) r (Reverse.reverse (Ghost.inner s)) null0 (Seq.length (Ghost.inner s) - Ghost.inner n) (Seq.length (Ghost.inner s)) }; + invariant { [#"../list_reversal_lasso.rs" 129 20 129 48] 0 <= Snapshot.inner n /\ Snapshot.inner n <= Seq.length (Snapshot.inner s) + 1 }; + invariant { [#"../list_reversal_lasso.rs" 129 8 129 50] 
Snapshot.inner n = Seq.length (Snapshot.inner s) + 1 + -> l = null0 /\ r = index_logic0 s 0 /\ nonnull_ptr0 ( * self) r /\ index_logic1 ( * self) r = index_logic0 s (Seq.length (Snapshot.inner s) - 1) /\ list_seg0 ( * self) (index_logic0 s (Seq.length (Snapshot.inner s) - 1)) (Reverse.reverse (Snapshot.inner s)) (index_logic0 s 0) 0 (Seq.length (Snapshot.inner s) - 1) }; + invariant { [#"../list_reversal_lasso.rs" 129 8 129 50] Snapshot.inner n <= Seq.length (Snapshot.inner s) + -> list_seg0 ( * self) l (Snapshot.inner s) (index_logic0 s 0) (Snapshot.inner n) (Seq.length (Snapshot.inner s)) }; + invariant { [#"../list_reversal_lasso.rs" 129 8 129 50] Snapshot.inner n <= Seq.length (Snapshot.inner s) + -> list_seg0 ( * self) r (Reverse.reverse (Snapshot.inner s)) null0 (Seq.length (Snapshot.inner s) - Snapshot.inner n) (Seq.length (Snapshot.inner s)) }; goto BB3 } BB3 { - switch ([#"../list_reversal_lasso.rs" 137 14 137 23] ([#"../list_reversal_lasso.rs" 137 14 137 15] l) <> ([#"../list_reversal_lasso.rs" 137 19 137 23] [#"../list_reversal_lasso.rs" 137 19 137 23] (18446744073709551615 : usize))) + [#"../list_reversal_lasso.rs" 137 14 137 23] _17 <- l <> ([#"../list_reversal_lasso.rs" 137 19 137 23] (18446744073709551615 : usize)); + switch (_17) | False -> goto BB9 | True -> goto BB4 end } BB4 { - assert { [@expl:assertion] [#"../list_reversal_lasso.rs" 138 12 138 77] Ghost.inner n = Seq.length (Ghost.inner s) -> l = Seq.get (Reverse.reverse (Ghost.inner s)) (Seq.length (Ghost.inner s) - 1) }; + assert { [@expl:assertion] [#"../list_reversal_lasso.rs" 138 12 138 77] Snapshot.inner n = Seq.length (Snapshot.inner s) + -> l = Seq.get (Reverse.reverse (Snapshot.inner s)) (Seq.length (Snapshot.inner s) - 1) }; [#"../list_reversal_lasso.rs" 139 39 139 43] _25 <- Borrow.borrow_mut ( * self); [#"../list_reversal_lasso.rs" 139 39 139 43] self <- { self with current = ( ^ _25) ; }; - [#"../list_reversal_lasso.rs" 139 43 139 46] _24 <- ([#"../list_reversal_lasso.rs" 139 43 
139 46] index_mut0 _25 ([#"../list_reversal_lasso.rs" 139 44 139 45] l)); + [#"../list_reversal_lasso.rs" 139 43 139 46] _24 <- ([#"../list_reversal_lasso.rs" 139 43 139 46] index_mut0 _25 l); _25 <- any borrowed (ListReversalLasso_Memory_Type.t_memory); goto BB5 } @@ -938,7 +969,7 @@ module ListReversalLasso_Impl4_ListReversalLoop [#"../list_reversal_lasso.rs" 139 66 139 72] r <- ^ _29; [#"../list_reversal_lasso.rs" 139 66 139 72] _28 <- Borrow.borrow_final ( * _29) (Borrow.get_id _29); [#"../list_reversal_lasso.rs" 139 66 139 72] _29 <- { _29 with current = ( ^ _28) ; }; - [#"../list_reversal_lasso.rs" 139 48 139 76] _27 <- ([#"../list_reversal_lasso.rs" 139 48 139 76] replace0 _28 ([#"../list_reversal_lasso.rs" 139 74 139 75] l)); + [#"../list_reversal_lasso.rs" 139 48 139 76] _27 <- ([#"../list_reversal_lasso.rs" 139 48 139 76] replace0 _28 l); _28 <- any borrowed usize; goto BB6 } 
@@ -952,24 +983,25 @@ module ListReversalLasso_Impl4_ListReversalLoop BB7 { assume { resolve1 _24 }; assume { resolve1 _23 }; - [#"../list_reversal_lasso.rs" 139 12 139 77] l <- ([#"../list_reversal_lasso.rs" 139 12 139 77] _21); - [#"../list_reversal_lasso.rs" 139 12 139 77] _21 <- any usize; - [#"../list_reversal_lasso.rs" 140 16 140 30] _31 <- ([#"../list_reversal_lasso.rs" 140 16 140 30] Ghost.new (Ghost.inner n + 1)); + [#"../list_reversal_lasso.rs" 139 12 139 77] l <- _21; + _21 <- any usize; + [#"../list_reversal_lasso.rs" 140 16 140 36] _31 <- ([#"../list_reversal_lasso.rs" 140 16 140 36] Snapshot.new (Snapshot.inner n + 1)); goto BB8 } BB8 { - [#"../list_reversal_lasso.rs" 140 12 140 30] n <- ([#"../list_reversal_lasso.rs" 140 12 140 30] _31); - [#"../list_reversal_lasso.rs" 140 12 140 30] _31 <- any Ghost.ghost_ty int; + [#"../list_reversal_lasso.rs" 140 12 140 36] n <- _31; + _31 <- any Snapshot.snap_ty int; goto BB2 } BB9 { assume { resolve0 self }; - assert { [@expl:assertion] [#"../list_reversal_lasso.rs" 143 8 145 54] forall i : int . 0 <= i /\ i < Seq.length (Ghost.inner s) -> Seq.get (Seq.(++) (Seq.singleton (index_logic0 s 0)) (Reverse.reverse (SeqExt.subsequence (Ghost.inner s) 1 (Seq.length (Ghost.inner s))))) i = (if i = 0 then + assert { [@expl:assertion] [#"../list_reversal_lasso.rs" 143 8 145 54] forall i : int . 0 <= i /\ i < Seq.length (Snapshot.inner s) + -> Seq.get (Seq.(++) (Seq.singleton (index_logic0 s 0)) (Reverse.reverse (SeqExt.subsequence (Snapshot.inner s) 1 (Seq.length (Snapshot.inner s))))) i = (if i = 0 then index_logic0 s 0 else - Seq.get (Reverse.reverse (Ghost.inner s)) (i - 1) + Seq.get (Reverse.reverse (Snapshot.inner s)) (i - 1) ) }; - [#"../list_reversal_lasso.rs" 146 15 146 16] _0 <- ([#"../list_reversal_lasso.rs" 146 15 146 16] r); + [#"../list_reversal_lasso.rs" 146 15 146 16] _0 <- r; return _0 } 
@@ -1003,7 +1035,8 @@ module ListReversalLasso_Impl4_ListReversalLasso requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv3 (shallow_model0 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1061,11 +1094,13 @@ module ListReversalLasso_Impl4_ListReversalLasso last else Seq.get s l - ) /\ (forall i : int . l <= i /\ i < h -> nonnull_ptr0 self (Seq.get s i) /\ index_logic2 self (Seq.get s i) = (if i = h - 1 then + ) /\ (forall i : int . l <= i /\ i < h + -> nonnull_ptr0 self (Seq.get s i) /\ index_logic2 self (Seq.get s i) = (if i = h - 1 then last else Seq.get s (i + 1) - )) /\ (forall j : int . forall i : int . l <= i /\ i < h /\ l <= j /\ j < h /\ i <> j -> Seq.get s i <> Seq.get s j) + )) /\ (forall j : int . forall i : int . l <= i /\ i < h /\ l <= j /\ j < h /\ i <> j + -> Seq.get s i <> Seq.get s j) val list_seg0 [#"../list_reversal_lasso.rs" 81 4 81 81] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s : Seq.seq usize) (last : usize) (l : int) (h : int) : bool ensures { result = list_seg0 self first s last l h } @@ -1076,11 +1111,12 @@ module ListReversalLasso_Impl4_ListReversalLasso Seq.get s1 (Seq.length s1 - 1) else Seq.get s2 0 - in Seq.length s1 > 0 /\ (forall j : int . forall i : int . 0 <= i /\ i < Seq.length s1 /\ 0 <= j /\ j < Seq.length s2 -> Seq.get s1 i <> Seq.get s2 j) /\ list_seg0 self first s1 mid 0 (Seq.length s1) /\ list_seg0 self mid s2 (Seq.get s1 (Seq.length s1 - 1)) 0 (Seq.length s2) + in Seq.length s1 > 0 /\ (forall j : int . forall i : int . 0 <= i /\ i < Seq.length s1 /\ 0 <= j /\ j < Seq.length s2 + -> Seq.get s1 i <> Seq.get s2 j) /\ list_seg0 self first s1 mid 0 (Seq.length s1) /\ list_seg0 self mid s2 (Seq.get s1 (Seq.length s1 - 1)) 0 (Seq.length s2) val lasso0 [#"../list_reversal_lasso.rs" 151 4 151 70] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s1 : Seq.seq usize) (s2 : Seq.seq usize) : bool ensures { result = lasso0 self first s1 s2 } - use prelude.Ghost + use prelude.Snapshot use prelude.Int predicate resolve1 (self : borrowed usize) = [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self 
@@ -1099,7 +1135,8 @@ module ListReversalLasso_Impl4_ListReversalLasso ensures { [#"../list_reversal_lasso.rs" 37 14 37 47] * result = index_logic2 ( * self) i } ensures { [#"../list_reversal_lasso.rs" 38 14 38 47] ^ result = index_logic2 ( ^ self) i } ensures { [#"../list_reversal_lasso.rs" 39 14 39 47] Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 ( * self))) = Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 ( ^ self))) } - ensures { [#"../list_reversal_lasso.rs" 40 4 40 113] forall j : usize . nonnull_ptr0 ( * self) j /\ i <> j -> index_logic2 ( ^ self) j = index_logic2 ( * self) j } + ensures { [#"../list_reversal_lasso.rs" 40 4 40 113] forall j : usize . nonnull_ptr0 ( * self) j /\ i <> j + -> index_logic2 ( ^ self) j = index_logic2 ( * self) j } predicate resolve0 (self : borrowed (ListReversalLasso_Memory_Type.t_memory)) = [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self 
@@ -1107,28 +1144,29 @@ module ListReversalLasso_Impl4_ListReversalLasso ensures { result = resolve0 self } let constant null0 [#"../list_reversal_lasso.rs" 13 0 13 15] : usize = [@vc:do_not_keep_trace] [@vc:sp] - [#"../list_reversal_lasso.rs" 13 0 13 15] [#"../list_reversal_lasso.rs" 13 0 13 15] (18446744073709551615 : usize) + [#"../list_reversal_lasso.rs" 13 0 13 15] (18446744073709551615 : usize) use seq.Reverse - use prelude.Ghost - function index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq usize)) (ix : int) : usize = - [#"../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Ghost.inner self) ix - val index_logic0 [@inline:trivial] (self : Ghost.ghost_ty (Seq.seq usize)) (ix : int) : usize + use prelude.Snapshot + function index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq usize)) (ix : int) : usize = + [#"../../../../creusot-contracts/src/logic/ops.rs" 87 8 87 33] Seq.get (Snapshot.inner self) ix + val index_logic0 [@inline:trivial] (self : Snapshot.snap_ty (Seq.seq usize)) (ix : int) : usize ensures { result = index_logic0 self ix } - use prelude.Ghost - use prelude.Ghost - let rec cfg list_reversal_lasso [#"../list_reversal_lasso.rs" 163 4 168 12] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (ListReversalLasso_Memory_Type.t_memory)) (l : usize) (s1 : Ghost.ghost_ty (Seq.seq usize)) (s2 : Ghost.ghost_ty (Seq.seq usize)) : usize - requires {[#"../list_reversal_lasso.rs" 161 15 161 38] lasso0 ( * self) l (Ghost.inner s1) (Ghost.inner s2)} - ensures { [#"../list_reversal_lasso.rs" 162 14 162 54] lasso0 ( ^ self) result (Ghost.inner s1) (Reverse.reverse (Ghost.inner s2)) } + use prelude.Snapshot + use prelude.Snapshot + let rec cfg list_reversal_lasso [#"../list_reversal_lasso.rs" 163 4 168 12] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (ListReversalLasso_Memory_Type.t_memory)) (l : usize) (s1 : Snapshot.snap_ty (Seq.seq usize)) (s2 : Snapshot.snap_ty (Seq.seq usize)) : usize + requires 
{[#"../list_reversal_lasso.rs" 161 15 161 38] lasso0 ( * self) l (Snapshot.inner s1) (Snapshot.inner s2)} + ensures { [#"../list_reversal_lasso.rs" 162 14 162 54] lasso0 ( ^ self) result (Snapshot.inner s1) (Reverse.reverse (Snapshot.inner s2)) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : usize; var self : borrowed (ListReversalLasso_Memory_Type.t_memory) = self; var l : usize = l; - var s1 : Ghost.ghost_ty (Seq.seq usize) = s1; - var s2 : Ghost.ghost_ty (Seq.seq usize) = s2; + var s1 : Snapshot.snap_ty (Seq.seq usize) = s1; + var s2 : Snapshot.snap_ty (Seq.seq usize) = s2; var r : usize; - var n : Ghost.ghost_ty int; + var n : Snapshot.snap_ty int; + var _17 : bool; var _19 : usize; var _20 : borrowed usize; var _21 : borrowed usize; 
@@ -1137,35 +1175,39 @@ module ListReversalLasso_Impl4_ListReversalLasso var _25 : usize; var _26 : borrowed usize; var _27 : borrowed usize; - var _29 : Ghost.ghost_ty int; + var _29 : Snapshot.snap_ty int; { goto BB0 } BB0 { - [#"../list_reversal_lasso.rs" 169 20 169 24] r <- ([#"../list_reversal_lasso.rs" 169 20 169 24] [#"../list_reversal_lasso.rs" 169 20 169 24] (18446744073709551615 : usize)); - [#"../list_reversal_lasso.rs" 170 20 170 29] n <- ([#"../list_reversal_lasso.rs" 170 20 170 29] Ghost.new 0); + [#"../list_reversal_lasso.rs" 169 20 169 24] r <- ([#"../list_reversal_lasso.rs" 169 20 169 24] (18446744073709551615 : usize)); + [#"../list_reversal_lasso.rs" 170 20 170 35] n <- ([#"../list_reversal_lasso.rs" 170 20 170 35] Snapshot.new 0); goto BB1 } BB1 { goto BB2 } BB2 { - invariant { [#"../list_reversal_lasso.rs" 172 20 172 58] 0 <= Ghost.inner n /\ Ghost.inner n <= 2 * Seq.length (Ghost.inner s1) + Seq.length (Ghost.inner s2) }; - invariant { [#"../list_reversal_lasso.rs" 172 8 172 60] let mid = if Seq.length (Ghost.inner s2) = 0 then - index_logic0 s1 (Seq.length (Ghost.inner s1) - 1) + invariant { [#"../list_reversal_lasso.rs" 172 20 172 58] 0 <= Snapshot.inner n /\ Snapshot.inner n <= 2 * Seq.length (Snapshot.inner s1) + Seq.length (Snapshot.inner s2) }; + invariant { [#"../list_reversal_lasso.rs" 172 8 172 60] let mid = if Seq.length (Snapshot.inner s2) = 0 then + index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1) else index_logic0 s2 0 - in Ghost.inner n <= Seq.length (Ghost.inner s1) -> list_seg0 ( * self) l (Ghost.inner s1) mid (Ghost.inner n) (Seq.length (Ghost.inner s1)) /\ list_seg0 ( * self) mid (Ghost.inner s2) (index_logic0 s1 (Seq.length (Ghost.inner s1) - 1)) 0 (Seq.length (Ghost.inner s2)) /\ list_seg0 ( * self) r (Reverse.reverse (Ghost.inner s1)) null0 (Seq.length (Ghost.inner s1) - Ghost.inner n) (Seq.length (Ghost.inner s1)) }; - invariant { [#"../list_reversal_lasso.rs" 172 8 172 60] Seq.length (Ghost.inner s1) < Ghost.inner n 
/\ Ghost.inner n <= Seq.length (Ghost.inner s1) + Seq.length (Ghost.inner s2) -> list_seg0 ( * self) l (Ghost.inner s2) (index_logic0 s1 (Seq.length (Ghost.inner s1) - 1)) (Ghost.inner n - Seq.length (Ghost.inner s1)) (Seq.length (Ghost.inner s2)) /\ list_seg0 ( * self) r (Reverse.reverse (Ghost.inner s2)) (index_logic0 s1 (Seq.length (Ghost.inner s1) - 1)) (Seq.length (Ghost.inner s1) + Seq.length (Ghost.inner s2) - Ghost.inner n) (Seq.length (Ghost.inner s2)) /\ list_seg0 ( * self) (index_logic0 s1 (Seq.length (Ghost.inner s1) - 1)) (Reverse.reverse (Ghost.inner s1)) null0 0 (Seq.length (Ghost.inner s1)) }; - invariant { [#"../list_reversal_lasso.rs" 172 8 172 60] let mid = if Seq.length (Ghost.inner s2) = 0 then - index_logic0 s1 (Seq.length (Ghost.inner s1) - 1) + in Snapshot.inner n <= Seq.length (Snapshot.inner s1) + -> list_seg0 ( * self) l (Snapshot.inner s1) mid (Snapshot.inner n) (Seq.length (Snapshot.inner s1)) /\ list_seg0 ( * self) mid (Snapshot.inner s2) (index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1)) 0 (Seq.length (Snapshot.inner s2)) /\ list_seg0 ( * self) r (Reverse.reverse (Snapshot.inner s1)) null0 (Seq.length (Snapshot.inner s1) - Snapshot.inner n) (Seq.length (Snapshot.inner s1)) }; + invariant { [#"../list_reversal_lasso.rs" 172 8 172 60] Seq.length (Snapshot.inner s1) < Snapshot.inner n /\ Snapshot.inner n <= Seq.length (Snapshot.inner s1) + Seq.length (Snapshot.inner s2) + -> list_seg0 ( * self) l (Snapshot.inner s2) (index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1)) (Snapshot.inner n - Seq.length (Snapshot.inner s1)) (Seq.length (Snapshot.inner s2)) /\ list_seg0 ( * self) r (Reverse.reverse (Snapshot.inner s2)) (index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1)) (Seq.length (Snapshot.inner s1) + Seq.length (Snapshot.inner s2) - Snapshot.inner n) (Seq.length (Snapshot.inner s2)) /\ list_seg0 ( * self) (index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1)) (Reverse.reverse (Snapshot.inner s1)) null0 0 (Seq.length (Snapshot.inner 
s1)) }; + invariant { [#"../list_reversal_lasso.rs" 172 8 172 60] let mid = if Seq.length (Snapshot.inner s2) = 0 then + index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1) else - index_logic0 s2 (Seq.length (Ghost.inner s2) - 1) - in Seq.length (Ghost.inner s1) + Seq.length (Ghost.inner s2) < Ghost.inner n -> list_seg0 ( * self) l (Reverse.reverse (Ghost.inner s1)) null0 (Ghost.inner n - Seq.length (Ghost.inner s1) - Seq.length (Ghost.inner s2)) (Seq.length (Ghost.inner s1)) /\ list_seg0 ( * self) r (Ghost.inner s1) mid (2 * Seq.length (Ghost.inner s1) + Seq.length (Ghost.inner s2) - Ghost.inner n) (Seq.length (Ghost.inner s1)) /\ list_seg0 ( * self) mid (Reverse.reverse (Ghost.inner s2)) (index_logic0 s1 (Seq.length (Ghost.inner s1) - 1)) 0 (Seq.length (Ghost.inner s2)) }; + index_logic0 s2 (Seq.length (Snapshot.inner s2) - 1) + in Seq.length (Snapshot.inner s1) + Seq.length (Snapshot.inner s2) < Snapshot.inner n + -> list_seg0 ( * self) l (Reverse.reverse (Snapshot.inner s1)) null0 (Snapshot.inner n - Seq.length (Snapshot.inner s1) - Seq.length (Snapshot.inner s2)) (Seq.length (Snapshot.inner s1)) /\ list_seg0 ( * self) r (Snapshot.inner s1) mid (2 * Seq.length (Snapshot.inner s1) + Seq.length (Snapshot.inner s2) - Snapshot.inner n) (Seq.length (Snapshot.inner s1)) /\ list_seg0 ( * self) mid (Reverse.reverse (Snapshot.inner s2)) (index_logic0 s1 (Seq.length (Snapshot.inner s1) - 1)) 0 (Seq.length (Snapshot.inner s2)) }; goto BB3 } BB3 { - switch ([#"../list_reversal_lasso.rs" 190 14 190 23] ([#"../list_reversal_lasso.rs" 190 14 190 15] l) <> ([#"../list_reversal_lasso.rs" 190 19 190 23] [#"../list_reversal_lasso.rs" 190 19 190 23] (18446744073709551615 : usize))) + [#"../list_reversal_lasso.rs" 190 14 190 23] _17 <- l <> ([#"../list_reversal_lasso.rs" 190 19 190 23] (18446744073709551615 : usize)); + switch (_17) | False -> goto BB9 | True -> goto BB4 end 
@@ -1173,7 +1215,7 @@ module ListReversalLasso_Impl4_ListReversalLasso BB4 { [#"../list_reversal_lasso.rs" 191 39 191 43] _23 <- Borrow.borrow_mut ( * self); [#"../list_reversal_lasso.rs" 191 39 191 43] self <- { self with current = ( ^ _23) ; }; - [#"../list_reversal_lasso.rs" 191 43 191 46] _22 <- ([#"../list_reversal_lasso.rs" 191 43 191 46] index_mut0 _23 ([#"../list_reversal_lasso.rs" 191 44 191 45] l)); + [#"../list_reversal_lasso.rs" 191 43 191 46] _22 <- ([#"../list_reversal_lasso.rs" 191 43 191 46] index_mut0 _23 l); _23 <- any borrowed (ListReversalLasso_Memory_Type.t_memory); goto BB5 } @@ -1186,7 +1228,7 @@ module ListReversalLasso_Impl4_ListReversalLasso [#"../list_reversal_lasso.rs" 191 66 191 72] r <- ^ _27; [#"../list_reversal_lasso.rs" 191 66 191 72] _26 <- Borrow.borrow_final ( * _27) (Borrow.get_id _27); [#"../list_reversal_lasso.rs" 191 66 191 72] _27 <- { _27 with current = ( ^ _26) ; }; - [#"../list_reversal_lasso.rs" 191 48 191 76] _25 <- ([#"../list_reversal_lasso.rs" 191 48 191 76] replace0 _26 ([#"../list_reversal_lasso.rs" 191 74 191 75] l)); + [#"../list_reversal_lasso.rs" 191 48 191 76] _25 <- ([#"../list_reversal_lasso.rs" 191 48 191 76] replace0 _26 l); _26 <- any borrowed usize; goto BB6 } 
@@ -1200,19 +1242,19 @@ module ListReversalLasso_Impl4_ListReversalLasso BB7 { assume { resolve1 _22 }; assume { resolve1 _21 }; - [#"../list_reversal_lasso.rs" 191 12 191 77] l <- ([#"../list_reversal_lasso.rs" 191 12 191 77] _19); - [#"../list_reversal_lasso.rs" 191 12 191 77] _19 <- any usize; - [#"../list_reversal_lasso.rs" 192 16 192 30] _29 <- ([#"../list_reversal_lasso.rs" 192 16 192 30] Ghost.new (Ghost.inner n + 1)); + [#"../list_reversal_lasso.rs" 191 12 191 77] l <- _19; + _19 <- any usize; + [#"../list_reversal_lasso.rs" 192 16 192 36] _29 <- ([#"../list_reversal_lasso.rs" 192 16 192 36] Snapshot.new (Snapshot.inner n + 1)); goto BB8 } BB8 { - [#"../list_reversal_lasso.rs" 192 12 192 30] n <- ([#"../list_reversal_lasso.rs" 192 12 192 30] _29); - [#"../list_reversal_lasso.rs" 192 12 192 30] _29 <- any Ghost.ghost_ty int; + [#"../list_reversal_lasso.rs" 192 12 192 36] n <- _29; + _29 <- any Snapshot.snap_ty int; goto BB2 } BB9 { assume { resolve0 self }; - [#"../list_reversal_lasso.rs" 194 15 194 16] _0 <- ([#"../list_reversal_lasso.rs" 194 15 194 16] r); + [#"../list_reversal_lasso.rs" 194 15 194 16] _0 <- r; return _0 } 
@@ -1232,28 +1274,46 @@ module ListReversalLasso_Impl4_FindPtrInSeq_Impl use Core_Option_Option_Type as Core_Option_Option_Type use seq.Seq use prelude.Int - let rec ghost function find_ptr_in_seq [#"../list_reversal_lasso.rs" 204 4 204 66] (s : Seq.seq usize) (i : int) (p : int) : Core_Option_Option_Type.t_option int - requires {[#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s} - ensures { [#"../list_reversal_lasso.rs" 199 14 202 5] match result with - | Core_Option_Option_Type.C_None -> forall j : int . i <= j /\ j < Seq.length s -> UIntSize.to_int (Seq.get s j) <> p + constant s : Seq.seq usize + constant i : int + constant p : int + function find_ptr_in_seq [#"../list_reversal_lasso.rs" 204 4 204 66] (s : Seq.seq usize) (i : int) (p : int) : Core_Option_Option_Type.t_option int + + goal vc_find_ptr_in_seq : ([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s) + -> match i = Seq.length s with + | True -> [#"../list_reversal_lasso.rs" 199 14 202 5] match Core_Option_Option_Type.C_None with + | Core_Option_Option_Type.C_None -> forall j : int . i <= j /\ j < Seq.length s + -> UIntSize.to_int (Seq.get s j) <> p | Core_Option_Option_Type.C_Some j -> i <= j /\ j < Seq.length s /\ UIntSize.to_int (Seq.get s j) = p - end } - variant {[#"../list_reversal_lasso.rs" 203 14 203 25] Seq.length s - i} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../list_reversal_lasso.rs" 205 8 209 9] if pure {i = Seq.length s} then - Core_Option_Option_Type.C_None - else - if pure {UIntSize.to_int (Seq.get s i) = p} then Core_Option_Option_Type.C_Some i else find_ptr_in_seq s (i + 1) p - + end + | False -> match UIntSize.to_int (Seq.get s i) = p with + | True -> [#"../list_reversal_lasso.rs" 199 14 202 5] match Core_Option_Option_Type.C_Some i with + | Core_Option_Option_Type.C_None -> forall j : int . 
i <= j /\ j < Seq.length s + -> UIntSize.to_int (Seq.get s j) <> p + | Core_Option_Option_Type.C_Some j -> i <= j /\ j < Seq.length s /\ UIntSize.to_int (Seq.get s j) = p + end + | False -> (([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i + 1 /\ i + 1 <= Seq.length s) /\ 0 <= ([#"../list_reversal_lasso.rs" 203 14 203 25] Seq.length s - i) /\ ([#"../list_reversal_lasso.rs" 203 14 203 25] Seq.length s - (i + 1)) < ([#"../list_reversal_lasso.rs" 203 14 203 25] Seq.length s - i)) /\ (([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq s (i + 1) p with + | Core_Option_Option_Type.C_None -> forall j : int . i + 1 <= j /\ j < Seq.length s + -> UIntSize.to_int (Seq.get s j) <> p + | Core_Option_Option_Type.C_Some j -> i + 1 <= j /\ j < Seq.length s /\ UIntSize.to_int (Seq.get s j) = p + end) + -> ([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq s (i + 1) p with + | Core_Option_Option_Type.C_None -> forall j : int . i <= j /\ j < Seq.length s + -> UIntSize.to_int (Seq.get s j) <> p + | Core_Option_Option_Type.C_Some j -> i <= j /\ j < Seq.length s /\ UIntSize.to_int (Seq.get s j) = p + end)) + end + end end module ListReversalLasso_Impl4_Pigeon_Impl + use seq.Seq + use seq_ext.SeqExt use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type use prelude.UIntSize use seq.Seq use prelude.UIntSize use seq.Seq - use Core_Option_Option_Type as Core_Option_Option_Type use seq.Seq use prelude.Int function find_ptr_in_seq0 [#"../list_reversal_lasso.rs" 204 4 204 66] (s : Seq.seq usize) (i : int) (p : int) : Core_Option_Option_Type.t_option int 
@@ -1267,32 +1327,46 @@ module ListReversalLasso_Impl4_Pigeon_Impl requires {[#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s} ensures { result = find_ptr_in_seq0 s i p } - axiom find_ptr_in_seq0_spec : forall s : Seq.seq usize, i : int, p : int . ([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s) -> ([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq0 s i p with - | Core_Option_Option_Type.C_None -> forall j : int . i <= j /\ j < Seq.length s -> UIntSize.to_int (Seq.get s j) <> p + axiom find_ptr_in_seq0_spec : forall s : Seq.seq usize, i : int, p : int . ([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s) + -> ([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq0 s i p with + | Core_Option_Option_Type.C_None -> forall j : int . i <= j /\ j < Seq.length s + -> UIntSize.to_int (Seq.get s j) <> p | Core_Option_Option_Type.C_Some j -> i <= j /\ j < Seq.length s /\ UIntSize.to_int (Seq.get s j) = p end) - use seq.Seq - use seq_ext.SeqExt - let rec ghost function pigeon [#"../list_reversal_lasso.rs" 219 4 219 42] (s : Seq.seq usize) (n : int) : bool - requires {[#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n} - requires {[#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (Seq.get s i) < n} - requires {[#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 
0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j -> Seq.get s i <> Seq.get s j} - ensures { [#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n } - ensures { [#"../list_reversal_lasso.rs" 217 14 217 20] result } - variant {[#"../list_reversal_lasso.rs" 218 14 218 15] n} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../list_reversal_lasso.rs" 220 8 232 9] if pure {n = 0} then - true - else - match find_ptr_in_seq0 s 0 (n - 1) with - | Core_Option_Option_Type.C_None -> pigeon s (n - 1) - | Core_Option_Option_Type.C_Some i -> match find_ptr_in_seq0 s (i + 1) (n - 1) with - | Core_Option_Option_Type.C_None -> pigeon (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) (n - 1) - | Core_Option_Option_Type.C_Some _ -> true - end - end - + constant s : Seq.seq usize + constant n : int + function pigeon [#"../list_reversal_lasso.rs" 219 4 219 42] (s : Seq.seq usize) (n : int) : bool + goal vc_pigeon : ([#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j + -> Seq.get s i <> Seq.get s j) + -> ([#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (Seq.get s i) < n) + -> ([#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n) + -> match n = 0 with + | True -> ([#"../list_reversal_lasso.rs" 217 14 217 20] true) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n) + | False -> ([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= 0 /\ 0 <= Seq.length s) /\ (([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq0 s 0 (n - 1) with + | Core_Option_Option_Type.C_None -> forall j : int . 
0 <= j /\ j < Seq.length s + -> UIntSize.to_int (Seq.get s j) <> n - 1 + | Core_Option_Option_Type.C_Some j -> 0 <= j /\ j < Seq.length s /\ UIntSize.to_int (Seq.get s j) = n - 1 + end) + -> match find_ptr_in_seq0 s 0 (n - 1) with + | Core_Option_Option_Type.C_None -> ((([#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j + -> Seq.get s i <> Seq.get s j) && ([#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (Seq.get s i) < n - 1) && ([#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n - 1)) /\ 0 <= ([#"../list_reversal_lasso.rs" 218 14 218 15] n) /\ ([#"../list_reversal_lasso.rs" 218 14 218 15] n - 1) < ([#"../list_reversal_lasso.rs" 218 14 218 15] n)) /\ (([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon s (n - 1)) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n - 1) + -> ([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon s (n - 1)) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n)) + | Core_Option_Option_Type.C_Some i -> ([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i + 1 /\ i + 1 <= Seq.length s) /\ (([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq0 s (i + 1) (n - 1) with + | Core_Option_Option_Type.C_None -> forall j : int . i + 1 <= j /\ j < Seq.length s + -> UIntSize.to_int (Seq.get s j) <> n - 1 + | Core_Option_Option_Type.C_Some j -> i + 1 <= j /\ j < Seq.length s /\ UIntSize.to_int (Seq.get s j) = n - 1 + end) + -> match find_ptr_in_seq0 s (i + 1) (n - 1) with + | Core_Option_Option_Type.C_None -> ((([#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i' : int . 
0 <= i' /\ i' < Seq.length (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) /\ 0 <= j /\ j < Seq.length (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) /\ i' <> j + -> Seq.get (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) i' <> Seq.get (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) j) && ([#"../list_reversal_lasso.rs" 214 4 214 67] forall i' : int . 0 <= i' /\ i' < Seq.length (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) + -> UIntSize.to_int (Seq.get (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) i') < n - 1) && ([#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n - 1)) /\ 0 <= ([#"../list_reversal_lasso.rs" 218 14 218 15] n) /\ ([#"../list_reversal_lasso.rs" 218 14 218 15] n - 1) < ([#"../list_reversal_lasso.rs" 218 14 218 15] n)) /\ (([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) (n - 1)) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) <= n - 1) + -> ([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) (n - 1)) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n)) + | Core_Option_Option_Type.C_Some _ -> ([#"../list_reversal_lasso.rs" 217 14 217 20] true) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n) + end) + end) + end end module ListReversalLasso_Impl4_FindLassoAux_Impl use prelude.UIntSize 
@@ -1323,15 +1397,33 @@ module ListReversalLasso_Impl4_FindLassoAux_Impl requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = invariant0 self } axiom inv0 : forall x : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . 
inv0 x = true - use prelude.Int + use seq_ext.SeqExt + use seq.Seq use seq.Seq + function index_logic2 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (ix : usize) : usize + + = + [#"../../../../creusot-contracts/src/logic/ops.rs" 31 8 31 32] Seq.get (shallow_model0 self) (UIntSize.to_int ix) + val index_logic2 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (ix : usize) : usize + ensures { result = index_logic2 self ix } + + use ListReversalLasso_Memory_Type as ListReversalLasso_Memory_Type + function index_logic1 [#"../list_reversal_lasso.rs" 20 4 20 39] (self : ListReversalLasso_Memory_Type.t_memory) (i : usize) : usize + + = + [#"../list_reversal_lasso.rs" 21 8 21 31] index_logic2 (ListReversalLasso_Memory_Type.memory_0 self) i + val index_logic1 [#"../list_reversal_lasso.rs" 20 4 20 39] (self : ListReversalLasso_Memory_Type.t_memory) (i : usize) : usize + ensures { result = index_logic1 self i } + + use prelude.Int use Core_Option_Option_Type as Core_Option_Option_Type function find_ptr_in_seq0 [#"../list_reversal_lasso.rs" 204 4 204 66] (s : Seq.seq usize) (i : int) (p : int) : Core_Option_Option_Type.t_option int 
@@ -1344,27 +1436,12 @@ module ListReversalLasso_Impl4_FindLassoAux_Impl requires {[#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s} ensures { result = find_ptr_in_seq0 s i p } - axiom find_ptr_in_seq0_spec : forall s : Seq.seq usize, i : int, p : int . ([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s) -> ([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq0 s i p with - | Core_Option_Option_Type.C_None -> forall j : int . i <= j /\ j < Seq.length s -> UIntSize.to_int (Seq.get s j) <> p + axiom find_ptr_in_seq0_spec : forall s : Seq.seq usize, i : int, p : int . ([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s) + -> ([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq0 s i p with + | Core_Option_Option_Type.C_None -> forall j : int . i <= j /\ j < Seq.length s + -> UIntSize.to_int (Seq.get s j) <> p | Core_Option_Option_Type.C_Some j -> i <= j /\ j < Seq.length s /\ UIntSize.to_int (Seq.get s j) = p end) - use seq_ext.SeqExt - use seq.Seq - function index_logic2 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (ix : usize) : usize - - = - [#"../../../../creusot-contracts/src/logic/ops.rs" 31 8 31 32] Seq.get (shallow_model0 self) (UIntSize.to_int ix) - val index_logic2 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (ix : usize) : usize - ensures { result = index_logic2 self ix } - - use ListReversalLasso_Memory_Type as ListReversalLasso_Memory_Type - function index_logic0 [#"../list_reversal_lasso.rs" 20 4 20 39] (self : ListReversalLasso_Memory_Type.t_memory) (i : usize) : usize - - = - [#"../list_reversal_lasso.rs" 21 8 21 31] index_logic2 (ListReversalLasso_Memory_Type.memory_0 self) i - val index_logic0 [#"../list_reversal_lasso.rs" 20 4 20 39] (self : ListReversalLasso_Memory_Type.t_memory) (i : usize) : usize - ensures { result = index_logic0 self i } - use seq.Seq 
function pigeon0 [#"../list_reversal_lasso.rs" 219 4 219 42] (s : Seq.seq usize) (n : int) : bool axiom pigeon0_def : forall s : Seq.seq usize, n : int . pigeon0 s n = ([#"../list_reversal_lasso.rs" 220 8 232 9] if n = 0 then 
@@ -1380,11 +1457,18 @@ module ListReversalLasso_Impl4_FindLassoAux_Impl ) val pigeon0 [#"../list_reversal_lasso.rs" 219 4 219 42] (s : Seq.seq usize) (n : int) : bool requires {[#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n} - requires {[#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (Seq.get s i) < n} - requires {[#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j -> Seq.get s i <> Seq.get s j} + requires {[#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (Seq.get s i) < n} + requires {[#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j + -> Seq.get s i <> Seq.get s j} ensures { result = pigeon0 s n } - axiom pigeon0_spec : forall s : Seq.seq usize, n : int . ([#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n) -> ([#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (Seq.get s i) < n) -> ([#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j -> Seq.get s i <> Seq.get s j) -> ([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon0 s n) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n) + axiom pigeon0_spec : forall s : Seq.seq usize, n : int . ([#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n) + -> ([#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (Seq.get s i) < n) + -> ([#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 
0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j + -> Seq.get s i <> Seq.get s j) + -> ([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon0 s n) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n) predicate nonnull_ptr0 [#"../list_reversal_lasso.rs" 49 4 49 44] (self : ListReversalLasso_Memory_Type.t_memory) (i : usize) = @@ -1399,11 +1483,13 @@ module ListReversalLasso_Impl4_FindLassoAux_Impl last else Seq.get s l - ) /\ (forall i : int . l <= i /\ i < h -> nonnull_ptr0 self (Seq.get s i) /\ index_logic0 self (Seq.get s i) = (if i = h - 1 then + ) /\ (forall i : int . l <= i /\ i < h + -> nonnull_ptr0 self (Seq.get s i) /\ index_logic1 self (Seq.get s i) = (if i = h - 1 then last else Seq.get s (i + 1) - )) /\ (forall j : int . forall i : int . l <= i /\ i < h /\ l <= j /\ j < h /\ i <> j -> Seq.get s i <> Seq.get s j) + )) /\ (forall j : int . forall i : int . l <= i /\ i < h /\ l <= j /\ j < h /\ i <> j + -> Seq.get s i <> Seq.get s j) val list_seg0 [#"../list_reversal_lasso.rs" 81 4 81 81] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s : Seq.seq usize) (last : usize) (l : int) (h : int) : bool ensures { result = list_seg0 self first s last l h } 
@@ -1414,12 +1500,13 @@ module ListReversalLasso_Impl4_FindLassoAux_Impl Seq.get s1 (Seq.length s1 - 1) else Seq.get s2 0 - in Seq.length s1 > 0 /\ (forall j : int . forall i : int . 0 <= i /\ i < Seq.length s1 /\ 0 <= j /\ j < Seq.length s2 -> Seq.get s1 i <> Seq.get s2 j) /\ list_seg0 self first s1 mid 0 (Seq.length s1) /\ list_seg0 self mid s2 (Seq.get s1 (Seq.length s1 - 1)) 0 (Seq.length s2) + in Seq.length s1 > 0 /\ (forall j : int . forall i : int . 0 <= i /\ i < Seq.length s1 /\ 0 <= j /\ j < Seq.length s2 + -> Seq.get s1 i <> Seq.get s2 j) /\ list_seg0 self first s1 mid 0 (Seq.length s1) /\ list_seg0 self mid s2 (Seq.get s1 (Seq.length s1 - 1)) 0 (Seq.length s2) val lasso0 [#"../list_reversal_lasso.rs" 151 4 151 70] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s1 : Seq.seq usize) (s2 : Seq.seq usize) : bool ensures { result = lasso0 self first s1 s2 } let constant null0 [#"../list_reversal_lasso.rs" 13 0 13 15] : usize = [@vc:do_not_keep_trace] [@vc:sp] - [#"../list_reversal_lasso.rs" 13 0 13 15] [#"../list_reversal_lasso.rs" 13 0 13 15] (18446744073709551615 : usize) + [#"../list_reversal_lasso.rs" 13 0 13 15] (18446744073709551615 : usize) predicate list0 [#"../list_reversal_lasso.rs" 91 4 91 54] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s : Seq.seq usize) = 
@@ -1430,33 +1517,55 @@ module ListReversalLasso_Impl4_FindLassoAux_Impl predicate mem_is_well_formed0 [#"../list_reversal_lasso.rs" 55 4 55 43] (self : ListReversalLasso_Memory_Type.t_memory) = - [#"../list_reversal_lasso.rs" 56 8 58 9] forall i : usize . nonnull_ptr0 self i -> index_logic0 self i = null0 \/ nonnull_ptr0 self (index_logic0 self i) + [#"../list_reversal_lasso.rs" 56 8 58 9] forall i : usize . nonnull_ptr0 self i + -> index_logic1 self i = null0 \/ nonnull_ptr0 self (index_logic1 self i) val mem_is_well_formed0 [#"../list_reversal_lasso.rs" 55 4 55 43] (self : ListReversalLasso_Memory_Type.t_memory) : bool ensures { result = mem_is_well_formed0 self } - let rec ghost function find_lasso_aux [#"../list_reversal_lasso.rs" 244 4 244 95] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (last : usize) (s : Seq.seq usize) : (Seq.seq usize, Core_Option_Option_Type.t_option (Seq.seq usize)) - requires {[#"../list_reversal_lasso.rs" 236 15 236 40] mem_is_well_formed0 self} - requires {[#"../list_reversal_lasso.rs" 237 15 237 53] last = null0 \/ nonnull_ptr0 self last} - requires {[#"../list_reversal_lasso.rs" 238 15 238 56] list_seg0 self first s last 0 (Seq.length s)} - ensures { [#"../list_reversal_lasso.rs" 239 14 242 5] match result with + constant self : ListReversalLasso_Memory_Type.t_memory + constant first : usize + constant last : usize + constant s : Seq.seq usize + function find_lasso_aux [#"../list_reversal_lasso.rs" 244 4 244 95] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (last : usize) (s : Seq.seq usize) : (Seq.seq usize, Core_Option_Option_Type.t_option (Seq.seq usize)) + + goal vc_find_lasso_aux : ([#"../list_reversal_lasso.rs" 238 15 238 56] list_seg0 self first s last 0 (Seq.length s)) + -> ([#"../list_reversal_lasso.rs" 237 15 237 53] last = null0 \/ nonnull_ptr0 self last) + -> ([#"../list_reversal_lasso.rs" 236 15 236 40] mem_is_well_formed0 self) + -> match last = null0 with + | True -> 
[#"../list_reversal_lasso.rs" 239 14 242 5] match (s, Core_Option_Option_Type.C_None) with | (s, Core_Option_Option_Type.C_None) -> list0 self first s | (s1, Core_Option_Option_Type.C_Some s2) -> lasso0 self first s1 s2 - end } - variant {[#"../list_reversal_lasso.rs" 243 4 243 39] Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self)) - Seq.length s} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../list_reversal_lasso.rs" 245 8 259 9] if pure {last = null0} then - (s, Core_Option_Option_Type.C_None) - else - match find_ptr_in_seq0 s 0 (UIntSize.to_int last) with - | Core_Option_Option_Type.C_None -> if let b' = let a' = shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self) in Seq.length a' in pigeon0 s b' then - let c' = index_logic0 self last in find_lasso_aux self first c' (Seq.snoc s last) - else - (s, Core_Option_Option_Type.C_None) - - | Core_Option_Option_Type.C_Some i -> (SeqExt.subsequence s 0 (i + 1), Core_Option_Option_Type.C_Some (SeqExt.subsequence s (i + 1) (Seq.length s))) + end + | False -> ([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= 0 /\ 0 <= Seq.length s) /\ (([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq0 s 0 (UIntSize.to_int last) with + | Core_Option_Option_Type.C_None -> forall j : int . 
0 <= j /\ j < Seq.length s + -> UIntSize.to_int (Seq.get s j) <> UIntSize.to_int last + | Core_Option_Option_Type.C_Some j -> 0 <= j /\ j < Seq.length s /\ UIntSize.to_int (Seq.get s j) = UIntSize.to_int last + end) + -> match find_ptr_in_seq0 s 0 (UIntSize.to_int last) with + | Core_Option_Option_Type.C_None -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 (ListReversalLasso_Memory_Type.memory_0 self)) /\ (([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self))) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self)) <= UIntSize.to_int max0) + -> (([#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j + -> Seq.get s i <> Seq.get s j) && ([#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (Seq.get s i) < Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self))) && ([#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self)))) /\ (([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon0 s (Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self)))) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self))) + -> match pigeon0 s (Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self))) with + | True -> ((([#"../list_reversal_lasso.rs" 238 15 238 56] list_seg0 self first (Seq.snoc s last) (index_logic1 self last) 0 (Seq.length (Seq.snoc s last))) && ([#"../list_reversal_lasso.rs" 237 15 237 53] index_logic1 self last = null0 \/ nonnull_ptr0 self (index_logic1 self last)) && ([#"../list_reversal_lasso.rs" 236 15 236 40] mem_is_well_formed0 self)) /\ 0 <= 
([#"../list_reversal_lasso.rs" 243 4 243 39] Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self)) - Seq.length s) /\ ([#"../list_reversal_lasso.rs" 243 4 243 39] Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self)) - Seq.length (Seq.snoc s last)) < ([#"../list_reversal_lasso.rs" 243 4 243 39] Seq.length (shallow_model0 (ListReversalLasso_Memory_Type.memory_0 self)) - Seq.length s)) /\ (([#"../list_reversal_lasso.rs" 239 14 242 5] match find_lasso_aux self first (index_logic1 self last) (Seq.snoc s last) with + | (s, Core_Option_Option_Type.C_None) -> list0 self first s + | (s1, Core_Option_Option_Type.C_Some s2) -> lasso0 self first s1 s2 + end) + -> ([#"../list_reversal_lasso.rs" 239 14 242 5] match find_lasso_aux self first (index_logic1 self last) (Seq.snoc s last) with + | (s, Core_Option_Option_Type.C_None) -> list0 self first s + | (s1, Core_Option_Option_Type.C_Some s2) -> lasso0 self first s1 s2 + end)) + | False -> [#"../list_reversal_lasso.rs" 239 14 242 5] match (s, Core_Option_Option_Type.C_None) with + | (s, Core_Option_Option_Type.C_None) -> list0 self first s + | (s1, Core_Option_Option_Type.C_Some s2) -> lasso0 self first s1 s2 + end + end)) + | Core_Option_Option_Type.C_Some i -> [#"../list_reversal_lasso.rs" 239 14 242 5] match (SeqExt.subsequence s 0 (i + 1), Core_Option_Option_Type.C_Some (SeqExt.subsequence s (i + 1) (Seq.length s))) with + | (s, Core_Option_Option_Type.C_None) -> list0 self first s + | (s1, Core_Option_Option_Type.C_Some s2) -> lasso0 self first s1 s2 end - + end) + end end module ListReversalLasso_Impl4_FindLasso_Impl use prelude.UIntSize 
@@ -1487,32 +1596,14 @@ module ListReversalLasso_Impl4_FindLasso_Impl requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = invariant0 self } axiom inv0 : forall x : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . inv0 x = true - use prelude.Int - use seq.Seq - use Core_Option_Option_Type as Core_Option_Option_Type - function find_ptr_in_seq0 [#"../list_reversal_lasso.rs" 204 4 204 66] (s : Seq.seq usize) (i : int) (p : int) : Core_Option_Option_Type.t_option int - - axiom find_ptr_in_seq0_def : forall s : Seq.seq usize, i : int, p : int . 
find_ptr_in_seq0 s i p = ([#"../list_reversal_lasso.rs" 205 8 209 9] if i = Seq.length s then - Core_Option_Option_Type.C_None - else - if UIntSize.to_int (Seq.get s i) = p then Core_Option_Option_Type.C_Some i else find_ptr_in_seq0 s (i + 1) p - ) - val find_ptr_in_seq0 [#"../list_reversal_lasso.rs" 204 4 204 66] (s : Seq.seq usize) (i : int) (p : int) : Core_Option_Option_Type.t_option int - requires {[#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s} - ensures { result = find_ptr_in_seq0 s i p } - - axiom find_ptr_in_seq0_spec : forall s : Seq.seq usize, i : int, p : int . ([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s) -> ([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq0 s i p with - | Core_Option_Option_Type.C_None -> forall j : int . i <= j /\ j < Seq.length s -> UIntSize.to_int (Seq.get s j) <> p - | Core_Option_Option_Type.C_Some j -> i <= j /\ j < Seq.length s /\ UIntSize.to_int (Seq.get s j) = p - end) - use seq_ext.SeqExt use seq.Seq function index_logic2 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (ix : usize) : usize 
@@ -1529,26 +1620,6 @@ module ListReversalLasso_Impl4_FindLasso_Impl val index_logic0 [#"../list_reversal_lasso.rs" 20 4 20 39] (self : ListReversalLasso_Memory_Type.t_memory) (i : usize) : usize ensures { result = index_logic0 self i } - use seq.Seq - function pigeon0 [#"../list_reversal_lasso.rs" 219 4 219 42] (s : Seq.seq usize) (n : int) : bool - axiom pigeon0_def : forall s : Seq.seq usize, n : int . pigeon0 s n = ([#"../list_reversal_lasso.rs" 220 8 232 9] if n = 0 then - true - else - match find_ptr_in_seq0 s 0 (n - 1) with - | Core_Option_Option_Type.C_None -> pigeon0 s (n - 1) - | Core_Option_Option_Type.C_Some i -> match find_ptr_in_seq0 s (i + 1) (n - 1) with - | Core_Option_Option_Type.C_None -> pigeon0 (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) (n - 1) - | Core_Option_Option_Type.C_Some _ -> true - end - end - ) - val pigeon0 [#"../list_reversal_lasso.rs" 219 4 219 42] (s : Seq.seq usize) (n : int) : bool - requires {[#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n} - requires {[#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (Seq.get s i) < n} - requires {[#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j -> Seq.get s i <> Seq.get s j} - ensures { result = pigeon0 s n } - - axiom pigeon0_spec : forall s : Seq.seq usize, n : int . ([#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n) -> ([#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s -> UIntSize.to_int (Seq.get s i) < n) -> ([#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 
0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j -> Seq.get s i <> Seq.get s j) -> ([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon0 s n) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n) predicate nonnull_ptr0 [#"../list_reversal_lasso.rs" 49 4 49 44] (self : ListReversalLasso_Memory_Type.t_memory) (i : usize) = 
@@ -1563,14 +1634,64 @@ module ListReversalLasso_Impl4_FindLasso_Impl last else Seq.get s l - ) /\ (forall i : int . l <= i /\ i < h -> nonnull_ptr0 self (Seq.get s i) /\ index_logic0 self (Seq.get s i) = (if i = h - 1 then + ) /\ (forall i : int . l <= i /\ i < h + -> nonnull_ptr0 self (Seq.get s i) /\ index_logic0 self (Seq.get s i) = (if i = h - 1 then last else Seq.get s (i + 1) - )) /\ (forall j : int . forall i : int . l <= i /\ i < h /\ l <= j /\ j < h /\ i <> j -> Seq.get s i <> Seq.get s j) + )) /\ (forall j : int . forall i : int . l <= i /\ i < h /\ l <= j /\ j < h /\ i <> j + -> Seq.get s i <> Seq.get s j) val list_seg0 [#"../list_reversal_lasso.rs" 81 4 81 81] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s : Seq.seq usize) (last : usize) (l : int) (h : int) : bool ensures { result = list_seg0 self first s last l h } + use prelude.Int + use Core_Option_Option_Type as Core_Option_Option_Type + function find_ptr_in_seq0 [#"../list_reversal_lasso.rs" 204 4 204 66] (s : Seq.seq usize) (i : int) (p : int) : Core_Option_Option_Type.t_option int + + axiom find_ptr_in_seq0_def : forall s : Seq.seq usize, i : int, p : int . find_ptr_in_seq0 s i p = ([#"../list_reversal_lasso.rs" 205 8 209 9] if i = Seq.length s then + Core_Option_Option_Type.C_None + else + if UIntSize.to_int (Seq.get s i) = p then Core_Option_Option_Type.C_Some i else find_ptr_in_seq0 s (i + 1) p + ) + val find_ptr_in_seq0 [#"../list_reversal_lasso.rs" 204 4 204 66] (s : Seq.seq usize) (i : int) (p : int) : Core_Option_Option_Type.t_option int + requires {[#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s} + ensures { result = find_ptr_in_seq0 s i p } + + axiom find_ptr_in_seq0_spec : forall s : Seq.seq usize, i : int, p : int . ([#"../list_reversal_lasso.rs" 198 15 198 37] 0 <= i /\ i <= Seq.length s) + -> ([#"../list_reversal_lasso.rs" 199 14 202 5] match find_ptr_in_seq0 s i p with + | Core_Option_Option_Type.C_None -> forall j : int . 
i <= j /\ j < Seq.length s + -> UIntSize.to_int (Seq.get s j) <> p + | Core_Option_Option_Type.C_Some j -> i <= j /\ j < Seq.length s /\ UIntSize.to_int (Seq.get s j) = p + end) + use seq_ext.SeqExt + use seq.Seq + use seq.Seq + function pigeon0 [#"../list_reversal_lasso.rs" 219 4 219 42] (s : Seq.seq usize) (n : int) : bool + axiom pigeon0_def : forall s : Seq.seq usize, n : int . pigeon0 s n = ([#"../list_reversal_lasso.rs" 220 8 232 9] if n = 0 then + true + else + match find_ptr_in_seq0 s 0 (n - 1) with + | Core_Option_Option_Type.C_None -> pigeon0 s (n - 1) + | Core_Option_Option_Type.C_Some i -> match find_ptr_in_seq0 s (i + 1) (n - 1) with + | Core_Option_Option_Type.C_None -> pigeon0 (Seq.(++) (SeqExt.subsequence s 0 i) (SeqExt.subsequence s (i + 1) (Seq.length s))) (n - 1) + | Core_Option_Option_Type.C_Some _ -> true + end + end + ) + val pigeon0 [#"../list_reversal_lasso.rs" 219 4 219 42] (s : Seq.seq usize) (n : int) : bool + requires {[#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n} + requires {[#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (Seq.get s i) < n} + requires {[#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j + -> Seq.get s i <> Seq.get s j} + ensures { result = pigeon0 s n } + + axiom pigeon0_spec : forall s : Seq.seq usize, n : int . ([#"../list_reversal_lasso.rs" 213 15 213 21] 0 <= n) + -> ([#"../list_reversal_lasso.rs" 214 4 214 67] forall i : int . 0 <= i /\ i < Seq.length s + -> UIntSize.to_int (Seq.get s i) < n) + -> ([#"../list_reversal_lasso.rs" 215 4 215 113] forall j : int . forall i : int . 
0 <= i /\ i < Seq.length s /\ 0 <= j /\ j < Seq.length s /\ i <> j + -> Seq.get s i <> Seq.get s j) + -> ([#"../list_reversal_lasso.rs" 217 14 217 20] pigeon0 s n) && ([#"../list_reversal_lasso.rs" 216 14 216 26] Seq.length s <= n) predicate lasso0 [#"../list_reversal_lasso.rs" 151 4 151 70] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s1 : Seq.seq usize) (s2 : Seq.seq usize) = @@ -1578,12 +1699,13 @@ module ListReversalLasso_Impl4_FindLasso_Impl Seq.get s1 (Seq.length s1 - 1) else Seq.get s2 0 - in Seq.length s1 > 0 /\ (forall j : int . forall i : int . 0 <= i /\ i < Seq.length s1 /\ 0 <= j /\ j < Seq.length s2 -> Seq.get s1 i <> Seq.get s2 j) /\ list_seg0 self first s1 mid 0 (Seq.length s1) /\ list_seg0 self mid s2 (Seq.get s1 (Seq.length s1 - 1)) 0 (Seq.length s2) + in Seq.length s1 > 0 /\ (forall j : int . forall i : int . 0 <= i /\ i < Seq.length s1 /\ 0 <= j /\ j < Seq.length s2 + -> Seq.get s1 i <> Seq.get s2 j) /\ list_seg0 self first s1 mid 0 (Seq.length s1) /\ list_seg0 self mid s2 (Seq.get s1 (Seq.length s1 - 1)) 0 (Seq.length s2) val lasso0 [#"../list_reversal_lasso.rs" 151 4 151 70] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s1 : Seq.seq usize) (s2 : Seq.seq usize) : bool ensures { result = lasso0 self first s1 s2 } let constant null0 [#"../list_reversal_lasso.rs" 13 0 13 15] : usize = [@vc:do_not_keep_trace] [@vc:sp] - [#"../list_reversal_lasso.rs" 13 0 13 15] [#"../list_reversal_lasso.rs" 13 0 13 15] (18446744073709551615 : usize) + [#"../list_reversal_lasso.rs" 13 0 13 15] (18446744073709551615 : usize) predicate list0 [#"../list_reversal_lasso.rs" 91 4 91 54] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) (s : Seq.seq usize) = 
@@ -1594,7 +1716,8 @@ module ListReversalLasso_Impl4_FindLasso_Impl predicate mem_is_well_formed0 [#"../list_reversal_lasso.rs" 55 4 55 43] (self : ListReversalLasso_Memory_Type.t_memory) = - [#"../list_reversal_lasso.rs" 56 8 58 9] forall i : usize . nonnull_ptr0 self i -> index_logic0 self i = null0 \/ nonnull_ptr0 self (index_logic0 self i) + [#"../list_reversal_lasso.rs" 56 8 58 9] forall i : usize . nonnull_ptr0 self i + -> index_logic0 self i = null0 \/ nonnull_ptr0 self (index_logic0 self i) val mem_is_well_formed0 [#"../list_reversal_lasso.rs" 55 4 55 43] (self : ListReversalLasso_Memory_Type.t_memory) : bool ensures { result = mem_is_well_formed0 self } 
@@ -1618,21 +1741,28 @@ module ListReversalLasso_Impl4_FindLasso_Impl requires {[#"../list_reversal_lasso.rs" 238 15 238 56] list_seg0 self first s last 0 (Seq.length s)} ensures { result = find_lasso_aux0 self first last s } - axiom find_lasso_aux0_spec : forall self : ListReversalLasso_Memory_Type.t_memory, first : usize, last : usize, s : Seq.seq usize . ([#"../list_reversal_lasso.rs" 236 15 236 40] mem_is_well_formed0 self) -> ([#"../list_reversal_lasso.rs" 237 15 237 53] last = null0 \/ nonnull_ptr0 self last) -> ([#"../list_reversal_lasso.rs" 238 15 238 56] list_seg0 self first s last 0 (Seq.length s)) -> ([#"../list_reversal_lasso.rs" 239 14 242 5] match find_lasso_aux0 self first last s with + axiom find_lasso_aux0_spec : forall self : ListReversalLasso_Memory_Type.t_memory, first : usize, last : usize, s : Seq.seq usize . ([#"../list_reversal_lasso.rs" 236 15 236 40] mem_is_well_formed0 self) + -> ([#"../list_reversal_lasso.rs" 237 15 237 53] last = null0 \/ nonnull_ptr0 self last) + -> ([#"../list_reversal_lasso.rs" 238 15 238 56] list_seg0 self first s last 0 (Seq.length s)) + -> ([#"../list_reversal_lasso.rs" 239 14 242 5] match find_lasso_aux0 self first last s with | (s, Core_Option_Option_Type.C_None) -> list0 self first s | (s1, Core_Option_Option_Type.C_Some s2) -> lasso0 self first s1 s2 end) use seq.Seq - let rec ghost function find_lasso [#"../list_reversal_lasso.rs" 270 4 270 71] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) : (Seq.seq usize, Core_Option_Option_Type.t_option (Seq.seq usize)) - requires {[#"../list_reversal_lasso.rs" 264 15 264 40] mem_is_well_formed0 self} - requires {[#"../list_reversal_lasso.rs" 265 15 265 55] first = null0 \/ nonnull_ptr0 self first} - ensures { [#"../list_reversal_lasso.rs" 266 14 269 5] match result with - | (s, Core_Option_Option_Type.C_None) -> list0 self first s - | (s1, Core_Option_Option_Type.C_Some s2) -> lasso0 self first s1 s2 - end } + constant self : 
ListReversalLasso_Memory_Type.t_memory + constant first : usize + function find_lasso [#"../list_reversal_lasso.rs" 270 4 270 71] (self : ListReversalLasso_Memory_Type.t_memory) (first : usize) : (Seq.seq usize, Core_Option_Option_Type.t_option (Seq.seq usize)) - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../list_reversal_lasso.rs" 272 13 272 65] find_lasso_aux0 self first first (Seq.empty ) + goal vc_find_lasso : ([#"../list_reversal_lasso.rs" 265 15 265 55] first = null0 \/ nonnull_ptr0 self first) + -> ([#"../list_reversal_lasso.rs" 264 15 264 40] mem_is_well_formed0 self) + -> (([#"../list_reversal_lasso.rs" 238 15 238 56] list_seg0 self first (Seq.empty : Seq.seq usize) first 0 (Seq.length (Seq.empty : Seq.seq usize))) && ([#"../list_reversal_lasso.rs" 237 15 237 53] first = null0 \/ nonnull_ptr0 self first) && ([#"../list_reversal_lasso.rs" 236 15 236 40] mem_is_well_formed0 self)) /\ (([#"../list_reversal_lasso.rs" 239 14 242 5] match find_lasso_aux0 self first first (Seq.empty : Seq.seq usize) with + | (s, Core_Option_Option_Type.C_None) -> list0 self first s + | (s1, Core_Option_Option_Type.C_Some s2) -> lasso0 self first s1 s2 + end) + -> ([#"../list_reversal_lasso.rs" 266 14 269 5] match find_lasso_aux0 self first first (Seq.empty : Seq.seq usize) with + | (s, Core_Option_Option_Type.C_None) -> list0 self first s + | (s1, Core_Option_Option_Type.C_Some s2) -> lasso0 self first s1 s2 + end)) end module ListReversalLasso_Impl0 diff --git a/creusot/tests/should_succeed/list_reversal_lasso.rs b/creusot/tests/should_succeed/list_reversal_lasso.rs index 023e3d7dbc..c293c69ee0 100644 --- a/creusot/tests/should_succeed/list_reversal_lasso.rs +++ b/creusot/tests/should_succeed/list_reversal_lasso.rs @@ -16,7 +16,7 @@ impl IndexLogic for Memory { type Item = Ptr; #[open(self)] - #[ghost] + #[logic] fn index_logic(self, i: Ptr) -> Ptr { pearlite! { self.0[i] } } 
@@ -96,9 +96,9 @@ impl Memory { #[requires(self.list(l, *s))] #[ensures((^self).list(result, s.reverse()))] - pub fn list_reversal_list(&mut self, mut l: Ptr, s: Ghost>) -> Ptr { + pub fn list_reversal_list(&mut self, mut l: Ptr, s: Snapshot>) -> Ptr { let mut r = NULL; - let mut n = gh! { 0 }; + let mut n = snapshot! { 0 }; #[invariant(0 <= *n && *n <= s.len())] #[invariant(self.list_seg(l, *s, NULL, *n, s.len()))] @@ -106,7 +106,7 @@ impl Memory { // #[variant(s.len() - *n)] while l != NULL { l = std::mem::replace(&mut self[l], std::mem::replace(&mut r, l)); - n = gh! { *n + 1 } + n = snapshot! { *n + 1 } } return r; } @@ -122,9 +122,9 @@ impl Memory { #[requires(s.len() > 0)] #[requires(self.loop_(l, *s))] #[ensures((^self).loop_(result, Seq::singleton(s[0]).concat(s.subsequence(1, s.len()).reverse())))] - pub fn list_reversal_loop(&mut self, mut l: Ptr, s: Ghost>) -> Ptr { + pub fn list_reversal_loop(&mut self, mut l: Ptr, s: Snapshot>) -> Ptr { let mut r = NULL; - let mut n = gh! { 0 }; + let mut n = snapshot! { 0 }; #[invariant(0 <= *n && *n <= s.len() + 1)] #[invariant(*n == s.len() + 1 ==> @@ -137,7 +137,7 @@ impl Memory { while l != NULL { proof_assert! { *n == s.len() ==> l == s.reverse()[s.len() - 1] } l = std::mem::replace(&mut self[l], std::mem::replace(&mut r, l)); - n = gh! { *n + 1 } + n = snapshot! { *n + 1 } } proof_assert! { forall 0 <= i && i < s.len() ==> @@ -163,11 +163,11 @@ impl Memory { pub fn list_reversal_lasso( &mut self, mut l: Ptr, - s1: Ghost>, - s2: Ghost>, + s1: Snapshot>, + s2: Snapshot>, ) -> Ptr { let mut r = NULL; - let mut n = gh! { 0 }; + let mut n = snapshot! { 0 }; #[invariant(0 <= *n && *n <= 2*s1.len() + s2.len())] #[invariant({ 
@@ -189,12 +189,12 @@ impl Memory { // #[variant(2*s1.len() + s2.len() - *n)] while l != NULL { l = std::mem::replace(&mut self[l], std::mem::replace(&mut r, l)); - n = gh! { *n + 1 } + n = snapshot! { *n + 1 } } return r; } - #[ghost] + #[logic] #[requires(0 <= i && i <= s.len())] #[ensures(match result { None => forall i <= j && j < s.len() ==> s[j]@ != p, @@ -209,7 +209,7 @@ impl Memory { } } - #[ghost] + #[logic] #[requires(0 <= n)] #[requires(forall 0 <= i && i < s.len() ==> s[i]@ < n)] #[requires(forall 0 <= i && i < s.len() && 0 <= j && j < s.len() && i != j ==> s[i] != s[j])] @@ -232,7 +232,7 @@ impl Memory { } } - #[ghost] + #[logic] #[requires(self.mem_is_well_formed())] #[requires(last == NULL || self.nonnull_ptr(last))] #[requires(self.list_seg(first, s, last, 0, s.len()))] @@ -259,7 +259,7 @@ impl Memory { } } - #[ghost] + #[logic] #[open(self)] #[requires(self.mem_is_well_formed())] #[requires(first == NULL || self.nonnull_ptr(first))] diff --git a/creusot/tests/should_succeed/list_reversal_lasso/why3session.xml b/creusot/tests/should_succeed/list_reversal_lasso/why3session.xml index 0d10576edc..64db59eac9 100644 --- a/creusot/tests/should_succeed/list_reversal_lasso/why3session.xml +++ b/creusot/tests/should_succeed/list_reversal_lasso/why3session.xml @@ -10,42 +10,42 @@ - + - + - + - + - + - + - + - + - + - + @@ -54,7 +54,7 @@ - + @@ -63,13 +63,13 @@ - + - + - + @@ -81,7 +81,7 @@ - + @@ -90,19 +90,19 @@ - + - + - + - + - + @@ -115,7 +115,7 @@ - + @@ -124,10 +124,10 @@ - + - + @@ -140,7 +140,7 @@ - + @@ -149,7 +149,7 @@ - + @@ -164,36 +164,36 @@ - + - + - + - + - + - + - + - + - + - + @@ -203,16 +203,16 @@ - + - + - + @@ -221,10 +221,10 @@ - + - + @@ -233,34 +233,34 @@ - + - + - + - + - + - + - + - + @@ -271,31 +271,31 @@ - + - + - + - + - + @@ -304,22 +304,22 @@ - + - + - + - + - + @@ -335,10 +335,10 @@ - + - + @@ -347,38 +347,38 @@ - + - + - + - + - + - + - + - + - + - + @@ -391,13 +391,13 @@ - + - + - + @@ -411,24 +411,24 @@ - + - + - + - + 
@@ -439,13 +439,13 @@ - + - + - + @@ -463,7 +463,7 @@ - + @@ -475,7 +475,7 @@ - + @@ -484,10 +484,10 @@ - + - + @@ -498,7 +498,7 @@ - + @@ -510,7 +510,7 @@ - + @@ -523,14 +523,14 @@ - + - + @@ -541,16 +541,16 @@ - + - + - + - + @@ -562,59 +562,91 @@ - - + + - - + + - + - - + + - - + + - + + + + - - + + - - + + - - + + - - + + + + + + + + + + + + + + + + + + + + + + + + + - - + + - + + + + + + + - + - + - - + + - - + + - - + + - - + + @@ -622,15 +654,18 @@ - - + + + + + - - + + diff --git a/creusot/tests/should_succeed/list_reversal_lasso/why3shapes.gz b/creusot/tests/should_succeed/list_reversal_lasso/why3shapes.gz index 4a7b1a8df3..1797cf0409 100644 Binary files a/creusot/tests/should_succeed/list_reversal_lasso/why3shapes.gz and b/creusot/tests/should_succeed/list_reversal_lasso/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/loop.mlcfg b/creusot/tests/should_succeed/loop.mlcfg index 2c3f2745bd..4881bd187a 100644 --- a/creusot/tests/should_succeed/loop.mlcfg +++ b/creusot/tests/should_succeed/loop.mlcfg @@ -17,10 +17,10 @@ module Loop_F goto BB0 } BB0 { - [#"../loop.rs" 4 16 4 18] a <- ([#"../loop.rs" 4 16 4 18] [#"../loop.rs" 4 16 4 18] (10 : int32)); + [#"../loop.rs" 4 16 4 18] a <- ([#"../loop.rs" 4 16 4 18] (10 : int32)); [#"../loop.rs" 5 12 5 18] b <- Borrow.borrow_mut a; [#"../loop.rs" 5 12 5 18] a <- ^ b; - [#"../loop.rs" 6 4 6 10] b <- { b with current = ([#"../loop.rs" 6 4 6 10] [#"../loop.rs" 6 9 6 10] (5 : int32)) ; }; + [#"../loop.rs" 6 4 6 10] b <- { b with current = ([#"../loop.rs" 6 9 6 10] (5 : int32)) ; }; assume { resolve0 b }; goto BB1 } @@ -28,7 +28,7 @@ module Loop_F goto BB2 } BB2 { - switch ([#"../loop.rs" 8 11 8 15] [#"../loop.rs" 8 11 8 15] true) + switch ([#"../loop.rs" 8 11 8 15] true) | False -> goto BB4 | True -> goto BB3 end diff --git a/creusot/tests/should_succeed/mapping_test.mlcfg b/creusot/tests/should_succeed/mapping_test.mlcfg index f3ea956b5c..823c1cfe77 100644 
--- a/creusot/tests/should_succeed/mapping_test.mlcfg +++ b/creusot/tests/should_succeed/mapping_test.mlcfg @@ -32,17 +32,17 @@ module MappingTest_Incr val shallow_model3 (self : borrowed (MappingTest_T_Type.t_t)) : Map.map int int ensures { result = shallow_model3 self } - use prelude.Ghost + use prelude.Snapshot use map.Map - use prelude.Ghost + use prelude.Snapshot function shallow_model4 (self : borrowed (MappingTest_T_Type.t_t)) : Map.map int int = [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model3 self val shallow_model4 (self : borrowed (MappingTest_T_Type.t_t)) : Map.map int int ensures { result = shallow_model4 self } - function shallow_model1 (self : Ghost.ghost_ty (borrowed (MappingTest_T_Type.t_t))) : Map.map int int = - [#"../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model4 (Ghost.inner self) - val shallow_model1 (self : Ghost.ghost_ty (borrowed (MappingTest_T_Type.t_t))) : Map.map int int + function shallow_model1 (self : Snapshot.snap_ty (borrowed (MappingTest_T_Type.t_t))) : Map.map int int = + [#"../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model4 (Snapshot.inner self) + val shallow_model1 (self : Snapshot.snap_ty (borrowed (MappingTest_T_Type.t_t))) : Map.map int int ensures { result = shallow_model1 self } predicate resolve0 (self : borrowed (MappingTest_T_Type.t_t)) = @@ -51,7 +51,7 @@ module MappingTest_Incr ensures { result = resolve0 self } use prelude.Int32 - use prelude.Ghost + use prelude.Snapshot let rec cfg incr [#"../mapping_test.rs" 30 0 30 18] [@cfg:stackify] [@cfg:subregion_analysis] (t : borrowed (MappingTest_T_Type.t_t)) : () requires {[#"../mapping_test.rs" 27 12 27 24] 0 <= Int32.to_int (MappingTest_T_Type.t_a ( * t))} requires {[#"../mapping_test.rs" 28 12 28 26] Int32.to_int (MappingTest_T_Type.t_a ( * t)) < 1000} 
@@ -60,18 +60,18 @@ module MappingTest_Incr = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var t : borrowed (MappingTest_T_Type.t_t) = t; - var old_t : Ghost.ghost_ty (borrowed (MappingTest_T_Type.t_t)); + var old_t : Snapshot.snap_ty (borrowed (MappingTest_T_Type.t_t)); { goto BB0 } BB0 { - [#"../mapping_test.rs" 31 16 31 25] old_t <- ([#"../mapping_test.rs" 31 16 31 25] Ghost.new t); + [#"../mapping_test.rs" 31 16 31 31] old_t <- ([#"../mapping_test.rs" 31 16 31 31] Snapshot.new t); goto BB1 } BB1 { - [#"../mapping_test.rs" 32 4 32 15] t <- { t with current = (let MappingTest_T_Type.C_T x0 = * t in MappingTest_T_Type.C_T ([#"../mapping_test.rs" 32 4 32 15] MappingTest_T_Type.t_a ( * t) + ([#"../mapping_test.rs" 32 14 32 15] [#"../mapping_test.rs" 32 14 32 15] (1 : int32)))) ; }; + [#"../mapping_test.rs" 32 4 32 15] t <- { t with current = (let MappingTest_T_Type.C_T x0 = * t in MappingTest_T_Type.C_T (MappingTest_T_Type.t_a ( * t) + ([#"../mapping_test.rs" 32 14 32 15] (1 : int32)))) ; }; assume { resolve0 t }; - assert { [@expl:assertion] [#"../mapping_test.rs" 35 19 35 50] shallow_model0 ( ^ t) = Map.set (shallow_model1 old_t) (Int32.to_int (MappingTest_T_Type.t_a ( * Ghost.inner old_t))) 1 }; + assert { [@expl:assertion] [#"../mapping_test.rs" 35 19 35 50] shallow_model0 ( ^ t) = Map.set (shallow_model1 old_t) (Int32.to_int (MappingTest_T_Type.t_a ( * Snapshot.inner old_t))) 1 }; [#"../mapping_test.rs" 30 19 36 1] _0 <- ([#"../mapping_test.rs" 30 19 36 1] ()); return _0 } 
@@ -122,7 +122,7 @@ module MappingTest_F goto BB0 } BB0 { - [#"../mapping_test.rs" 39 16 39 27] x <- ([#"../mapping_test.rs" 39 16 39 27] MappingTest_T_Type.C_T ([#"../mapping_test.rs" 39 23 39 25] [#"../mapping_test.rs" 39 23 39 25] (42 : int32))); + [#"../mapping_test.rs" 39 16 39 27] x <- MappingTest_T_Type.C_T ([#"../mapping_test.rs" 39 23 39 25] (42 : int32)); assert { [@expl:assertion] [#"../mapping_test.rs" 40 19 40 34] Map.get (shallow_model0 x) 13 = 1 }; assert { [@expl:assertion] [#"../mapping_test.rs" 41 19 41 34] Map.get (shallow_model0 x) 42 = 0 }; [#"../mapping_test.rs" 42 9 42 15] _8 <- Borrow.borrow_mut x; diff --git a/creusot/tests/should_succeed/mapping_test.rs b/creusot/tests/should_succeed/mapping_test.rs index 021c5084bf..a2481d3955 100644 --- a/creusot/tests/should_succeed/mapping_test.rs +++ b/creusot/tests/should_succeed/mapping_test.rs @@ -13,7 +13,7 @@ struct T { impl ShallowModel for T { type ShallowModelTy = Mapping; - #[ghost] + #[logic] #[open(self)] #[trusted] #[ensures( @@ -28,7 +28,7 @@ impl ShallowModel for T { #[requires( (*t).a@ < 1000 )] // to prevent overflow #[ensures( (^t)@ == t@.set((*t).a@,1) )] fn incr(t: &mut T) { - let old_t = gh! { t }; + let old_t = snapshot! { t }; (*t).a += 1; // proving the post-consition via extensional equality of mappings // (notice `==` versus `==`) diff --git a/creusot/tests/should_succeed/match_int.mlcfg b/creusot/tests/should_succeed/match_int.mlcfg index 7454523f38..ed99f9c1a2 100644 --- a/creusot/tests/should_succeed/match_int.mlcfg +++ b/creusot/tests/should_succeed/match_int.mlcfg 
@@ -6,48 +6,52 @@ module MatchInt_F = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var _1 : int32; + var _2 : bool; + var _3 : bool; { goto BB0 } BB0 { - [#"../match_int.rs" 8 10 8 11] _1 <- ([#"../match_int.rs" 8 10 8 11] [#"../match_int.rs" 8 10 8 11] (1 : int32)); - switch ([#"../match_int.rs" 9 8 9 13] ([#"../match_int.rs" 9 8 9 13] [#"../match_int.rs" 9 8 9 13] (0 : int32)) <= _1) - | False -> goto BB3 - | True -> goto BB1 + [#"../match_int.rs" 8 10 8 11] _1 <- ([#"../match_int.rs" 8 10 8 11] (1 : int32)); + [#"../match_int.rs" 9 8 9 13] _2 <- ([#"../match_int.rs" 9 8 9 13] (0 : int32)) <= _1; + switch (_2) + | False -> goto BB2 + | True -> goto BB6 end } BB1 { - switch ([#"../match_int.rs" 9 8 9 13] _1 < ([#"../match_int.rs" 9 8 9 13] [#"../match_int.rs" 9 8 9 13] (10 : int32))) - | False -> goto BB3 - | True -> goto BB2 - end - } - BB2 { goto BB7 } - BB3 { + BB2 { switch (_1 = 5) - | True -> goto BB4 + | True -> goto BB3 | False -> switch (_1 = 6) - | True -> goto BB5 + | True -> goto BB4 | False -> goto BB19 end end } - BB4 { + BB3 { goto BB10 } - BB5 { + BB4 { goto BB10 } - BB6 { - switch ([#"../match_int.rs" 16 20 16 25] [#"../match_int.rs" 16 20 16 25] false) + BB5 { + switch ([#"../match_int.rs" 16 20 16 25] false) | False -> goto BB13 | True -> goto BB14 end } + BB6 { + [#"../match_int.rs" 9 8 9 13] _3 <- _1 < ([#"../match_int.rs" 9 8 9 13] (10 : int32)); + switch (_3) + | False -> goto BB2 + | True -> goto BB1 + end + } BB7 { - switch ([#"../match_int.rs" 10 20 10 24] [#"../match_int.rs" 10 20 10 24] true) + switch ([#"../match_int.rs" 10 20 10 24] true) | False -> goto BB8 | True -> goto BB9 end @@ -61,7 +65,7 @@ module MatchInt_F goto BB15 } BB10 { - switch ([#"../match_int.rs" 13 20 13 25] [#"../match_int.rs" 13 20 13 25] false) + switch ([#"../match_int.rs" 13 20 13 25] false) | False -> goto BB11 | True -> goto BB12 end 
@@ -86,13 +90,13 @@ module MatchInt_F return _0 } BB17 { - goto BB4 + goto BB3 } BB18 { - goto BB5 + goto BB4 } BB19 { - goto BB6 + goto BB5 } end diff --git a/creusot/tests/should_succeed/match_int/why3session.xml b/creusot/tests/should_succeed/match_int/why3session.xml index 029b3bfa46..da3aef9e74 100644 --- a/creusot/tests/should_succeed/match_int/why3session.xml +++ b/creusot/tests/should_succeed/match_int/why3session.xml @@ -7,7 +7,7 @@ - + diff --git a/creusot/tests/should_succeed/match_int/why3shapes.gz b/creusot/tests/should_succeed/match_int/why3shapes.gz index 9bda644fe1..a6d77063db 100644 Binary files a/creusot/tests/should_succeed/match_int/why3shapes.gz and b/creusot/tests/should_succeed/match_int/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/mc91.mlcfg b/creusot/tests/should_succeed/mc91.mlcfg index d9c36fda93..13921832a6 100644 --- a/creusot/tests/should_succeed/mc91.mlcfg +++ b/creusot/tests/should_succeed/mc91.mlcfg 
@@ -3,27 +3,33 @@ module Mc91_Mc91 use prelude.UInt32 use prelude.Int let rec cfg mc91 [#"../mc91.rs" 7 0 7 26] [@cfg:stackify] [@cfg:subregion_analysis] (x : uint32) : uint32 - ensures { [#"../mc91.rs" 5 0 6 40] x <= (100 : uint32) -> result = (91 : uint32) /\ x > (100 : uint32) -> result = x - (10 : uint32) } + ensures { [#"../mc91.rs" 5 0 6 40] x <= (100 : uint32) + -> result = (91 : uint32) /\ x > (100 : uint32) -> result = x - (10 : uint32) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : uint32; var x : uint32 = x; + var _3 : bool; var _6 : uint32; + var _7 : uint32; { goto BB0 } BB0 { - switch ([#"../mc91.rs" 8 7 8 14] ([#"../mc91.rs" 8 7 8 8] x) > ([#"../mc91.rs" 8 11 8 14] [#"../mc91.rs" 8 11 8 14] (100 : uint32))) + [#"../mc91.rs" 8 7 8 14] _3 <- x > ([#"../mc91.rs" 8 11 8 14] (100 : uint32)); + switch (_3) | False -> goto BB2 | True -> goto BB1 end } BB1 { - [#"../mc91.rs" 9 8 9 14] _0 <- ([#"../mc91.rs" 9 8 9 14] ([#"../mc91.rs" 9 8 9 9] x) - ([#"../mc91.rs" 9 12 9 14] [#"../mc91.rs" 9 12 9 14] (10 : uint32))); + [#"../mc91.rs" 9 8 9 14] _0 <- x - ([#"../mc91.rs" 9 12 9 14] (10 : uint32)); goto BB5 } BB2 { - [#"../mc91.rs" 11 13 11 25] _6 <- ([#"../mc91.rs" 11 13 11 25] mc91 ([#"../mc91.rs" 11 18 11 24] ([#"../mc91.rs" 11 18 11 19] x) + ([#"../mc91.rs" 11 22 11 24] [#"../mc91.rs" 11 22 11 24] (11 : uint32)))); + [#"../mc91.rs" 11 18 11 24] _7 <- x + ([#"../mc91.rs" 11 22 11 24] (11 : uint32)); + [#"../mc91.rs" 11 13 11 25] _6 <- ([#"../mc91.rs" 11 13 11 25] mc91 _7); + _7 <- any uint32; goto BB3 } BB3 { diff --git a/creusot/tests/should_succeed/mc91/why3session.xml b/creusot/tests/should_succeed/mc91/why3session.xml index bfb5658fb7..55e9bbc6ef 100644 --- a/creusot/tests/should_succeed/mc91/why3session.xml +++ b/creusot/tests/should_succeed/mc91/why3session.xml @@ -7,7 +7,7 @@ - + 
diff --git a/creusot/tests/should_succeed/mc91/why3shapes.gz b/creusot/tests/should_succeed/mc91/why3shapes.gz index e949776719..6ebd1aec4c 100644 Binary files a/creusot/tests/should_succeed/mc91/why3shapes.gz and b/creusot/tests/should_succeed/mc91/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/mutex.mlcfg b/creusot/tests/should_succeed/mutex.mlcfg index e20af8f968..8fd93341bc 100644 --- a/creusot/tests/should_succeed/mutex.mlcfg +++ b/creusot/tests/should_succeed/mutex.mlcfg @@ -16,12 +16,12 @@ module Mutex_GuardInner_Type type t_guardinner 't end module Mutex_MutexGuard_Type - use prelude.Ghost + use prelude.Snapshot use Mutex_GuardInner_Type as Mutex_GuardInner_Type type t_mutexguard 't 'i = - | C_MutexGuard (Mutex_GuardInner_Type.t_guardinner 't) (Ghost.ghost_ty 'i) + | C_MutexGuard (Mutex_GuardInner_Type.t_guardinner 't) (Snapshot.snap_ty 'i) - let function mutexguard_1 (self : t_mutexguard 't 'i) : Ghost.ghost_ty 'i = [@vc:do_not_keep_trace] [@vc:sp] + let function mutexguard_1 (self : t_mutexguard 't 'i) : Snapshot.snap_ty 'i = [@vc:do_not_keep_trace] [@vc:sp] match self with | C_MutexGuard _ a -> a end 
@@ -118,20 +118,20 @@ module Mutex_Impl3_Call val inv3 [#"../mutex.rs" 66 4 66 33] (self : Mutex_Even_Type.t_even) (x : uint32) : bool ensures { result = inv3 self x } - use prelude.Ghost + use prelude.Snapshot val set0 [#"../mutex.rs" 56 4 56 27] (self : borrowed (Mutex_MutexGuard_Type.t_mutexguard uint32 (Mutex_Even_Type.t_even))) (v : uint32) : () - requires {[#"../mutex.rs" 55 4 55 30] inv3 (Ghost.inner (Mutex_MutexGuard_Type.mutexguard_1 ( * self))) v} + requires {[#"../mutex.rs" 55 4 55 30] inv3 (Snapshot.inner (Mutex_MutexGuard_Type.mutexguard_1 ( * self))) v} requires {[#"../mutex.rs" 56 16 56 20] inv5 self} requires {[#"../mutex.rs" 56 22 56 23] inv6 v} val deref0 [#"../mutex.rs" 50 4 50 25] (self : Mutex_MutexGuard_Type.t_mutexguard uint32 (Mutex_Even_Type.t_even)) : uint32 requires {[#"../mutex.rs" 50 14 50 18] inv2 self} - ensures { [#"../mutex.rs" 49 4 49 35] inv3 (Ghost.inner (Mutex_MutexGuard_Type.mutexguard_1 self)) result } + ensures { [#"../mutex.rs" 49 4 49 35] inv3 (Snapshot.inner (Mutex_MutexGuard_Type.mutexguard_1 self)) result } ensures { [#"../mutex.rs" 50 23 50 25] inv4 result } val lock0 [#"../mutex.rs" 37 4 37 46] (self : Mutex_Mutex_Type.t_mutex uint32 (Mutex_Even_Type.t_even)) : Mutex_MutexGuard_Type.t_mutexguard uint32 (Mutex_Even_Type.t_even) requires {[#"../mutex.rs" 37 17 37 21] inv0 self} - ensures { [#"../mutex.rs" 36 14 36 33] Mutex_Mutex_Type.mutex_1 self = Ghost.inner (Mutex_MutexGuard_Type.mutexguard_1 result) } + ensures { [#"../mutex.rs" 36 14 36 33] Mutex_Mutex_Type.mutex_1 self = Snapshot.inner (Mutex_MutexGuard_Type.mutexguard_1 result) } ensures { [#"../mutex.rs" 37 26 37 46] inv1 result } use Mutex_AddsTwo_Type as Mutex_AddsTwo_Type 
@@ -143,24 +143,27 @@ module Mutex_Impl3_Call var v : Mutex_MutexGuard_Type.t_mutexguard uint32 (Mutex_Even_Type.t_even); var val' : uint32; var _5 : uint32; + var _7 : bool; var _9 : (); var _10 : borrowed (Mutex_MutexGuard_Type.t_mutexguard uint32 (Mutex_Even_Type.t_even)); + var _11 : uint32; var _13 : (); var _14 : borrowed (Mutex_MutexGuard_Type.t_mutexguard uint32 (Mutex_Even_Type.t_even)); { goto BB0 } BB0 { - [#"../mutex.rs" 101 20 101 37] v <- ([#"../mutex.rs" 101 20 101 37] lock0 ([#"../mutex.rs" 101 20 101 30] Mutex_AddsTwo_Type.addstwo_mutex self)); + [#"../mutex.rs" 101 20 101 37] v <- ([#"../mutex.rs" 101 20 101 37] lock0 (Mutex_AddsTwo_Type.addstwo_mutex self)); goto BB1 } BB1 { - [#"../mutex.rs" 102 19 102 28] _5 <- ([#"../mutex.rs" 102 19 102 28] deref0 ([#"../mutex.rs" 102 19 102 20] v)); + [#"../mutex.rs" 102 19 102 28] _5 <- ([#"../mutex.rs" 102 19 102 28] deref0 v); goto BB2 } BB2 { - [#"../mutex.rs" 102 18 102 28] val' <- ([#"../mutex.rs" 102 18 102 28] _5); - switch ([#"../mutex.rs" 103 11 103 23] ([#"../mutex.rs" 103 11 103 14] val') < ([#"../mutex.rs" 103 17 103 23] [#"../mutex.rs" 103 17 103 23] (100000 : uint32))) + [#"../mutex.rs" 102 18 102 28] val' <- _5; + [#"../mutex.rs" 103 11 103 23] _7 <- val' < ([#"../mutex.rs" 103 17 103 23] (100000 : uint32)); + switch (_7) | False -> goto BB5 | True -> goto BB3 end 
@@ -168,8 +171,10 @@ module Mutex_Impl3_Call BB3 { [#"../mutex.rs" 104 12 104 13] _10 <- Borrow.borrow_mut v; [#"../mutex.rs" 104 12 104 13] v <- ^ _10; - [#"../mutex.rs" 104 12 104 26] _9 <- ([#"../mutex.rs" 104 12 104 26] set0 _10 ([#"../mutex.rs" 104 18 104 25] ([#"../mutex.rs" 104 18 104 21] val') + ([#"../mutex.rs" 104 24 104 25] [#"../mutex.rs" 104 24 104 25] (2 : uint32)))); + [#"../mutex.rs" 104 18 104 25] _11 <- val' + ([#"../mutex.rs" 104 24 104 25] (2 : uint32)); + [#"../mutex.rs" 104 12 104 26] _9 <- ([#"../mutex.rs" 104 12 104 26] set0 _10 _11); _10 <- any borrowed (Mutex_MutexGuard_Type.t_mutexguard uint32 (Mutex_Even_Type.t_even)); + _11 <- any uint32; goto BB4 } BB4 { @@ -179,7 +184,7 @@ module Mutex_Impl3_Call BB5 { [#"../mutex.rs" 106 12 106 13] _14 <- Borrow.borrow_mut v; [#"../mutex.rs" 106 12 106 13] v <- ^ _14; - [#"../mutex.rs" 106 12 106 20] _13 <- ([#"../mutex.rs" 106 12 106 20] set0 _14 ([#"../mutex.rs" 106 18 106 19] [#"../mutex.rs" 106 18 106 19] (0 : uint32))); + [#"../mutex.rs" 106 12 106 20] _13 <- ([#"../mutex.rs" 106 12 106 20] set0 _14 ([#"../mutex.rs" 106 18 106 19] (0 : uint32))); _14 <- any borrowed (Mutex_MutexGuard_Type.t_mutexguard uint32 (Mutex_Even_Type.t_even)); goto BB6 } @@ -205,12 +210,12 @@ module Mutex_JoinHandleInner_Type type t_joinhandleinner 't end module Mutex_JoinHandle_Type - use prelude.Ghost + use prelude.Snapshot use Mutex_JoinHandleInner_Type as Mutex_JoinHandleInner_Type type t_joinhandle 't 'i = - | C_JoinHandle (Mutex_JoinHandleInner_Type.t_joinhandleinner 't) (Ghost.ghost_ty 'i) + | C_JoinHandle (Mutex_JoinHandleInner_Type.t_joinhandleinner 't) (Snapshot.snap_ty 'i) - let function joinhandle_1 (self : t_joinhandle 't 'i) : Ghost.ghost_ty 'i = [@vc:do_not_keep_trace] [@vc:sp] + let function joinhandle_1 (self : t_joinhandle 't 'i) : Snapshot.snap_ty 'i = [@vc:do_not_keep_trace] [@vc:sp] match self with | C_JoinHandle _ a -> a end 
@@ -358,11 +363,11 @@ module Mutex_Concurrent val inv8 [#"../mutex.rs" 150 4 150 39] (self : Mutex_SpawnPostCond_Type.t_spawnpostcond (Mutex_AddsTwo_Type.t_addstwo)) (v : ()) : bool ensures { result = inv8 self v } - use prelude.Ghost + use prelude.Snapshot val join0 [#"../mutex.rs" 121 4 121 34] (self : Mutex_JoinHandle_Type.t_joinhandle () (Mutex_SpawnPostCond_Type.t_spawnpostcond (Mutex_AddsTwo_Type.t_addstwo))) : Core_Result_Result_Type.t_result () () requires {[#"../mutex.rs" 121 12 121 16] inv7 self} ensures { [#"../mutex.rs" 117 14 120 5] match result with - | Core_Result_Result_Type.C_Ok v -> inv8 (Ghost.inner (Mutex_JoinHandle_Type.joinhandle_1 self)) v + | Core_Result_Result_Type.C_Ok v -> inv8 (Snapshot.inner (Mutex_JoinHandle_Type.joinhandle_1 self)) v | _ -> true end } ensures { [#"../mutex.rs" 121 21 121 34] inv9 result } @@ -405,6 +410,7 @@ module Mutex_Concurrent var m : Mutex_Mutex_Type.t_mutex uint32 (Mutex_Even_Type.t_even); var _2 : borrowed (Mutex_Mutex_Type.t_mutex uint32 (Mutex_Even_Type.t_even)); var _4 : Mutex_Mutex_Type.t_mutex uint32 (Mutex_Even_Type.t_even); + var _5 : Mutex_Even_Type.t_even; var t1 : Mutex_AddsTwo_Type.t_addstwo; var _8 : Mutex_Mutex_Type.t_mutex uint32 (Mutex_Even_Type.t_even); var j1 : Mutex_JoinHandle_Type.t_joinhandle () (Mutex_SpawnPostCond_Type.t_spawnpostcond (Mutex_AddsTwo_Type.t_addstwo)); @@ -417,7 +423,9 @@ module Mutex_Concurrent goto BB0 } BB0 { - [#"../mutex.rs" 164 38 164 57] _4 <- ([#"../mutex.rs" 164 38 164 57] new0 ([#"../mutex.rs" 164 49 164 50] [#"../mutex.rs" 164 49 164 50] (0 : uint32)) ([#"../mutex.rs" 164 52 164 56] Mutex_Even_Type.C_Even)); + [#"../mutex.rs" 164 52 164 56] _5 <- Mutex_Even_Type.C_Even; + [#"../mutex.rs" 164 38 164 57] _4 <- ([#"../mutex.rs" 164 38 164 57] new0 ([#"../mutex.rs" 164 49 164 50] (0 : uint32)) _5); + _5 <- any Mutex_Even_Type.t_even; goto BB1 } BB1 { 
@@ -429,29 +437,29 @@ module Mutex_Concurrent goto BB3 } BB3 { - [#"../mutex.rs" 164 24 164 59] m <- ([#"../mutex.rs" 164 24 164 59] * _2); + [#"../mutex.rs" 164 24 164 59] m <- * _2; assume { resolve0 _2 }; - [#"../mutex.rs" 165 30 165 32] _8 <- ([#"../mutex.rs" 165 30 165 32] m); - [#"../mutex.rs" 165 13 165 34] t1 <- ([#"../mutex.rs" 165 13 165 34] Mutex_AddsTwo_Type.C_AddsTwo ([#"../mutex.rs" 165 30 165 32] _8)); - [#"../mutex.rs" 166 13 166 22] j1 <- ([#"../mutex.rs" 166 13 166 22] spawn0 ([#"../mutex.rs" 166 19 166 21] t1)); - [#"../mutex.rs" 166 19 166 21] t1 <- any Mutex_AddsTwo_Type.t_addstwo; + [#"../mutex.rs" 165 30 165 32] _8 <- m; + [#"../mutex.rs" 165 13 165 34] t1 <- Mutex_AddsTwo_Type.C_AddsTwo _8; + [#"../mutex.rs" 166 13 166 22] j1 <- ([#"../mutex.rs" 166 13 166 22] spawn0 t1); + t1 <- any Mutex_AddsTwo_Type.t_addstwo; goto BB4 } BB4 { - [#"../mutex.rs" 167 30 167 32] _13 <- ([#"../mutex.rs" 167 30 167 32] m); - [#"../mutex.rs" 167 13 167 34] t2 <- ([#"../mutex.rs" 167 13 167 34] Mutex_AddsTwo_Type.C_AddsTwo ([#"../mutex.rs" 167 30 167 32] _13)); - [#"../mutex.rs" 168 13 168 22] j2 <- ([#"../mutex.rs" 168 13 168 22] spawn0 ([#"../mutex.rs" 168 19 168 21] t2)); - [#"../mutex.rs" 168 19 168 21] t2 <- any Mutex_AddsTwo_Type.t_addstwo; + [#"../mutex.rs" 167 30 167 32] _13 <- m; + [#"../mutex.rs" 167 13 167 34] t2 <- Mutex_AddsTwo_Type.C_AddsTwo _13; + [#"../mutex.rs" 168 13 168 22] j2 <- ([#"../mutex.rs" 168 13 168 22] spawn0 t2); + t2 <- any Mutex_AddsTwo_Type.t_addstwo; goto BB5 } BB5 { - [#"../mutex.rs" 171 12 171 21] _16 <- ([#"../mutex.rs" 171 12 171 21] join0 ([#"../mutex.rs" 171 12 171 14] j1)); - [#"../mutex.rs" 171 12 171 14] j1 <- any Mutex_JoinHandle_Type.t_joinhandle () (Mutex_SpawnPostCond_Type.t_spawnpostcond (Mutex_AddsTwo_Type.t_addstwo)); + [#"../mutex.rs" 171 12 171 21] _16 <- ([#"../mutex.rs" 171 12 171 21] join0 j1); + j1 <- any Mutex_JoinHandle_Type.t_joinhandle () (Mutex_SpawnPostCond_Type.t_spawnpostcond 
(Mutex_AddsTwo_Type.t_addstwo)); goto BB6 } BB6 { - [#"../mutex.rs" 172 12 172 21] _18 <- ([#"../mutex.rs" 172 12 172 21] join0 ([#"../mutex.rs" 172 12 172 14] j2)); - [#"../mutex.rs" 172 12 172 14] j2 <- any Mutex_JoinHandle_Type.t_joinhandle () (Mutex_SpawnPostCond_Type.t_spawnpostcond (Mutex_AddsTwo_Type.t_addstwo)); + [#"../mutex.rs" 172 12 172 21] _18 <- ([#"../mutex.rs" 172 12 172 21] join0 j2); + j2 <- any Mutex_JoinHandle_Type.t_joinhandle () (Mutex_SpawnPostCond_Type.t_spawnpostcond (Mutex_AddsTwo_Type.t_addstwo)); goto BB7 } BB7 { @@ -504,5 +512,6 @@ module Mutex_Impl3 val precondition0 [#"../mutex.rs" 91 4 91 33] (self : Mutex_AddsTwo_Type.t_addstwo) : bool ensures { result = precondition0 self } - goal call_refn : [#"../mutex.rs" 100 4 100 23] forall self : Mutex_AddsTwo_Type.t_addstwo . inv0 self /\ precondition0 self -> (forall result : () . inv1 result /\ postcondition0 self result) + goal call_refn : [#"../mutex.rs" 100 4 100 23] forall self : Mutex_AddsTwo_Type.t_addstwo . inv0 self /\ precondition0 self + -> (forall result : () . inv1 result /\ postcondition0 self result) end diff --git a/creusot/tests/should_succeed/mutex.rs b/creusot/tests/should_succeed/mutex.rs index cafe5e1924..afea3c3895 100644 --- a/creusot/tests/should_succeed/mutex.rs +++ b/creusot/tests/should_succeed/mutex.rs @@ -35,14 +35,14 @@ impl> Mutex { #[trusted] #[ensures(self.1 == *result.1)] pub fn lock(&self) -> MutexGuard<'_, T, I> { - MutexGuard(GuardInner(self.0 .0.lock().unwrap()), gh! { self.1 }) + MutexGuard(GuardInner(self.0 .0.lock().unwrap()), snapshot! { self.1 }) } } #[trusted] struct GuardInner<'a, T: ?Sized + 'a>(std::sync::MutexGuard<'a, T>); -pub struct MutexGuard<'a, T: ?Sized + 'a, I>(GuardInner<'a, T>, Ghost); +pub struct MutexGuard<'a, T: ?Sized + 'a, I>(GuardInner<'a, T>, Snapshot); impl<'a, T, I: Inv> MutexGuard<'a, T, I> { #[trusted] 
@@ -110,7 +110,7 @@ impl<'a> FakeFnOnce for AddsTwo<'a> { #[trusted] struct JoinHandleInner(std::thread::JoinHandle); -struct JoinHandle(JoinHandleInner, Ghost); +struct JoinHandle(JoinHandleInner, Snapshot); impl> JoinHandle { #[trusted] @@ -136,7 +136,7 @@ fn spawn>( #[creusot::no_translate] || f.call(), )), - gh! { SpawnPostCond { f } }, + snapshot! { SpawnPostCond { f } }, ) } diff --git a/creusot/tests/should_succeed/mutex/why3session.xml b/creusot/tests/should_succeed/mutex/why3session.xml index 559a6ed8d4..d91e9c0791 100644 --- a/creusot/tests/should_succeed/mutex/why3session.xml +++ b/creusot/tests/should_succeed/mutex/why3session.xml @@ -9,12 +9,12 @@ - + - + diff --git a/creusot/tests/should_succeed/mutex/why3shapes.gz b/creusot/tests/should_succeed/mutex/why3shapes.gz index 3db86a94df..b1886030a6 100644 Binary files a/creusot/tests/should_succeed/mutex/why3shapes.gz and b/creusot/tests/should_succeed/mutex/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/one_side_update.mlcfg b/creusot/tests/should_succeed/one_side_update.mlcfg index 0779765610..733293cd9d 100644 --- a/creusot/tests/should_succeed/one_side_update.mlcfg +++ b/creusot/tests/should_succeed/one_side_update.mlcfg 
@@ -21,14 +21,15 @@ module OneSideUpdate_F var _0 : (); var a : OneSideUpdate_MyInt_Type.t_myint; var b : borrowed (OneSideUpdate_MyInt_Type.t_myint); + var _6 : OneSideUpdate_MyInt_Type.t_myint; { goto BB0 } BB0 { - [#"../one_side_update.rs" 6 16 6 25] a <- ([#"../one_side_update.rs" 6 16 6 25] OneSideUpdate_MyInt_Type.C_MyInt ([#"../one_side_update.rs" 6 22 6 24] [#"../one_side_update.rs" 6 22 6 24] (10 : usize))); + [#"../one_side_update.rs" 6 16 6 25] a <- OneSideUpdate_MyInt_Type.C_MyInt ([#"../one_side_update.rs" 6 22 6 24] (10 : usize)); [#"../one_side_update.rs" 7 12 7 18] b <- Borrow.borrow_mut a; [#"../one_side_update.rs" 7 12 7 18] a <- ^ b; - switch ([#"../one_side_update.rs" 8 7 8 11] [#"../one_side_update.rs" 8 7 8 11] true) + switch ([#"../one_side_update.rs" 8 7 8 11] true) | False -> goto BB2 | True -> goto BB1 end @@ -39,7 +40,9 @@ module OneSideUpdate_F goto BB3 } BB2 { - [#"../one_side_update.rs" 11 8 11 21] b <- { b with current = ([#"../one_side_update.rs" 11 13 11 21] OneSideUpdate_MyInt_Type.C_MyInt ([#"../one_side_update.rs" 11 19 11 20] [#"../one_side_update.rs" 11 19 11 20] (5 : usize))) ; }; + [#"../one_side_update.rs" 11 13 11 21] _6 <- OneSideUpdate_MyInt_Type.C_MyInt ([#"../one_side_update.rs" 11 19 11 20] (5 : usize)); + [#"../one_side_update.rs" 11 8 11 21] b <- { b with current = _6 ; }; + _6 <- any OneSideUpdate_MyInt_Type.t_myint; assume { resolve0 b }; [#"../one_side_update.rs" 10 11 12 5] _0 <- ([#"../one_side_update.rs" 10 11 12 5] ()); goto BB3 diff --git a/creusot/tests/should_succeed/option.mlcfg b/creusot/tests/should_succeed/option.mlcfg index cf18957973..e8bcd243af 100644 --- a/creusot/tests/should_succeed/option.mlcfg +++ b/creusot/tests/should_succeed/option.mlcfg 
@@ -110,7 +110,8 @@ module Option_TestOption axiom inv0 : forall x : Core_Option_Option_Type.t_option int32 . inv0 x = true val flatten0 (self : Core_Option_Option_Type.t_option (Core_Option_Option_Type.t_option int32)) : Core_Option_Option_Type.t_option int32 - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 120 16 120 59] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 120 16 120 59] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ self = Core_Option_Option_Type.C_Some result } ensures { inv1 result } 
@@ -121,25 +122,29 @@ module Option_TestOption val cloned1 (self : Core_Option_Option_Type.t_option (borrowed int32)) : Core_Option_Option_Type.t_option int32 requires {inv5 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 109 16 109 59] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 109 16 109 59] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ (exists t : borrowed int32 . inv4 t /\ self = Core_Option_Option_Type.C_Some t /\ result = Core_Option_Option_Type.C_Some ( * t) /\ resolve0 t) } ensures { inv1 result } val cloned0 (self : Core_Option_Option_Type.t_option int32) : Core_Option_Option_Type.t_option int32 requires {inv8 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 92 16 92 59] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 92 16 92 59] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ (exists t : int32 . 
inv7 t /\ self = Core_Option_Option_Type.C_Some t /\ result = Core_Option_Option_Type.C_Some t) } ensures { inv1 result } val copied1 (self : Core_Option_Option_Type.t_option (borrowed int32)) : Core_Option_Option_Type.t_option int32 requires {inv5 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 100 16 100 59] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 100 16 100 59] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ (exists t : borrowed int32 . inv4 t /\ self = Core_Option_Option_Type.C_Some t /\ result = Core_Option_Option_Type.C_Some ( * t) /\ resolve0 t) } ensures { inv1 result } val copied0 (self : Core_Option_Option_Type.t_option int32) : Core_Option_Option_Type.t_option int32 requires {inv8 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 86 16 86 59] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 86 16 86 59] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ (exists t : int32 . inv7 t /\ self = Core_Option_Option_Type.C_Some t /\ result = Core_Option_Option_Type.C_Some t) } ensures { inv1 result } 
@@ -151,7 +156,8 @@ module Option_TestOption val unwrap_or_default0 (self : Core_Option_Option_Type.t_option int32) : int32 requires {inv1 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 78 16 78 64] self = Core_Option_Option_Type.C_None -> is_default0 result } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 78 16 78 64] self = Core_Option_Option_Type.C_None + -> is_default0 result } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ self = Core_Option_Option_Type.C_Some result } ensures { inv2 result } @@ -169,14 +175,16 @@ module Option_TestOption val or0 (self : Core_Option_Option_Type.t_option int32) (optb : Core_Option_Option_Type.t_option int32) : Core_Option_Option_Type.t_option int32 requires {inv1 self} requires {inv1 optb} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 68 16 68 59] self = Core_Option_Option_Type.C_None -> result = optb } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 68 16 68 59] self = Core_Option_Option_Type.C_None + -> result = optb } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ result = self } ensures { inv1 result } val and0 (self : Core_Option_Option_Type.t_option int32) (optb : Core_Option_Option_Type.t_option int32) : Core_Option_Option_Type.t_option int32 requires {inv1 self} requires {inv1 optb} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 64 16 64 59] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 64 16 64 59] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ result = optb } ensures { inv1 result } 
@@ -192,7 +200,8 @@ module Option_TestOption val as_ref0 (self : Core_Option_Option_Type.t_option int32) : Core_Option_Option_Type.t_option int32 requires {inv0 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 58 16 58 60] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 58 16 58 60] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 59 16 61 18] self = Core_Option_Option_Type.C_None \/ (exists r : int32 . inv7 r /\ result = Core_Option_Option_Type.C_Some r /\ self = Core_Option_Option_Type.C_Some r) } ensures { inv8 result } 
@@ -208,14 +217,16 @@ module Option_TestOption val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option int32)) : Core_Option_Option_Type.t_option (borrowed int32) requires {inv3 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed int32 . inv4 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv5 result } val unwrap_or0 (self : Core_Option_Option_Type.t_option int32) (default : int32) : int32 requires {inv1 self} requires {inv2 default} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 47 16 47 62] self = Core_Option_Option_Type.C_None -> result = default } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 47 16 47 62] self = Core_Option_Option_Type.C_None + -> result = default } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self = Core_Option_Option_Type.C_None \/ self = Core_Option_Option_Type.C_Some result } ensures { inv2 result } @@ -242,8 +253,11 @@ module Option_TestOption var _6 : bool; var _10 : bool; var _12 : bool; + var _16 : bool; var _17 : int32; + var _21 : bool; var _22 : int32; + var _26 : bool; var _27 : int32; var _31 : bool; var _33 : Core_Option_Option_Type.t_option (borrowed int32); 
@@ -251,56 +265,78 @@ module Option_TestOption var _36 : borrowed int32; var _37 : Core_Option_Option_Type.t_option (borrowed int32); var _38 : borrowed (Core_Option_Option_Type.t_option int32); + var _40 : bool; var _41 : int32; var _44 : borrowed int32; var _45 : Core_Option_Option_Type.t_option (borrowed int32); var _46 : borrowed (Core_Option_Option_Type.t_option int32); + var _48 : bool; var _49 : int32; var _53 : bool; var _55 : Core_Option_Option_Type.t_option int32; + var _59 : bool; var _61 : int32; var _62 : Core_Option_Option_Type.t_option int32; var _66 : bool; var _68 : Core_Option_Option_Type.t_option int32; var _73 : bool; var _75 : Core_Option_Option_Type.t_option int32; + var _77 : Core_Option_Option_Type.t_option int32; var _80 : bool; var _82 : Core_Option_Option_Type.t_option int32; + var _87 : bool; var _88 : int32; var _89 : Core_Option_Option_Type.t_option int32; + var _91 : Core_Option_Option_Type.t_option int32; var _94 : bool; var _96 : Core_Option_Option_Type.t_option int32; + var _101 : bool; var _102 : int32; var _103 : Core_Option_Option_Type.t_option int32; + var _105 : Core_Option_Option_Type.t_option int32; + var _108 : bool; var _109 : int32; var _110 : Core_Option_Option_Type.t_option int32; + var _115 : bool; var _116 : int32; var _117 : Core_Option_Option_Type.t_option int32; + var _119 : Core_Option_Option_Type.t_option int32; var _122 : bool; var _124 : Core_Option_Option_Type.t_option int32; var _125 : borrowed (Core_Option_Option_Type.t_option int32); var _128 : bool; + var _132 : bool; var _133 : int32; var _134 : Core_Option_Option_Type.t_option int32; var _135 : borrowed (Core_Option_Option_Type.t_option int32); var _138 : bool; + var _141 : Core_Option_Option_Type.t_option int32; var _143 : bool; var _145 : Core_Option_Option_Type.t_option int32; var _146 : borrowed (Core_Option_Option_Type.t_option int32); + var _149 : bool; var _150 : int32; + var _153 : Core_Option_Option_Type.t_option int32; + var _155 : bool; var 
_156 : int32; var _157 : Core_Option_Option_Type.t_option int32; var _158 : borrowed (Core_Option_Option_Type.t_option int32); + var _161 : bool; var _162 : int32; + var _166 : bool; var _167 : int32; var _168 : Core_Option_Option_Type.t_option int32; var _169 : borrowed (Core_Option_Option_Type.t_option int32); + var _172 : bool; var _173 : int32; + var _177 : bool; var _178 : int32; + var _182 : bool; var _183 : int32; var _187 : bool; var _189 : Core_Option_Option_Type.t_option int32; var _190 : Core_Option_Option_Type.t_option int32; + var _194 : bool; var _195 : int32; var _196 : Core_Option_Option_Type.t_option int32; var _197 : Core_Option_Option_Type.t_option int32; @@ -308,6 +344,7 @@ module Option_TestOption var _203 : Core_Option_Option_Type.t_option int32; var _204 : Core_Option_Option_Type.t_option (borrowed int32); var _205 : borrowed (Core_Option_Option_Type.t_option int32); + var _208 : bool; var _209 : int32; var _210 : Core_Option_Option_Type.t_option int32; var _211 : Core_Option_Option_Type.t_option (borrowed int32); @@ -315,6 +352,7 @@ module Option_TestOption var _215 : bool; var _217 : Core_Option_Option_Type.t_option int32; var _218 : Core_Option_Option_Type.t_option int32; + var _222 : bool; var _223 : int32; var _224 : Core_Option_Option_Type.t_option int32; var _225 : Core_Option_Option_Type.t_option int32; @@ -322,6 +360,7 @@ module Option_TestOption var _231 : Core_Option_Option_Type.t_option int32; var _232 : Core_Option_Option_Type.t_option (borrowed int32); var _233 : borrowed (Core_Option_Option_Type.t_option int32); + var _236 : bool; var _237 : int32; var _238 : Core_Option_Option_Type.t_option int32; var _239 : Core_Option_Option_Type.t_option (borrowed int32); 
@@ -330,18 +369,21 @@ module Option_TestOption var _244 : bool; var _246 : Core_Option_Option_Type.t_option int32; var opt1 : Core_Option_Option_Type.t_option (Core_Option_Option_Type.t_option int32); + var _250 : Core_Option_Option_Type.t_option int32; var _252 : bool; var _254 : Core_Option_Option_Type.t_option int32; var opt2 : Core_Option_Option_Type.t_option (Core_Option_Option_Type.t_option int32); + var _258 : Core_Option_Option_Type.t_option int32; + var _260 : bool; var _261 : int32; var _262 : Core_Option_Option_Type.t_option int32; { goto BB0 } BB0 { - [#"../option.rs" 5 32 5 36] none <- ([#"../option.rs" 5 32 5 36] Core_Option_Option_Type.C_None); - [#"../option.rs" 6 32 6 39] some <- ([#"../option.rs" 6 32 6 39] Core_Option_Option_Type.C_Some ([#"../option.rs" 6 37 6 38] [#"../option.rs" 6 37 6 38] (1 : int32))); - [#"../option.rs" 9 12 9 26] _4 <- ([#"../option.rs" 9 12 9 26] is_some0 ([#"../option.rs" 9 12 9 16] some)); + [#"../option.rs" 5 32 5 36] none <- Core_Option_Option_Type.C_None; + [#"../option.rs" 6 32 6 39] some <- Core_Option_Option_Type.C_Some ([#"../option.rs" 6 37 6 38] (1 : int32)); + [#"../option.rs" 9 12 9 26] _4 <- ([#"../option.rs" 9 12 9 26] is_some0 some); goto BB1 } BB1 { @@ -351,7 +393,7 @@ module Option_TestOption end } BB2 { - [#"../option.rs" 9 31 9 45] _6 <- ([#"../option.rs" 9 31 9 45] is_some0 ([#"../option.rs" 9 31 9 35] none)); + [#"../option.rs" 9 31 9 45] _6 <- ([#"../option.rs" 9 31 9 45] is_some0 none); goto BB3 } BB3 { @@ -364,7 +406,7 @@ module Option_TestOption goto BB7 } BB5 { - [#"../option.rs" 11 12 11 26] _10 <- ([#"../option.rs" 11 12 11 26] is_none0 ([#"../option.rs" 11 12 11 16] none)); + [#"../option.rs" 11 12 11 26] _10 <- ([#"../option.rs" 11 12 11 26] is_none0 none); goto BB8 } BB6 { 
@@ -381,7 +423,7 @@ module Option_TestOption end } BB9 { - [#"../option.rs" 11 31 11 45] _12 <- ([#"../option.rs" 11 31 11 45] is_none0 ([#"../option.rs" 11 31 11 35] some)); + [#"../option.rs" 11 31 11 45] _12 <- ([#"../option.rs" 11 31 11 45] is_none0 some); goto BB10 } BB10 { @@ -394,7 +436,7 @@ module Option_TestOption goto BB14 } BB12 { - [#"../option.rs" 14 12 14 25] _17 <- ([#"../option.rs" 14 12 14 25] unwrap0 ([#"../option.rs" 14 12 14 16] some)); + [#"../option.rs" 14 12 14 25] _17 <- ([#"../option.rs" 14 12 14 25] unwrap0 some); goto BB15 } BB13 { @@ -405,13 +447,15 @@ module Option_TestOption absurd } BB15 { - switch ([#"../option.rs" 14 12 14 30] _17 = ([#"../option.rs" 14 29 14 30] [#"../option.rs" 14 29 14 30] (1 : int32))) + [#"../option.rs" 14 12 14 30] _16 <- _17 = ([#"../option.rs" 14 29 14 30] (1 : int32)); + _17 <- any int32; + switch (_16) | False -> goto BB17 | True -> goto BB16 end } BB16 { - [#"../option.rs" 19 12 19 29] _22 <- ([#"../option.rs" 19 12 19 29] unwrap_or0 ([#"../option.rs" 19 12 19 16] some) ([#"../option.rs" 19 27 19 28] [#"../option.rs" 19 27 19 28] (2 : int32))); + [#"../option.rs" 19 12 19 29] _22 <- ([#"../option.rs" 19 12 19 29] unwrap_or0 some ([#"../option.rs" 19 27 19 28] (2 : int32))); goto BB18 } BB17 { @@ -419,13 +463,15 @@ module Option_TestOption absurd } BB18 { - switch ([#"../option.rs" 19 12 19 34] _22 = ([#"../option.rs" 19 33 19 34] [#"../option.rs" 19 33 19 34] (1 : int32))) + [#"../option.rs" 19 12 19 34] _21 <- _22 = ([#"../option.rs" 19 33 19 34] (1 : int32)); + _22 <- any int32; + switch (_21) | False -> goto BB20 | True -> goto BB19 end } BB19 { - [#"../option.rs" 20 12 20 29] _27 <- ([#"../option.rs" 20 12 20 29] unwrap_or0 ([#"../option.rs" 20 12 20 16] none) ([#"../option.rs" 20 27 20 28] [#"../option.rs" 20 27 20 28] (2 : int32))); + [#"../option.rs" 20 12 20 29] _27 <- ([#"../option.rs" 20 12 20 29] unwrap_or0 none ([#"../option.rs" 20 27 20 28] (2 : int32))); goto BB21 } BB20 { 
@@ -433,7 +479,9 @@ module Option_TestOption absurd } BB21 { - switch ([#"../option.rs" 20 12 20 34] _27 = ([#"../option.rs" 20 33 20 34] [#"../option.rs" 20 33 20 34] (2 : int32))) + [#"../option.rs" 20 12 20 34] _26 <- _27 = ([#"../option.rs" 20 33 20 34] (2 : int32)); + _27 <- any int32; + switch (_26) | False -> goto BB23 | True -> goto BB22 end @@ -450,7 +498,7 @@ module Option_TestOption absurd } BB24 { - [#"../option.rs" 23 12 23 35] _31 <- ([#"../option.rs" 23 12 23 35] is_none1 ([#"../option.rs" 23 12 23 25] _33)); + [#"../option.rs" 23 12 23 35] _31 <- ([#"../option.rs" 23 12 23 35] is_none1 _33); goto BB25 } BB25 { @@ -476,13 +524,15 @@ module Option_TestOption goto BB29 } BB29 { - [#"../option.rs" 24 4 24 31] _36 <- { _36 with current = ([#"../option.rs" 24 4 24 31] [#"../option.rs" 24 30 24 31] (2 : int32)) ; }; + [#"../option.rs" 24 4 24 31] _36 <- { _36 with current = ([#"../option.rs" 24 30 24 31] (2 : int32)) ; }; assume { resolve0 _36 }; - [#"../option.rs" 25 12 25 25] _41 <- ([#"../option.rs" 25 12 25 25] unwrap0 ([#"../option.rs" 25 12 25 16] some)); + [#"../option.rs" 25 12 25 25] _41 <- ([#"../option.rs" 25 12 25 25] unwrap0 some); goto BB30 } BB30 { - switch ([#"../option.rs" 25 12 25 30] _41 = ([#"../option.rs" 25 29 25 30] [#"../option.rs" 25 29 25 30] (2 : int32))) + [#"../option.rs" 25 12 25 30] _40 <- _41 = ([#"../option.rs" 25 29 25 30] (2 : int32)); + _41 <- any int32; + switch (_40) | False -> goto BB32 | True -> goto BB31 end 
@@ -504,19 +554,21 @@ module Option_TestOption goto BB34 } BB34 { - [#"../option.rs" 26 4 26 31] _44 <- { _44 with current = ([#"../option.rs" 26 4 26 31] [#"../option.rs" 26 30 26 31] (1 : int32)) ; }; + [#"../option.rs" 26 4 26 31] _44 <- { _44 with current = ([#"../option.rs" 26 30 26 31] (1 : int32)) ; }; assume { resolve0 _44 }; - [#"../option.rs" 27 12 27 25] _49 <- ([#"../option.rs" 27 12 27 25] unwrap0 ([#"../option.rs" 27 12 27 16] some)); + [#"../option.rs" 27 12 27 25] _49 <- ([#"../option.rs" 27 12 27 25] unwrap0 some); goto BB35 } BB35 { - switch ([#"../option.rs" 27 12 27 30] _49 = ([#"../option.rs" 27 29 27 30] [#"../option.rs" 27 29 27 30] (1 : int32))) + [#"../option.rs" 27 12 27 30] _48 <- _49 = ([#"../option.rs" 27 29 27 30] (1 : int32)); + _49 <- any int32; + switch (_48) | False -> goto BB37 | True -> goto BB36 end } BB36 { - [#"../option.rs" 29 12 29 25] _55 <- ([#"../option.rs" 29 12 29 25] as_ref0 ([#"../option.rs" 29 12 29 16] none)); + [#"../option.rs" 29 12 29 25] _55 <- ([#"../option.rs" 29 12 29 25] as_ref0 none); goto BB38 } BB37 { @@ -524,7 +576,7 @@ module Option_TestOption absurd } BB38 { - [#"../option.rs" 29 12 29 35] _53 <- ([#"../option.rs" 29 12 29 35] is_none2 ([#"../option.rs" 29 12 29 25] _55)); + [#"../option.rs" 29 12 29 35] _53 <- ([#"../option.rs" 29 12 29 35] is_none2 _55); goto BB39 } BB39 { @@ -534,7 +586,7 @@ module Option_TestOption end } BB40 { - [#"../option.rs" 30 13 30 26] _62 <- ([#"../option.rs" 30 13 30 26] as_ref0 ([#"../option.rs" 30 13 30 17] some)); + [#"../option.rs" 30 13 30 26] _62 <- ([#"../option.rs" 30 13 30 26] as_ref0 some); goto BB42 } BB41 { 
@@ -547,13 +599,14 @@ module Option_TestOption goto BB43 } BB43 { - switch ([#"../option.rs" 30 12 30 40] ([#"../option.rs" 30 12 30 35] _61) = ([#"../option.rs" 30 39 30 40] [#"../option.rs" 30 39 30 40] (1 : int32))) + [#"../option.rs" 30 12 30 40] _59 <- _61 = ([#"../option.rs" 30 39 30 40] (1 : int32)); + switch (_59) | False -> goto BB45 | True -> goto BB44 end } BB44 { - [#"../option.rs" 33 12 33 26] _68 <- ([#"../option.rs" 33 12 33 26] and0 ([#"../option.rs" 33 12 33 16] none) ([#"../option.rs" 33 21 33 25] none)); + [#"../option.rs" 33 12 33 26] _68 <- ([#"../option.rs" 33 12 33 26] and0 none none); goto BB46 } BB45 { @@ -561,7 +614,7 @@ module Option_TestOption absurd } BB46 { - [#"../option.rs" 33 12 33 36] _66 <- ([#"../option.rs" 33 12 33 36] is_none0 ([#"../option.rs" 33 12 33 26] _68)); + [#"../option.rs" 33 12 33 36] _66 <- ([#"../option.rs" 33 12 33 36] is_none0 _68); goto BB47 } BB47 { @@ -571,7 +624,9 @@ module Option_TestOption end } BB48 { - [#"../option.rs" 34 12 34 29] _75 <- ([#"../option.rs" 34 12 34 29] and0 ([#"../option.rs" 34 12 34 16] none) ([#"../option.rs" 34 21 34 28] Core_Option_Option_Type.C_Some ([#"../option.rs" 34 26 34 27] [#"../option.rs" 34 26 34 27] (2 : int32)))); + [#"../option.rs" 34 21 34 28] _77 <- Core_Option_Option_Type.C_Some ([#"../option.rs" 34 26 34 27] (2 : int32)); + [#"../option.rs" 34 12 34 29] _75 <- ([#"../option.rs" 34 12 34 29] and0 none _77); + _77 <- any Core_Option_Option_Type.t_option int32; goto BB50 } BB49 { @@ -579,7 +634,7 @@ module Option_TestOption absurd } BB50 { - [#"../option.rs" 34 12 34 39] _73 <- ([#"../option.rs" 34 12 34 39] is_none0 ([#"../option.rs" 34 12 34 29] _75)); + [#"../option.rs" 34 12 34 39] _73 <- ([#"../option.rs" 34 12 34 39] is_none0 _75); goto BB51 } BB51 { 
@@ -589,7 +644,7 @@ module Option_TestOption end } BB52 { - [#"../option.rs" 35 12 35 26] _82 <- ([#"../option.rs" 35 12 35 26] and0 ([#"../option.rs" 35 12 35 16] some) ([#"../option.rs" 35 21 35 25] none)); + [#"../option.rs" 35 12 35 26] _82 <- ([#"../option.rs" 35 12 35 26] and0 some none); goto BB54 } BB53 { @@ -597,7 +652,7 @@ module Option_TestOption absurd } BB54 { - [#"../option.rs" 35 12 35 36] _80 <- ([#"../option.rs" 35 12 35 36] is_none0 ([#"../option.rs" 35 12 35 26] _82)); + [#"../option.rs" 35 12 35 36] _80 <- ([#"../option.rs" 35 12 35 36] is_none0 _82); goto BB55 } BB55 { @@ -607,7 +662,9 @@ module Option_TestOption end } BB56 { - [#"../option.rs" 36 12 36 29] _89 <- ([#"../option.rs" 36 12 36 29] and0 ([#"../option.rs" 36 12 36 16] some) ([#"../option.rs" 36 21 36 28] Core_Option_Option_Type.C_Some ([#"../option.rs" 36 26 36 27] [#"../option.rs" 36 26 36 27] (2 : int32)))); + [#"../option.rs" 36 21 36 28] _91 <- Core_Option_Option_Type.C_Some ([#"../option.rs" 36 26 36 27] (2 : int32)); + [#"../option.rs" 36 12 36 29] _89 <- ([#"../option.rs" 36 12 36 29] and0 some _91); + _91 <- any Core_Option_Option_Type.t_option int32; goto BB58 } BB57 { @@ -620,13 +677,15 @@ module Option_TestOption goto BB59 } BB59 { - switch ([#"../option.rs" 36 12 36 43] _88 = ([#"../option.rs" 36 42 36 43] [#"../option.rs" 36 42 36 43] (2 : int32))) + [#"../option.rs" 36 12 36 43] _87 <- _88 = ([#"../option.rs" 36 42 36 43] (2 : int32)); + _88 <- any int32; + switch (_87) | False -> goto BB61 | True -> goto BB60 end } BB60 { - [#"../option.rs" 38 12 38 25] _96 <- ([#"../option.rs" 38 12 38 25] or0 ([#"../option.rs" 38 12 38 16] none) ([#"../option.rs" 38 20 38 24] none)); + [#"../option.rs" 38 12 38 25] _96 <- ([#"../option.rs" 38 12 38 25] or0 none none); goto BB62 } BB61 { 
@@ -634,7 +693,7 @@ module Option_TestOption absurd } BB62 { - [#"../option.rs" 38 12 38 35] _94 <- ([#"../option.rs" 38 12 38 35] is_none0 ([#"../option.rs" 38 12 38 25] _96)); + [#"../option.rs" 38 12 38 35] _94 <- ([#"../option.rs" 38 12 38 35] is_none0 _96); goto BB63 } BB63 { @@ -644,7 +703,9 @@ module Option_TestOption end } BB64 { - [#"../option.rs" 39 12 39 28] _103 <- ([#"../option.rs" 39 12 39 28] or0 ([#"../option.rs" 39 12 39 16] none) ([#"../option.rs" 39 20 39 27] Core_Option_Option_Type.C_Some ([#"../option.rs" 39 25 39 26] [#"../option.rs" 39 25 39 26] (2 : int32)))); + [#"../option.rs" 39 20 39 27] _105 <- Core_Option_Option_Type.C_Some ([#"../option.rs" 39 25 39 26] (2 : int32)); + [#"../option.rs" 39 12 39 28] _103 <- ([#"../option.rs" 39 12 39 28] or0 none _105); + _105 <- any Core_Option_Option_Type.t_option int32; goto BB66 } BB65 { @@ -657,13 +718,15 @@ module Option_TestOption goto BB67 } BB67 { - switch ([#"../option.rs" 39 12 39 42] _102 = ([#"../option.rs" 39 41 39 42] [#"../option.rs" 39 41 39 42] (2 : int32))) + [#"../option.rs" 39 12 39 42] _101 <- _102 = ([#"../option.rs" 39 41 39 42] (2 : int32)); + _102 <- any int32; + switch (_101) | False -> goto BB69 | True -> goto BB68 end } BB68 { - [#"../option.rs" 40 12 40 25] _110 <- ([#"../option.rs" 40 12 40 25] or0 ([#"../option.rs" 40 12 40 16] some) ([#"../option.rs" 40 20 40 24] none)); + [#"../option.rs" 40 12 40 25] _110 <- ([#"../option.rs" 40 12 40 25] or0 some none); goto BB70 } BB69 { 
@@ -676,13 +739,17 @@ module Option_TestOption goto BB71 } BB71 { - switch ([#"../option.rs" 40 12 40 39] _109 = ([#"../option.rs" 40 38 40 39] [#"../option.rs" 40 38 40 39] (1 : int32))) + [#"../option.rs" 40 12 40 39] _108 <- _109 = ([#"../option.rs" 40 38 40 39] (1 : int32)); + _109 <- any int32; + switch (_108) | False -> goto BB73 | True -> goto BB72 end } BB72 { - [#"../option.rs" 41 12 41 28] _117 <- ([#"../option.rs" 41 12 41 28] or0 ([#"../option.rs" 41 12 41 16] some) ([#"../option.rs" 41 20 41 27] Core_Option_Option_Type.C_Some ([#"../option.rs" 41 25 41 26] [#"../option.rs" 41 25 41 26] (2 : int32)))); + [#"../option.rs" 41 20 41 27] _119 <- Core_Option_Option_Type.C_Some ([#"../option.rs" 41 25 41 26] (2 : int32)); + [#"../option.rs" 41 12 41 28] _117 <- ([#"../option.rs" 41 12 41 28] or0 some _119); + _119 <- any Core_Option_Option_Type.t_option int32; goto BB74 } BB73 { @@ -695,7 +762,9 @@ module Option_TestOption goto BB75 } BB75 { - switch ([#"../option.rs" 41 12 41 42] _116 = ([#"../option.rs" 41 41 41 42] [#"../option.rs" 41 41 41 42] (1 : int32))) + [#"../option.rs" 41 12 41 42] _115 <- _116 = ([#"../option.rs" 41 41 41 42] (1 : int32)); + _116 <- any int32; + switch (_115) | False -> goto BB77 | True -> goto BB76 end @@ -712,7 +781,7 @@ module Option_TestOption absurd } BB78 { - [#"../option.rs" 44 12 44 33] _122 <- ([#"../option.rs" 44 12 44 33] is_none0 ([#"../option.rs" 44 12 44 23] _124)); + [#"../option.rs" 44 12 44 33] _122 <- ([#"../option.rs" 44 12 44 33] is_none0 _124); goto BB79 } BB79 { @@ -722,7 +791,7 @@ module Option_TestOption end } BB80 { - [#"../option.rs" 45 12 45 26] _128 <- ([#"../option.rs" 45 12 45 26] is_none0 ([#"../option.rs" 45 12 45 16] none)); + [#"../option.rs" 45 12 45 26] _128 <- ([#"../option.rs" 45 12 45 26] is_none0 none); goto BB82 } BB81 { 
@@ -752,13 +821,15 @@ module Option_TestOption goto BB86 } BB86 { - switch ([#"../option.rs" 46 12 46 37] _133 = ([#"../option.rs" 46 36 46 37] [#"../option.rs" 46 36 46 37] (1 : int32))) + [#"../option.rs" 46 12 46 37] _132 <- _133 = ([#"../option.rs" 46 36 46 37] (1 : int32)); + _133 <- any int32; + switch (_132) | False -> goto BB88 | True -> goto BB87 end } BB87 { - [#"../option.rs" 47 12 47 26] _138 <- ([#"../option.rs" 47 12 47 26] is_none0 ([#"../option.rs" 47 12 47 16] some)); + [#"../option.rs" 47 12 47 26] _138 <- ([#"../option.rs" 47 12 47 26] is_none0 some); goto BB89 } BB88 { @@ -772,10 +843,12 @@ module Option_TestOption end } BB90 { - [#"../option.rs" 48 4 48 18] some <- ([#"../option.rs" 48 11 48 18] Core_Option_Option_Type.C_Some ([#"../option.rs" 48 16 48 17] [#"../option.rs" 48 16 48 17] (1 : int32))); + [#"../option.rs" 48 11 48 18] _141 <- Core_Option_Option_Type.C_Some ([#"../option.rs" 48 16 48 17] (1 : int32)); + [#"../option.rs" 48 4 48 18] some <- _141; + _141 <- any Core_Option_Option_Type.t_option int32; [#"../option.rs" 50 12 50 16] _146 <- Borrow.borrow_mut none; [#"../option.rs" 50 12 50 16] none <- ^ _146; - [#"../option.rs" 50 12 50 27] _145 <- ([#"../option.rs" 50 12 50 27] replace0 _146 ([#"../option.rs" 50 25 50 26] [#"../option.rs" 50 25 50 26] (2 : int32))); + [#"../option.rs" 50 12 50 27] _145 <- ([#"../option.rs" 50 12 50 27] replace0 _146 ([#"../option.rs" 50 25 50 26] (2 : int32))); _146 <- any borrowed (Core_Option_Option_Type.t_option int32); goto BB92 } @@ -784,7 +857,7 @@ module Option_TestOption absurd } BB92 { - [#"../option.rs" 50 12 50 37] _143 <- ([#"../option.rs" 50 12 50 37] is_none0 ([#"../option.rs" 50 12 50 27] _145)); + [#"../option.rs" 50 12 50 37] _143 <- ([#"../option.rs" 50 12 50 37] is_none0 _145); goto BB93 } BB93 { 
@@ -794,7 +867,7 @@ module Option_TestOption end } BB94 { - [#"../option.rs" 51 12 51 25] _150 <- ([#"../option.rs" 51 12 51 25] unwrap0 ([#"../option.rs" 51 12 51 16] none)); + [#"../option.rs" 51 12 51 25] _150 <- ([#"../option.rs" 51 12 51 25] unwrap0 none); goto BB96 } BB95 { @@ -802,16 +875,20 @@ module Option_TestOption absurd } BB96 { - switch ([#"../option.rs" 51 12 51 30] _150 = ([#"../option.rs" 51 29 51 30] [#"../option.rs" 51 29 51 30] (2 : int32))) + [#"../option.rs" 51 12 51 30] _149 <- _150 = ([#"../option.rs" 51 29 51 30] (2 : int32)); + _150 <- any int32; + switch (_149) | False -> goto BB98 | True -> goto BB97 end } BB97 { - [#"../option.rs" 52 4 52 15] none <- ([#"../option.rs" 52 11 52 15] Core_Option_Option_Type.C_None); + [#"../option.rs" 52 11 52 15] _153 <- Core_Option_Option_Type.C_None; + [#"../option.rs" 52 4 52 15] none <- _153; + _153 <- any Core_Option_Option_Type.t_option int32; [#"../option.rs" 53 12 53 16] _158 <- Borrow.borrow_mut some; [#"../option.rs" 53 12 53 16] some <- ^ _158; - [#"../option.rs" 53 12 53 27] _157 <- ([#"../option.rs" 53 12 53 27] replace0 _158 ([#"../option.rs" 53 25 53 26] [#"../option.rs" 53 25 53 26] (2 : int32))); + [#"../option.rs" 53 12 53 27] _157 <- ([#"../option.rs" 53 12 53 27] replace0 _158 ([#"../option.rs" 53 25 53 26] (2 : int32))); _158 <- any borrowed (Core_Option_Option_Type.t_option int32); goto BB99 } @@ -825,13 +902,15 @@ module Option_TestOption goto BB100 } BB100 { - switch ([#"../option.rs" 53 12 53 41] _156 = ([#"../option.rs" 53 40 53 41] [#"../option.rs" 53 40 53 41] (1 : int32))) + [#"../option.rs" 53 12 53 41] _155 <- _156 = ([#"../option.rs" 53 40 53 41] (1 : int32)); + _156 <- any int32; + switch (_155) | False -> goto BB102 | True -> goto BB101 end } BB101 { - [#"../option.rs" 54 12 54 25] _162 <- ([#"../option.rs" 54 12 54 25] unwrap0 ([#"../option.rs" 54 12 54 16] some)); + [#"../option.rs" 54 12 54 25] _162 <- ([#"../option.rs" 54 12 54 25] unwrap0 some); goto BB103 } BB102 { 
@@ -839,7 +918,9 @@ module Option_TestOption absurd } BB103 { - switch ([#"../option.rs" 54 12 54 30] _162 = ([#"../option.rs" 54 29 54 30] [#"../option.rs" 54 29 54 30] (2 : int32))) + [#"../option.rs" 54 12 54 30] _161 <- _162 = ([#"../option.rs" 54 29 54 30] (2 : int32)); + _162 <- any int32; + switch (_161) | False -> goto BB105 | True -> goto BB104 end @@ -847,7 +928,7 @@ module Option_TestOption BB104 { [#"../option.rs" 55 12 55 16] _169 <- Borrow.borrow_mut some; [#"../option.rs" 55 12 55 16] some <- ^ _169; - [#"../option.rs" 55 12 55 27] _168 <- ([#"../option.rs" 55 12 55 27] replace0 _169 ([#"../option.rs" 55 25 55 26] [#"../option.rs" 55 25 55 26] (1 : int32))); + [#"../option.rs" 55 12 55 27] _168 <- ([#"../option.rs" 55 12 55 27] replace0 _169 ([#"../option.rs" 55 25 55 26] (1 : int32))); _169 <- any borrowed (Core_Option_Option_Type.t_option int32); goto BB106 } @@ -861,13 +942,15 @@ module Option_TestOption goto BB107 } BB107 { - switch ([#"../option.rs" 55 12 55 41] _167 = ([#"../option.rs" 55 40 55 41] [#"../option.rs" 55 40 55 41] (2 : int32))) + [#"../option.rs" 55 12 55 41] _166 <- _167 = ([#"../option.rs" 55 40 55 41] (2 : int32)); + _167 <- any int32; + switch (_166) | False -> goto BB109 | True -> goto BB108 end } BB108 { - [#"../option.rs" 56 12 56 25] _173 <- ([#"../option.rs" 56 12 56 25] unwrap0 ([#"../option.rs" 56 12 56 16] some)); + [#"../option.rs" 56 12 56 25] _173 <- ([#"../option.rs" 56 12 56 25] unwrap0 some); goto BB110 } BB109 { 
@@ -875,13 +958,15 @@ module Option_TestOption absurd } BB110 { - switch ([#"../option.rs" 56 12 56 30] _173 = ([#"../option.rs" 56 29 56 30] [#"../option.rs" 56 29 56 30] (1 : int32))) + [#"../option.rs" 56 12 56 30] _172 <- _173 = ([#"../option.rs" 56 29 56 30] (1 : int32)); + _173 <- any int32; + switch (_172) | False -> goto BB112 | True -> goto BB111 end } BB111 { - [#"../option.rs" 59 12 59 36] _178 <- ([#"../option.rs" 59 12 59 36] unwrap_or_default0 ([#"../option.rs" 59 12 59 16] none)); + [#"../option.rs" 59 12 59 36] _178 <- ([#"../option.rs" 59 12 59 36] unwrap_or_default0 none); goto BB113 } BB112 { @@ -889,13 +974,15 @@ module Option_TestOption absurd } BB113 { - switch ([#"../option.rs" 59 12 59 41] _178 = ([#"../option.rs" 59 40 59 41] [#"../option.rs" 59 40 59 41] (0 : int32))) + [#"../option.rs" 59 12 59 41] _177 <- _178 = ([#"../option.rs" 59 40 59 41] (0 : int32)); + _178 <- any int32; + switch (_177) | False -> goto BB115 | True -> goto BB114 end } BB114 { - [#"../option.rs" 60 12 60 36] _183 <- ([#"../option.rs" 60 12 60 36] unwrap_or_default0 ([#"../option.rs" 60 12 60 16] some)); + [#"../option.rs" 60 12 60 36] _183 <- ([#"../option.rs" 60 12 60 36] unwrap_or_default0 some); goto BB116 } BB115 { @@ -903,13 +990,15 @@ module Option_TestOption absurd } BB116 { - switch ([#"../option.rs" 60 12 60 41] _183 = ([#"../option.rs" 60 40 60 41] [#"../option.rs" 60 40 60 41] (1 : int32))) + [#"../option.rs" 60 12 60 41] _182 <- _183 = ([#"../option.rs" 60 40 60 41] (1 : int32)); + _183 <- any int32; + switch (_182) | False -> goto BB118 | True -> goto BB117 end } BB117 { - [#"../option.rs" 63 12 63 25] _190 <- ([#"../option.rs" 63 12 63 25] as_ref0 ([#"../option.rs" 63 12 63 16] none)); + [#"../option.rs" 63 12 63 25] _190 <- ([#"../option.rs" 63 12 63 25] as_ref0 none); goto BB119 } BB118 { 
@@ -922,7 +1011,7 @@ module Option_TestOption goto BB120 } BB120 { - [#"../option.rs" 63 12 63 44] _187 <- ([#"../option.rs" 63 12 63 44] is_none0 ([#"../option.rs" 63 12 63 34] _189)); + [#"../option.rs" 63 12 63 44] _187 <- ([#"../option.rs" 63 12 63 44] is_none0 _189); goto BB121 } BB121 { @@ -932,7 +1021,7 @@ module Option_TestOption end } BB122 { - [#"../option.rs" 64 12 64 25] _197 <- ([#"../option.rs" 64 12 64 25] as_ref0 ([#"../option.rs" 64 12 64 16] some)); + [#"../option.rs" 64 12 64 25] _197 <- ([#"../option.rs" 64 12 64 25] as_ref0 some); goto BB124 } BB123 { @@ -950,7 +1039,9 @@ module Option_TestOption goto BB126 } BB126 { - switch ([#"../option.rs" 64 12 64 48] _195 = ([#"../option.rs" 64 47 64 48] [#"../option.rs" 64 47 64 48] (1 : int32))) + [#"../option.rs" 64 12 64 48] _194 <- _195 = ([#"../option.rs" 64 47 64 48] (1 : int32)); + _195 <- any int32; + switch (_194) | False -> goto BB128 | True -> goto BB127 end @@ -972,7 +1063,7 @@ module Option_TestOption goto BB130 } BB130 { - [#"../option.rs" 65 12 65 44] _201 <- ([#"../option.rs" 65 12 65 44] is_none0 ([#"../option.rs" 65 12 65 34] _203)); + [#"../option.rs" 65 12 65 44] _201 <- ([#"../option.rs" 65 12 65 44] is_none0 _203); goto BB131 } BB131 { @@ -1003,13 +1094,15 @@ module Option_TestOption goto BB136 } BB136 { - switch ([#"../option.rs" 66 12 66 48] _209 = ([#"../option.rs" 66 47 66 48] [#"../option.rs" 66 47 66 48] (1 : int32))) + [#"../option.rs" 66 12 66 48] _208 <- _209 = ([#"../option.rs" 66 47 66 48] (1 : int32)); + _209 <- any int32; + switch (_208) | False -> goto BB138 | True -> goto BB137 end } BB137 { - [#"../option.rs" 68 12 68 25] _218 <- ([#"../option.rs" 68 12 68 25] as_ref0 ([#"../option.rs" 68 12 68 16] none)); + [#"../option.rs" 68 12 68 25] _218 <- ([#"../option.rs" 68 12 68 25] as_ref0 none); goto BB139 } BB138 { 
@@ -1022,7 +1115,7 @@ module Option_TestOption goto BB140 } BB140 { - [#"../option.rs" 68 12 68 44] _215 <- ([#"../option.rs" 68 12 68 44] is_none0 ([#"../option.rs" 68 12 68 34] _217)); + [#"../option.rs" 68 12 68 44] _215 <- ([#"../option.rs" 68 12 68 44] is_none0 _217); goto BB141 } BB141 { @@ -1032,7 +1125,7 @@ module Option_TestOption end } BB142 { - [#"../option.rs" 69 12 69 25] _225 <- ([#"../option.rs" 69 12 69 25] as_ref0 ([#"../option.rs" 69 12 69 16] some)); + [#"../option.rs" 69 12 69 25] _225 <- ([#"../option.rs" 69 12 69 25] as_ref0 some); goto BB144 } BB143 { @@ -1050,7 +1143,9 @@ module Option_TestOption goto BB146 } BB146 { - switch ([#"../option.rs" 69 12 69 48] _223 = ([#"../option.rs" 69 47 69 48] [#"../option.rs" 69 47 69 48] (1 : int32))) + [#"../option.rs" 69 12 69 48] _222 <- _223 = ([#"../option.rs" 69 47 69 48] (1 : int32)); + _223 <- any int32; + switch (_222) | False -> goto BB148 | True -> goto BB147 end @@ -1072,7 +1167,7 @@ module Option_TestOption goto BB150 } BB150 { - [#"../option.rs" 70 12 70 44] _229 <- ([#"../option.rs" 70 12 70 44] is_none0 ([#"../option.rs" 70 12 70 34] _231)); + [#"../option.rs" 70 12 70 44] _229 <- ([#"../option.rs" 70 12 70 44] is_none0 _231); goto BB151 } BB151 { 
@@ -1103,14 +1198,16 @@ module Option_TestOption goto BB156 } BB156 { - switch ([#"../option.rs" 71 12 71 48] _237 = ([#"../option.rs" 71 47 71 48] [#"../option.rs" 71 47 71 48] (1 : int32))) + [#"../option.rs" 71 12 71 48] _236 <- _237 = ([#"../option.rs" 71 47 71 48] (1 : int32)); + _237 <- any int32; + switch (_236) | False -> goto BB158 | True -> goto BB157 end } BB157 { - [#"../option.rs" 74 35 74 39] opt <- ([#"../option.rs" 74 35 74 39] Core_Option_Option_Type.C_None); - [#"../option.rs" 75 12 75 25] _246 <- ([#"../option.rs" 75 12 75 25] flatten0 ([#"../option.rs" 75 12 75 15] opt)); + [#"../option.rs" 74 35 74 39] opt <- Core_Option_Option_Type.C_None; + [#"../option.rs" 75 12 75 25] _246 <- ([#"../option.rs" 75 12 75 25] flatten0 opt); goto BB159 } BB158 { @@ -1118,7 +1215,7 @@ module Option_TestOption absurd } BB159 { - [#"../option.rs" 75 12 75 35] _244 <- ([#"../option.rs" 75 12 75 35] is_none0 ([#"../option.rs" 75 12 75 25] _246)); + [#"../option.rs" 75 12 75 35] _244 <- ([#"../option.rs" 75 12 75 35] is_none0 _246); goto BB160 } BB160 { @@ -1128,8 +1225,10 @@ module Option_TestOption end } BB161 { - [#"../option.rs" 76 35 76 45] opt1 <- ([#"../option.rs" 76 35 76 45] Core_Option_Option_Type.C_Some ([#"../option.rs" 76 40 76 44] Core_Option_Option_Type.C_None)); - [#"../option.rs" 77 12 77 25] _254 <- ([#"../option.rs" 77 12 77 25] flatten0 ([#"../option.rs" 77 12 77 15] opt1)); + [#"../option.rs" 76 40 76 44] _250 <- Core_Option_Option_Type.C_None; + [#"../option.rs" 76 35 76 45] opt1 <- Core_Option_Option_Type.C_Some _250; + _250 <- any Core_Option_Option_Type.t_option int32; + [#"../option.rs" 77 12 77 25] _254 <- ([#"../option.rs" 77 12 77 25] flatten0 opt1); goto BB163 } BB162 { 
@@ -1137,7 +1236,7 @@ module Option_TestOption absurd } BB163 { - [#"../option.rs" 77 12 77 35] _252 <- ([#"../option.rs" 77 12 77 35] is_none0 ([#"../option.rs" 77 12 77 25] _254)); + [#"../option.rs" 77 12 77 35] _252 <- ([#"../option.rs" 77 12 77 35] is_none0 _254); goto BB164 } BB164 { @@ -1147,8 +1246,10 @@ module Option_TestOption end } BB165 { - [#"../option.rs" 78 35 78 48] opt2 <- ([#"../option.rs" 78 35 78 48] Core_Option_Option_Type.C_Some ([#"../option.rs" 78 40 78 47] Core_Option_Option_Type.C_Some ([#"../option.rs" 78 45 78 46] [#"../option.rs" 78 45 78 46] (1 : int32)))); - [#"../option.rs" 79 12 79 25] _262 <- ([#"../option.rs" 79 12 79 25] flatten0 ([#"../option.rs" 79 12 79 15] opt2)); + [#"../option.rs" 78 40 78 47] _258 <- Core_Option_Option_Type.C_Some ([#"../option.rs" 78 45 78 46] (1 : int32)); + [#"../option.rs" 78 35 78 48] opt2 <- Core_Option_Option_Type.C_Some _258; + _258 <- any Core_Option_Option_Type.t_option int32; + [#"../option.rs" 79 12 79 25] _262 <- ([#"../option.rs" 79 12 79 25] flatten0 opt2); goto BB167 } BB166 { @@ -1161,7 +1262,9 @@ module Option_TestOption goto BB168 } BB168 { - switch ([#"../option.rs" 79 12 79 39] _261 = ([#"../option.rs" 79 38 79 39] [#"../option.rs" 79 38 79 39] (1 : int32))) + [#"../option.rs" 79 12 79 39] _260 <- _261 = ([#"../option.rs" 79 38 79 39] (1 : int32)); + _261 <- any int32; + switch (_260) | False -> goto BB170 | True -> goto BB169 end diff --git a/creusot/tests/should_succeed/option/why3session.xml b/creusot/tests/should_succeed/option/why3session.xml index bf75572f37..f9f1151e66 100644 --- a/creusot/tests/should_succeed/option/why3session.xml +++ b/creusot/tests/should_succeed/option/why3session.xml @@ -7,7 +7,7 @@ - + 
diff --git a/creusot/tests/should_succeed/option/why3shapes.gz b/creusot/tests/should_succeed/option/why3shapes.gz index 367c3c03ee..9ba0082fdc 100644 Binary files a/creusot/tests/should_succeed/option/why3shapes.gz and b/creusot/tests/should_succeed/option/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/ord_trait.mlcfg b/creusot/tests/should_succeed/ord_trait.mlcfg index b6c2367d43..8a7abd4ed0 100644 --- a/creusot/tests/should_succeed/ord_trait.mlcfg +++ b/creusot/tests/should_succeed/ord_trait.mlcfg @@ -29,7 +29,9 @@ module OrdTrait_X requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -37,7 +39,10 @@ module OrdTrait_X requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -45,7 +50,10 @@ module OrdTrait_X requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -56,13 +64,19 @@ module OrdTrait_X requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -73,7 +87,9 @@ module OrdTrait_X requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -84,7 +100,9 @@ module OrdTrait_X requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -95,7 +113,9 @@ module OrdTrait_X requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -106,7 +126,9 @@ module OrdTrait_X requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant1 (self : t) val invariant1 (self : t) : bool ensures { result = invariant1 self } @@ -161,8 +183,8 @@ module OrdTrait_X goto BB0 } BB0 { - [#"../ord_trait.rs" 9 9 9 10] _5 <- ([#"../ord_trait.rs" 9 9 9 10] x); - [#"../ord_trait.rs" 9 4 9 10] _0 <- ([#"../ord_trait.rs" 9 4 9 10] le0 ([#"../ord_trait.rs" 9 4 9 5] x) ([#"../ord_trait.rs" 9 9 9 10] _5)); + [#"../ord_trait.rs" 9 9 9 10] _5 <- x; + [#"../ord_trait.rs" 9 4 9 10] _0 <- ([#"../ord_trait.rs" 9 4 9 10] le0 x _5); goto BB1 } BB1 { 
@@ -206,7 +228,9 @@ module OrdTrait_GtOrLe requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -214,7 +238,10 @@ module OrdTrait_GtOrLe requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -222,7 +249,10 @@ module OrdTrait_GtOrLe requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -233,13 +263,19 @@ module OrdTrait_GtOrLe requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -250,7 +286,9 @@ module OrdTrait_GtOrLe requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -261,7 +299,9 @@ module OrdTrait_GtOrLe requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -272,7 +312,9 @@ module OrdTrait_GtOrLe requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -283,7 +325,9 @@ module OrdTrait_GtOrLe requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant0 (self : t) val invariant0 (self : t) : bool ensures { result = invariant0 self } @@ -331,10 +375,10 @@ module OrdTrait_GtOrLe goto BB0 } BB0 { - [#"../ord_trait.rs" 17 9 17 10] _6 <- ([#"../ord_trait.rs" 17 9 17 10] y); + [#"../ord_trait.rs" 17 9 17 10] _6 <- y; assert { [@expl:type invariant] inv0 y }; assume { resolve0 y }; - [#"../ord_trait.rs" 17 4 17 10] _0 <- ([#"../ord_trait.rs" 17 4 17 10] ge0 ([#"../ord_trait.rs" 17 4 17 5] x) ([#"../ord_trait.rs" 17 9 17 10] _6)); + [#"../ord_trait.rs" 17 4 17 10] _0 <- ([#"../ord_trait.rs" 17 4 17 10] ge0 x _6); goto BB1 } BB1 { @@ -361,7 +405,7 @@ module OrdTrait_GtOrLeInt goto BB0 } BB0 { - [#"../ord_trait.rs" 22 4 22 10] _0 <- ([#"../ord_trait.rs" 22 4 22 10] ([#"../ord_trait.rs" 22 4 22 5] x) <= ([#"../ord_trait.rs" 22 9 22 10] y)); + [#"../ord_trait.rs" 22 4 22 10] _0 <- x <= y; return _0 } diff --git a/creusot/tests/should_succeed/projection_toggle.mlcfg b/creusot/tests/should_succeed/projection_toggle.mlcfg index 2291ba29c0..8757469f81 100644 --- a/creusot/tests/should_succeed/projection_toggle.mlcfg 
+++ b/creusot/tests/should_succeed/projection_toggle.mlcfg @@ -47,7 +47,7 @@ module ProjectionToggle_ProjToggle goto BB0 } BB0 { - switch ([#"../projection_toggle.rs" 6 7 6 13] toggle) + switch (toggle) | False -> goto BB2 | True -> goto BB1 end @@ -131,12 +131,13 @@ module ProjectionToggle_F var _5 : borrowed int32; var _6 : borrowed int32; var _7 : borrowed int32; + var _9 : bool; { goto BB0 } BB0 { - [#"../projection_toggle.rs" 14 16 14 18] a <- ([#"../projection_toggle.rs" 14 16 14 18] [#"../projection_toggle.rs" 14 16 14 18] (10 : int32)); - [#"../projection_toggle.rs" 15 16 15 17] b <- ([#"../projection_toggle.rs" 15 16 15 17] [#"../projection_toggle.rs" 15 16 15 17] (5 : int32)); + [#"../projection_toggle.rs" 14 16 14 18] a <- ([#"../projection_toggle.rs" 14 16 14 18] (10 : int32)); + [#"../projection_toggle.rs" 15 16 15 17] b <- ([#"../projection_toggle.rs" 15 16 15 17] (5 : int32)); [#"../projection_toggle.rs" 17 30 17 36] _5 <- Borrow.borrow_mut a; [#"../projection_toggle.rs" 17 30 17 36] a <- ^ _5; [#"../projection_toggle.rs" 17 30 17 36] _4 <- Borrow.borrow_final ( * _5) (Borrow.get_id _5); @@ -145,7 +146,7 @@ module ProjectionToggle_F [#"../projection_toggle.rs" 17 38 17 44] b <- ^ _7; [#"../projection_toggle.rs" 17 38 17 44] _6 <- Borrow.borrow_final ( * _7) (Borrow.get_id _7); [#"../projection_toggle.rs" 17 38 17 44] _7 <- { _7 with current = ( ^ _6) ; }; - [#"../projection_toggle.rs" 17 12 17 45] x <- ([#"../projection_toggle.rs" 17 12 17 45] proj_toggle0 ([#"../projection_toggle.rs" 17 24 17 28] [#"../projection_toggle.rs" 17 24 17 28] true) _4 _6); + [#"../projection_toggle.rs" 17 12 17 45] x <- ([#"../projection_toggle.rs" 17 12 17 45] proj_toggle0 ([#"../projection_toggle.rs" 17 24 17 28] true) _4 _6); _4 <- any borrowed int32; _6 <- any borrowed int32; goto BB1 
@@ -153,9 +154,10 @@ module ProjectionToggle_F BB1 { assume { resolve0 _7 }; assume { resolve0 _5 }; - [#"../projection_toggle.rs" 19 4 19 11] x <- { x with current = ([#"../projection_toggle.rs" 19 4 19 11] * x + ([#"../projection_toggle.rs" 19 10 19 11] [#"../projection_toggle.rs" 19 10 19 11] (5 : int32))) ; }; + [#"../projection_toggle.rs" 19 4 19 11] x <- { x with current = ( * x + ([#"../projection_toggle.rs" 19 10 19 11] (5 : int32))) ; }; assume { resolve0 x }; - switch ([#"../projection_toggle.rs" 20 12 20 19] ([#"../projection_toggle.rs" 20 12 20 13] a) = ([#"../projection_toggle.rs" 20 17 20 19] [#"../projection_toggle.rs" 20 17 20 19] (15 : int32))) + [#"../projection_toggle.rs" 20 12 20 19] _9 <- a = ([#"../projection_toggle.rs" 20 17 20 19] (15 : int32)); + switch (_9) | False -> goto BB3 | True -> goto BB2 end diff --git a/creusot/tests/should_succeed/projection_toggle/why3shapes.gz b/creusot/tests/should_succeed/projection_toggle/why3shapes.gz index 8e63fe1598..b71a8e4fd4 100644 Binary files a/creusot/tests/should_succeed/projection_toggle/why3shapes.gz and b/creusot/tests/should_succeed/projection_toggle/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/projections.mlcfg b/creusot/tests/should_succeed/projections.mlcfg index 1894842ac4..3a369c56c3 100644 --- a/creusot/tests/should_succeed/projections.mlcfg +++ b/creusot/tests/should_succeed/projections.mlcfg @@ -12,7 +12,7 @@ module Projections_CopyOutOfRef goto BB0 } BB0 { - [#"../projections.rs" 6 4 6 6] _0 <- ([#"../projections.rs" 6 4 6 6] x); + [#"../projections.rs" 6 4 6 6] _0 <- x; return _0 } 
@@ -63,9 +63,9 @@ module Projections_CopyOutOfSum goto BB4 } BB2 { - [#"../projections.rs" 12 12 12 13] y <- ([#"../projections.rs" 12 12 12 13] Core_Result_Result_Type.err_0 x); - [#"../projections.rs" 12 12 12 13] x <- (let Core_Result_Result_Type.C_Err x0 = x in Core_Result_Result_Type.C_Err (any borrowed uint32)); - [#"../projections.rs" 12 18 12 20] _0 <- ([#"../projections.rs" 12 18 12 20] * y); + [#"../projections.rs" 12 12 12 13] y <- Core_Result_Result_Type.err_0 x; + x <- (let Core_Result_Result_Type.C_Err x0 = x in Core_Result_Result_Type.C_Err (any borrowed uint32)); + [#"../projections.rs" 12 18 12 20] _0 <- * y; assume { resolve0 y }; goto BB5 } @@ -74,9 +74,9 @@ module Projections_CopyOutOfSum absurd } BB4 { - [#"../projections.rs" 11 11 11 12] x1 <- ([#"../projections.rs" 11 11 11 12] Core_Result_Result_Type.ok_0 x); - [#"../projections.rs" 11 11 11 12] x <- (let Core_Result_Result_Type.C_Ok x0 = x in Core_Result_Result_Type.C_Ok (any borrowed uint32)); - [#"../projections.rs" 11 17 11 19] _0 <- ([#"../projections.rs" 11 17 11 19] * x1); + [#"../projections.rs" 11 11 11 12] x1 <- Core_Result_Result_Type.ok_0 x; + x <- (let Core_Result_Result_Type.C_Ok x0 = x in Core_Result_Result_Type.C_Ok (any borrowed uint32)); + [#"../projections.rs" 11 17 11 19] _0 <- * x1; assume { resolve0 x1 }; goto BB5 } @@ -128,7 +128,7 @@ module Projections_WriteIntoSum } BB1 { assume { resolve1 x }; - [#"../projections.rs" 19 16 19 18] _0 <- ([#"../projections.rs" 19 16 19 18] ()); + [#"../projections.rs" 19 16 19 18] _0 <- (); goto BB5 } BB2 { 
@@ -142,7 +142,7 @@ module Projections_WriteIntoSum BB4 { [#"../projections.rs" 18 13 18 14] y <- Borrow.borrow_final (Core_Option_Option_Type.some_0 ( * x)) (Borrow.inherit_id (Borrow.get_id x) 1); [#"../projections.rs" 18 13 18 14] x <- { x with current = (let Core_Option_Option_Type.C_Some x0 = * x in Core_Option_Option_Type.C_Some ( ^ y)) ; }; - [#"../projections.rs" 18 19 18 26] y <- { y with current = ([#"../projections.rs" 18 19 18 26] [#"../projections.rs" 18 24 18 26] (10 : uint32)) ; }; + [#"../projections.rs" 18 19 18 26] y <- { y with current = ([#"../projections.rs" 18 24 18 26] (10 : uint32)) ; }; assume { resolve0 y }; [#"../projections.rs" 18 19 18 26] _0 <- ([#"../projections.rs" 18 19 18 26] ()); assume { resolve1 x }; @@ -167,14 +167,14 @@ module Projections_F goto BB0 } BB0 { - [#"../projections.rs" 24 10 24 18] _2 <- ([#"../projections.rs" 24 10 24 18] Core_Option_Option_Type.C_Some ([#"../projections.rs" 24 15 24 17] [#"../projections.rs" 24 15 24 17] (10 : int32))); + [#"../projections.rs" 24 10 24 18] _2 <- Core_Option_Option_Type.C_Some ([#"../projections.rs" 24 15 24 17] (10 : int32)); switch (_2) | Core_Option_Option_Type.C_None -> goto BB1 | Core_Option_Option_Type.C_Some _ -> goto BB2 end } BB1 { - [#"../projections.rs" 26 16 26 21] _1 <- ([#"../projections.rs" 26 16 26 21] [#"../projections.rs" 26 16 26 21] false); + [#"../projections.rs" 26 16 26 21] _1 <- ([#"../projections.rs" 26 16 26 21] false); goto BB5 } BB2 { 
@@ -185,8 +185,8 @@ module Projections_F absurd } BB4 { - [#"../projections.rs" 25 13 25 14] x <- ([#"../projections.rs" 25 13 25 14] Core_Option_Option_Type.some_0 _2); - [#"../projections.rs" 25 19 25 25] _1 <- ([#"../projections.rs" 25 19 25 25] ([#"../projections.rs" 25 19 25 20] x) = ([#"../projections.rs" 25 24 25 25] [#"../projections.rs" 25 24 25 25] (0 : int32))); + [#"../projections.rs" 25 13 25 14] x <- Core_Option_Option_Type.some_0 _2; + [#"../projections.rs" 25 19 25 25] _1 <- x = ([#"../projections.rs" 25 24 25 25] (0 : int32)); goto BB5 } BB5 { diff --git a/creusot/tests/should_succeed/prophecy.mlcfg b/creusot/tests/should_succeed/prophecy.mlcfg index 8edf01db66..0811970523 100644 --- a/creusot/tests/should_succeed/prophecy.mlcfg +++ b/creusot/tests/should_succeed/prophecy.mlcfg @@ -17,10 +17,10 @@ module Prophecy_F goto BB0 } BB0 { - [#"../prophecy.rs" 4 16 4 17] x <- ([#"../prophecy.rs" 4 16 4 17] [#"../prophecy.rs" 4 16 4 17] (0 : int32)); + [#"../prophecy.rs" 4 16 4 17] x <- ([#"../prophecy.rs" 4 16 4 17] (0 : int32)); [#"../prophecy.rs" 5 12 5 18] y <- Borrow.borrow_mut x; [#"../prophecy.rs" 5 12 5 18] x <- ^ y; - [#"../prophecy.rs" 9 4 9 10] y <- { y with current = ([#"../prophecy.rs" 9 4 9 10] [#"../prophecy.rs" 9 9 9 10] (5 : int32)) ; }; + [#"../prophecy.rs" 9 4 9 10] y <- { y with current = ([#"../prophecy.rs" 9 9 9 10] (5 : int32)) ; }; assume { resolve0 y }; [#"../prophecy.rs" 3 11 10 1] _0 <- ([#"../prophecy.rs" 3 11 10 1] ()); return _0 diff --git a/creusot/tests/should_succeed/red_black_tree.mlcfg b/creusot/tests/should_succeed/red_black_tree.mlcfg index abdf78dfb1..142e11e904 100644 --- a/creusot/tests/should_succeed/red_black_tree.mlcfg +++ b/creusot/tests/should_succeed/red_black_tree.mlcfg 
@@ -27,7 +27,7 @@ module RedBlackTree_Impl16_Clone goto BB4 } BB2 { - [#"../red_black_tree.rs" 9 5 11 9] _0 <- ([#"../red_black_tree.rs" 9 5 11 9] RedBlackTree_Color_Type.C_Black); + [#"../red_black_tree.rs" 9 5 11 9] _0 <- RedBlackTree_Color_Type.C_Black; goto BB5 } BB3 { @@ -35,12 +35,15 @@ module RedBlackTree_Impl16_Clone absurd } BB4 { - [#"../red_black_tree.rs" 9 5 10 7] _0 <- ([#"../red_black_tree.rs" 9 5 10 7] RedBlackTree_Color_Type.C_Red); + [#"../red_black_tree.rs" 9 5 10 7] _0 <- RedBlackTree_Color_Type.C_Red; goto BB5 } BB5 { return _0 } + BB6 { + goto BB2 + } end module Core_Option_Option_Type 
@@ -161,17 +164,20 @@ module RedBlackTree_Impl0_ModelAccHasMapping_Impl val model_acc0 [#"../red_black_tree.rs" 49 4 52 47] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) ensures { result = model_acc0 self accu } - let rec ghost function model_acc_has_mapping [#"../red_black_tree.rs" 68 4 72 5] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () - requires {[#"../red_black_tree.rs" 69 8 69 12] inv0 self} - requires {[#"../red_black_tree.rs" 70 8 70 12] inv1 accu} - requires {[#"../red_black_tree.rs" 71 8 71 9] inv2 k} - ensures { [#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv3 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v) } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../red_black_tree.rs" 74 12 82 13] match self with - | RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_None) -> () - | RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some (RedBlackTree_Node_Type.C_Node left _ key val' right)) -> let _ = model_acc_has_mapping left accu k in let accu1 = model_acc0 left accu in let accu2 = let b' = deep_model0 key in Map.set accu1 b' (Core_Option_Option_Type.C_Some val') in model_acc_has_mapping right accu2 k - end + constant self : RedBlackTree_Tree_Type.t_tree k v + constant accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) + constant k : deep_model_ty0 + function model_acc_has_mapping [#"../red_black_tree.rs" 68 4 72 5] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () + + goal vc_model_acc_has_mapping : ([#"../red_black_tree.rs" 71 8 71 9] inv2 k) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv1 accu) + -> 
([#"../red_black_tree.rs" 69 8 69 12] inv0 self) + -> match self with + | RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_None) -> [#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv3 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v) + | RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some (RedBlackTree_Node_Type.C_Node left _ key val' right)) -> (([#"../red_black_tree.rs" 71 8 71 9] inv2 k) && ([#"../red_black_tree.rs" 70 8 70 12] inv1 accu) && ([#"../red_black_tree.rs" 69 8 69 12] inv0 left)) /\ (([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 left accu) k = Map.get accu k \/ (exists v : v . inv3 v /\ Map.get (model_acc0 left accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 left k v)) + -> (let _ = model_acc_has_mapping left accu k in let accu1 = model_acc0 left accu in let accu2 = Map.set accu1 (deep_model0 key) (Core_Option_Option_Type.C_Some val') in (([#"../red_black_tree.rs" 71 8 71 9] inv2 k) && ([#"../red_black_tree.rs" 70 8 70 12] inv1 accu2) && ([#"../red_black_tree.rs" 69 8 69 12] inv0 right)) /\ (([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 right accu2) k = Map.get accu2 k \/ (exists v : v . inv3 v /\ Map.get (model_acc0 right accu2) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 right k v)) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv3 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v))))) + end end module Core_Cmp_Ordering_Type type t_ordering = 
@@ -199,7 +205,9 @@ module RedBlackTree_Impl0_HasMappingModelAcc_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -207,7 +215,10 @@ module RedBlackTree_Impl0_HasMappingModelAcc_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -215,7 +226,10 @@ module RedBlackTree_Impl0_HasMappingModelAcc_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -226,13 +240,19 @@ module RedBlackTree_Impl0_HasMappingModelAcc_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -243,7 +263,9 @@ module RedBlackTree_Impl0_HasMappingModelAcc_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -254,7 +276,9 @@ module RedBlackTree_Impl0_HasMappingModelAcc_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -265,7 +289,9 @@ module RedBlackTree_Impl0_HasMappingModelAcc_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -276,7 +302,9 @@ module RedBlackTree_Impl0_HasMappingModelAcc_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant3 (self : v) val invariant3 (self : v) : bool ensures { result = invariant3 self } 
@@ -352,9 +380,18 @@ module RedBlackTree_Impl0_HasMappingModelAcc_Impl requires {[#"../red_black_tree.rs" 71 8 71 9] inv2 k} ensures { result = model_acc_has_mapping0 self accu k } - axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv0 self) -> ([#"../red_black_tree.rs" 70 8 70 12] inv1 accu) -> ([#"../red_black_tree.rs" 71 8 71 9] inv2 k) -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv3 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv0 self) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv1 accu) + -> ([#"../red_black_tree.rs" 71 8 71 9] inv2 k) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv3 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv3 v -> inv2 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv3 v -> inv2 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . 
inv3 v + -> inv2 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv3 v + -> inv2 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } 
@@ -366,18 +403,26 @@ module RedBlackTree_Impl0_HasMappingModelAcc_Impl val bst_invariant0 [#"../red_black_tree.rs" 204 4 204 34] (self : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = bst_invariant0 self } - let rec ghost function has_mapping_model_acc [#"../red_black_tree.rs" 89 4 91 33] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () - requires {[#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self} - requires {[#"../red_black_tree.rs" 89 29 89 33] inv0 self} - requires {[#"../red_black_tree.rs" 89 35 89 39] inv1 accu} - requires {[#"../red_black_tree.rs" 89 81 89 82] inv2 k} - ensures { [#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv3 v -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../red_black_tree.rs" 94 12 103 13] match self with - | RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_None) -> () - | RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some (RedBlackTree_Node_Type.C_Node left _ key val' right)) -> let _ = has_mapping_model_acc left accu k in let accu1 = model_acc0 left accu in let accu2 = let b' = deep_model0 key in Map.set accu1 b' (Core_Option_Option_Type.C_Some val') in let _ = has_mapping_model_acc right accu2 k in model_acc_has_mapping0 right accu2 k - end + constant self : RedBlackTree_Tree_Type.t_tree k v + constant accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) + constant k : deep_model_ty0 + function has_mapping_model_acc [#"../red_black_tree.rs" 89 4 91 33] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () + + goal vc_has_mapping_model_acc : ([#"../red_black_tree.rs" 89 81 89 82] inv2 k) + -> ([#"../red_black_tree.rs" 89 35 89 39] inv1 accu) + -> ([#"../red_black_tree.rs" 89 29 89 33] inv0 self) + -> 
([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) + -> match self with + | RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_None) -> [#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv3 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v + | RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some (RedBlackTree_Node_Type.C_Node left _ key val' right)) -> (([#"../red_black_tree.rs" 89 81 89 82] inv2 k) && ([#"../red_black_tree.rs" 89 35 89 39] inv1 accu) && ([#"../red_black_tree.rs" 89 29 89 33] inv0 left) && ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 left)) /\ (([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv3 v + -> has_mapping0 left k v -> Map.get (model_acc0 left accu) k = Core_Option_Option_Type.C_Some v) + -> (let _ = has_mapping_model_acc left accu k in let accu1 = model_acc0 left accu in let accu2 = Map.set accu1 (deep_model0 key) (Core_Option_Option_Type.C_Some val') in (([#"../red_black_tree.rs" 89 81 89 82] inv2 k) && ([#"../red_black_tree.rs" 89 35 89 39] inv1 accu2) && ([#"../red_black_tree.rs" 89 29 89 33] inv0 right) && ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 right)) /\ (([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv3 v + -> has_mapping0 right k v -> Map.get (model_acc0 right accu2) k = Core_Option_Option_Type.C_Some v) + -> (let _ = has_mapping_model_acc right accu2 k in (([#"../red_black_tree.rs" 71 8 71 9] inv2 k) && ([#"../red_black_tree.rs" 70 8 70 12] inv1 accu2) && ([#"../red_black_tree.rs" 69 8 69 12] inv0 right)) /\ (([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 right accu2) k = Map.get accu2 k \/ (exists v : v . inv3 v /\ Map.get (model_acc0 right accu2) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 right k v)) + -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . 
inv3 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v)))))) + end end module RedBlackTree_Impl0_HasMappingModel_Impl type k @@ -398,7 +443,9 @@ module RedBlackTree_Impl0_HasMappingModel_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -406,7 +453,10 @@ module RedBlackTree_Impl0_HasMappingModel_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -414,7 +464,10 @@ module RedBlackTree_Impl0_HasMappingModel_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -425,13 +478,19 @@ module RedBlackTree_Impl0_HasMappingModel_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -442,7 +501,9 @@ module RedBlackTree_Impl0_HasMappingModel_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -453,7 +514,9 @@ module RedBlackTree_Impl0_HasMappingModel_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -464,7 +527,9 @@ module RedBlackTree_Impl0_HasMappingModel_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -475,7 +540,9 @@ module RedBlackTree_Impl0_HasMappingModel_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use Core_Option_Option_Type as Core_Option_Option_Type use map.Map predicate invariant3 (self : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) 
@@ -551,9 +618,18 @@ module RedBlackTree_Impl0_HasMappingModel_Impl requires {[#"../red_black_tree.rs" 71 8 71 9] inv1 k} ensures { result = model_acc_has_mapping0 self accu k } - axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv0 self) -> ([#"../red_black_tree.rs" 70 8 70 12] inv3 accu) -> ([#"../red_black_tree.rs" 71 8 71 9] inv1 k) -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv2 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv0 self) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv3 accu) + -> ([#"../red_black_tree.rs" 71 8 71 9] inv1 k) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv2 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv2 v -> inv1 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv2 v -> inv1 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . 
inv2 v + -> inv1 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv2 v + -> inv1 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } @@ -579,7 +655,12 @@ module RedBlackTree_Impl0_HasMappingModel_Impl requires {[#"../red_black_tree.rs" 89 81 89 82] inv1 k} ensures { result = has_mapping_model_acc0 self accu k } - axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 89 29 89 33] inv0 self) -> ([#"../red_black_tree.rs" 89 35 89 39] inv3 accu) -> ([#"../red_black_tree.rs" 89 81 89 82] inv1 k) -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv2 v -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) + axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 89 29 89 33] inv0 self) + -> ([#"../red_black_tree.rs" 89 35 89 39] inv3 accu) + -> ([#"../red_black_tree.rs" 89 81 89 82] inv1 k) + -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv2 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) use map.Const function shallow_model0 [#"../red_black_tree.rs" 172 4 172 50] (self : RedBlackTree_Tree_Type.t_tree k v) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) 
@@ -588,14 +669,19 @@ module RedBlackTree_Impl0_HasMappingModel_Impl val shallow_model0 [#"../red_black_tree.rs" 172 4 172 50] (self : RedBlackTree_Tree_Type.t_tree k v) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) ensures { result = shallow_model0 self } - let rec ghost function has_mapping_model [#"../red_black_tree.rs" 110 4 112 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) : () - requires {[#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self} - requires {[#"../red_black_tree.rs" 110 25 110 29] inv0 self} - requires {[#"../red_black_tree.rs" 110 31 110 32] inv1 k} - ensures { [#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv2 v -> has_mapping0 self k v = (Map.get (shallow_model0 self) k = Core_Option_Option_Type.C_Some v) } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../red_black_tree.rs" 115 12 115 61] let _ = model_acc_has_mapping0 self (Const.const (Core_Option_Option_Type.C_None)) k in has_mapping_model_acc0 self (Const.const (Core_Option_Option_Type.C_None)) k + constant self : RedBlackTree_Tree_Type.t_tree k v + constant k : deep_model_ty0 + function has_mapping_model [#"../red_black_tree.rs" 110 4 112 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) : () + + goal vc_has_mapping_model : ([#"../red_black_tree.rs" 110 31 110 32] inv1 k) + -> ([#"../red_black_tree.rs" 110 25 110 29] inv0 self) + -> ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) + -> (([#"../red_black_tree.rs" 71 8 71 9] inv1 k) && ([#"../red_black_tree.rs" 70 8 70 12] inv3 (Const.const (Core_Option_Option_Type.C_None))) && ([#"../red_black_tree.rs" 69 8 69 12] inv0 self)) /\ (([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self (Const.const (Core_Option_Option_Type.C_None))) k = Map.get (Const.const (Core_Option_Option_Type.C_None)) k \/ (exists v : v . 
inv2 v /\ Map.get (model_acc0 self (Const.const (Core_Option_Option_Type.C_None))) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + -> (let _ = model_acc_has_mapping0 self (Const.const (Core_Option_Option_Type.C_None)) k in (([#"../red_black_tree.rs" 89 81 89 82] inv1 k) && ([#"../red_black_tree.rs" 89 35 89 39] inv3 (Const.const (Core_Option_Option_Type.C_None))) && ([#"../red_black_tree.rs" 89 29 89 33] inv0 self) && ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self)) /\ (([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv2 v + -> has_mapping0 self k v + -> Map.get (model_acc0 self (Const.const (Core_Option_Option_Type.C_None))) k = Core_Option_Option_Type.C_Some v) + -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv2 v + -> has_mapping0 self k v = (Map.get (shallow_model0 self) k = Core_Option_Option_Type.C_Some v))))) end module RedBlackTree_Impl0_HasMappingInj_Impl type k 
@@ -627,7 +713,9 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -635,7 +723,10 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -643,7 +734,10 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -654,13 +748,19 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv1 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -671,7 +771,9 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -682,7 +784,9 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -693,7 +797,9 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -704,7 +810,9 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv1 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv1 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv1 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant2 (self : v) val invariant2 (self : v) : bool ensures { result = invariant2 self } 
@@ -777,9 +885,18 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../red_black_tree.rs" 71 8 71 9] inv1 k} ensures { result = model_acc_has_mapping0 self accu k } - axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv0 self) -> ([#"../red_black_tree.rs" 70 8 70 12] inv3 accu) -> ([#"../red_black_tree.rs" 71 8 71 9] inv1 k) -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv2 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv0 self) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv3 accu) + -> ([#"../red_black_tree.rs" 71 8 71 9] inv1 k) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv2 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv2 v -> inv1 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv2 v -> inv1 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . 
inv2 v + -> inv1 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv2 v + -> inv1 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } @@ -805,7 +922,12 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../red_black_tree.rs" 89 81 89 82] inv1 k} ensures { result = has_mapping_model_acc0 self accu k } - axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 89 29 89 33] inv0 self) -> ([#"../red_black_tree.rs" 89 35 89 39] inv3 accu) -> ([#"../red_black_tree.rs" 89 81 89 82] inv1 k) -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv2 v -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) + axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 89 29 89 33] inv0 self) + -> ([#"../red_black_tree.rs" 89 35 89 39] inv3 accu) + -> ([#"../red_black_tree.rs" 89 81 89 82] inv1 k) + -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv2 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) function has_mapping_model0 [#"../red_black_tree.rs" 110 4 112 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) : () = 
@@ -816,22 +938,30 @@ module RedBlackTree_Impl0_HasMappingInj_Impl requires {[#"../red_black_tree.rs" 110 31 110 32] inv1 k} ensures { result = has_mapping_model0 self k } - axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 110 25 110 29] inv0 self) -> ([#"../red_black_tree.rs" 110 31 110 32] inv1 k) -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv2 v -> has_mapping0 self k v = (Map.get (shallow_model0 self) k = Core_Option_Option_Type.C_Some v)) - let rec ghost function has_mapping_inj [#"../red_black_tree.rs" 125 4 127 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) (v1 : v) (v2 : v) : () - requires {[#"../red_black_tree.rs" 121 15 121 35] bst_invariant0 self} - requires {[#"../red_black_tree.rs" 122 15 122 38] has_mapping0 self k v1} - requires {[#"../red_black_tree.rs" 123 15 123 38] has_mapping0 self k v2} - requires {[#"../red_black_tree.rs" 125 23 125 27] inv0 self} - requires {[#"../red_black_tree.rs" 125 29 125 30] inv1 k} - requires {[#"../red_black_tree.rs" 125 48 125 50] inv2 v1} - requires {[#"../red_black_tree.rs" 125 55 125 57] inv2 v2} - ensures { [#"../red_black_tree.rs" 124 14 124 22] v1 = v2 } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../red_black_tree.rs" 130 12 130 37] let _ = has_mapping_model0 self k in match let a' = shallow_model0 self in Map.get a' k with - | Core_Option_Option_Type.C_None -> () - | Core_Option_Option_Type.C_Some _v -> () - end + axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 110 25 110 29] inv0 self) + -> ([#"../red_black_tree.rs" 110 31 110 32] inv1 k) + -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . 
inv2 v + -> has_mapping0 self k v = (Map.get (shallow_model0 self) k = Core_Option_Option_Type.C_Some v)) + constant self : RedBlackTree_Tree_Type.t_tree k v + constant k : deep_model_ty0 + constant v1 : v + constant v2 : v + function has_mapping_inj [#"../red_black_tree.rs" 125 4 127 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) (v1 : v) (v2 : v) : () + + goal vc_has_mapping_inj : ([#"../red_black_tree.rs" 125 55 125 57] inv2 v2) + -> ([#"../red_black_tree.rs" 125 48 125 50] inv2 v1) + -> ([#"../red_black_tree.rs" 125 29 125 30] inv1 k) + -> ([#"../red_black_tree.rs" 125 23 125 27] inv0 self) + -> ([#"../red_black_tree.rs" 123 15 123 38] has_mapping0 self k v2) + -> ([#"../red_black_tree.rs" 122 15 122 38] has_mapping0 self k v1) + -> ([#"../red_black_tree.rs" 121 15 121 35] bst_invariant0 self) + -> (([#"../red_black_tree.rs" 110 31 110 32] inv1 k) && ([#"../red_black_tree.rs" 110 25 110 29] inv0 self) && ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self)) /\ (([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv2 v + -> has_mapping0 self k v = (Map.get (shallow_model0 self) k = Core_Option_Option_Type.C_Some v)) + -> (let _ = has_mapping_model0 self k in match Map.get (shallow_model0 self) k with + | Core_Option_Option_Type.C_None -> [#"../red_black_tree.rs" 124 14 124 22] v1 = v2 + | Core_Option_Option_Type.C_Some _v -> [#"../red_black_tree.rs" 124 14 124 22] v1 = v2 + end)) end module Core_Ptr_NonNull_NonNull_Type use prelude.Opaque 
@@ -920,14 +1050,23 @@ module RedBlackTree_Impl1_HasMapping_Impl val has_mapping0 [#"../red_black_tree.rs" 31 4 31 57] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) (v : v) : bool ensures { result = has_mapping0 self k v } - let rec ghost predicate has_mapping [#"../red_black_tree.rs" 140 4 140 57] (self : RedBlackTree_Node_Type.t_node k v) (k : deep_model_ty0) (v : v) - requires {[#"../red_black_tree.rs" 140 19 140 23] inv0 self} - requires {[#"../red_black_tree.rs" 140 25 140 26] inv1 k} - requires {[#"../red_black_tree.rs" 140 44 140 45] inv2 v} - ensures { [#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv3 node -> self = node -> result = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../red_black_tree.rs" 141 8 144 9] has_mapping0 (RedBlackTree_Node_Type.node_left self) k v || has_mapping0 (RedBlackTree_Node_Type.node_right self) k v || (let x0 = deep_model0 (RedBlackTree_Node_Type.node_key self) in pure {k = x0}) && pure {v = RedBlackTree_Node_Type.node_val self} + constant self : RedBlackTree_Node_Type.t_node k v + constant k : deep_model_ty0 + constant v : v + predicate has_mapping [#"../red_black_tree.rs" 140 4 140 57] (self : RedBlackTree_Node_Type.t_node k v) (k : deep_model_ty0) (v : v) + + goal vc_has_mapping : ([#"../red_black_tree.rs" 140 44 140 45] inv2 v) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv1 k) + -> ([#"../red_black_tree.rs" 140 19 140 23] inv0 self) + -> (if k = deep_model0 (RedBlackTree_Node_Type.node_key self) then + [#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . 
inv3 node + -> self = node + -> ((has_mapping0 (RedBlackTree_Node_Type.node_left self) k v \/ has_mapping0 (RedBlackTree_Node_Type.node_right self) k v) \/ v = RedBlackTree_Node_Type.node_val self) = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v + else + [#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv3 node + -> self = node + -> ((has_mapping0 (RedBlackTree_Node_Type.node_left self) k v \/ has_mapping0 (RedBlackTree_Node_Type.node_right self) k v) \/ false) = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v + ) end module RedBlackTree_Cp_Type use RedBlackTree_Color_Type as RedBlackTree_Color_Type 
@@ -953,18 +1092,18 @@ module RedBlackTree_Impl9_Height_Impl use RedBlackTree_Node_Type as RedBlackTree_Node_Type use Core_Option_Option_Type as Core_Option_Option_Type use prelude.Int - let rec ghost function height [#"../red_black_tree.rs" 296 4 296 26] (self : RedBlackTree_Tree_Type.t_tree k v) : int - requires {[#"../red_black_tree.rs" 296 14 296 18] inv0 self} - ensures { [#"../red_black_tree.rs" 295 14 295 25] result >= 0 } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../red_black_tree.rs" 298 12 306 13] match self with - | RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_None) -> 0 - | RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some (RedBlackTree_Node_Type.C_Node left color _ _ _)) -> match color with - | RedBlackTree_Color_Type.C_Red -> height left - | RedBlackTree_Color_Type.C_Black -> height left + 1 - end - end + constant self : RedBlackTree_Tree_Type.t_tree k v + function height [#"../red_black_tree.rs" 296 4 296 26] (self : RedBlackTree_Tree_Type.t_tree k v) : int + goal vc_height : ([#"../red_black_tree.rs" 296 14 296 18] inv0 self) + -> match self with + | RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_None) -> [#"../red_black_tree.rs" 295 14 295 25] 0 >= 0 + | RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some (RedBlackTree_Node_Type.C_Node left color _ _ _)) -> match color with + | RedBlackTree_Color_Type.C_Red -> ([#"../red_black_tree.rs" 296 14 296 18] inv0 left) /\ (([#"../red_black_tree.rs" 295 14 295 25] height left >= 0) + -> ([#"../red_black_tree.rs" 295 14 295 25] height left >= 0)) + | RedBlackTree_Color_Type.C_Black -> ([#"../red_black_tree.rs" 296 14 296 18] inv0 left) /\ (([#"../red_black_tree.rs" 295 14 295 25] height left >= 0) + -> ([#"../red_black_tree.rs" 295 14 295 25] height left + 1 >= 0)) + end + end end module RedBlackTree_Impl10_Height_Impl type k 
@@ -1014,16 +1153,21 @@ module RedBlackTree_Impl10_Height_Impl requires {[#"../red_black_tree.rs" 296 14 296 18] inv2 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv2 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) - let rec ghost function height [#"../red_black_tree.rs" 328 4 328 26] (self : RedBlackTree_Node_Type.t_node k v) : int - requires {[#"../red_black_tree.rs" 328 14 328 18] inv0 self} - ensures { [#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node -> self = node -> result = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../red_black_tree.rs" 330 12 333 13] match RedBlackTree_Node_Type.node_color self with - | RedBlackTree_Color_Type.C_Red -> height0 (RedBlackTree_Node_Type.node_left self) - | RedBlackTree_Color_Type.C_Black -> height0 (RedBlackTree_Node_Type.node_left self) + 1 - end + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv2 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + constant self : RedBlackTree_Node_Type.t_node k v + function height [#"../red_black_tree.rs" 328 4 328 26] (self : RedBlackTree_Node_Type.t_node k v) : int + goal vc_height : ([#"../red_black_tree.rs" 328 14 328 18] inv0 self) + -> match RedBlackTree_Node_Type.node_color self with + | RedBlackTree_Color_Type.C_Red -> ([#"../red_black_tree.rs" 296 14 296 18] inv2 (RedBlackTree_Node_Type.node_left self)) /\ (([#"../red_black_tree.rs" 295 14 295 25] height0 (RedBlackTree_Node_Type.node_left self) >= 0) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . 
inv1 node + -> self = node + -> height0 (RedBlackTree_Node_Type.node_left self) = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)))) + | RedBlackTree_Color_Type.C_Black -> ([#"../red_black_tree.rs" 296 14 296 18] inv2 (RedBlackTree_Node_Type.node_left self)) /\ (([#"../red_black_tree.rs" 295 14 295 25] height0 (RedBlackTree_Node_Type.node_left self) >= 0) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node + -> self = node + -> height0 (RedBlackTree_Node_Type.node_left self) + 1 = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)))) + end end module RedBlackTree_Impl13_IsRed type k @@ -1073,7 +1217,7 @@ module RedBlackTree_Impl13_IsRed end } BB1 { - [#"../red_black_tree.rs" 391 17 391 22] _0 <- ([#"../red_black_tree.rs" 391 17 391 22] [#"../red_black_tree.rs" 391 17 391 22] false); + [#"../red_black_tree.rs" 391 17 391 22] _0 <- ([#"../red_black_tree.rs" 391 17 391 22] false); goto BB5 } BB2 { @@ -1088,7 +1232,7 @@ module RedBlackTree_Impl13_IsRed goto BB4 } BB4 { - [#"../red_black_tree.rs" 390 49 390 53] _0 <- ([#"../red_black_tree.rs" 390 49 390 53] [#"../red_black_tree.rs" 390 49 390 53] true); + [#"../red_black_tree.rs" 390 49 390 53] _0 <- ([#"../red_black_tree.rs" 390 49 390 53] true); goto BB5 } BB5 { 
@@ -1146,7 +1290,9 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv11 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -1154,7 +1300,10 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv11 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -1162,7 +1311,10 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv11 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -1173,13 +1325,19 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv11 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv11 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv11 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv11 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -1190,7 +1348,9 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv11 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -1201,7 +1361,9 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv11 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -1212,7 +1374,9 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv11 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -1223,7 +1387,9 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv11 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use RedBlackTree_Node_Type as RedBlackTree_Node_Type predicate invariant8 (self : borrowed (RedBlackTree_Node_Type.t_node k v)) val invariant8 (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : bool 
@@ -1300,16 +1466,16 @@ module RedBlackTree_Impl14_RotateRight ensures { result = inv1 _x } axiom inv1 : forall x : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v) . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) - val invariant0 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) + val invariant0 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) - val inv0 (_x : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) + val inv0 (_x : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v)) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v)) . inv0 x = true use prelude.Int function height1 [#"../red_black_tree.rs" 296 4 296 26] (self : RedBlackTree_Tree_Type.t_tree k v) : int = [#"../red_black_tree.rs" 298 12 306 13] match self with 
@@ -1323,7 +1489,8 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../red_black_tree.rs" 296 14 296 18] inv3 self} ensures { result = height1 self } - axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv3 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) + axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv3 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) function height0 [#"../red_black_tree.rs" 328 4 328 26] (self : RedBlackTree_Node_Type.t_node k v) : int = [#"../red_black_tree.rs" 330 12 333 13] match RedBlackTree_Node_Type.node_color self with | RedBlackTree_Color_Type.C_Red -> height1 (RedBlackTree_Node_Type.node_left self) @@ -1333,7 +1500,9 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../red_black_tree.rs" 328 14 328 18] inv5 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv5 self) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) + axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv5 self) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node + -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) function deep_model0 (self : k) : deep_model_ty0 val deep_model0 (self : k) : deep_model_ty0 ensures { result = deep_model0 self } 
@@ -1358,11 +1527,17 @@ module RedBlackTree_Impl14_RotateRight requires {[#"../red_black_tree.rs" 140 44 140 45] inv10 v} ensures { result = has_mapping1 self k v } - axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv5 self) -> ([#"../red_black_tree.rs" 140 25 140 26] inv11 k) -> ([#"../red_black_tree.rs" 140 44 140 45] inv10 v) -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node -> self = node -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) + axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv5 self) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv11 k) + -> ([#"../red_black_tree.rs" 140 44 140 45] inv10 v) + -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node + -> self = node + -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) predicate same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv10 v -> inv11 k -> has_mapping1 self k v = has_mapping1 o k v + [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv11 k -> has_mapping1 self k v = has_mapping1 o k v val same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = same_mappings0 self o } 
@@ -1395,7 +1570,13 @@ module RedBlackTree_Impl14_RotateRight ensures { result = height_invariant0 self } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv10 v -> inv11 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv10 v -> inv11 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv11 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv11 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } @@ -1426,7 +1607,7 @@ module RedBlackTree_Impl14_RotateRight val resolve5 (self : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = resolve5 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve4 (self : borrowed (RedBlackTree_Color_Type.t_color)) = [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve4 (self : borrowed (RedBlackTree_Color_Type.t_color)) : bool 
@@ -1482,11 +1663,11 @@ module RedBlackTree_Impl14_RotateRight ensures { [#"../../../../creusot-contracts/src/std/mem.rs" 16 22 16 42] is_default0 ( ^ dest) } ensures { inv1 result } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) - val resolve0 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) + val resolve0 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg rotate_right [#"../red_black_tree.rs" 412 4 412 30] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : () requires {[#"../red_black_tree.rs" 400 15 400 43] internal_invariant0 ( * self)} requires {[#"../red_black_tree.rs" 401 15 401 42] color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red} @@ -1502,7 +1683,7 @@ module RedBlackTree_Impl14_RotateRight = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var self : borrowed (RedBlackTree_Node_Type.t_node k v) = self; - var old_self : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v)); + var old_self : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v)); var x : RedBlackTree_Node_Type.t_node k v; var _14 : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v); var _15 : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)); 
@@ -1521,11 +1702,13 @@ module RedBlackTree_Impl14_RotateRight var _28 : borrowed (RedBlackTree_Color_Type.t_color); var _29 : borrowed (RedBlackTree_Color_Type.t_color); var _30 : borrowed (RedBlackTree_Color_Type.t_color); + var _33 : RedBlackTree_Tree_Type.t_tree k v; + var _34 : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v); { goto BB0 } BB0 { - [#"../red_black_tree.rs" 413 23 413 35] old_self <- ([#"../red_black_tree.rs" 413 23 413 35] Ghost.new self); + [#"../red_black_tree.rs" 413 23 413 41] old_self <- ([#"../red_black_tree.rs" 413 23 413 41] Snapshot.new self); goto BB1 } BB1 { 
@@ -1604,18 +1787,22 @@ module RedBlackTree_Impl14_RotateRight BB6 { assume { resolve4 _30 }; assume { resolve4 _28 }; - assert { [@expl:assertion] [#"../red_black_tree.rs" 441 8 441 90] has_mapping0 (RedBlackTree_Node_Type.node_left ( * Ghost.inner old_self)) (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) (RedBlackTree_Node_Type.node_val ( * self)) }; + assert { [@expl:assertion] [#"../red_black_tree.rs" 441 8 441 90] has_mapping0 (RedBlackTree_Node_Type.node_left ( * Snapshot.inner old_self)) (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) (RedBlackTree_Node_Type.node_val ( * self)) }; + [#"../red_black_tree.rs" 442 34 442 41] _34 <- Core_Option_Option_Type.C_Some x; + x <- any RedBlackTree_Node_Type.t_node k v; goto BB7 } BB7 { + [#"../red_black_tree.rs" 442 21 442 43] _33 <- RedBlackTree_Tree_Type.C_Tree _34; + _34 <- any Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v); goto BB8 } BB8 { goto BB9 } BB9 { - [#"../red_black_tree.rs" 442 8 442 18] self <- { self with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * self in RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 ([#"../red_black_tree.rs" 442 21 442 43] RedBlackTree_Tree_Type.C_Tree ([#"../red_black_tree.rs" 442 34 442 41] Core_Option_Option_Type.C_Some ([#"../red_black_tree.rs" 442 39 442 40] x)))) ; }; - [#"../red_black_tree.rs" 442 39 442 40] x <- any RedBlackTree_Node_Type.t_node k v; + [#"../red_black_tree.rs" 442 8 442 18] self <- { self with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * self in RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 _33) ; }; + _33 <- any RedBlackTree_Tree_Type.t_tree k v; assert { [@expl:type invariant] inv3 (RedBlackTree_Node_Type.node_right ( * self)) }; assume { resolve5 (RedBlackTree_Node_Type.node_right ( * self)) }; assert { [@expl:type invariant] inv8 self }; 
@@ -1676,7 +1863,9 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv11 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -1684,7 +1873,10 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv11 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -1692,7 +1884,10 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv11 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -1703,13 +1898,19 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv11 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv11 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv11 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv11 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -1720,7 +1921,9 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv11 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -1731,7 +1934,9 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv11 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -1742,7 +1947,9 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv11 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -1753,7 +1960,9 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv11 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv11 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv11 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv11 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv11 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use RedBlackTree_Node_Type as RedBlackTree_Node_Type predicate invariant8 (self : borrowed (RedBlackTree_Node_Type.t_node k v)) val invariant8 (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : bool 
@@ -1830,16 +2039,16 @@ module RedBlackTree_Impl14_RotateLeft ensures { result = inv1 _x } axiom inv1 : forall x : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v) . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) - val invariant0 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) + val invariant0 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) - val inv0 (_x : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) + val inv0 (_x : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v)) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v)) . inv0 x = true use prelude.Int function height1 [#"../red_black_tree.rs" 296 4 296 26] (self : RedBlackTree_Tree_Type.t_tree k v) : int = [#"../red_black_tree.rs" 298 12 306 13] match self with 
@@ -1853,7 +2062,8 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../red_black_tree.rs" 296 14 296 18] inv3 self} ensures { result = height1 self } - axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv3 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) + axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv3 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) function height0 [#"../red_black_tree.rs" 328 4 328 26] (self : RedBlackTree_Node_Type.t_node k v) : int = [#"../red_black_tree.rs" 330 12 333 13] match RedBlackTree_Node_Type.node_color self with | RedBlackTree_Color_Type.C_Red -> height1 (RedBlackTree_Node_Type.node_left self) @@ -1863,7 +2073,9 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../red_black_tree.rs" 328 14 328 18] inv5 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv5 self) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) + axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv5 self) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node + -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) function deep_model0 (self : k) : deep_model_ty0 val deep_model0 (self : k) : deep_model_ty0 ensures { result = deep_model0 self } 
@@ -1888,11 +2100,17 @@ module RedBlackTree_Impl14_RotateLeft requires {[#"../red_black_tree.rs" 140 44 140 45] inv10 v} ensures { result = has_mapping1 self k v } - axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv5 self) -> ([#"../red_black_tree.rs" 140 25 140 26] inv11 k) -> ([#"../red_black_tree.rs" 140 44 140 45] inv10 v) -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node -> self = node -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) + axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv5 self) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv11 k) + -> ([#"../red_black_tree.rs" 140 44 140 45] inv10 v) + -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node + -> self = node + -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) predicate same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv10 v -> inv11 k -> has_mapping1 self k v = has_mapping1 o k v + [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv11 k -> has_mapping1 self k v = has_mapping1 o k v val same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = same_mappings0 self o } 
@@ -1925,7 +2143,13 @@ module RedBlackTree_Impl14_RotateLeft ensures { result = height_invariant0 self } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv10 v -> inv11 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv10 v -> inv11 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv11 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv11 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } @@ -1956,7 +2180,7 @@ module RedBlackTree_Impl14_RotateLeft val resolve5 (self : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = resolve5 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve4 (self : borrowed (RedBlackTree_Color_Type.t_color)) = [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve4 (self : borrowed (RedBlackTree_Color_Type.t_color)) : bool 
@@ -2012,11 +2236,11 @@ module RedBlackTree_Impl14_RotateLeft ensures { [#"../../../../creusot-contracts/src/std/mem.rs" 16 22 16 42] is_default0 ( ^ dest) } ensures { inv1 result } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) - val resolve0 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) + val resolve0 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg rotate_left [#"../red_black_tree.rs" 462 4 462 29] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : () requires {[#"../red_black_tree.rs" 450 15 450 43] internal_invariant0 ( * self)} requires {[#"../red_black_tree.rs" 451 15 451 43] color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red} @@ -2032,7 +2256,7 @@ module RedBlackTree_Impl14_RotateLeft = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var self : borrowed (RedBlackTree_Node_Type.t_node k v) = self; - var old_self : Ghost.ghost_ty (borrowed (RedBlackTree_Node_Type.t_node k v)); + var old_self : Snapshot.snap_ty (borrowed (RedBlackTree_Node_Type.t_node k v)); var x : RedBlackTree_Node_Type.t_node k v; var _14 : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v); var _15 : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)); 
@@ -2051,11 +2275,13 @@ module RedBlackTree_Impl14_RotateLeft var _28 : borrowed (RedBlackTree_Color_Type.t_color); var _29 : borrowed (RedBlackTree_Color_Type.t_color); var _30 : borrowed (RedBlackTree_Color_Type.t_color); + var _33 : RedBlackTree_Tree_Type.t_tree k v; + var _34 : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v); { goto BB0 } BB0 { - [#"../red_black_tree.rs" 463 23 463 35] old_self <- ([#"../red_black_tree.rs" 463 23 463 35] Ghost.new self); + [#"../red_black_tree.rs" 463 23 463 41] old_self <- ([#"../red_black_tree.rs" 463 23 463 41] Snapshot.new self); goto BB1 } BB1 { 
@@ -2134,18 +2360,22 @@ module RedBlackTree_Impl14_RotateLeft BB6 { assume { resolve4 _30 }; assume { resolve4 _28 }; - assert { [@expl:assertion] [#"../red_black_tree.rs" 468 8 468 91] has_mapping0 (RedBlackTree_Node_Type.node_right ( * Ghost.inner old_self)) (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) (RedBlackTree_Node_Type.node_val ( * self)) }; + assert { [@expl:assertion] [#"../red_black_tree.rs" 468 8 468 91] has_mapping0 (RedBlackTree_Node_Type.node_right ( * Snapshot.inner old_self)) (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) (RedBlackTree_Node_Type.node_val ( * self)) }; + [#"../red_black_tree.rs" 469 33 469 40] _34 <- Core_Option_Option_Type.C_Some x; + x <- any RedBlackTree_Node_Type.t_node k v; goto BB7 } BB7 { + [#"../red_black_tree.rs" 469 20 469 42] _33 <- RedBlackTree_Tree_Type.C_Tree _34; + _34 <- any Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v); goto BB8 } BB8 { goto BB9 } BB9 { - [#"../red_black_tree.rs" 469 8 469 17] self <- { self with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * self in RedBlackTree_Node_Type.C_Node ([#"../red_black_tree.rs" 469 20 469 42] RedBlackTree_Tree_Type.C_Tree ([#"../red_black_tree.rs" 469 33 469 40] Core_Option_Option_Type.C_Some ([#"../red_black_tree.rs" 469 38 469 39] x))) x1 x2 x3 x4) ; }; - [#"../red_black_tree.rs" 469 38 469 39] x <- any RedBlackTree_Node_Type.t_node k v; + [#"../red_black_tree.rs" 469 8 469 17] self <- { self with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * self in RedBlackTree_Node_Type.C_Node _33 x1 x2 x3 x4) ; }; + _33 <- any RedBlackTree_Tree_Type.t_tree k v; assert { [@expl:type invariant] inv3 (RedBlackTree_Node_Type.node_left ( * self)) }; assume { resolve5 (RedBlackTree_Node_Type.node_left ( * self)) }; assert { [@expl:type invariant] inv8 self }; 
@@ -2180,7 +2410,9 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv9 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv9 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv9 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv9 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv9 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -2188,7 +2420,10 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv9 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv9 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv9 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv9 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv9 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -2196,7 +2431,10 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv9 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv9 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv9 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv9 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv9 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -2207,13 +2445,19 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv9 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv9 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv9 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv9 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv9 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv9 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv9 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv9 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv9 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv9 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -2224,7 +2468,9 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv9 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv9 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv9 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv9 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv9 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -2235,7 +2481,9 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv9 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv9 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv9 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv9 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv9 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -2246,7 +2494,9 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv9 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv9 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv9 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv9 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv9 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -2257,7 +2507,9 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv9 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv9 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv9 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv9 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv9 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use RedBlackTree_Tree_Type as RedBlackTree_Tree_Type predicate invariant10 (self : RedBlackTree_Tree_Type.t_tree k v) val invariant10 (self : RedBlackTree_Tree_Type.t_tree k v) : bool 
@@ -2384,11 +2636,17 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../red_black_tree.rs" 140 44 140 45] inv8 v} ensures { result = has_mapping0 self k v } - axiom has_mapping0_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv7 self) -> ([#"../red_black_tree.rs" 140 25 140 26] inv9 k) -> ([#"../red_black_tree.rs" 140 44 140 45] inv8 v) -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv3 node -> self = node -> has_mapping0 self k v = has_mapping1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) + axiom has_mapping0_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv7 self) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv9 k) + -> ([#"../red_black_tree.rs" 140 44 140 45] inv8 v) + -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv3 node + -> self = node + -> has_mapping0 self k v = has_mapping1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) predicate same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv8 v -> inv9 k -> has_mapping0 self k v = has_mapping0 o k v + [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv8 v + -> inv9 k -> has_mapping0 self k v = has_mapping0 o k v val same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = same_mappings0 self o } 
@@ -2405,7 +2663,8 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../red_black_tree.rs" 296 14 296 18] inv10 self} ensures { result = height1 self } - axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv10 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) + axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv10 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) function height0 [#"../red_black_tree.rs" 328 4 328 26] (self : RedBlackTree_Node_Type.t_node k v) : int = [#"../red_black_tree.rs" 330 12 333 13] match RedBlackTree_Node_Type.node_color self with | RedBlackTree_Color_Type.C_Red -> height1 (RedBlackTree_Node_Type.node_left self) @@ -2415,7 +2674,9 @@ module RedBlackTree_Impl14_FlipColors requires {[#"../red_black_tree.rs" 328 14 328 18] inv7 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv7 self) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv3 node -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) + axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv7 self) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv3 node + -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) function color0 [#"../red_black_tree.rs" 256 4 256 27] (self : RedBlackTree_Tree_Type.t_tree k v) : RedBlackTree_Color_Type.t_color = 
@@ -2445,7 +2706,13 @@ module RedBlackTree_Impl14_FlipColors ensures { result = height_invariant0 self } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv8 v -> inv9 k -> has_mapping1 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv8 v -> inv9 k -> has_mapping1 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv8 v + -> inv9 k + -> has_mapping1 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv8 v + -> inv9 k + -> has_mapping1 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } 
@@ -2496,7 +2763,8 @@ module RedBlackTree_Impl14_FlipColors val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)) requires {inv4 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (RedBlackTree_Node_Type.t_node k v) . inv1 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv5 result } @@ -2544,7 +2812,7 @@ module RedBlackTree_Impl14_FlipColors goto BB2 } BB2 { - [#"../red_black_tree.rs" 487 8 487 59] _13 <- { _13 with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * _13 in RedBlackTree_Node_Type.C_Node x0 ([#"../red_black_tree.rs" 487 49 487 59] RedBlackTree_Node_Type.node_color ( * self)) x2 x3 x4) ; }; + [#"../red_black_tree.rs" 487 8 487 59] _13 <- { _13 with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * _13 in RedBlackTree_Node_Type.C_Node x0 (RedBlackTree_Node_Type.node_color ( * self)) x2 x3 x4) ; }; assert { [@expl:type invariant] inv1 _13 }; assume { resolve0 _13 }; [#"../red_black_tree.rs" 488 23 488 38] _18 <- Borrow.borrow_final (RedBlackTree_Node_Type.node_color ( * self)) (Borrow.inherit_id (Borrow.get_id self) 2); 
@@ -2658,7 +2926,9 @@ module RedBlackTree_Impl14_Balance requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv8 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -2666,7 +2936,10 @@ module RedBlackTree_Impl14_Balance requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv8 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -2674,7 +2947,10 @@ module RedBlackTree_Impl14_Balance requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv8 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -2685,13 +2961,19 @@ module RedBlackTree_Impl14_Balance requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv8 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv8 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv8 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv8 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -2702,7 +2984,9 @@ module RedBlackTree_Impl14_Balance requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv8 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -2713,7 +2997,9 @@ module RedBlackTree_Impl14_Balance requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv8 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -2724,7 +3010,9 @@ module RedBlackTree_Impl14_Balance requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv8 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -2735,7 +3023,9 @@ module RedBlackTree_Impl14_Balance requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv8 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant3 (self : RedBlackTree_Tree_Type.t_tree k v) val invariant3 (self : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = invariant3 self } @@ -2843,7 +3133,8 @@ module RedBlackTree_Impl14_Balance requires {[#"../red_black_tree.rs" 296 14 296 18] inv9 self} ensures { result = height1 self } - axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv9 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) + axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv9 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) function height0 [#"../red_black_tree.rs" 328 4 328 26] (self : RedBlackTree_Node_Type.t_node k v) : int = [#"../red_black_tree.rs" 330 12 333 13] match RedBlackTree_Node_Type.node_color self with | RedBlackTree_Color_Type.C_Red -> height1 (RedBlackTree_Node_Type.node_left self) 
@@ -2853,7 +3144,9 @@ module RedBlackTree_Impl14_Balance requires {[#"../red_black_tree.rs" 328 14 328 18] inv0 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv0 self) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv4 node -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) + axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv0 self) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv4 node + -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) function deep_model0 (self : k) : deep_model_ty0 val deep_model0 (self : k) : deep_model_ty0 ensures { result = deep_model0 self } 
@@ -2878,11 +3171,17 @@ module RedBlackTree_Impl14_Balance requires {[#"../red_black_tree.rs" 140 44 140 45] inv7 v} ensures { result = has_mapping0 self k v } - axiom has_mapping0_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv0 self) -> ([#"../red_black_tree.rs" 140 25 140 26] inv8 k) -> ([#"../red_black_tree.rs" 140 44 140 45] inv7 v) -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv4 node -> self = node -> has_mapping0 self k v = has_mapping1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) + axiom has_mapping0_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv0 self) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv8 k) + -> ([#"../red_black_tree.rs" 140 44 140 45] inv7 v) + -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv4 node + -> self = node + -> has_mapping0 self k v = has_mapping1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) predicate same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv7 v -> inv8 k -> has_mapping0 self k v = has_mapping0 o k v + [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv7 v + -> inv8 k -> has_mapping0 self k v = has_mapping0 o k v val same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = same_mappings0 self o } 
@@ -2905,7 +3204,13 @@ module RedBlackTree_Impl14_Balance ensures { result = height_invariant0 self } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv7 v -> inv8 k -> has_mapping1 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv7 v -> inv8 k -> has_mapping1 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv7 v + -> inv8 k + -> has_mapping1 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv7 v + -> inv8 k + -> has_mapping1 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } 
@@ -2969,7 +3274,8 @@ module RedBlackTree_Impl14_Balance val as_ref0 (self : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)) : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v) requires {inv5 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 58 16 58 60] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 58 16 58 60] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 59 16 61 18] self = Core_Option_Option_Type.C_None \/ (exists r : RedBlackTree_Node_Type.t_node k v . inv1 r /\ result = Core_Option_Option_Type.C_Some r /\ self = Core_Option_Option_Type.C_Some r) } ensures { inv6 result } 
@@ -2991,18 +3297,26 @@ module RedBlackTree_Impl14_Balance let rec cfg balance [#"../red_black_tree.rs" 510 4 510 25] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : () requires {[#"../red_black_tree.rs" 491 15 491 43] internal_invariant0 ( * self)} - requires {[#"../red_black_tree.rs" 492 4 493 47] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red -> color_invariant0 (RedBlackTree_Node_Type.node_left ( * self))} - requires {[#"../red_black_tree.rs" 494 4 495 48] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red -> color_invariant0 (RedBlackTree_Node_Type.node_right ( * self))} - requires {[#"../red_black_tree.rs" 496 4 496 110] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red -> false} + requires {[#"../red_black_tree.rs" 492 4 493 47] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red + -> color_invariant0 (RedBlackTree_Node_Type.node_left ( * self))} + requires {[#"../red_black_tree.rs" 494 4 495 48] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red + -> color_invariant0 (RedBlackTree_Node_Type.node_right ( * self))} + requires {[#"../red_black_tree.rs" 496 4 496 110] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red /\ color0 
(RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red + -> false} requires {[#"../red_black_tree.rs" 510 20 510 24] inv2 self} ensures { [#"../red_black_tree.rs" 497 14 497 42] same_mappings0 ( * self) ( ^ self) } ensures { [#"../red_black_tree.rs" 498 14 498 42] internal_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 499 14 499 50] height0 ( * self) = height0 ( ^ self) } - ensures { [#"../red_black_tree.rs" 500 4 501 34] color_invariant0 (RedBlackTree_Node_Type.node_left ( * self)) /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Black -> * self = ^ self } - ensures { [#"../red_black_tree.rs" 502 4 503 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self) -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } - ensures { [#"../red_black_tree.rs" 504 4 505 63] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } - ensures { [#"../red_black_tree.rs" 506 4 507 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } - ensures { [#"../red_black_tree.rs" 508 4 509 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) 
(RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } + ensures { [#"../red_black_tree.rs" 500 4 501 34] color_invariant0 (RedBlackTree_Node_Type.node_left ( * self)) /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Black + -> * self = ^ self } + ensures { [#"../red_black_tree.rs" 502 4 503 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self) + -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } + ensures { [#"../red_black_tree.rs" 504 4 505 63] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } + ensures { [#"../red_black_tree.rs" 506 4 507 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } + ensures { [#"../red_black_tree.rs" 508 4 509 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (RedBlackTree_Cp_Type.C_CPL 
(RedBlackTree_Color_Type.C_Red)) ( ^ self) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); @@ -3027,7 +3341,7 @@ module RedBlackTree_Impl14_Balance goto BB0 } BB0 { - [#"../red_black_tree.rs" 511 11 511 30] _15 <- ([#"../red_black_tree.rs" 511 11 511 30] is_red0 ([#"../red_black_tree.rs" 511 11 511 21] RedBlackTree_Node_Type.node_right ( * self))); + [#"../red_black_tree.rs" 511 11 511 30] _15 <- ([#"../red_black_tree.rs" 511 11 511 30] is_red0 (RedBlackTree_Node_Type.node_right ( * self))); goto BB1 } BB1 { @@ -3037,7 +3351,7 @@ module RedBlackTree_Impl14_Balance end } BB2 { - [#"../red_black_tree.rs" 511 35 511 53] _17 <- ([#"../red_black_tree.rs" 511 35 511 53] is_red0 ([#"../red_black_tree.rs" 511 35 511 44] RedBlackTree_Node_Type.node_left ( * self))); + [#"../red_black_tree.rs" 511 35 511 53] _17 <- ([#"../red_black_tree.rs" 511 35 511 53] is_red0 (RedBlackTree_Node_Type.node_left ( * self))); goto BB3 } BB3 { @@ -3069,7 +3383,7 @@ module RedBlackTree_Impl14_Balance goto BB9 } BB9 { - [#"../red_black_tree.rs" 515 11 515 29] _22 <- ([#"../red_black_tree.rs" 515 11 515 29] is_red0 ([#"../red_black_tree.rs" 515 11 515 20] RedBlackTree_Node_Type.node_left ( * self))); + [#"../red_black_tree.rs" 515 11 515 29] _22 <- ([#"../red_black_tree.rs" 515 11 515 29] is_red0 (RedBlackTree_Node_Type.node_left ( * self))); goto BB10 } BB10 { @@ -3079,7 +3393,7 @@ module RedBlackTree_Impl14_Balance end } BB11 { - [#"../red_black_tree.rs" 515 33 515 56] _27 <- ([#"../red_black_tree.rs" 515 33 515 56] as_ref0 ([#"../red_black_tree.rs" 515 33 515 47] RedBlackTree_Tree_Type.tree_node (RedBlackTree_Node_Type.node_left ( * self)))); + [#"../red_black_tree.rs" 515 33 515 56] _27 <- ([#"../red_black_tree.rs" 515 33 515 56] as_ref0 (RedBlackTree_Tree_Type.tree_node (RedBlackTree_Node_Type.node_left ( * self)))); goto BB12 } BB12 { 
@@ -3090,7 +3404,7 @@ module RedBlackTree_Impl14_Balance BB13 { assert { [@expl:type invariant] inv1 _26 }; assume { resolve0 _26 }; - [#"../red_black_tree.rs" 515 33 515 79] _24 <- ([#"../red_black_tree.rs" 515 33 515 79] is_red0 ([#"../red_black_tree.rs" 515 33 515 70] RedBlackTree_Node_Type.node_left _26)); + [#"../red_black_tree.rs" 515 33 515 79] _24 <- ([#"../red_black_tree.rs" 515 33 515 79] is_red0 (RedBlackTree_Node_Type.node_left _26)); goto BB14 } BB14 { @@ -3122,7 +3436,7 @@ module RedBlackTree_Impl14_Balance goto BB20 } BB20 { - [#"../red_black_tree.rs" 519 11 519 29] _31 <- ([#"../red_black_tree.rs" 519 11 519 29] is_red0 ([#"../red_black_tree.rs" 519 11 519 20] RedBlackTree_Node_Type.node_left ( * self))); + [#"../red_black_tree.rs" 519 11 519 29] _31 <- ([#"../red_black_tree.rs" 519 11 519 29] is_red0 (RedBlackTree_Node_Type.node_left ( * self))); goto BB21 } BB21 { @@ -3132,7 +3446,7 @@ module RedBlackTree_Impl14_Balance end } BB22 { - [#"../red_black_tree.rs" 519 33 519 52] _33 <- ([#"../red_black_tree.rs" 519 33 519 52] is_red0 ([#"../red_black_tree.rs" 519 33 519 43] RedBlackTree_Node_Type.node_right ( * self))); + [#"../red_black_tree.rs" 519 33 519 52] _33 <- ([#"../red_black_tree.rs" 519 33 519 52] is_red0 (RedBlackTree_Node_Type.node_right ( * self))); goto BB23 } BB23 { 
@@ -3243,7 +3557,9 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv5 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -3251,7 +3567,10 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv5 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -3259,7 +3578,10 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv5 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -3270,13 +3592,19 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv5 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv5 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv5 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv5 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -3287,7 +3615,9 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv5 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -3298,7 +3628,9 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv5 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -3309,7 +3641,9 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv5 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -3320,7 +3654,9 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv5 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant5 (self : deep_model_ty0) val invariant5 (self : deep_model_ty0) : bool ensures { result = invariant5 self } 
@@ -3424,7 +3760,12 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../red_black_tree.rs" 140 44 140 45] inv4 v} ensures { result = has_mapping0 self k v } - axiom has_mapping0_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv0 self) -> ([#"../red_black_tree.rs" 140 25 140 26] inv5 k) -> ([#"../red_black_tree.rs" 140 44 140 45] inv4 v) -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node -> self = node -> has_mapping0 self k v = has_mapping1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) + axiom has_mapping0_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv0 self) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv5 k) + -> ([#"../red_black_tree.rs" 140 44 140 45] inv4 v) + -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node + -> self = node + -> has_mapping0 self k v = has_mapping1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) use prelude.Int function height1 [#"../red_black_tree.rs" 296 4 296 26] (self : RedBlackTree_Tree_Type.t_tree k v) : int = [#"../red_black_tree.rs" 298 12 306 13] match self with 
@@ -3438,7 +3779,8 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../red_black_tree.rs" 296 14 296 18] inv10 self} ensures { result = height1 self } - axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv10 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) + axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv10 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) function height0 [#"../red_black_tree.rs" 328 4 328 26] (self : RedBlackTree_Node_Type.t_node k v) : int = [#"../red_black_tree.rs" 330 12 333 13] match RedBlackTree_Node_Type.node_color self with | RedBlackTree_Color_Type.C_Red -> height1 (RedBlackTree_Node_Type.node_left self) @@ -3448,7 +3790,9 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../red_black_tree.rs" 328 14 328 18] inv0 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv0 self) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) + axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv0 self) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node + -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) use RedBlackTree_Cp_Type as RedBlackTree_Cp_Type predicate match_t0 [#"../red_black_tree.rs" 232 4 232 52] (self : RedBlackTree_Cp_Type.t_cp) (tree : RedBlackTree_Tree_Type.t_tree k v) 
@@ -3496,7 +3840,13 @@ module RedBlackTree_Impl14_MoveRedLeft ensures { result = height_invariant0 self } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping1 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping1 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k + -> has_mapping1 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k + -> has_mapping1 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } @@ -3526,7 +3876,8 @@ module RedBlackTree_Impl14_MoveRedLeft predicate same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping0 self k v = has_mapping0 o k v + [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k -> has_mapping0 self k v = has_mapping0 o k v val same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = same_mappings0 self o } 
@@ -3571,7 +3922,8 @@ module RedBlackTree_Impl14_MoveRedLeft val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)) requires {inv7 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (RedBlackTree_Node_Type.t_node k v) . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv8 result } 
@@ -3594,14 +3946,24 @@ module RedBlackTree_Impl14_MoveRedLeft requires {[#"../red_black_tree.rs" 526 15 526 86] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self)} requires {[#"../red_black_tree.rs" 542 26 542 30] inv3 self} ensures { [#"../red_black_tree.rs" 527 14 527 44] internal_invariant0 ( * result) } - ensures { [#"../red_black_tree.rs" 528 4 530 48] internal_invariant0 ( ^ result) /\ height0 ( * result) = height0 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping0 ( ^ result) k v -> has_mapping0 ( * result) k v) -> internal_invariant0 ( ^ self) } - ensures { [#"../red_black_tree.rs" 531 4 531 97] height0 ( * result) = height0 ( ^ result) -> height0 ( * self) = height0 ( ^ self) } + ensures { [#"../red_black_tree.rs" 528 4 530 48] internal_invariant0 ( ^ result) /\ height0 ( * result) = height0 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k -> has_mapping0 ( ^ result) k v -> has_mapping0 ( * result) k v) -> internal_invariant0 ( ^ self) } + ensures { [#"../red_black_tree.rs" 531 4 531 97] height0 ( * result) = height0 ( ^ result) + -> height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 532 14 532 42] RedBlackTree_Node_Type.node_key ( * self) = RedBlackTree_Node_Type.node_key ( * result) } - ensures { [#"../red_black_tree.rs" 533 4 533 105] forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping0 ( * result) k v -> has_mapping0 ( * self) k v } - ensures { [#"../red_black_tree.rs" 534 4 535 47] forall v : v . forall k : deep_model_ty0 . 
inv4 v -> inv5 k -> has_mapping0 ( * self) k v /\ le_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) -> has_mapping0 ( * result) k v } - ensures { [#"../red_black_tree.rs" 536 4 537 108] forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping0 ( ^ self) k v = (has_mapping0 ( ^ result) k v \/ has_mapping0 ( * self) k v /\ not has_mapping0 ( * result) k v) } + ensures { [#"../red_black_tree.rs" 533 4 533 105] forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k -> has_mapping0 ( * result) k v -> has_mapping0 ( * self) k v } + ensures { [#"../red_black_tree.rs" 534 4 535 47] forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k + -> has_mapping0 ( * self) k v /\ le_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) + -> has_mapping0 ( * result) k v } + ensures { [#"../red_black_tree.rs" 536 4 537 108] forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k + -> has_mapping0 ( ^ self) k v = (has_mapping0 ( ^ result) k v \/ has_mapping0 ( * self) k v /\ not has_mapping0 ( * result) k v) } ensures { [#"../red_black_tree.rs" 538 14 539 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * result) \/ match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * result) } - ensures { [#"../red_black_tree.rs" 540 4 541 45] color_invariant0 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_right ( * result)) = RedBlackTree_Color_Type.C_Black -> RedBlackTree_Node_Type.node_color ( ^ result) = RedBlackTree_Color_Type.C_Black) -> color_invariant0 ( ^ self) } + ensures { [#"../red_black_tree.rs" 540 4 541 45] color_invariant0 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_right ( * result)) = RedBlackTree_Color_Type.C_Black + -> RedBlackTree_Node_Type.node_color ( 
^ result) = RedBlackTree_Color_Type.C_Black) + -> color_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 542 35 542 44] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] @@ -3650,7 +4012,7 @@ module RedBlackTree_Impl14_MoveRedLeft goto BB3 } BB3 { - [#"../red_black_tree.rs" 544 11 544 58] _18 <- ([#"../red_black_tree.rs" 544 11 544 58] is_red0 ([#"../red_black_tree.rs" 544 11 544 49] RedBlackTree_Node_Type.node_left ( * _20))); + [#"../red_black_tree.rs" 544 11 544 58] _18 <- ([#"../red_black_tree.rs" 544 11 544 58] is_red0 (RedBlackTree_Node_Type.node_left ( * _20))); goto BB4 } BB4 { @@ -3724,8 +4086,8 @@ module RedBlackTree_Impl14_MoveRedLeft BB13 { assert { [@expl:type invariant] inv2 _20 }; assume { resolve0 _20 }; - [#"../red_black_tree.rs" 550 15 550 19] _0 <- ([#"../red_black_tree.rs" 550 15 550 19] self); - [#"../red_black_tree.rs" 550 15 550 19] self <- any borrowed (RedBlackTree_Node_Type.t_node k v); + [#"../red_black_tree.rs" 550 15 550 19] _0 <- self; + self <- any borrowed (RedBlackTree_Node_Type.t_node k v); goto BB14 } BB14 { 
@@ -3807,7 +4169,9 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv5 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -3815,7 +4179,10 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv5 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -3823,7 +4190,10 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv5 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -3834,13 +4204,19 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv5 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv5 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv5 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv5 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -3851,7 +4227,9 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv5 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -3862,7 +4240,9 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv5 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -3873,7 +4253,9 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv5 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -3884,7 +4266,9 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv5 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv5 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv5 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv5 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv5 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant5 (self : deep_model_ty0) val invariant5 (self : deep_model_ty0) : bool ensures { result = invariant5 self } 
@@ -3988,7 +4372,12 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../red_black_tree.rs" 140 44 140 45] inv4 v} ensures { result = has_mapping0 self k v } - axiom has_mapping0_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv0 self) -> ([#"../red_black_tree.rs" 140 25 140 26] inv5 k) -> ([#"../red_black_tree.rs" 140 44 140 45] inv4 v) -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node -> self = node -> has_mapping0 self k v = has_mapping1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) + axiom has_mapping0_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv0 self) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv5 k) + -> ([#"../red_black_tree.rs" 140 44 140 45] inv4 v) + -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node + -> self = node + -> has_mapping0 self k v = has_mapping1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) use prelude.Int function height1 [#"../red_black_tree.rs" 296 4 296 26] (self : RedBlackTree_Tree_Type.t_tree k v) : int = [#"../red_black_tree.rs" 298 12 306 13] match self with 
@@ -4002,7 +4391,8 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../red_black_tree.rs" 296 14 296 18] inv10 self} ensures { result = height1 self } - axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv10 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) + axiom height1_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv10 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height1 self >= 0) function height0 [#"../red_black_tree.rs" 328 4 328 26] (self : RedBlackTree_Node_Type.t_node k v) : int = [#"../red_black_tree.rs" 330 12 333 13] match RedBlackTree_Node_Type.node_color self with | RedBlackTree_Color_Type.C_Red -> height1 (RedBlackTree_Node_Type.node_left self) @@ -4012,7 +4402,9 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../red_black_tree.rs" 328 14 328 18] inv0 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv0 self) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) + axiom height0_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv0 self) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv6 node + -> self = node -> height0 self = height1 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) use RedBlackTree_Cp_Type as RedBlackTree_Cp_Type predicate match_t0 [#"../red_black_tree.rs" 232 4 232 52] (self : RedBlackTree_Cp_Type.t_cp) (tree : RedBlackTree_Tree_Type.t_tree k v) 
@@ -4060,7 +4452,13 @@ module RedBlackTree_Impl14_MoveRedRight ensures { result = height_invariant0 self } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping1 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping1 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k + -> has_mapping1 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k + -> has_mapping1 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } @@ -4090,7 +4488,8 @@ module RedBlackTree_Impl14_MoveRedRight predicate same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping0 self k v = has_mapping0 o k v + [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k -> has_mapping0 self k v = has_mapping0 o k v val same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = same_mappings0 self o } 
@@ -4123,7 +4522,8 @@ module RedBlackTree_Impl14_MoveRedRight val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)) requires {inv7 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (RedBlackTree_Node_Type.t_node k v) . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv8 result } 
@@ -4146,14 +4546,24 @@ module RedBlackTree_Impl14_MoveRedRight requires {[#"../red_black_tree.rs" 555 15 555 86] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)))) ( * self)} requires {[#"../red_black_tree.rs" 571 27 571 31] inv3 self} ensures { [#"../red_black_tree.rs" 556 14 556 44] internal_invariant0 ( * result) } - ensures { [#"../red_black_tree.rs" 557 4 559 48] internal_invariant0 ( ^ result) /\ height0 ( * result) = height0 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping0 ( ^ result) k v -> has_mapping0 ( * result) k v) -> internal_invariant0 ( ^ self) } - ensures { [#"../red_black_tree.rs" 560 4 560 97] height0 ( * result) = height0 ( ^ result) -> height0 ( * self) = height0 ( ^ self) } + ensures { [#"../red_black_tree.rs" 557 4 559 48] internal_invariant0 ( ^ result) /\ height0 ( * result) = height0 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k -> has_mapping0 ( ^ result) k v -> has_mapping0 ( * result) k v) -> internal_invariant0 ( ^ self) } + ensures { [#"../red_black_tree.rs" 560 4 560 97] height0 ( * result) = height0 ( ^ result) + -> height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 561 14 561 42] RedBlackTree_Node_Type.node_key ( * result) = RedBlackTree_Node_Type.node_key ( * self) } - ensures { [#"../red_black_tree.rs" 562 4 562 105] forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping0 ( * result) k v -> has_mapping0 ( * self) k v } - ensures { [#"../red_black_tree.rs" 563 4 564 47] forall v : v . forall k : deep_model_ty0 . 
inv4 v -> inv5 k -> has_mapping0 ( * self) k v /\ le_log0 (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) k -> has_mapping0 ( * result) k v } - ensures { [#"../red_black_tree.rs" 565 4 566 108] forall v : v . forall k : deep_model_ty0 . inv4 v -> inv5 k -> has_mapping0 ( ^ self) k v = (has_mapping0 ( ^ result) k v \/ has_mapping0 ( * self) k v /\ not has_mapping0 ( * result) k v) } + ensures { [#"../red_black_tree.rs" 562 4 562 105] forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k -> has_mapping0 ( * result) k v -> has_mapping0 ( * self) k v } + ensures { [#"../red_black_tree.rs" 563 4 564 47] forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k + -> has_mapping0 ( * self) k v /\ le_log0 (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) k + -> has_mapping0 ( * result) k v } + ensures { [#"../red_black_tree.rs" 565 4 566 108] forall v : v . forall k : deep_model_ty0 . inv4 v + -> inv5 k + -> has_mapping0 ( ^ self) k v = (has_mapping0 ( ^ result) k v \/ has_mapping0 ( * self) k v /\ not has_mapping0 ( * result) k v) } ensures { [#"../red_black_tree.rs" 567 14 568 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * result) \/ match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * result) } - ensures { [#"../red_black_tree.rs" 569 4 570 45] color_invariant0 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_left ( * result)) = RedBlackTree_Color_Type.C_Black -> RedBlackTree_Node_Type.node_color ( ^ result) = RedBlackTree_Color_Type.C_Black) -> color_invariant0 ( ^ self) } + ensures { [#"../red_black_tree.rs" 569 4 570 45] color_invariant0 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_left ( * result)) = RedBlackTree_Color_Type.C_Black + -> RedBlackTree_Node_Type.node_color ( ^ 
result) = RedBlackTree_Color_Type.C_Black) + -> color_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 571 36 571 45] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] @@ -4197,7 +4607,7 @@ module RedBlackTree_Impl14_MoveRedRight goto BB3 } BB3 { - [#"../red_black_tree.rs" 573 11 573 57] _18 <- ([#"../red_black_tree.rs" 573 11 573 57] is_red0 ([#"../red_black_tree.rs" 573 11 573 48] RedBlackTree_Node_Type.node_left ( * _20))); + [#"../red_black_tree.rs" 573 11 573 57] _18 <- ([#"../red_black_tree.rs" 573 11 573 57] is_red0 (RedBlackTree_Node_Type.node_left ( * _20))); goto BB4 } BB4 { @@ -4248,8 +4658,8 @@ module RedBlackTree_Impl14_MoveRedRight BB10 { assert { [@expl:type invariant] inv2 _20 }; assume { resolve0 _20 }; - [#"../red_black_tree.rs" 578 15 578 19] _0 <- ([#"../red_black_tree.rs" 578 15 578 19] self); - [#"../red_black_tree.rs" 578 15 578 19] self <- any borrowed (RedBlackTree_Node_Type.t_node k v); + [#"../red_black_tree.rs" 578 15 578 19] _0 <- self; + self <- any borrowed (RedBlackTree_Node_Type.t_node k v); goto BB11 } BB11 { 
@@ -4281,7 +4691,9 @@ module RedBlackTree_Impl15_New requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -4289,7 +4701,10 @@ module RedBlackTree_Impl15_New requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -4297,7 +4712,10 @@ module RedBlackTree_Impl15_New requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -4308,13 +4726,19 @@ module RedBlackTree_Impl15_New requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -4325,7 +4749,9 @@ module RedBlackTree_Impl15_New requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -4336,7 +4762,9 @@ module RedBlackTree_Impl15_New requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -4347,7 +4775,9 @@ module RedBlackTree_Impl15_New requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -4358,7 +4788,9 @@ module RedBlackTree_Impl15_New requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant3 (self : deep_model_ty0) val invariant3 (self : deep_model_ty0) : bool ensures { result = invariant3 self } @@ -4422,7 +4854,8 @@ module RedBlackTree_Impl15_New requires {[#"../red_black_tree.rs" 296 14 296 18] inv0 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv0 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv0 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) predicate height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) = [#"../red_black_tree.rs" 339 20 339 61] height0 (RedBlackTree_Node_Type.node_left self) = height0 (RedBlackTree_Node_Type.node_right self) val height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) : bool 
@@ -4451,7 +4884,13 @@ module RedBlackTree_Impl15_New ensures { result = has_mapping0 self k v } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv1 v -> inv2 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv1 v -> inv2 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv1 v + -> inv2 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv1 v + -> inv2 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } @@ -4500,11 +4939,14 @@ module RedBlackTree_Impl15_New = [@vc:do_not_keep_trace] [@vc:sp] var _0 : RedBlackTree_Tree_Type.t_tree k v; + var _3 : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v); { goto BB0 } BB0 { - [#"../red_black_tree.rs" 589 8 589 27] _0 <- ([#"../red_black_tree.rs" 589 8 589 27] RedBlackTree_Tree_Type.C_Tree ([#"../red_black_tree.rs" 589 21 589 25] Core_Option_Option_Type.C_None)); + [#"../red_black_tree.rs" 589 21 589 25] _3 <- Core_Option_Option_Type.C_None; + [#"../red_black_tree.rs" 589 8 589 27] _0 <- RedBlackTree_Tree_Type.C_Tree _3; + _3 <- any Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v); goto BB1 } BB1 { 
@@ -4542,7 +4984,9 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -4550,7 +4994,10 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -4558,7 +5005,10 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -4569,13 +5019,19 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -4586,7 +5042,9 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -4597,7 +5055,9 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -4608,7 +5068,9 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -4619,7 +5081,9 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant10 (self : deep_model_ty0) val invariant10 (self : deep_model_ty0) : bool ensures { result = invariant10 self } @@ -4787,7 +5251,8 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../red_black_tree.rs" 296 14 296 18] inv3 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv3 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv3 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) predicate height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) = [#"../red_black_tree.rs" 339 20 339 61] height0 (RedBlackTree_Node_Type.node_left self) = height0 (RedBlackTree_Node_Type.node_right self) val height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) : bool 
@@ -4802,7 +5267,13 @@ module RedBlackTree_Impl15_InsertRec ensures { result = height_invariant0 self } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv5 v -> inv10 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv5 v -> inv10 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv5 v + -> inv10 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv5 v + -> inv10 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } 
@@ -4847,7 +5318,9 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../red_black_tree.rs" 328 14 328 18] inv9 self} ensures { result = height1 self } - axiom height1_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv9 self) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node -> self = node -> height1 self = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) + axiom height1_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv9 self) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node + -> self = node -> height1 self = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) predicate has_mapping1 [#"../red_black_tree.rs" 140 4 140 57] (self : RedBlackTree_Node_Type.t_node k v) (k : deep_model_ty0) (v : v) = 
@@ -4858,11 +5331,17 @@ module RedBlackTree_Impl15_InsertRec requires {[#"../red_black_tree.rs" 140 44 140 45] inv5 v} ensures { result = has_mapping1 self k v } - axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv9 self) -> ([#"../red_black_tree.rs" 140 25 140 26] inv10 k) -> ([#"../red_black_tree.rs" 140 44 140 45] inv5 v) -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node -> self = node -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) + axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv9 self) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv10 k) + -> ([#"../red_black_tree.rs" 140 44 140 45] inv5 v) + -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node + -> self = node + -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) predicate same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv5 v -> inv10 k -> has_mapping1 self k v = has_mapping1 o k v + [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv5 v + -> inv10 k -> has_mapping1 self k v = has_mapping1 o k v val same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = same_mappings0 self o } 
@@ -4883,18 +5362,26 @@ module RedBlackTree_Impl15_InsertRec val balance0 [#"../red_black_tree.rs" 510 4 510 25] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : () requires {[#"../red_black_tree.rs" 491 15 491 43] internal_invariant1 ( * self)} - requires {[#"../red_black_tree.rs" 492 4 493 47] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red -> color_invariant0 (RedBlackTree_Node_Type.node_left ( * self))} - requires {[#"../red_black_tree.rs" 494 4 495 48] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red -> color_invariant0 (RedBlackTree_Node_Type.node_right ( * self))} - requires {[#"../red_black_tree.rs" 496 4 496 110] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red -> false} + requires {[#"../red_black_tree.rs" 492 4 493 47] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red + -> color_invariant0 (RedBlackTree_Node_Type.node_left ( * self))} + requires {[#"../red_black_tree.rs" 494 4 495 48] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red + -> color_invariant0 (RedBlackTree_Node_Type.node_right ( * self))} + requires {[#"../red_black_tree.rs" 496 4 496 110] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red + 
-> false} requires {[#"../red_black_tree.rs" 510 20 510 24] inv11 self} ensures { [#"../red_black_tree.rs" 497 14 497 42] same_mappings0 ( * self) ( ^ self) } ensures { [#"../red_black_tree.rs" 498 14 498 42] internal_invariant1 ( ^ self) } ensures { [#"../red_black_tree.rs" 499 14 499 50] height1 ( * self) = height1 ( ^ self) } - ensures { [#"../red_black_tree.rs" 500 4 501 34] color_invariant0 (RedBlackTree_Node_Type.node_left ( * self)) /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Black -> * self = ^ self } - ensures { [#"../red_black_tree.rs" 502 4 503 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self) -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } - ensures { [#"../red_black_tree.rs" 504 4 505 63] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } - ensures { [#"../red_black_tree.rs" 506 4 507 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } - ensures { [#"../red_black_tree.rs" 508 4 509 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) 
(RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } + ensures { [#"../red_black_tree.rs" 500 4 501 34] color_invariant0 (RedBlackTree_Node_Type.node_left ( * self)) /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Black + -> * self = ^ self } + ensures { [#"../red_black_tree.rs" 502 4 503 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self) + -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } + ensures { [#"../red_black_tree.rs" 504 4 505 63] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } + ensures { [#"../red_black_tree.rs" 506 4 507 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } + ensures { [#"../red_black_tree.rs" 508 4 509 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } predicate resolve5 (self 
: borrowed (RedBlackTree_Tree_Type.t_tree k v)) = [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self @@ -4938,7 +5425,8 @@ module RedBlackTree_Impl15_InsertRec ensures { [#"../red_black_tree.rs" 595 14 595 50] height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 596 14 597 39] match_t0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) /\ color0 ( * self) = RedBlackTree_Color_Type.C_Red \/ color_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 598 14 598 56] has_mapping0 ( ^ self) (deep_model0 key) val' } - ensures { [#"../red_black_tree.rs" 599 4 599 127] forall v : v . forall k : deep_model_ty0 . inv5 v -> inv10 k -> k = deep_model0 key \/ has_mapping0 ( * self) k v = has_mapping0 ( ^ self) k v } + ensures { [#"../red_black_tree.rs" 599 4 599 127] forall v : v . forall k : deep_model_ty0 . inv5 v + -> inv10 k -> k = deep_model0 key \/ has_mapping0 ( * self) k v = has_mapping0 ( ^ self) k v } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); @@ -4954,6 +5442,13 @@ module RedBlackTree_Impl15_InsertRec var _25 : borrowed (RedBlackTree_Tree_Type.t_tree k v); var _28 : (); var _29 : borrowed (RedBlackTree_Node_Type.t_node k v); + var _31 : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v); + var _33 : RedBlackTree_Node_Type.t_node k v; + var _34 : RedBlackTree_Tree_Type.t_tree k v; + var _35 : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v); + var _36 : RedBlackTree_Color_Type.t_color; + var _39 : RedBlackTree_Tree_Type.t_tree k v; + var _40 : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v); { goto BB0 } 
@@ -4979,10 +5474,10 @@ module RedBlackTree_Impl15_InsertRec [#"../red_black_tree.rs" 601 20 601 24] node <- Borrow.borrow_final (Core_Option_Option_Type.some_0 ( * _11)) (Borrow.inherit_id (Borrow.get_id _11) 1); [#"../red_black_tree.rs" 601 20 601 24] _11 <- { _11 with current = (let Core_Option_Option_Type.C_Some x0 = * _11 in Core_Option_Option_Type.C_Some ( ^ node)) ; }; assume { inv1 ( ^ node) }; - [#"../red_black_tree.rs" 602 26 602 35] _18 <- ([#"../red_black_tree.rs" 602 26 602 35] RedBlackTree_Node_Type.node_key ( * node)); + [#"../red_black_tree.rs" 602 26 602 35] _18 <- RedBlackTree_Node_Type.node_key ( * node); assert { [@expl:type invariant] inv2 _18 }; assume { resolve0 _18 }; - [#"../red_black_tree.rs" 602 18 602 36] _15 <- ([#"../red_black_tree.rs" 602 18 602 36] cmp0 ([#"../red_black_tree.rs" 602 18 602 21] key) ([#"../red_black_tree.rs" 602 26 602 35] _18)); + [#"../red_black_tree.rs" 602 18 602 36] _15 <- ([#"../red_black_tree.rs" 602 18 602 36] cmp0 key _18); goto BB5 } BB5 { @@ -5002,10 +5497,10 @@ module RedBlackTree_Impl15_InsertRec [#"../red_black_tree.rs" 608 27 608 37] _25 <- Borrow.borrow_mut (RedBlackTree_Node_Type.node_right ( * node)); [#"../red_black_tree.rs" 608 27 608 37] node <- { node with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * node in RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 ( ^ _25)) ; }; assume { inv3 ( ^ _25) }; - [#"../red_black_tree.rs" 608 27 608 58] _14 <- ([#"../red_black_tree.rs" 608 27 608 58] insert_rec _25 ([#"../red_black_tree.rs" 608 49 608 52] key) ([#"../red_black_tree.rs" 608 54 608 57] val')); + [#"../red_black_tree.rs" 608 27 608 58] _14 <- ([#"../red_black_tree.rs" 608 27 608 58] insert_rec _25 key val'); _25 <- any borrowed (RedBlackTree_Tree_Type.t_tree k v); - [#"../red_black_tree.rs" 608 49 608 52] key <- any k; - [#"../red_black_tree.rs" 608 54 608 57] val' <- any v; + key <- any k; + val' <- any v; goto BB16 } BB9 { 
@@ -5026,10 +5521,10 @@ module RedBlackTree_Impl15_InsertRec [#"../red_black_tree.rs" 603 24 603 33] _20 <- Borrow.borrow_mut (RedBlackTree_Node_Type.node_left ( * node)); [#"../red_black_tree.rs" 603 24 603 33] node <- { node with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * node in RedBlackTree_Node_Type.C_Node ( ^ _20) x1 x2 x3 x4) ; }; assume { inv3 ( ^ _20) }; - [#"../red_black_tree.rs" 603 24 603 54] _14 <- ([#"../red_black_tree.rs" 603 24 603 54] insert_rec _20 ([#"../red_black_tree.rs" 603 45 603 48] key) ([#"../red_black_tree.rs" 603 50 603 53] val')); + [#"../red_black_tree.rs" 603 24 603 54] _14 <- ([#"../red_black_tree.rs" 603 24 603 54] insert_rec _20 key val'); _20 <- any borrowed (RedBlackTree_Tree_Type.t_tree k v); - [#"../red_black_tree.rs" 603 45 603 48] key <- any k; - [#"../red_black_tree.rs" 603 50 603 53] val' <- any v; + key <- any k; + val' <- any v; goto BB11 } BB11 { @@ -5041,8 +5536,8 @@ module RedBlackTree_Impl15_InsertRec goto BB13 } BB13 { - [#"../red_black_tree.rs" 605 20 605 28] node <- { node with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * node in RedBlackTree_Node_Type.C_Node x0 x1 x2 ([#"../red_black_tree.rs" 605 31 605 34] val') x4) ; }; - [#"../red_black_tree.rs" 605 31 605 34] val' <- any v; + [#"../red_black_tree.rs" 605 20 605 28] node <- { node with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * node in RedBlackTree_Node_Type.C_Node x0 x1 x2 val' x4) ; }; + val' <- any v; assert { [@expl:type invariant] inv5 (RedBlackTree_Node_Type.node_val ( * node)) }; assume { resolve2 (RedBlackTree_Node_Type.node_val ( * node)) }; assert { [@expl:type invariant] inv6 node }; 
@@ -5081,12 +5576,25 @@ module RedBlackTree_Impl15_InsertRec BB19 { assert { [@expl:type invariant] inv7 _11 }; assume { resolve4 _11 }; + [#"../red_black_tree.rs" 613 35 613 39] _35 <- Core_Option_Option_Type.C_None; + [#"../red_black_tree.rs" 613 22 613 41] _34 <- RedBlackTree_Tree_Type.C_Tree _35; + _35 <- any Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v); goto BB20 } BB20 { + [#"../red_black_tree.rs" 614 23 614 26] _36 <- RedBlackTree_Color_Type.C_Red; + [#"../red_black_tree.rs" 617 36 617 40] _40 <- Core_Option_Option_Type.C_None; + [#"../red_black_tree.rs" 617 23 617 42] _39 <- RedBlackTree_Tree_Type.C_Tree _40; + _40 <- any Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v); goto BB21 } BB21 { + [#"../red_black_tree.rs" 612 38 618 13] _33 <- RedBlackTree_Node_Type.C_Node _34 _36 key val' _39; + _34 <- any RedBlackTree_Tree_Type.t_tree k v; + _36 <- any RedBlackTree_Color_Type.t_color; + key <- any k; + val' <- any v; + _39 <- any RedBlackTree_Tree_Type.t_tree k v; goto BB22 } BB22 { 
@@ -5102,15 +5610,16 @@ module RedBlackTree_Impl15_InsertRec goto BB26 } BB26 { + [#"../red_black_tree.rs" 612 24 618 15] _31 <- Core_Option_Option_Type.C_Some _33; + _33 <- any RedBlackTree_Node_Type.t_node k v; goto BB27 } BB27 { goto BB28 } BB28 { - [#"../red_black_tree.rs" 612 12 612 21] self <- { self with current = (let RedBlackTree_Tree_Type.C_Tree x0 = * self in RedBlackTree_Tree_Type.C_Tree ([#"../red_black_tree.rs" 612 24 618 15] Core_Option_Option_Type.C_Some ([#"../red_black_tree.rs" 612 38 618 13] RedBlackTree_Node_Type.C_Node ([#"../red_black_tree.rs" 613 22 613 41] RedBlackTree_Tree_Type.C_Tree ([#"../red_black_tree.rs" 613 35 613 39] Core_Option_Option_Type.C_None)) ([#"../red_black_tree.rs" 614 23 614 26] RedBlackTree_Color_Type.C_Red) ([#"../red_black_tree.rs" 615 16 615 19] key) ([#"../red_black_tree.rs" 616 16 616 19] val') ([#"../red_black_tree.rs" 617 23 617 42] RedBlackTree_Tree_Type.C_Tree ([#"../red_black_tree.rs" 617 36 617 40] Core_Option_Option_Type.C_None))))) ; }; - [#"../red_black_tree.rs" 615 16 615 19] key <- any k; - [#"../red_black_tree.rs" 616 16 616 19] val' <- any v; + [#"../red_black_tree.rs" 612 12 612 21] self <- { self with current = (let RedBlackTree_Tree_Type.C_Tree x0 = * self in RedBlackTree_Tree_Type.C_Tree _31) ; }; + _31 <- any Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v); assert { [@expl:type invariant] inv0 (RedBlackTree_Tree_Type.tree_node ( * self)) }; assume { resolve6 (RedBlackTree_Tree_Type.tree_node ( * self)) }; assert { [@expl:type invariant] inv8 self }; @@ -5133,6 +5642,12 @@ module RedBlackTree_Impl15_InsertRec BB34 { return _0 } + BB51 { + goto BB7 + } + BB52 { + goto BB8 + } end module RedBlackTree_Impl15_Insert 
@@ -5154,7 +5669,9 @@ module RedBlackTree_Impl15_Insert requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv6 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -5162,7 +5679,10 @@ module RedBlackTree_Impl15_Insert requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv6 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -5170,7 +5690,10 @@ module RedBlackTree_Impl15_Insert requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv6 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -5181,13 +5704,19 @@ module RedBlackTree_Impl15_Insert requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv6 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv6 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv6 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv6 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -5198,7 +5727,9 @@ module RedBlackTree_Impl15_Insert requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv6 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -5209,7 +5740,9 @@ module RedBlackTree_Impl15_Insert requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv6 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -5220,7 +5753,9 @@ module RedBlackTree_Impl15_Insert requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv6 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -5231,7 +5766,9 @@ module RedBlackTree_Impl15_Insert requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv6 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use Core_Option_Option_Type as Core_Option_Option_Type use map.Map predicate invariant11 (self : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) @@ -5400,7 +5937,8 @@ module RedBlackTree_Impl15_Insert requires {[#"../red_black_tree.rs" 296 14 296 18] inv0 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv0 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv0 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) predicate height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) = [#"../red_black_tree.rs" 339 20 339 61] height0 (RedBlackTree_Node_Type.node_left self) = height0 (RedBlackTree_Node_Type.node_right self) val height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) : bool 
@@ -5425,7 +5963,13 @@ module RedBlackTree_Impl15_Insert ensures { result = has_mapping0 self k v } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv5 v -> inv6 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv5 v -> inv6 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv5 v + -> inv6 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv5 v + -> inv6 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } @@ -5447,12 +5991,12 @@ module RedBlackTree_Impl15_Insert val invariant0 [#"../red_black_tree.rs" 364 4 364 34] (self : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = invariant0 self } - use prelude.Ghost - predicate resolve2 (self : Ghost.ghost_ty ()) - val resolve2 (self : Ghost.ghost_ty ()) : bool + use prelude.Snapshot + predicate resolve2 (self : Snapshot.snap_ty ()) + val resolve2 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve2 self } - use prelude.Ghost + use prelude.Snapshot use map.Map function model_acc_has_mapping0 [#"../red_black_tree.rs" 68 4 72 5] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () 
@@ -5467,7 +6011,10 @@ module RedBlackTree_Impl15_Insert requires {[#"../red_black_tree.rs" 71 8 71 9] inv6 k} ensures { result = model_acc_has_mapping0 self accu k } - axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv0 self) -> ([#"../red_black_tree.rs" 70 8 70 12] inv10 accu) -> ([#"../red_black_tree.rs" 71 8 71 9] inv6 k) -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv5 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv0 self) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv10 accu) + -> ([#"../red_black_tree.rs" 71 8 71 9] inv6 k) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv5 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) function has_mapping_model_acc0 [#"../red_black_tree.rs" 89 4 91 33] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = 
@@ -5482,7 +6029,12 @@ module RedBlackTree_Impl15_Insert requires {[#"../red_black_tree.rs" 89 81 89 82] inv6 k} ensures { result = has_mapping_model_acc0 self accu k } - axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 89 29 89 33] inv0 self) -> ([#"../red_black_tree.rs" 89 35 89 39] inv10 accu) -> ([#"../red_black_tree.rs" 89 81 89 82] inv6 k) -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv5 v -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) + axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 89 29 89 33] inv0 self) + -> ([#"../red_black_tree.rs" 89 35 89 39] inv10 accu) + -> ([#"../red_black_tree.rs" 89 81 89 82] inv6 k) + -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv5 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) function has_mapping_model0 [#"../red_black_tree.rs" 110 4 112 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) : () = 
@@ -5493,7 +6045,11 @@ module RedBlackTree_Impl15_Insert requires {[#"../red_black_tree.rs" 110 31 110 32] inv6 k} ensures { result = has_mapping_model0 self k } - axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 110 25 110 29] inv0 self) -> ([#"../red_black_tree.rs" 110 31 110 32] inv6 k) -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv5 v -> has_mapping0 self k v = (Map.get (shallow_model0 self) k = Core_Option_Option_Type.C_Some v)) + axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 110 25 110 29] inv0 self) + -> ([#"../red_black_tree.rs" 110 31 110 32] inv6 k) + -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv5 v + -> has_mapping0 self k v = (Map.get (shallow_model0 self) k = Core_Option_Option_Type.C_Some v)) predicate resolve1 (self : borrowed (RedBlackTree_Tree_Type.t_tree k v)) = [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve1 (self : borrowed (RedBlackTree_Tree_Type.t_tree k v)) : bool 
@@ -5512,7 +6068,8 @@ module RedBlackTree_Impl15_Insert val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)) requires {inv7 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (RedBlackTree_Node_Type.t_node k v) . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv8 result } 
@@ -5544,7 +6101,8 @@ module RedBlackTree_Impl15_Insert ensures { [#"../red_black_tree.rs" 595 14 595 50] height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 596 14 597 39] match_t0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) /\ color0 ( * self) = RedBlackTree_Color_Type.C_Red \/ color_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 598 14 598 56] has_mapping0 ( ^ self) (deep_model0 key) val' } - ensures { [#"../red_black_tree.rs" 599 4 599 127] forall v : v . forall k : deep_model_ty0 . inv5 v -> inv6 k -> k = deep_model0 key \/ has_mapping0 ( * self) k v = has_mapping0 ( ^ self) k v } + ensures { [#"../red_black_tree.rs" 599 4 599 127] forall v : v . forall k : deep_model_ty0 . inv5 v + -> inv6 k -> k = deep_model0 key \/ has_mapping0 ( * self) k v = has_mapping0 ( ^ self) k v } let rec cfg insert [#"../red_black_tree.rs" 626 4 626 44] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (RedBlackTree_Tree_Type.t_tree k v)) (key : k) (val' : v) : () requires {[#"../red_black_tree.rs" 623 15 623 34] invariant0 ( * self)} @@ -5561,10 +6119,11 @@ module RedBlackTree_Impl15_Insert var val' : v = val'; var _7 : (); var _8 : borrowed (RedBlackTree_Tree_Type.t_tree k v); + var _11 : RedBlackTree_Color_Type.t_color; var _12 : borrowed (RedBlackTree_Node_Type.t_node k v); var _13 : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)); var _14 : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)); - var _15 : Ghost.ghost_ty (); + var _15 : Snapshot.snap_ty (); { goto BB0 } 
@@ -5575,13 +6134,14 @@ module RedBlackTree_Impl15_Insert [#"../red_black_tree.rs" 627 8 627 12] _8 <- Borrow.borrow_mut ( * self); [#"../red_black_tree.rs" 627 8 627 12] self <- { self with current = ( ^ _8) ; }; assume { inv0 ( ^ _8) }; - [#"../red_black_tree.rs" 627 8 627 33] _7 <- ([#"../red_black_tree.rs" 627 8 627 33] insert_rec0 _8 ([#"../red_black_tree.rs" 627 24 627 27] key) ([#"../red_black_tree.rs" 627 29 627 32] val')); + [#"../red_black_tree.rs" 627 8 627 33] _7 <- ([#"../red_black_tree.rs" 627 8 627 33] insert_rec0 _8 key val'); _8 <- any borrowed (RedBlackTree_Tree_Type.t_tree k v); - [#"../red_black_tree.rs" 627 24 627 27] key <- any k; - [#"../red_black_tree.rs" 627 29 627 32] val' <- any v; + key <- any k; + val' <- any v; goto BB2 } BB2 { + [#"../red_black_tree.rs" 628 44 628 49] _11 <- RedBlackTree_Color_Type.C_Black; [#"../red_black_tree.rs" 628 8 628 17] _14 <- Borrow.borrow_final (RedBlackTree_Tree_Type.tree_node ( * self)) (Borrow.inherit_id (Borrow.get_id self) 1); [#"../red_black_tree.rs" 628 8 628 17] self <- { self with current = (let RedBlackTree_Tree_Type.C_Tree x0 = * self in RedBlackTree_Tree_Type.C_Tree ( ^ _14)) ; }; assume { inv1 ( ^ _14) }; 
@@ -5595,12 +6155,13 @@ module RedBlackTree_Impl15_Insert goto BB4 } BB4 { - [#"../red_black_tree.rs" 628 8 628 49] _12 <- { _12 with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * _12 in RedBlackTree_Node_Type.C_Node x0 ([#"../red_black_tree.rs" 628 44 628 49] RedBlackTree_Color_Type.C_Black) x2 x3 x4) ; }; + [#"../red_black_tree.rs" 628 8 628 49] _12 <- { _12 with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * _12 in RedBlackTree_Node_Type.C_Node x0 _11 x2 x3 x4) ; }; + _11 <- any RedBlackTree_Color_Type.t_color; assert { [@expl:type invariant] inv2 _12 }; assume { resolve0 _12 }; assert { [@expl:type invariant] inv3 self }; assume { resolve1 self }; - [#"../red_black_tree.rs" 629 8 629 39] _15 <- ([#"../red_black_tree.rs" 629 8 629 39] Ghost.new ()); + [#"../red_black_tree.rs" 629 8 629 45] _15 <- ([#"../red_black_tree.rs" 629 8 629 45] Snapshot.new ()); goto BB5 } BB5 { 
@@ -5684,7 +6245,9 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -5692,7 +6255,10 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -5700,7 +6266,10 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -5711,13 +6280,19 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -5728,7 +6303,9 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -5739,7 +6316,9 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -5750,7 +6329,9 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -5761,7 +6342,9 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant10 (self : deep_model_ty0) val invariant10 (self : deep_model_ty0) : bool ensures { result = invariant10 self } @@ -5909,7 +6492,8 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../red_black_tree.rs" 296 14 296 18] inv8 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv8 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv8 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) use RedBlackTree_Cp_Type as RedBlackTree_Cp_Type function cpn0 [#"../red_black_tree.rs" 226 0 226 36] (c : RedBlackTree_Color_Type.t_color) (l : RedBlackTree_Cp_Type.t_cp) (r : RedBlackTree_Cp_Type.t_cp) : RedBlackTree_Cp_Type.t_cp 
@@ -5942,7 +6526,13 @@ module RedBlackTree_Impl15_DeleteMaxRec ensures { result = height_invariant0 self } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } 
@@ -5983,7 +6573,9 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../red_black_tree.rs" 328 14 328 18] inv3 self} ensures { result = height1 self } - axiom height1_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv3 self) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node -> self = node -> height1 self = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) + axiom height1_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv3 self) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node + -> self = node -> height1 self = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) predicate has_mapping1 [#"../red_black_tree.rs" 140 4 140 57] (self : RedBlackTree_Node_Type.t_node k v) (k : deep_model_ty0) (v : v) = 
@@ -5994,11 +6586,17 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../red_black_tree.rs" 140 44 140 45] inv9 v} ensures { result = has_mapping1 self k v } - axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv3 self) -> ([#"../red_black_tree.rs" 140 25 140 26] inv10 k) -> ([#"../red_black_tree.rs" 140 44 140 45] inv9 v) -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node -> self = node -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) + axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv3 self) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv10 k) + -> ([#"../red_black_tree.rs" 140 44 140 45] inv9 v) + -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node + -> self = node + -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) predicate same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping1 self k v = has_mapping1 o k v + [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k -> has_mapping1 self k v = has_mapping1 o k v val same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = same_mappings0 self o } 
@@ -6019,18 +6617,26 @@ module RedBlackTree_Impl15_DeleteMaxRec val balance0 [#"../red_black_tree.rs" 510 4 510 25] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : () requires {[#"../red_black_tree.rs" 491 15 491 43] internal_invariant1 ( * self)} - requires {[#"../red_black_tree.rs" 492 4 493 47] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red -> color_invariant0 (RedBlackTree_Node_Type.node_left ( * self))} - requires {[#"../red_black_tree.rs" 494 4 495 48] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red -> color_invariant0 (RedBlackTree_Node_Type.node_right ( * self))} - requires {[#"../red_black_tree.rs" 496 4 496 110] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red -> false} + requires {[#"../red_black_tree.rs" 492 4 493 47] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red + -> color_invariant0 (RedBlackTree_Node_Type.node_left ( * self))} + requires {[#"../red_black_tree.rs" 494 4 495 48] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red + -> color_invariant0 (RedBlackTree_Node_Type.node_right ( * self))} + requires {[#"../red_black_tree.rs" 496 4 496 110] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red 
+ -> false} requires {[#"../red_black_tree.rs" 510 20 510 24] inv4 self} ensures { [#"../red_black_tree.rs" 497 14 497 42] same_mappings0 ( * self) ( ^ self) } ensures { [#"../red_black_tree.rs" 498 14 498 42] internal_invariant1 ( ^ self) } ensures { [#"../red_black_tree.rs" 499 14 499 50] height1 ( * self) = height1 ( ^ self) } - ensures { [#"../red_black_tree.rs" 500 4 501 34] color_invariant0 (RedBlackTree_Node_Type.node_left ( * self)) /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Black -> * self = ^ self } - ensures { [#"../red_black_tree.rs" 502 4 503 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self) -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } - ensures { [#"../red_black_tree.rs" 504 4 505 63] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } - ensures { [#"../red_black_tree.rs" 506 4 507 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } - ensures { [#"../red_black_tree.rs" 508 4 509 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) 
(RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } + ensures { [#"../red_black_tree.rs" 500 4 501 34] color_invariant0 (RedBlackTree_Node_Type.node_left ( * self)) /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Black + -> * self = ^ self } + ensures { [#"../red_black_tree.rs" 502 4 503 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self) + -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } + ensures { [#"../red_black_tree.rs" 504 4 505 63] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } + ensures { [#"../red_black_tree.rs" 506 4 507 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } + ensures { [#"../red_black_tree.rs" 508 4 509 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } val move_red_right0 
[#"../red_black_tree.rs" 571 4 571 45] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : borrowed (RedBlackTree_Node_Type.t_node k v) requires {[#"../red_black_tree.rs" 553 15 553 40] RedBlackTree_Tree_Type.tree_node (RedBlackTree_Node_Type.node_left ( * self)) <> Core_Option_Option_Type.C_None} 
@@ -6038,14 +6644,24 @@ module RedBlackTree_Impl15_DeleteMaxRec requires {[#"../red_black_tree.rs" 555 15 555 86] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)))) ( * self)} requires {[#"../red_black_tree.rs" 571 27 571 31] inv4 self} ensures { [#"../red_black_tree.rs" 556 14 556 44] internal_invariant1 ( * result) } - ensures { [#"../red_black_tree.rs" 557 4 559 48] internal_invariant1 ( ^ result) /\ height1 ( * result) = height1 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping1 ( ^ result) k v -> has_mapping1 ( * result) k v) -> internal_invariant1 ( ^ self) } - ensures { [#"../red_black_tree.rs" 560 4 560 97] height1 ( * result) = height1 ( ^ result) -> height1 ( * self) = height1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 557 4 559 48] internal_invariant1 ( ^ result) /\ height1 ( * result) = height1 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k -> has_mapping1 ( ^ result) k v -> has_mapping1 ( * result) k v) -> internal_invariant1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 560 4 560 97] height1 ( * result) = height1 ( ^ result) + -> height1 ( * self) = height1 ( ^ self) } ensures { [#"../red_black_tree.rs" 561 14 561 42] RedBlackTree_Node_Type.node_key ( * result) = RedBlackTree_Node_Type.node_key ( * self) } - ensures { [#"../red_black_tree.rs" 562 4 562 105] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping1 ( * result) k v -> has_mapping1 ( * self) k v } - ensures { [#"../red_black_tree.rs" 563 4 564 47] forall v : v . forall k : deep_model_ty0 . 
inv9 v -> inv10 k -> has_mapping1 ( * self) k v /\ le_log0 (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) k -> has_mapping1 ( * result) k v } - ensures { [#"../red_black_tree.rs" 565 4 566 108] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping1 ( ^ self) k v = (has_mapping1 ( ^ result) k v \/ has_mapping1 ( * self) k v /\ not has_mapping1 ( * result) k v) } + ensures { [#"../red_black_tree.rs" 562 4 562 105] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k -> has_mapping1 ( * result) k v -> has_mapping1 ( * self) k v } + ensures { [#"../red_black_tree.rs" 563 4 564 47] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k + -> has_mapping1 ( * self) k v /\ le_log0 (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) k + -> has_mapping1 ( * result) k v } + ensures { [#"../red_black_tree.rs" 565 4 566 108] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k + -> has_mapping1 ( ^ self) k v = (has_mapping1 ( ^ result) k v \/ has_mapping1 ( * self) k v /\ not has_mapping1 ( * result) k v) } ensures { [#"../red_black_tree.rs" 567 14 568 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * result) \/ match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * result) } - ensures { [#"../red_black_tree.rs" 569 4 570 45] color_invariant1 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_left ( * result)) = RedBlackTree_Color_Type.C_Black -> RedBlackTree_Node_Type.node_color ( ^ result) = RedBlackTree_Color_Type.C_Black) -> color_invariant1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 569 4 570 45] color_invariant1 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_left ( * result)) = RedBlackTree_Color_Type.C_Black + -> 
RedBlackTree_Node_Type.node_color ( ^ result) = RedBlackTree_Color_Type.C_Black) + -> color_invariant1 ( ^ self) } ensures { [#"../red_black_tree.rs" 571 36 571 45] inv4 result } predicate resolve5 (self : RedBlackTree_Node_Type.t_node k v) @@ -6060,7 +6676,8 @@ module RedBlackTree_Impl15_DeleteMaxRec val as_ref0 (self : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)) : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v) requires {inv14 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 58 16 58 60] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 58 16 58 60] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 59 16 61 18] self = Core_Option_Option_Type.C_None \/ (exists r : RedBlackTree_Node_Type.t_node k v . inv7 r /\ result = Core_Option_Option_Type.C_Some r /\ self = Core_Option_Option_Type.C_Some r) } ensures { inv15 result } 
@@ -6140,7 +6757,8 @@ module RedBlackTree_Impl15_DeleteMaxRec val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)) requires {inv5 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (RedBlackTree_Node_Type.t_node k v) . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv12 result } 
@@ -6151,10 +6769,14 @@ module RedBlackTree_Impl15_DeleteMaxRec ensures { [#"../red_black_tree.rs" 635 14 635 42] internal_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 636 14 636 50] height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 637 14 637 66] has_mapping0 ( * self) (deep_model0 (let (a, _) = result in a)) (let (_, a) = result in a) } - ensures { [#"../red_black_tree.rs" 638 4 638 104] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping0 ( * self) k v -> le_log0 k (deep_model0 (let (a, _) = result in a)) } - ensures { [#"../red_black_tree.rs" 639 4 640 73] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping0 ( ^ self) k v = (deep_model0 (let (a, _) = result in a) <> k /\ has_mapping0 ( * self) k v) } + ensures { [#"../red_black_tree.rs" 638 4 638 104] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k -> has_mapping0 ( * self) k v -> le_log0 k (deep_model0 (let (a, _) = result in a)) } + ensures { [#"../red_black_tree.rs" 639 4 640 73] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k + -> has_mapping0 ( ^ self) k v = (deep_model0 (let (a, _) = result in a) <> k /\ has_mapping0 ( * self) k v) } ensures { [#"../red_black_tree.rs" 641 14 641 39] color_invariant0 ( ^ self) } - ensures { [#"../red_black_tree.rs" 642 4 642 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } + ensures { [#"../red_black_tree.rs" 642 4 642 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black + -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } ensures { [#"../red_black_tree.rs" 643 36 643 42] inv11 result } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -6211,7 +6833,7 @@ module RedBlackTree_Impl15_DeleteMaxRec BB3 { assert { [@expl:type invariant] inv2 _13 }; assume { resolve0 _13 }; - [#"../red_black_tree.rs" 645 11 645 29] _17 <- ([#"../red_black_tree.rs" 645 11 645 29] is_red0 ([#"../red_black_tree.rs" 645 11 645 20] RedBlackTree_Node_Type.node_left ( * node))); + [#"../red_black_tree.rs" 645 11 645 29] _17 <- ([#"../red_black_tree.rs" 645 11 645 29] is_red0 (RedBlackTree_Node_Type.node_left ( * node))); goto BB4 } BB4 { @@ -6269,9 +6891,9 @@ module RedBlackTree_Impl15_DeleteMaxRec BB12 { assert { [@expl:type invariant] inv1 node1 }; assume { resolve4 node1 }; - [#"../red_black_tree.rs" 650 19 650 39] _0 <- ([#"../red_black_tree.rs" 650 19 650 39] (([#"../red_black_tree.rs" 650 20 650 28] RedBlackTree_Node_Type.node_key node1), ([#"../red_black_tree.rs" 650 30 650 38] RedBlackTree_Node_Type.node_val node1))); - [#"../red_black_tree.rs" 650 20 650 28] node1 <- (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = node1 in RedBlackTree_Node_Type.C_Node x0 x1 (any k) x3 x4); - [#"../red_black_tree.rs" 650 30 650 38] node1 <- (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = node1 in RedBlackTree_Node_Type.C_Node x0 x1 x2 (any v) x4); + [#"../red_black_tree.rs" 650 19 650 39] _0 <- (RedBlackTree_Node_Type.node_key node1, RedBlackTree_Node_Type.node_val node1); + node1 <- (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = node1 in RedBlackTree_Node_Type.C_Node x0 x1 (any k) x3 x4); + node1 <- (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = node1 in RedBlackTree_Node_Type.C_Node x0 x1 x2 (any v) x4); goto BB13 } BB13 { 
@@ -6281,7 +6903,7 @@ module RedBlackTree_Impl15_DeleteMaxRec goto BB30 } BB15 { - [#"../red_black_tree.rs" 652 12 652 31] _30 <- ([#"../red_black_tree.rs" 652 12 652 31] is_red0 ([#"../red_black_tree.rs" 652 12 652 22] RedBlackTree_Node_Type.node_right ( * node))); + [#"../red_black_tree.rs" 652 12 652 31] _30 <- ([#"../red_black_tree.rs" 652 12 652 31] is_red0 (RedBlackTree_Node_Type.node_right ( * node))); goto BB16 } BB16 { @@ -6294,7 +6916,7 @@ module RedBlackTree_Impl15_DeleteMaxRec goto BB25 } BB18 { - [#"../red_black_tree.rs" 652 36 652 60] _35 <- ([#"../red_black_tree.rs" 652 36 652 60] as_ref0 ([#"../red_black_tree.rs" 652 36 652 51] RedBlackTree_Tree_Type.tree_node (RedBlackTree_Node_Type.node_right ( * node)))); + [#"../red_black_tree.rs" 652 36 652 60] _35 <- ([#"../red_black_tree.rs" 652 36 652 60] as_ref0 (RedBlackTree_Tree_Type.tree_node (RedBlackTree_Node_Type.node_right ( * node)))); goto BB19 } BB19 { @@ -6305,7 +6927,7 @@ module RedBlackTree_Impl15_DeleteMaxRec BB20 { assert { [@expl:type invariant] inv7 _34 }; assume { resolve5 _34 }; - [#"../red_black_tree.rs" 652 36 652 83] _32 <- ([#"../red_black_tree.rs" 652 36 652 83] is_red0 ([#"../red_black_tree.rs" 652 36 652 74] RedBlackTree_Node_Type.node_left _34)); + [#"../red_black_tree.rs" 652 36 652 83] _32 <- ([#"../red_black_tree.rs" 652 36 652 83] is_red0 (RedBlackTree_Node_Type.node_left _34)); goto BB21 } BB21 { 
@@ -6331,8 +6953,8 @@ module RedBlackTree_Impl15_DeleteMaxRec assume { inv3 ( ^ _37) }; assert { [@expl:type invariant] inv4 node }; assume { resolve1 node }; - [#"../red_black_tree.rs" 653 12 653 40] node <- ([#"../red_black_tree.rs" 653 12 653 40] _37); - [#"../red_black_tree.rs" 653 12 653 40] _37 <- any borrowed (RedBlackTree_Node_Type.t_node k v); + [#"../red_black_tree.rs" 653 12 653 40] node <- _37; + _37 <- any borrowed (RedBlackTree_Node_Type.t_node k v); assert { [@expl:type invariant] inv4 _38 }; assume { resolve1 _38 }; [#"../red_black_tree.rs" 652 84 654 9] _29 <- ([#"../red_black_tree.rs" 652 84 654 9] ()); @@ -6363,8 +6985,8 @@ module RedBlackTree_Impl15_DeleteMaxRec assume { resolve1 node }; assert { [@expl:type invariant] inv6 self }; assume { resolve3 self }; - [#"../red_black_tree.rs" 657 8 657 9] _0 <- ([#"../red_black_tree.rs" 657 8 657 9] r); - [#"../red_black_tree.rs" 657 8 657 9] r <- any (k, v); + [#"../red_black_tree.rs" 657 8 657 9] _0 <- r; + r <- any (k, v); goto BB29 } BB29 { 
@@ -6456,7 +7078,9 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv7 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -6464,7 +7088,10 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv7 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -6472,7 +7099,10 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv7 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -6483,13 +7113,19 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv7 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv7 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv7 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv7 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -6500,7 +7136,9 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv7 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -6511,7 +7149,9 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv7 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -6522,7 +7162,9 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv7 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -6533,7 +7175,9 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv7 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv7 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv7 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv7 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv7 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant8 (self : deep_model_ty0) val invariant8 (self : deep_model_ty0) : bool ensures { result = invariant8 self } 
@@ -6594,16 +7238,16 @@ module RedBlackTree_Impl15_DeleteMax ensures { result = inv1 _x } axiom inv1 : forall x : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v) . inv1 x = true - use prelude.Ghost - predicate invariant1 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) - val invariant1 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool + use prelude.Snapshot + predicate invariant1 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) + val invariant1 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool ensures { result = invariant1 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) - val inv0 (_x : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) + val inv0 (_x : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v)) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v)) . inv0 x = true use map.Const use map.Map function deep_model0 (self : k) : deep_model_ty0 
@@ -6672,7 +7316,8 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../red_black_tree.rs" 296 14 296 18] inv5 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv5 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv5 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) predicate height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) = [#"../red_black_tree.rs" 339 20 339 61] height0 (RedBlackTree_Node_Type.node_left self) = height0 (RedBlackTree_Node_Type.node_right self) val height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) : bool 
@@ -6697,7 +7342,13 @@ module RedBlackTree_Impl15_DeleteMax ensures { result = has_mapping0 self k v } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv10 v -> inv7 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv10 v -> inv7 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv7 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv7 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } @@ -6719,11 +7370,11 @@ module RedBlackTree_Impl15_DeleteMax val invariant0 [#"../red_black_tree.rs" 364 4 364 34] (self : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = invariant0 self } - predicate resolve4 (self : Ghost.ghost_ty ()) - val resolve4 (self : Ghost.ghost_ty ()) : bool + predicate resolve4 (self : Snapshot.snap_ty ()) + val resolve4 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve4 self } - use prelude.Ghost + use prelude.Snapshot function model_acc_has_mapping0 [#"../red_black_tree.rs" 68 4 72 5] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = 
@@ -6737,7 +7388,10 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../red_black_tree.rs" 71 8 71 9] inv7 k} ensures { result = model_acc_has_mapping0 self accu k } - axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv5 self) -> ([#"../red_black_tree.rs" 70 8 70 12] inv13 accu) -> ([#"../red_black_tree.rs" 71 8 71 9] inv7 k) -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv10 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv5 self) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv13 accu) + -> ([#"../red_black_tree.rs" 71 8 71 9] inv7 k) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv10 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) function has_mapping_model_acc0 [#"../red_black_tree.rs" 89 4 91 33] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = 
@@ -6752,7 +7406,12 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../red_black_tree.rs" 89 81 89 82] inv7 k} ensures { result = has_mapping_model_acc0 self accu k } - axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 89 29 89 33] inv5 self) -> ([#"../red_black_tree.rs" 89 35 89 39] inv13 accu) -> ([#"../red_black_tree.rs" 89 81 89 82] inv7 k) -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv10 v -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) + axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 89 29 89 33] inv5 self) + -> ([#"../red_black_tree.rs" 89 35 89 39] inv13 accu) + -> ([#"../red_black_tree.rs" 89 81 89 82] inv7 k) + -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv10 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) function has_mapping_model0 [#"../red_black_tree.rs" 110 4 112 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) : () = 
@@ -6763,7 +7422,11 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../red_black_tree.rs" 110 31 110 32] inv7 k} ensures { result = has_mapping_model0 self k } - axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 110 25 110 29] inv5 self) -> ([#"../red_black_tree.rs" 110 31 110 32] inv7 k) -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv10 v -> has_mapping0 self k v = (Map.get (shallow_model1 self) k = Core_Option_Option_Type.C_Some v)) + axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 110 25 110 29] inv5 self) + -> ([#"../red_black_tree.rs" 110 31 110 32] inv7 k) + -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv10 v + -> has_mapping0 self k v = (Map.get (shallow_model1 self) k = Core_Option_Option_Type.C_Some v)) val unwrap0 (self : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v))) : borrowed (RedBlackTree_Node_Type.t_node k v) requires {[#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self <> Core_Option_Option_Type.C_None} requires {inv12 self} 
@@ -6772,7 +7435,8 @@ module RedBlackTree_Impl15_DeleteMax val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)) requires {inv4 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (RedBlackTree_Node_Type.t_node k v) . inv3 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv12 result } 
@@ -6806,20 +7470,25 @@ module RedBlackTree_Impl15_DeleteMax ensures { [#"../red_black_tree.rs" 635 14 635 42] internal_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 636 14 636 50] height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 637 14 637 66] has_mapping0 ( * self) (deep_model0 (let (a, _) = result in a)) (let (_, a) = result in a) } - ensures { [#"../red_black_tree.rs" 638 4 638 104] forall v : v . forall k : deep_model_ty0 . inv10 v -> inv7 k -> has_mapping0 ( * self) k v -> le_log0 k (deep_model0 (let (a, _) = result in a)) } - ensures { [#"../red_black_tree.rs" 639 4 640 73] forall v : v . forall k : deep_model_ty0 . inv10 v -> inv7 k -> has_mapping0 ( ^ self) k v = (deep_model0 (let (a, _) = result in a) <> k /\ has_mapping0 ( * self) k v) } + ensures { [#"../red_black_tree.rs" 638 4 638 104] forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv7 k -> has_mapping0 ( * self) k v -> le_log0 k (deep_model0 (let (a, _) = result in a)) } + ensures { [#"../red_black_tree.rs" 639 4 640 73] forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv7 k + -> has_mapping0 ( ^ self) k v = (deep_model0 (let (a, _) = result in a) <> k /\ has_mapping0 ( * self) k v) } ensures { [#"../red_black_tree.rs" 641 14 641 39] color_invariant0 ( ^ self) } - ensures { [#"../red_black_tree.rs" 642 4 642 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } + ensures { [#"../red_black_tree.rs" 642 4 642 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black + -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } ensures { [#"../red_black_tree.rs" 643 36 643 42] inv11 result } predicate same_mappings0 [#"../red_black_tree.rs" 42 4 42 43] (self : RedBlackTree_Tree_Type.t_tree k v) (o : RedBlackTree_Tree_Type.t_tree k v) = - [#"../red_black_tree.rs" 43 8 45 9] forall v : v . forall k : deep_model_ty0 . 
inv10 v -> inv7 k -> has_mapping0 self k v = has_mapping0 o k v + [#"../red_black_tree.rs" 43 8 45 9] forall v : v . forall k : deep_model_ty0 . inv10 v + -> inv7 k -> has_mapping0 self k v = has_mapping0 o k v val same_mappings0 [#"../red_black_tree.rs" 42 4 42 43] (self : RedBlackTree_Tree_Type.t_tree k v) (o : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = same_mappings0 self o } - use prelude.Ghost + use prelude.Snapshot predicate resolve2 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) = [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve2 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : bool 
@@ -6834,17 +7503,18 @@ module RedBlackTree_Impl15_DeleteMax requires {[#"../red_black_tree.rs" 388 15 388 19] inv9 self} ensures { [#"../red_black_tree.rs" 387 14 387 45] result = (color0 self = RedBlackTree_Color_Type.C_Red) } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) - val resolve0 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) + val resolve0 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg delete_max [#"../red_black_tree.rs" 667 4 667 50] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (RedBlackTree_Tree_Type.t_tree k v)) : Core_Option_Option_Type.t_option (k, v) requires {[#"../red_black_tree.rs" 660 15 660 34] invariant0 ( * self)} requires {[#"../red_black_tree.rs" 667 27 667 31] inv6 self} ensures { [#"../red_black_tree.rs" 661 14 661 33] invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 662 14 666 65] match result with - | Core_Option_Option_Type.C_Some (k, v) -> Map.get (shallow_model0 self) (deep_model0 k) = Core_Option_Option_Type.C_Some v /\ (forall k2 : deep_model_ty0 . inv7 k2 -> Map.get (shallow_model0 self) k2 = Core_Option_Option_Type.C_None \/ le_log0 k2 (deep_model0 k)) /\ shallow_model1 ( ^ self) = Map.set (shallow_model0 self) (deep_model0 k) (Core_Option_Option_Type.C_None) + | Core_Option_Option_Type.C_Some (k, v) -> Map.get (shallow_model0 self) (deep_model0 k) = Core_Option_Option_Type.C_Some v /\ (forall k2 : deep_model_ty0 . 
inv7 k2 + -> Map.get (shallow_model0 self) k2 = Core_Option_Option_Type.C_None \/ le_log0 k2 (deep_model0 k)) /\ shallow_model1 ( ^ self) = Map.set (shallow_model0 self) (deep_model0 k) (Core_Option_Option_Type.C_None) | Core_Option_Option_Type.C_None -> shallow_model1 ( ^ self) = shallow_model0 self /\ shallow_model0 self = Const.const (Core_Option_Option_Type.C_None) end } ensures { [#"../red_black_tree.rs" 667 36 667 50] inv8 result } @@ -6852,24 +7522,26 @@ module RedBlackTree_Impl15_DeleteMax = [@vc:do_not_keep_trace] [@vc:sp] var _0 : Core_Option_Option_Type.t_option (k, v); var self : borrowed (RedBlackTree_Tree_Type.t_tree k v) = self; - var old_self : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v)); + var old_self : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v)); var _7 : (); var _8 : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)); var node : borrowed (RedBlackTree_Node_Type.t_node k v); var _11 : bool; + var _13 : RedBlackTree_Color_Type.t_color; var r : (k, v); var _18 : borrowed (RedBlackTree_Tree_Type.t_tree k v); var _19 : (); var _20 : bool; + var _22 : RedBlackTree_Color_Type.t_color; var _23 : borrowed (RedBlackTree_Node_Type.t_node k v); var _24 : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)); var _25 : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)); - var _26 : Ghost.ghost_ty (); + var _26 : Snapshot.snap_ty (); { goto BB0 } BB0 { - [#"../red_black_tree.rs" 668 23 668 35] old_self <- ([#"../red_black_tree.rs" 668 23 668 35] Ghost.new self); + [#"../red_black_tree.rs" 668 23 668 41] old_self <- ([#"../red_black_tree.rs" 668 23 668 41] Snapshot.new self); goto BB1 } BB1 { 
@@ -6890,7 +7562,7 @@ module RedBlackTree_Impl15_DeleteMax [#"../red_black_tree.rs" 669 20 669 24] node <- Borrow.borrow_final (Core_Option_Option_Type.some_0 ( * _8)) (Borrow.inherit_id (Borrow.get_id _8) 1); [#"../red_black_tree.rs" 669 20 669 24] _8 <- { _8 with current = (let Core_Option_Option_Type.C_Some x0 = * _8 in Core_Option_Option_Type.C_Some ( ^ node)) ; }; assume { inv2 ( ^ node) }; - [#"../red_black_tree.rs" 670 16 670 34] _11 <- ([#"../red_black_tree.rs" 670 16 670 34] is_red0 ([#"../red_black_tree.rs" 670 16 670 25] RedBlackTree_Node_Type.node_left ( * node))); + [#"../red_black_tree.rs" 670 16 670 34] _11 <- ([#"../red_black_tree.rs" 670 16 670 34] is_red0 (RedBlackTree_Node_Type.node_left ( * node))); goto BB4 } BB4 { @@ -6908,7 +7580,9 @@ module RedBlackTree_Impl15_DeleteMax goto BB7 } BB6 { - [#"../red_black_tree.rs" 671 16 671 32] node <- { node with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * node in RedBlackTree_Node_Type.C_Node x0 ([#"../red_black_tree.rs" 671 29 671 32] RedBlackTree_Color_Type.C_Red) x2 x3 x4) ; }; + [#"../red_black_tree.rs" 671 29 671 32] _13 <- RedBlackTree_Color_Type.C_Red; + [#"../red_black_tree.rs" 671 16 671 32] node <- { node with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * node in RedBlackTree_Node_Type.C_Node x0 _13 x2 x3 x4) ; }; + _13 <- any RedBlackTree_Color_Type.t_color; assert { [@expl:type invariant] inv3 node }; assume { resolve1 node }; assert { [@expl:type invariant] inv4 _8 }; 
@@ -6917,7 +7591,7 @@ module RedBlackTree_Impl15_DeleteMax goto BB7 } BB7 { - assert { [@expl:assertion] [#"../red_black_tree.rs" 676 24 676 53] same_mappings0 ( * Ghost.inner old_self) ( * self) }; + assert { [@expl:assertion] [#"../red_black_tree.rs" 676 24 676 53] same_mappings0 ( * Snapshot.inner old_self) ( * self) }; [#"../red_black_tree.rs" 677 16 677 20] _18 <- Borrow.borrow_mut ( * self); [#"../red_black_tree.rs" 677 16 677 20] self <- { self with current = ( ^ _18) ; }; assume { inv5 ( ^ _18) }; @@ -6928,13 +7602,13 @@ module RedBlackTree_Impl15_DeleteMax BB8 { assert { [@expl:type invariant] inv4 _8 }; assume { resolve2 _8 }; - [#"../red_black_tree.rs" 674 19 674 23] _0 <- ([#"../red_black_tree.rs" 674 19 674 23] Core_Option_Option_Type.C_None); + [#"../red_black_tree.rs" 674 19 674 23] _0 <- Core_Option_Option_Type.C_None; assert { [@expl:type invariant] inv6 self }; assume { resolve3 self }; goto BB19 } BB9 { - [#"../red_black_tree.rs" 678 11 678 24] _20 <- ([#"../red_black_tree.rs" 678 11 678 24] is_red0 ([#"../red_black_tree.rs" 678 11 678 15] * self)); + [#"../red_black_tree.rs" 678 11 678 24] _20 <- ([#"../red_black_tree.rs" 678 11 678 24] is_red0 ( * self)); goto BB10 } BB10 { @@ -6944,6 +7618,7 @@ module RedBlackTree_Impl15_DeleteMax end } BB11 { + [#"../red_black_tree.rs" 679 48 679 53] _22 <- RedBlackTree_Color_Type.C_Black; [#"../red_black_tree.rs" 679 12 679 21] _25 <- Borrow.borrow_final (RedBlackTree_Tree_Type.tree_node ( * self)) (Borrow.inherit_id (Borrow.get_id self) 1); [#"../red_black_tree.rs" 679 12 679 21] self <- { self with current = (let RedBlackTree_Tree_Type.C_Tree x0 = * self in RedBlackTree_Tree_Type.C_Tree ( ^ _25)) ; }; assume { inv1 ( ^ _25) }; 
@@ -6957,7 +7632,8 @@ module RedBlackTree_Impl15_DeleteMax goto BB13 } BB13 { - [#"../red_black_tree.rs" 679 12 679 53] _23 <- { _23 with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * _23 in RedBlackTree_Node_Type.C_Node x0 ([#"../red_black_tree.rs" 679 48 679 53] RedBlackTree_Color_Type.C_Black) x2 x3 x4) ; }; + [#"../red_black_tree.rs" 679 12 679 53] _23 <- { _23 with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * _23 in RedBlackTree_Node_Type.C_Node x0 _22 x2 x3 x4) ; }; + _22 <- any RedBlackTree_Color_Type.t_color; assert { [@expl:type invariant] inv3 _23 }; assume { resolve1 _23 }; assert { [@expl:type invariant] inv6 self }; @@ -6972,13 +7648,13 @@ module RedBlackTree_Impl15_DeleteMax goto BB15 } BB15 { - [#"../red_black_tree.rs" 681 8 681 39] _26 <- ([#"../red_black_tree.rs" 681 8 681 39] Ghost.new ()); + [#"../red_black_tree.rs" 681 8 681 45] _26 <- ([#"../red_black_tree.rs" 681 8 681 45] Snapshot.new ()); goto BB16 } BB16 { assume { resolve4 _26 }; - [#"../red_black_tree.rs" 682 8 682 15] _0 <- ([#"../red_black_tree.rs" 682 8 682 15] Core_Option_Option_Type.C_Some ([#"../red_black_tree.rs" 682 13 682 14] r)); - [#"../red_black_tree.rs" 682 13 682 14] r <- any (k, v); + [#"../red_black_tree.rs" 682 8 682 15] _0 <- Core_Option_Option_Type.C_Some r; + r <- any (k, v); goto BB17 } BB17 { 
@@ -7060,7 +7736,9 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -7068,7 +7746,10 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -7076,7 +7757,10 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -7087,13 +7771,19 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -7104,7 +7794,9 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -7115,7 +7807,9 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -7126,7 +7820,9 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -7137,7 +7833,9 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv10 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv10 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant10 (self : deep_model_ty0) val invariant10 (self : deep_model_ty0) : bool ensures { result = invariant10 self } @@ -7285,7 +7983,8 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../red_black_tree.rs" 296 14 296 18] inv8 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv8 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv8 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) use RedBlackTree_Cp_Type as RedBlackTree_Cp_Type function cpn0 [#"../red_black_tree.rs" 226 0 226 36] (c : RedBlackTree_Color_Type.t_color) (l : RedBlackTree_Cp_Type.t_cp) (r : RedBlackTree_Cp_Type.t_cp) : RedBlackTree_Cp_Type.t_cp 
@@ -7318,7 +8017,13 @@ module RedBlackTree_Impl15_DeleteMinRec ensures { result = height_invariant0 self } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } 
@@ -7359,7 +8064,9 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../red_black_tree.rs" 328 14 328 18] inv7 self} ensures { result = height1 self } - axiom height1_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv7 self) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node -> self = node -> height1 self = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) + axiom height1_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv7 self) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node + -> self = node -> height1 self = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) predicate has_mapping1 [#"../red_black_tree.rs" 140 4 140 57] (self : RedBlackTree_Node_Type.t_node k v) (k : deep_model_ty0) (v : v) = 
@@ -7370,11 +8077,17 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../red_black_tree.rs" 140 44 140 45] inv9 v} ensures { result = has_mapping1 self k v } - axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv7 self) -> ([#"../red_black_tree.rs" 140 25 140 26] inv10 k) -> ([#"../red_black_tree.rs" 140 44 140 45] inv9 v) -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node -> self = node -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) + axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv7 self) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv10 k) + -> ([#"../red_black_tree.rs" 140 44 140 45] inv9 v) + -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node + -> self = node + -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) predicate same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping1 self k v = has_mapping1 o k v + [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k -> has_mapping1 self k v = has_mapping1 o k v val same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = same_mappings0 self o } 
@@ -7395,18 +8108,26 @@ module RedBlackTree_Impl15_DeleteMinRec val balance0 [#"../red_black_tree.rs" 510 4 510 25] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : () requires {[#"../red_black_tree.rs" 491 15 491 43] internal_invariant1 ( * self)} - requires {[#"../red_black_tree.rs" 492 4 493 47] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red -> color_invariant0 (RedBlackTree_Node_Type.node_left ( * self))} - requires {[#"../red_black_tree.rs" 494 4 495 48] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red -> color_invariant0 (RedBlackTree_Node_Type.node_right ( * self))} - requires {[#"../red_black_tree.rs" 496 4 496 110] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red -> false} + requires {[#"../red_black_tree.rs" 492 4 493 47] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red + -> color_invariant0 (RedBlackTree_Node_Type.node_left ( * self))} + requires {[#"../red_black_tree.rs" 494 4 495 48] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red + -> color_invariant0 (RedBlackTree_Node_Type.node_right ( * self))} + requires {[#"../red_black_tree.rs" 496 4 496 110] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red 
+ -> false} requires {[#"../red_black_tree.rs" 510 20 510 24] inv3 self} ensures { [#"../red_black_tree.rs" 497 14 497 42] same_mappings0 ( * self) ( ^ self) } ensures { [#"../red_black_tree.rs" 498 14 498 42] internal_invariant1 ( ^ self) } ensures { [#"../red_black_tree.rs" 499 14 499 50] height1 ( * self) = height1 ( ^ self) } - ensures { [#"../red_black_tree.rs" 500 4 501 34] color_invariant0 (RedBlackTree_Node_Type.node_left ( * self)) /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Black -> * self = ^ self } - ensures { [#"../red_black_tree.rs" 502 4 503 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self) -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } - ensures { [#"../red_black_tree.rs" 504 4 505 63] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } - ensures { [#"../red_black_tree.rs" 506 4 507 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } - ensures { [#"../red_black_tree.rs" 508 4 509 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) 
(RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } + ensures { [#"../red_black_tree.rs" 500 4 501 34] color_invariant0 (RedBlackTree_Node_Type.node_left ( * self)) /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Black + -> * self = ^ self } + ensures { [#"../red_black_tree.rs" 502 4 503 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self) + -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } + ensures { [#"../red_black_tree.rs" 504 4 505 63] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } + ensures { [#"../red_black_tree.rs" 506 4 507 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } + ensures { [#"../red_black_tree.rs" 508 4 509 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } val move_red_left0 
[#"../red_black_tree.rs" 542 4 542 44] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : borrowed (RedBlackTree_Node_Type.t_node k v) requires {[#"../red_black_tree.rs" 524 15 524 41] RedBlackTree_Tree_Type.tree_node (RedBlackTree_Node_Type.node_right ( * self)) <> Core_Option_Option_Type.C_None} 
@@ -7414,14 +8135,24 @@ module RedBlackTree_Impl15_DeleteMinRec requires {[#"../red_black_tree.rs" 526 15 526 86] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self)} requires {[#"../red_black_tree.rs" 542 26 542 30] inv3 self} ensures { [#"../red_black_tree.rs" 527 14 527 44] internal_invariant1 ( * result) } - ensures { [#"../red_black_tree.rs" 528 4 530 48] internal_invariant1 ( ^ result) /\ height1 ( * result) = height1 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping1 ( ^ result) k v -> has_mapping1 ( * result) k v) -> internal_invariant1 ( ^ self) } - ensures { [#"../red_black_tree.rs" 531 4 531 97] height1 ( * result) = height1 ( ^ result) -> height1 ( * self) = height1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 528 4 530 48] internal_invariant1 ( ^ result) /\ height1 ( * result) = height1 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k -> has_mapping1 ( ^ result) k v -> has_mapping1 ( * result) k v) -> internal_invariant1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 531 4 531 97] height1 ( * result) = height1 ( ^ result) + -> height1 ( * self) = height1 ( ^ self) } ensures { [#"../red_black_tree.rs" 532 14 532 42] RedBlackTree_Node_Type.node_key ( * self) = RedBlackTree_Node_Type.node_key ( * result) } - ensures { [#"../red_black_tree.rs" 533 4 533 105] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping1 ( * result) k v -> has_mapping1 ( * self) k v } - ensures { [#"../red_black_tree.rs" 534 4 535 47] forall v : v . forall k : deep_model_ty0 . 
inv9 v -> inv10 k -> has_mapping1 ( * self) k v /\ le_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) -> has_mapping1 ( * result) k v } - ensures { [#"../red_black_tree.rs" 536 4 537 108] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping1 ( ^ self) k v = (has_mapping1 ( ^ result) k v \/ has_mapping1 ( * self) k v /\ not has_mapping1 ( * result) k v) } + ensures { [#"../red_black_tree.rs" 533 4 533 105] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k -> has_mapping1 ( * result) k v -> has_mapping1 ( * self) k v } + ensures { [#"../red_black_tree.rs" 534 4 535 47] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k + -> has_mapping1 ( * self) k v /\ le_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key ( * self))) + -> has_mapping1 ( * result) k v } + ensures { [#"../red_black_tree.rs" 536 4 537 108] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k + -> has_mapping1 ( ^ self) k v = (has_mapping1 ( ^ result) k v \/ has_mapping1 ( * self) k v /\ not has_mapping1 ( * result) k v) } ensures { [#"../red_black_tree.rs" 538 14 539 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * result) \/ match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * result) } - ensures { [#"../red_black_tree.rs" 540 4 541 45] color_invariant1 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_right ( * result)) = RedBlackTree_Color_Type.C_Black -> RedBlackTree_Node_Type.node_color ( ^ result) = RedBlackTree_Color_Type.C_Black) -> color_invariant1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 540 4 541 45] color_invariant1 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_right ( * result)) = RedBlackTree_Color_Type.C_Black + -> 
RedBlackTree_Node_Type.node_color ( ^ result) = RedBlackTree_Color_Type.C_Black) + -> color_invariant1 ( ^ self) } ensures { [#"../red_black_tree.rs" 542 35 542 44] inv3 result } predicate resolve5 (self : RedBlackTree_Node_Type.t_node k v) @@ -7436,7 +8167,8 @@ module RedBlackTree_Impl15_DeleteMinRec val as_ref0 (self : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)) : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v) requires {inv14 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 58 16 58 60] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 58 16 58 60] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 59 16 61 18] self = Core_Option_Option_Type.C_None \/ (exists r : RedBlackTree_Node_Type.t_node k v . inv6 r /\ result = Core_Option_Option_Type.C_Some r /\ self = Core_Option_Option_Type.C_Some r) } ensures { inv15 result } 
@@ -7504,7 +8236,8 @@ module RedBlackTree_Impl15_DeleteMinRec val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)) requires {inv4 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (RedBlackTree_Node_Type.t_node k v) . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv12 result } 
@@ -7515,10 +8248,14 @@ module RedBlackTree_Impl15_DeleteMinRec ensures { [#"../red_black_tree.rs" 688 14 688 42] internal_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 689 14 689 50] height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 690 14 690 66] has_mapping0 ( * self) (deep_model0 (let (a, _) = result in a)) (let (_, a) = result in a) } - ensures { [#"../red_black_tree.rs" 691 4 691 104] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping0 ( * self) k v -> le_log0 (deep_model0 (let (a, _) = result in a)) k } - ensures { [#"../red_black_tree.rs" 692 4 693 73] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv10 k -> has_mapping0 ( ^ self) k v = (deep_model0 (let (a, _) = result in a) <> k /\ has_mapping0 ( * self) k v) } + ensures { [#"../red_black_tree.rs" 691 4 691 104] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k -> has_mapping0 ( * self) k v -> le_log0 (deep_model0 (let (a, _) = result in a)) k } + ensures { [#"../red_black_tree.rs" 692 4 693 73] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv10 k + -> has_mapping0 ( ^ self) k v = (deep_model0 (let (a, _) = result in a) <> k /\ has_mapping0 ( * self) k v) } ensures { [#"../red_black_tree.rs" 694 14 694 39] color_invariant0 ( ^ self) } - ensures { [#"../red_black_tree.rs" 695 4 695 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } + ensures { [#"../red_black_tree.rs" 695 4 695 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black + -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } ensures { [#"../red_black_tree.rs" 696 36 696 42] inv11 result } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -7605,9 +8342,9 @@ module RedBlackTree_Impl15_DeleteMinRec BB7 { assert { [@expl:type invariant] inv1 node1 }; assume { resolve4 node1 }; - [#"../red_black_tree.rs" 700 19 700 39] _0 <- ([#"../red_black_tree.rs" 700 19 700 39] (([#"../red_black_tree.rs" 700 20 700 28] RedBlackTree_Node_Type.node_key node1), ([#"../red_black_tree.rs" 700 30 700 38] RedBlackTree_Node_Type.node_val node1))); - [#"../red_black_tree.rs" 700 20 700 28] node1 <- (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = node1 in RedBlackTree_Node_Type.C_Node x0 x1 (any k) x3 x4); - [#"../red_black_tree.rs" 700 30 700 38] node1 <- (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = node1 in RedBlackTree_Node_Type.C_Node x0 x1 x2 (any v) x4); + [#"../red_black_tree.rs" 700 19 700 39] _0 <- (RedBlackTree_Node_Type.node_key node1, RedBlackTree_Node_Type.node_val node1); + node1 <- (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = node1 in RedBlackTree_Node_Type.C_Node x0 x1 (any k) x3 x4); + node1 <- (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = node1 in RedBlackTree_Node_Type.C_Node x0 x1 x2 (any v) x4); goto BB8 } BB8 { @@ -7617,7 +8354,7 @@ module RedBlackTree_Impl15_DeleteMinRec goto BB25 } BB10 { - [#"../red_black_tree.rs" 702 12 702 30] _26 <- ([#"../red_black_tree.rs" 702 12 702 30] is_red0 ([#"../red_black_tree.rs" 702 12 702 21] RedBlackTree_Node_Type.node_left ( * node))); + [#"../red_black_tree.rs" 702 12 702 30] _26 <- ([#"../red_black_tree.rs" 702 12 702 30] is_red0 (RedBlackTree_Node_Type.node_left ( * node))); goto BB11 } BB11 { 
@@ -7630,7 +8367,7 @@ module RedBlackTree_Impl15_DeleteMinRec goto BB20 } BB13 { - [#"../red_black_tree.rs" 702 35 702 58] _31 <- ([#"../red_black_tree.rs" 702 35 702 58] as_ref0 ([#"../red_black_tree.rs" 702 35 702 49] RedBlackTree_Tree_Type.tree_node (RedBlackTree_Node_Type.node_left ( * node)))); + [#"../red_black_tree.rs" 702 35 702 58] _31 <- ([#"../red_black_tree.rs" 702 35 702 58] as_ref0 (RedBlackTree_Tree_Type.tree_node (RedBlackTree_Node_Type.node_left ( * node)))); goto BB14 } BB14 { @@ -7641,7 +8378,7 @@ module RedBlackTree_Impl15_DeleteMinRec BB15 { assert { [@expl:type invariant] inv6 _30 }; assume { resolve5 _30 }; - [#"../red_black_tree.rs" 702 35 702 81] _28 <- ([#"../red_black_tree.rs" 702 35 702 81] is_red0 ([#"../red_black_tree.rs" 702 35 702 72] RedBlackTree_Node_Type.node_left _30)); + [#"../red_black_tree.rs" 702 35 702 81] _28 <- ([#"../red_black_tree.rs" 702 35 702 81] is_red0 (RedBlackTree_Node_Type.node_left _30)); goto BB16 } BB16 { @@ -7667,8 +8404,8 @@ module RedBlackTree_Impl15_DeleteMinRec assume { inv7 ( ^ _33) }; assert { [@expl:type invariant] inv3 node }; assume { resolve1 node }; - [#"../red_black_tree.rs" 703 12 703 39] node <- ([#"../red_black_tree.rs" 703 12 703 39] _33); - [#"../red_black_tree.rs" 703 12 703 39] _33 <- any borrowed (RedBlackTree_Node_Type.t_node k v); + [#"../red_black_tree.rs" 703 12 703 39] node <- _33; + _33 <- any borrowed (RedBlackTree_Node_Type.t_node k v); assert { [@expl:type invariant] inv3 _34 }; assume { resolve1 _34 }; [#"../red_black_tree.rs" 702 82 704 9] _25 <- ([#"../red_black_tree.rs" 702 82 704 9] ()); @@ -7699,8 +8436,8 @@ module RedBlackTree_Impl15_DeleteMinRec assume { resolve1 node }; assert { [@expl:type invariant] inv5 self }; assume { resolve3 self }; - [#"../red_black_tree.rs" 707 8 707 9] _0 <- ([#"../red_black_tree.rs" 707 8 707 9] r); - [#"../red_black_tree.rs" 707 8 707 9] r <- any (k, v); + [#"../red_black_tree.rs" 707 8 707 9] _0 <- r; + r <- any (k, v); goto BB24 } BB24 { 
@@ -7792,7 +8529,9 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv6 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -7800,7 +8539,10 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv6 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -7808,7 +8550,10 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv6 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -7819,13 +8564,19 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv6 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv6 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv6 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv6 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -7836,7 +8587,9 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv6 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -7847,7 +8600,9 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv6 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -7858,7 +8613,9 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv6 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -7869,7 +8626,9 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv6 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv6 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv6 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv6 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv6 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant7 (self : deep_model_ty0) val invariant7 (self : deep_model_ty0) : bool ensures { result = invariant7 self } @@ -7998,7 +8757,8 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../red_black_tree.rs" 296 14 296 18] inv4 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv4 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv4 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) predicate height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) = [#"../red_black_tree.rs" 339 20 339 61] height0 (RedBlackTree_Node_Type.node_left self) = height0 (RedBlackTree_Node_Type.node_right self) val height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) : bool 
@@ -8023,7 +8783,13 @@ module RedBlackTree_Impl15_DeleteMin ensures { result = has_mapping0 self k v } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv8 v -> inv6 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv8 v -> inv6 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv8 v + -> inv6 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv8 v + -> inv6 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } @@ -8045,7 +8811,7 @@ module RedBlackTree_Impl15_DeleteMin val invariant0 [#"../red_black_tree.rs" 364 4 364 34] (self : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = invariant0 self } - use prelude.Ghost + use prelude.Snapshot val unwrap0 (self : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v))) : borrowed (RedBlackTree_Node_Type.t_node k v) requires {[#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self <> Core_Option_Option_Type.C_None} requires {inv11 self} 
@@ -8054,7 +8820,8 @@ module RedBlackTree_Impl15_DeleteMin val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)) requires {inv3 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (RedBlackTree_Node_Type.t_node k v) . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv11 result } 
@@ -8088,10 +8855,14 @@ module RedBlackTree_Impl15_DeleteMin ensures { [#"../red_black_tree.rs" 688 14 688 42] internal_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 689 14 689 50] height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 690 14 690 66] has_mapping0 ( * self) (deep_model0 (let (a, _) = result in a)) (let (_, a) = result in a) } - ensures { [#"../red_black_tree.rs" 691 4 691 104] forall v : v . forall k : deep_model_ty0 . inv8 v -> inv6 k -> has_mapping0 ( * self) k v -> le_log0 (deep_model0 (let (a, _) = result in a)) k } - ensures { [#"../red_black_tree.rs" 692 4 693 73] forall v : v . forall k : deep_model_ty0 . inv8 v -> inv6 k -> has_mapping0 ( ^ self) k v = (deep_model0 (let (a, _) = result in a) <> k /\ has_mapping0 ( * self) k v) } + ensures { [#"../red_black_tree.rs" 691 4 691 104] forall v : v . forall k : deep_model_ty0 . inv8 v + -> inv6 k -> has_mapping0 ( * self) k v -> le_log0 (deep_model0 (let (a, _) = result in a)) k } + ensures { [#"../red_black_tree.rs" 692 4 693 73] forall v : v . forall k : deep_model_ty0 . inv8 v + -> inv6 k + -> has_mapping0 ( ^ self) k v = (deep_model0 (let (a, _) = result in a) <> k /\ has_mapping0 ( * self) k v) } ensures { [#"../red_black_tree.rs" 694 14 694 39] color_invariant0 ( ^ self) } - ensures { [#"../red_black_tree.rs" 695 4 695 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } + ensures { [#"../red_black_tree.rs" 695 4 695 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black + -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } ensures { [#"../red_black_tree.rs" 696 36 696 42] inv10 result } predicate resolve2 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) = 
@@ -8108,11 +8879,11 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../red_black_tree.rs" 388 15 388 19] inv9 self} ensures { [#"../red_black_tree.rs" 387 14 387 45] result = (color0 self = RedBlackTree_Color_Type.C_Red) } - predicate resolve0 (self : Ghost.ghost_ty ()) - val resolve0 (self : Ghost.ghost_ty ()) : bool + predicate resolve0 (self : Snapshot.snap_ty ()) + val resolve0 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot function model_acc_has_mapping0 [#"../red_black_tree.rs" 68 4 72 5] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = 
@@ -8126,7 +8897,10 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../red_black_tree.rs" 71 8 71 9] inv6 k} ensures { result = model_acc_has_mapping0 self accu k } - axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv4 self) -> ([#"../red_black_tree.rs" 70 8 70 12] inv12 accu) -> ([#"../red_black_tree.rs" 71 8 71 9] inv6 k) -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv8 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv4 self) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv12 accu) + -> ([#"../red_black_tree.rs" 71 8 71 9] inv6 k) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv8 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) function has_mapping_model_acc0 [#"../red_black_tree.rs" 89 4 91 33] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = 
@@ -8141,7 +8915,12 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../red_black_tree.rs" 89 81 89 82] inv6 k} ensures { result = has_mapping_model_acc0 self accu k } - axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 89 29 89 33] inv4 self) -> ([#"../red_black_tree.rs" 89 35 89 39] inv12 accu) -> ([#"../red_black_tree.rs" 89 81 89 82] inv6 k) -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv8 v -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) + axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 89 29 89 33] inv4 self) + -> ([#"../red_black_tree.rs" 89 35 89 39] inv12 accu) + -> ([#"../red_black_tree.rs" 89 81 89 82] inv6 k) + -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv8 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) function has_mapping_model0 [#"../red_black_tree.rs" 110 4 112 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) : () = 
@@ -8152,13 +8931,18 @@ module RedBlackTree_Impl15_DeleteMin requires {[#"../red_black_tree.rs" 110 31 110 32] inv6 k} ensures { result = has_mapping_model0 self k } - axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 110 25 110 29] inv4 self) -> ([#"../red_black_tree.rs" 110 31 110 32] inv6 k) -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv8 v -> has_mapping0 self k v = (Map.get (shallow_model1 self) k = Core_Option_Option_Type.C_Some v)) + axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 110 25 110 29] inv4 self) + -> ([#"../red_black_tree.rs" 110 31 110 32] inv6 k) + -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv8 v + -> has_mapping0 self k v = (Map.get (shallow_model1 self) k = Core_Option_Option_Type.C_Some v)) let rec cfg delete_min [#"../red_black_tree.rs" 719 4 719 50] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (RedBlackTree_Tree_Type.t_tree k v)) : Core_Option_Option_Type.t_option (k, v) requires {[#"../red_black_tree.rs" 710 15 710 34] invariant0 ( * self)} requires {[#"../red_black_tree.rs" 719 27 719 31] inv5 self} ensures { [#"../red_black_tree.rs" 711 14 711 33] invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 712 14 718 5] match result with - | Core_Option_Option_Type.C_Some (k, v) -> Map.get (shallow_model0 self) (deep_model0 k) = Core_Option_Option_Type.C_Some v /\ (forall k2 : deep_model_ty0 . 
inv6 k2 -> Map.get (shallow_model0 self) k2 = Core_Option_Option_Type.C_None \/ le_log0 (deep_model0 k) k2) /\ shallow_model1 ( ^ self) = Map.set (shallow_model0 self) (deep_model0 k) (Core_Option_Option_Type.C_None) + | Core_Option_Option_Type.C_Some (k, v) -> Map.get (shallow_model0 self) (deep_model0 k) = Core_Option_Option_Type.C_Some v /\ (forall k2 : deep_model_ty0 . inv6 k2 + -> Map.get (shallow_model0 self) k2 = Core_Option_Option_Type.C_None \/ le_log0 (deep_model0 k) k2) /\ shallow_model1 ( ^ self) = Map.set (shallow_model0 self) (deep_model0 k) (Core_Option_Option_Type.C_None) | Core_Option_Option_Type.C_None -> shallow_model1 ( ^ self) = shallow_model0 self /\ shallow_model0 self = Const.const (Core_Option_Option_Type.C_None) end } ensures { [#"../red_black_tree.rs" 719 36 719 50] inv7 result } @@ -8166,15 +8950,17 @@ module RedBlackTree_Impl15_DeleteMin = [@vc:do_not_keep_trace] [@vc:sp] var _0 : Core_Option_Option_Type.t_option (k, v); var self : borrowed (RedBlackTree_Tree_Type.t_tree k v) = self; - var _5 : Ghost.ghost_ty (); + var _5 : Snapshot.snap_ty (); var _7 : (); var _8 : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)); var node : borrowed (RedBlackTree_Node_Type.t_node k v); var _11 : bool; + var _13 : RedBlackTree_Color_Type.t_color; var r : (k, v); var _16 : borrowed (RedBlackTree_Tree_Type.t_tree k v); var _17 : (); var _18 : bool; + var _20 : RedBlackTree_Color_Type.t_color; var _21 : borrowed (RedBlackTree_Node_Type.t_node k v); var _22 : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)); var _23 : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)); @@ -8182,7 +8968,7 @@ module RedBlackTree_Impl15_DeleteMin goto BB0 } BB0 { - [#"../red_black_tree.rs" 720 8 720 39] _5 <- ([#"../red_black_tree.rs" 720 8 720 39] Ghost.new ()); + [#"../red_black_tree.rs" 720 8 720 45] _5 <- ([#"../red_black_tree.rs" 720 8 720 45] Snapshot.new ()); goto BB1 } BB1 { 
@@ -8202,7 +8988,7 @@ module RedBlackTree_Impl15_DeleteMin [#"../red_black_tree.rs" 722 20 722 24] node <- Borrow.borrow_final (Core_Option_Option_Type.some_0 ( * _8)) (Borrow.inherit_id (Borrow.get_id _8) 1); [#"../red_black_tree.rs" 722 20 722 24] _8 <- { _8 with current = (let Core_Option_Option_Type.C_Some x0 = * _8 in Core_Option_Option_Type.C_Some ( ^ node)) ; }; assume { inv1 ( ^ node) }; - [#"../red_black_tree.rs" 723 16 723 34] _11 <- ([#"../red_black_tree.rs" 723 16 723 34] is_red0 ([#"../red_black_tree.rs" 723 16 723 25] RedBlackTree_Node_Type.node_left ( * node))); + [#"../red_black_tree.rs" 723 16 723 34] _11 <- ([#"../red_black_tree.rs" 723 16 723 34] is_red0 (RedBlackTree_Node_Type.node_left ( * node))); goto BB4 } BB4 { @@ -8220,7 +9006,9 @@ module RedBlackTree_Impl15_DeleteMin goto BB7 } BB6 { - [#"../red_black_tree.rs" 724 16 724 32] node <- { node with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * node in RedBlackTree_Node_Type.C_Node x0 ([#"../red_black_tree.rs" 724 29 724 32] RedBlackTree_Color_Type.C_Red) x2 x3 x4) ; }; + [#"../red_black_tree.rs" 724 29 724 32] _13 <- RedBlackTree_Color_Type.C_Red; + [#"../red_black_tree.rs" 724 16 724 32] node <- { node with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * node in RedBlackTree_Node_Type.C_Node x0 _13 x2 x3 x4) ; }; + _13 <- any RedBlackTree_Color_Type.t_color; assert { [@expl:type invariant] inv2 node }; assume { resolve1 node }; assert { [@expl:type invariant] inv3 _8 }; 
@@ -8239,13 +9027,13 @@ module RedBlackTree_Impl15_DeleteMin BB8 { assert { [@expl:type invariant] inv3 _8 }; assume { resolve2 _8 }; - [#"../red_black_tree.rs" 727 19 727 23] _0 <- ([#"../red_black_tree.rs" 727 19 727 23] Core_Option_Option_Type.C_None); + [#"../red_black_tree.rs" 727 19 727 23] _0 <- Core_Option_Option_Type.C_None; assert { [@expl:type invariant] inv5 self }; assume { resolve3 self }; goto BB18 } BB9 { - [#"../red_black_tree.rs" 730 11 730 24] _18 <- ([#"../red_black_tree.rs" 730 11 730 24] is_red0 ([#"../red_black_tree.rs" 730 11 730 15] * self)); + [#"../red_black_tree.rs" 730 11 730 24] _18 <- ([#"../red_black_tree.rs" 730 11 730 24] is_red0 ( * self)); goto BB10 } BB10 { @@ -8255,6 +9043,7 @@ module RedBlackTree_Impl15_DeleteMin end } BB11 { + [#"../red_black_tree.rs" 731 48 731 53] _20 <- RedBlackTree_Color_Type.C_Black; [#"../red_black_tree.rs" 731 12 731 21] _23 <- Borrow.borrow_final (RedBlackTree_Tree_Type.tree_node ( * self)) (Borrow.inherit_id (Borrow.get_id self) 1); [#"../red_black_tree.rs" 731 12 731 21] self <- { self with current = (let RedBlackTree_Tree_Type.C_Tree x0 = * self in RedBlackTree_Tree_Type.C_Tree ( ^ _23)) ; }; assume { inv0 ( ^ _23) }; @@ -8268,7 +9057,8 @@ module RedBlackTree_Impl15_DeleteMin goto BB13 } BB13 { - [#"../red_black_tree.rs" 731 12 731 53] _21 <- { _21 with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * _21 in RedBlackTree_Node_Type.C_Node x0 ([#"../red_black_tree.rs" 731 48 731 53] RedBlackTree_Color_Type.C_Black) x2 x3 x4) ; }; + [#"../red_black_tree.rs" 731 12 731 53] _21 <- { _21 with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * _21 in RedBlackTree_Node_Type.C_Node x0 _20 x2 x3 x4) ; }; + _20 <- any RedBlackTree_Color_Type.t_color; assert { [@expl:type invariant] inv2 _21 }; assume { resolve1 _21 }; assert { [@expl:type invariant] inv5 self }; 
@@ -8283,8 +9073,8 @@ module RedBlackTree_Impl15_DeleteMin goto BB15 } BB15 { - [#"../red_black_tree.rs" 733 8 733 15] _0 <- ([#"../red_black_tree.rs" 733 8 733 15] Core_Option_Option_Type.C_Some ([#"../red_black_tree.rs" 733 13 733 14] r)); - [#"../red_black_tree.rs" 733 13 733 14] r <- any (k, v); + [#"../red_black_tree.rs" 733 8 733 15] _0 <- Core_Option_Option_Type.C_Some r; + r <- any (k, v); goto BB16 } BB16 { @@ -8366,7 +9156,9 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv14 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -8374,7 +9166,10 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv14 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -8382,7 +9177,10 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv14 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -8393,13 +9191,19 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv14 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv14 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv14 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv14 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -8410,7 +9214,9 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv14 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -8421,7 +9227,9 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv14 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -8432,7 +9240,9 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv14 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -8443,7 +9253,9 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv14 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use prelude.Borrow predicate invariant16 (self : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v))) val invariant16 (self : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v))) : bool @@ -8651,7 +9463,8 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../red_black_tree.rs" 296 14 296 18] inv7 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv7 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv7 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) use RedBlackTree_Cp_Type as RedBlackTree_Cp_Type function cpn0 [#"../red_black_tree.rs" 226 0 226 36] (c : RedBlackTree_Color_Type.t_color) (l : RedBlackTree_Cp_Type.t_cp) (r : RedBlackTree_Cp_Type.t_cp) : RedBlackTree_Cp_Type.t_cp 
@@ -8684,7 +9497,13 @@ module RedBlackTree_Impl15_DeleteRec ensures { result = height_invariant0 self } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model1 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model1 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model1 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model1 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } @@ -8701,7 +9520,7 @@ module RedBlackTree_Impl15_DeleteRec val internal_invariant0 [#"../red_black_tree.rs" 356 4 356 43] (self : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = internal_invariant0 self } - use prelude.Ghost + use prelude.Snapshot predicate color_invariant1 [#"../red_black_tree.rs" 286 4 286 36] (self : RedBlackTree_Node_Type.t_node k v) = [#"../red_black_tree.rs" 287 8 287 112] color_invariant_here0 self /\ color_invariant0 (RedBlackTree_Node_Type.node_left self) /\ color_invariant0 (RedBlackTree_Node_Type.node_right self) val color_invariant1 [#"../red_black_tree.rs" 286 4 286 36] (self : RedBlackTree_Node_Type.t_node k v) : bool 
@@ -8726,7 +9545,9 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../red_black_tree.rs" 328 14 328 18] inv5 self} ensures { result = height1 self } - axiom height1_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv5 self) -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node -> self = node -> height1 self = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) + axiom height1_spec : forall self : RedBlackTree_Node_Type.t_node k v . ([#"../red_black_tree.rs" 328 14 328 18] inv5 self) + -> ([#"../red_black_tree.rs" 326 4 327 77] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node + -> self = node -> height1 self = height0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node))) predicate has_mapping1 [#"../red_black_tree.rs" 140 4 140 57] (self : RedBlackTree_Node_Type.t_node k v) (k : deep_model_ty0) (v : v) = 
@@ -8737,11 +9558,17 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../red_black_tree.rs" 140 44 140 45] inv11 v} ensures { result = has_mapping1 self k v } - axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv5 self) -> ([#"../red_black_tree.rs" 140 25 140 26] inv14 k) -> ([#"../red_black_tree.rs" 140 44 140 45] inv11 v) -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node -> self = node -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) + axiom has_mapping1_spec : forall self : RedBlackTree_Node_Type.t_node k v, k : deep_model_ty0, v : v . ([#"../red_black_tree.rs" 140 19 140 23] inv5 self) + -> ([#"../red_black_tree.rs" 140 25 140 26] inv14 k) + -> ([#"../red_black_tree.rs" 140 44 140 45] inv11 v) + -> ([#"../red_black_tree.rs" 138 4 139 86] forall node : RedBlackTree_Node_Type.t_node k v . inv1 node + -> self = node + -> has_mapping1 self k v = has_mapping0 (RedBlackTree_Tree_Type.C_Tree (Core_Option_Option_Type.C_Some node)) k v) predicate same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping1 self k v = has_mapping1 o k v + [#"../red_black_tree.rs" 149 8 151 9] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k -> has_mapping1 self k v = has_mapping1 o k v val same_mappings0 [#"../red_black_tree.rs" 148 4 148 43] (self : RedBlackTree_Node_Type.t_node k v) (o : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = same_mappings0 self o } 
@@ -8762,18 +9589,26 @@ module RedBlackTree_Impl15_DeleteRec val balance0 [#"../red_black_tree.rs" 510 4 510 25] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : () requires {[#"../red_black_tree.rs" 491 15 491 43] internal_invariant1 ( * self)} - requires {[#"../red_black_tree.rs" 492 4 493 47] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red -> color_invariant0 (RedBlackTree_Node_Type.node_left ( * self))} - requires {[#"../red_black_tree.rs" 494 4 495 48] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red -> color_invariant0 (RedBlackTree_Node_Type.node_right ( * self))} - requires {[#"../red_black_tree.rs" 496 4 496 110] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red -> false} + requires {[#"../red_black_tree.rs" 492 4 493 47] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red + -> color_invariant0 (RedBlackTree_Node_Type.node_left ( * self))} + requires {[#"../red_black_tree.rs" 494 4 495 48] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red + -> color_invariant0 (RedBlackTree_Node_Type.node_right ( * self))} + requires {[#"../red_black_tree.rs" 496 4 496 110] RedBlackTree_Node_Type.node_color ( * self) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Red /\ color0 (RedBlackTree_Node_Type.node_left ( * self)) = RedBlackTree_Color_Type.C_Red + 
-> false} requires {[#"../red_black_tree.rs" 510 20 510 24] inv6 self} ensures { [#"../red_black_tree.rs" 497 14 497 42] same_mappings0 ( * self) ( ^ self) } ensures { [#"../red_black_tree.rs" 498 14 498 42] internal_invariant1 ( ^ self) } ensures { [#"../red_black_tree.rs" 499 14 499 50] height1 ( * self) = height1 ( ^ self) } - ensures { [#"../red_black_tree.rs" 500 4 501 34] color_invariant0 (RedBlackTree_Node_Type.node_left ( * self)) /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Black -> * self = ^ self } - ensures { [#"../red_black_tree.rs" 502 4 503 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self) -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } - ensures { [#"../red_black_tree.rs" 504 4 505 63] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } - ensures { [#"../red_black_tree.rs" 506 4 507 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } - ensures { [#"../red_black_tree.rs" 508 4 509 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) 
(RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } + ensures { [#"../red_black_tree.rs" 500 4 501 34] color_invariant0 (RedBlackTree_Node_Type.node_left ( * self)) /\ color0 (RedBlackTree_Node_Type.node_right ( * self)) = RedBlackTree_Color_Type.C_Black + -> * self = ^ self } + ensures { [#"../red_black_tree.rs" 502 4 503 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self) + -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } + ensures { [#"../red_black_tree.rs" 504 4 505 63] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } + ensures { [#"../red_black_tree.rs" 506 4 507 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( ^ self) } + ensures { [#"../red_black_tree.rs" 508 4 509 39] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * self) + -> match_n0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( ^ self) } val rotate_right0 
[#"../red_black_tree.rs" 412 4 412 30] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : () requires {[#"../red_black_tree.rs" 400 15 400 43] internal_invariant1 ( * self)} @@ -8840,11 +9675,11 @@ module RedBlackTree_Impl15_DeleteRec ensures { [#"../../../../creusot-contracts/src/std/mem.rs" 11 22 11 30] ^ x = * y } ensures { [#"../../../../creusot-contracts/src/std/mem.rs" 12 22 12 30] ^ y = * x } - predicate resolve5 (self : Ghost.ghost_ty ()) - val resolve5 (self : Ghost.ghost_ty ()) : bool + predicate resolve5 (self : Snapshot.snap_ty ()) + val resolve5 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve5 self } - use prelude.Ghost + use prelude.Snapshot use map.Map use map.Map function model_acc0 [#"../red_black_tree.rs" 49 4 52 47] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v) 
@@ -8878,7 +9713,10 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../red_black_tree.rs" 71 8 71 9] inv14 k} ensures { result = model_acc_has_mapping0 self accu k } - axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv7 self) -> ([#"../red_black_tree.rs" 70 8 70 12] inv21 accu) -> ([#"../red_black_tree.rs" 71 8 71 9] inv14 k) -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv11 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv7 self) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv21 accu) + -> ([#"../red_black_tree.rs" 71 8 71 9] inv14 k) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv11 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) function has_mapping_model_acc0 [#"../red_black_tree.rs" 89 4 91 33] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = 
@@ -8893,7 +9731,12 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../red_black_tree.rs" 89 81 89 82] inv14 k} ensures { result = has_mapping_model_acc0 self accu k } - axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 89 29 89 33] inv7 self) -> ([#"../red_black_tree.rs" 89 35 89 39] inv21 accu) -> ([#"../red_black_tree.rs" 89 81 89 82] inv14 k) -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv11 v -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) + axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 89 29 89 33] inv7 self) + -> ([#"../red_black_tree.rs" 89 35 89 39] inv21 accu) + -> ([#"../red_black_tree.rs" 89 81 89 82] inv14 k) + -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv11 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) function has_mapping_model0 [#"../red_black_tree.rs" 110 4 112 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) : () = 
@@ -8904,7 +9747,11 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../red_black_tree.rs" 110 31 110 32] inv14 k} ensures { result = has_mapping_model0 self k } - axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 110 25 110 29] inv7 self) -> ([#"../red_black_tree.rs" 110 31 110 32] inv14 k) -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv11 v -> has_mapping0 self k v = (Map.get (shallow_model0 self) k = Core_Option_Option_Type.C_Some v)) + axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 110 25 110 29] inv7 self) + -> ([#"../red_black_tree.rs" 110 31 110 32] inv14 k) + -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv11 v + -> has_mapping0 self k v = (Map.get (shallow_model0 self) k = Core_Option_Option_Type.C_Some v)) function has_mapping_inj0 [#"../red_black_tree.rs" 125 4 127 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) (v1 : v) (v2 : v) : () = 
@@ -8922,7 +9769,13 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../red_black_tree.rs" 125 55 125 57] inv11 v2} ensures { result = has_mapping_inj0 self k v1 v2 } - axiom has_mapping_inj0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0, v1 : v, v2 : v . ([#"../red_black_tree.rs" 121 15 121 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 122 15 122 38] has_mapping0 self k v1) -> ([#"../red_black_tree.rs" 123 15 123 38] has_mapping0 self k v2) -> ([#"../red_black_tree.rs" 125 23 125 27] inv7 self) -> ([#"../red_black_tree.rs" 125 29 125 30] inv14 k) -> ([#"../red_black_tree.rs" 125 48 125 50] inv11 v1) -> ([#"../red_black_tree.rs" 125 55 125 57] inv11 v2) -> ([#"../red_black_tree.rs" 124 14 124 22] v1 = v2) + axiom has_mapping_inj0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0, v1 : v, v2 : v . ([#"../red_black_tree.rs" 121 15 121 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 122 15 122 38] has_mapping0 self k v1) + -> ([#"../red_black_tree.rs" 123 15 123 38] has_mapping0 self k v2) + -> ([#"../red_black_tree.rs" 125 23 125 27] inv7 self) + -> ([#"../red_black_tree.rs" 125 29 125 30] inv14 k) + -> ([#"../red_black_tree.rs" 125 48 125 50] inv11 v1) + -> ([#"../red_black_tree.rs" 125 55 125 57] inv11 v2) -> ([#"../red_black_tree.rs" 124 14 124 22] v1 = v2) val delete_min_rec0 [#"../red_black_tree.rs" 696 4 696 42] (self : borrowed (RedBlackTree_Tree_Type.t_tree k v)) : (k, v) requires {[#"../red_black_tree.rs" 685 15 685 43] internal_invariant0 ( * self)} requires {[#"../red_black_tree.rs" 686 15 687 62] match_t0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) ( * self) \/ match_t0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self)} 
@@ -8930,10 +9783,14 @@ module RedBlackTree_Impl15_DeleteRec ensures { [#"../red_black_tree.rs" 688 14 688 42] internal_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 689 14 689 50] height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 690 14 690 66] has_mapping0 ( * self) (deep_model1 (let (a, _) = result in a)) (let (_, a) = result in a) } - ensures { [#"../red_black_tree.rs" 691 4 691 104] forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping0 ( * self) k v -> le_log0 (deep_model1 (let (a, _) = result in a)) k } - ensures { [#"../red_black_tree.rs" 692 4 693 73] forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping0 ( ^ self) k v = (deep_model1 (let (a, _) = result in a) <> k /\ has_mapping0 ( * self) k v) } + ensures { [#"../red_black_tree.rs" 691 4 691 104] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k -> has_mapping0 ( * self) k v -> le_log0 (deep_model1 (let (a, _) = result in a)) k } + ensures { [#"../red_black_tree.rs" 692 4 693 73] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k + -> has_mapping0 ( ^ self) k v = (deep_model1 (let (a, _) = result in a) <> k /\ has_mapping0 ( * self) k v) } ensures { [#"../red_black_tree.rs" 694 14 694 39] color_invariant0 ( ^ self) } - ensures { [#"../red_black_tree.rs" 695 4 695 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } + ensures { [#"../red_black_tree.rs" 695 4 695 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black + -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } ensures { [#"../red_black_tree.rs" 696 36 696 42] inv20 result } val move_red_right0 [#"../red_black_tree.rs" 571 4 571 45] (self : borrowed (RedBlackTree_Node_Type.t_node k v)) : borrowed (RedBlackTree_Node_Type.t_node k v) 
@@ -8942,14 +9799,24 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../red_black_tree.rs" 555 15 555 86] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)))) ( * self)} requires {[#"../red_black_tree.rs" 571 27 571 31] inv6 self} ensures { [#"../red_black_tree.rs" 556 14 556 44] internal_invariant1 ( * result) } - ensures { [#"../red_black_tree.rs" 557 4 559 48] internal_invariant1 ( ^ result) /\ height1 ( * result) = height1 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping1 ( ^ result) k v -> has_mapping1 ( * result) k v) -> internal_invariant1 ( ^ self) } - ensures { [#"../red_black_tree.rs" 560 4 560 97] height1 ( * result) = height1 ( ^ result) -> height1 ( * self) = height1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 557 4 559 48] internal_invariant1 ( ^ result) /\ height1 ( * result) = height1 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k -> has_mapping1 ( ^ result) k v -> has_mapping1 ( * result) k v) -> internal_invariant1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 560 4 560 97] height1 ( * result) = height1 ( ^ result) + -> height1 ( * self) = height1 ( ^ self) } ensures { [#"../red_black_tree.rs" 561 14 561 42] RedBlackTree_Node_Type.node_key ( * result) = RedBlackTree_Node_Type.node_key ( * self) } - ensures { [#"../red_black_tree.rs" 562 4 562 105] forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping1 ( * result) k v -> has_mapping1 ( * self) k v } - ensures { [#"../red_black_tree.rs" 563 4 564 47] forall v : v . forall k : deep_model_ty0 . 
inv11 v -> inv14 k -> has_mapping1 ( * self) k v /\ le_log0 (deep_model1 (RedBlackTree_Node_Type.node_key ( * self))) k -> has_mapping1 ( * result) k v } - ensures { [#"../red_black_tree.rs" 565 4 566 108] forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping1 ( ^ self) k v = (has_mapping1 ( ^ result) k v \/ has_mapping1 ( * self) k v /\ not has_mapping1 ( * result) k v) } + ensures { [#"../red_black_tree.rs" 562 4 562 105] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k -> has_mapping1 ( * result) k v -> has_mapping1 ( * self) k v } + ensures { [#"../red_black_tree.rs" 563 4 564 47] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k + -> has_mapping1 ( * self) k v /\ le_log0 (deep_model1 (RedBlackTree_Node_Type.node_key ( * self))) k + -> has_mapping1 ( * result) k v } + ensures { [#"../red_black_tree.rs" 565 4 566 108] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k + -> has_mapping1 ( ^ self) k v = (has_mapping1 ( ^ result) k v \/ has_mapping1 ( * self) k v /\ not has_mapping1 ( * result) k v) } ensures { [#"../red_black_tree.rs" 567 14 568 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * result) \/ match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * result) } - ensures { [#"../red_black_tree.rs" 569 4 570 45] color_invariant1 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_left ( * result)) = RedBlackTree_Color_Type.C_Black -> RedBlackTree_Node_Type.node_color ( ^ result) = RedBlackTree_Color_Type.C_Black) -> color_invariant1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 569 4 570 45] color_invariant1 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_left ( * result)) = RedBlackTree_Color_Type.C_Black + -> 
RedBlackTree_Node_Type.node_color ( ^ result) = RedBlackTree_Color_Type.C_Black) + -> color_invariant1 ( ^ self) } ensures { [#"../red_black_tree.rs" 571 36 571 45] inv6 result } predicate resolve4 (self : borrowed (RedBlackTree_Tree_Type.t_tree k v)) = 
@@ -8968,14 +9835,24 @@ module RedBlackTree_Impl15_DeleteRec requires {[#"../red_black_tree.rs" 526 15 526 86] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Red) (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * self)} requires {[#"../red_black_tree.rs" 542 26 542 30] inv6 self} ensures { [#"../red_black_tree.rs" 527 14 527 44] internal_invariant1 ( * result) } - ensures { [#"../red_black_tree.rs" 528 4 530 48] internal_invariant1 ( ^ result) /\ height1 ( * result) = height1 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping1 ( ^ result) k v -> has_mapping1 ( * result) k v) -> internal_invariant1 ( ^ self) } - ensures { [#"../red_black_tree.rs" 531 4 531 97] height1 ( * result) = height1 ( ^ result) -> height1 ( * self) = height1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 528 4 530 48] internal_invariant1 ( ^ result) /\ height1 ( * result) = height1 ( ^ result) /\ (forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k -> has_mapping1 ( ^ result) k v -> has_mapping1 ( * result) k v) -> internal_invariant1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 531 4 531 97] height1 ( * result) = height1 ( ^ result) + -> height1 ( * self) = height1 ( ^ self) } ensures { [#"../red_black_tree.rs" 532 14 532 42] RedBlackTree_Node_Type.node_key ( * self) = RedBlackTree_Node_Type.node_key ( * result) } - ensures { [#"../red_black_tree.rs" 533 4 533 105] forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping1 ( * result) k v -> has_mapping1 ( * self) k v } - ensures { [#"../red_black_tree.rs" 534 4 535 47] forall v : v . forall k : deep_model_ty0 . 
inv11 v -> inv14 k -> has_mapping1 ( * self) k v /\ le_log0 k (deep_model1 (RedBlackTree_Node_Type.node_key ( * self))) -> has_mapping1 ( * result) k v } - ensures { [#"../red_black_tree.rs" 536 4 537 108] forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping1 ( ^ self) k v = (has_mapping1 ( ^ result) k v \/ has_mapping1 ( * self) k v /\ not has_mapping1 ( * result) k v) } + ensures { [#"../red_black_tree.rs" 533 4 533 105] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k -> has_mapping1 ( * result) k v -> has_mapping1 ( * self) k v } + ensures { [#"../red_black_tree.rs" 534 4 535 47] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k + -> has_mapping1 ( * self) k v /\ le_log0 k (deep_model1 (RedBlackTree_Node_Type.node_key ( * self))) + -> has_mapping1 ( * result) k v } + ensures { [#"../red_black_tree.rs" 536 4 537 108] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k + -> has_mapping1 ( ^ self) k v = (has_mapping1 ( ^ result) k v \/ has_mapping1 ( * self) k v /\ not has_mapping1 ( * result) k v) } ensures { [#"../red_black_tree.rs" 538 14 539 61] match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black))) ( * result) \/ match_n0 (cpn0 (RedBlackTree_Color_Type.C_Black) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red)) (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Red))) ( * result) } - ensures { [#"../red_black_tree.rs" 540 4 541 45] color_invariant1 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_right ( * result)) = RedBlackTree_Color_Type.C_Black -> RedBlackTree_Node_Type.node_color ( ^ result) = RedBlackTree_Color_Type.C_Black) -> color_invariant1 ( ^ self) } + ensures { [#"../red_black_tree.rs" 540 4 541 45] color_invariant1 ( ^ result) /\ (color0 (RedBlackTree_Node_Type.node_right ( * result)) = RedBlackTree_Color_Type.C_Black + -> 
RedBlackTree_Node_Type.node_color ( ^ result) = RedBlackTree_Color_Type.C_Black) + -> color_invariant1 ( ^ self) } ensures { [#"../red_black_tree.rs" 542 35 542 44] inv6 result } predicate resolve2 (self : RedBlackTree_Node_Type.t_node k v) @@ -8990,7 +9867,8 @@ module RedBlackTree_Impl15_DeleteRec val as_ref0 (self : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)) : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v) requires {inv17 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 58 16 58 60] self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 58 16 58 60] self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 59 16 61 18] self = Core_Option_Option_Type.C_None \/ (exists r : RedBlackTree_Node_Type.t_node k v . inv4 r /\ result = Core_Option_Option_Type.C_Some r /\ self = Core_Option_Option_Type.C_Some r) } ensures { inv19 result } 
@@ -9030,7 +9908,8 @@ module RedBlackTree_Impl15_DeleteRec val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)) requires {inv13 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (RedBlackTree_Node_Type.t_node k v) . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv16 result } 
@@ -9042,12 +9921,14 @@ module RedBlackTree_Impl15_DeleteRec ensures { [#"../red_black_tree.rs" 739 14 739 42] internal_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 740 14 740 50] height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 741 14 744 5] match result with - | Core_Option_Option_Type.C_None -> forall v : v . inv11 v -> not has_mapping0 ( * self) (deep_model0 key) v + | Core_Option_Option_Type.C_None -> forall v : v . inv11 v -> not has_mapping0 ( * self) (deep_model0 key) v | Core_Option_Option_Type.C_Some (k, v) -> deep_model0 key = deep_model1 k /\ has_mapping0 ( * self) (deep_model1 k) v end } - ensures { [#"../red_black_tree.rs" 745 4 745 129] forall v : v . forall k : deep_model_ty0 . inv11 v -> inv14 k -> has_mapping0 ( ^ self) k v = (deep_model0 key <> k /\ has_mapping0 ( * self) k v) } + ensures { [#"../red_black_tree.rs" 745 4 745 129] forall v : v . forall k : deep_model_ty0 . inv11 v + -> inv14 k -> has_mapping0 ( ^ self) k v = (deep_model0 key <> k /\ has_mapping0 ( * self) k v) } ensures { [#"../red_black_tree.rs" 746 14 746 39] color_invariant0 ( ^ self) } - ensures { [#"../red_black_tree.rs" 747 4 747 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } + ensures { [#"../red_black_tree.rs" 747 4 747 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black + -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } ensures { [#"../red_black_tree.rs" 748 41 748 55] inv15 result } = [@vc:do_not_keep_trace] [@vc:sp] @@ -9085,6 +9966,7 @@ module RedBlackTree_Impl15_DeleteRec var _57 : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v); var _58 : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)); var _59 : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)); + var _60 : (k, v); var _63 : (); var _64 : bool; var _66 : RedBlackTree_Node_Type.t_node k v; 
@@ -9094,7 +9976,7 @@ module RedBlackTree_Impl15_DeleteRec var _71 : borrowed (RedBlackTree_Node_Type.t_node k v); var kv : (k, v); var _74 : borrowed (RedBlackTree_Tree_Type.t_tree k v); - var _75 : Ghost.ghost_ty (); + var _75 : Snapshot.snap_ty (); var _77 : (); var _78 : borrowed k; var _79 : borrowed k; @@ -9105,6 +9987,7 @@ module RedBlackTree_Impl15_DeleteRec var _84 : borrowed v; var _85 : borrowed v; var _86 : borrowed v; + var _87 : Core_Option_Option_Type.t_option (k, v); var _89 : Core_Option_Option_Type.t_option (k, v); var _90 : borrowed (RedBlackTree_Tree_Type.t_tree k v); var _92 : (); @@ -9136,10 +10019,10 @@ module RedBlackTree_Impl15_DeleteRec BB3 { assert { [@expl:type invariant] inv2 _14 }; assume { resolve0 _14 }; - [#"../red_black_tree.rs" 751 22 751 31] _21 <- ([#"../red_black_tree.rs" 751 22 751 31] RedBlackTree_Node_Type.node_key ( * node)); + [#"../red_black_tree.rs" 751 22 751 31] _21 <- RedBlackTree_Node_Type.node_key ( * node); assert { [@expl:type invariant] inv3 _21 }; assume { resolve1 _21 }; - [#"../red_black_tree.rs" 751 14 751 32] _18 <- ([#"../red_black_tree.rs" 751 14 751 32] cmp0 ([#"../red_black_tree.rs" 751 14 751 17] key) ([#"../red_black_tree.rs" 751 22 751 31] _21)); + [#"../red_black_tree.rs" 751 14 751 32] _18 <- ([#"../red_black_tree.rs" 751 14 751 32] cmp0 key _21); goto BB4 } BB4 { 
@@ -9152,12 +10035,12 @@ module RedBlackTree_Impl15_DeleteRec goto BB7 } BB6 { - [#"../red_black_tree.rs" 761 12 761 15] ord <- ([#"../red_black_tree.rs" 761 12 761 15] _18); - [#"../red_black_tree.rs" 762 19 762 37] _42 <- ([#"../red_black_tree.rs" 762 19 762 37] is_red0 ([#"../red_black_tree.rs" 762 19 762 28] RedBlackTree_Node_Type.node_left ( * node))); + [#"../red_black_tree.rs" 761 12 761 15] ord <- _18; + [#"../red_black_tree.rs" 762 19 762 37] _42 <- ([#"../red_black_tree.rs" 762 19 762 37] is_red0 (RedBlackTree_Node_Type.node_left ( * node))); goto BB26 } BB7 { - [#"../red_black_tree.rs" 753 19 753 43] _24 <- ([#"../red_black_tree.rs" 753 19 753 43] is_none0 ([#"../red_black_tree.rs" 753 19 753 33] RedBlackTree_Tree_Type.tree_node (RedBlackTree_Node_Type.node_left ( * node)))); + [#"../red_black_tree.rs" 753 19 753 43] _24 <- ([#"../red_black_tree.rs" 753 19 753 43] is_none0 (RedBlackTree_Tree_Type.tree_node (RedBlackTree_Node_Type.node_left ( * node)))); goto BB8 } BB8 { @@ -9173,11 +10056,11 @@ module RedBlackTree_Impl15_DeleteRec assume { resolve1 key }; assert { [@expl:type invariant] inv8 self }; assume { resolve4 self }; - [#"../red_black_tree.rs" 754 27 754 31] _0 <- ([#"../red_black_tree.rs" 754 27 754 31] Core_Option_Option_Type.C_None); + [#"../red_black_tree.rs" 754 27 754 31] _0 <- Core_Option_Option_Type.C_None; goto BB74 } BB10 { - [#"../red_black_tree.rs" 756 20 756 38] _28 <- ([#"../red_black_tree.rs" 756 20 756 38] is_red0 ([#"../red_black_tree.rs" 756 20 756 29] RedBlackTree_Node_Type.node_left ( * node))); + [#"../red_black_tree.rs" 756 20 756 38] _28 <- ([#"../red_black_tree.rs" 756 20 756 38] is_red0 (RedBlackTree_Node_Type.node_left ( * node))); goto BB11 } BB11 { 
@@ -9190,7 +10073,7 @@ module RedBlackTree_Impl15_DeleteRec goto BB20 } BB13 { - [#"../red_black_tree.rs" 756 43 756 66] _33 <- ([#"../red_black_tree.rs" 756 43 756 66] as_ref0 ([#"../red_black_tree.rs" 756 43 756 57] RedBlackTree_Tree_Type.tree_node (RedBlackTree_Node_Type.node_left ( * node)))); + [#"../red_black_tree.rs" 756 43 756 66] _33 <- ([#"../red_black_tree.rs" 756 43 756 66] as_ref0 (RedBlackTree_Tree_Type.tree_node (RedBlackTree_Node_Type.node_left ( * node)))); goto BB14 } BB14 { @@ -9201,7 +10084,7 @@ module RedBlackTree_Impl15_DeleteRec BB15 { assert { [@expl:type invariant] inv4 _32 }; assume { resolve2 _32 }; - [#"../red_black_tree.rs" 756 43 756 89] _30 <- ([#"../red_black_tree.rs" 756 43 756 89] is_red0 ([#"../red_black_tree.rs" 756 43 756 80] RedBlackTree_Node_Type.node_left _32)); + [#"../red_black_tree.rs" 756 43 756 89] _30 <- ([#"../red_black_tree.rs" 756 43 756 89] is_red0 (RedBlackTree_Node_Type.node_left _32)); goto BB16 } BB16 { @@ -9227,8 +10110,8 @@ module RedBlackTree_Impl15_DeleteRec assume { inv5 ( ^ _35) }; assert { [@expl:type invariant] inv6 node }; assume { resolve3 node }; - [#"../red_black_tree.rs" 757 20 757 47] node <- ([#"../red_black_tree.rs" 757 20 757 47] _35); - [#"../red_black_tree.rs" 757 20 757 47] _35 <- any borrowed (RedBlackTree_Node_Type.t_node k v); + [#"../red_black_tree.rs" 757 20 757 47] node <- _35; + _35 <- any borrowed (RedBlackTree_Node_Type.t_node k v); assert { [@expl:type invariant] inv6 _36 }; assume { resolve3 _36 }; [#"../red_black_tree.rs" 756 90 758 17] _27 <- ([#"../red_black_tree.rs" 756 90 758 17] ()); 
@@ -9244,7 +10127,7 @@ module RedBlackTree_Impl15_DeleteRec assume { inv7 ( ^ _39) }; assert { [@expl:type invariant] inv3 key }; assume { resolve1 key }; - [#"../red_black_tree.rs" 759 20 759 45] _38 <- ([#"../red_black_tree.rs" 759 20 759 45] delete_rec _39 ([#"../red_black_tree.rs" 759 41 759 44] key)); + [#"../red_black_tree.rs" 759 20 759 45] _38 <- ([#"../red_black_tree.rs" 759 20 759 45] delete_rec _39 key); _39 <- any borrowed (RedBlackTree_Tree_Type.t_tree k v); goto BB22 } @@ -9252,8 +10135,8 @@ module RedBlackTree_Impl15_DeleteRec goto BB23 } BB23 { - [#"../red_black_tree.rs" 759 16 759 17] r <- ([#"../red_black_tree.rs" 759 16 759 17] _38); - [#"../red_black_tree.rs" 759 16 759 17] _38 <- any Core_Option_Option_Type.t_option (k, v); + [#"../red_black_tree.rs" 759 16 759 17] r <- _38; + _38 <- any Core_Option_Option_Type.t_option (k, v); [#"../red_black_tree.rs" 759 16 759 45] _17 <- ([#"../red_black_tree.rs" 759 16 759 45] ()); goto BB25 } @@ -9280,7 +10163,7 @@ module RedBlackTree_Impl15_DeleteRec assume { inv7 ( ^ _47) }; assert { [@expl:type invariant] inv3 key }; assume { resolve1 key }; - [#"../red_black_tree.rs" 764 24 764 50] _46 <- ([#"../red_black_tree.rs" 764 24 764 50] delete_rec _47 ([#"../red_black_tree.rs" 764 46 764 49] key)); + [#"../red_black_tree.rs" 764 24 764 50] _46 <- ([#"../red_black_tree.rs" 764 24 764 50] delete_rec _47 key); _47 <- any borrowed (RedBlackTree_Tree_Type.t_tree k v); goto BB29 } @@ -9288,8 +10171,8 @@ module RedBlackTree_Impl15_DeleteRec goto BB30 } BB30 { - [#"../red_black_tree.rs" 764 20 764 21] r <- ([#"../red_black_tree.rs" 764 20 764 21] _46); - [#"../red_black_tree.rs" 764 20 764 21] _46 <- any Core_Option_Option_Type.t_option (k, v); + [#"../red_black_tree.rs" 764 20 764 21] r <- _46; + _46 <- any Core_Option_Option_Type.t_option (k, v); [#"../red_black_tree.rs" 764 20 764 50] _17 <- ([#"../red_black_tree.rs" 764 20 764 50] ()); goto BB32 } 
@@ -9297,7 +10180,7 @@ module RedBlackTree_Impl15_DeleteRec goto BB68 } BB33 { - [#"../red_black_tree.rs" 766 23 766 48] _50 <- ([#"../red_black_tree.rs" 766 23 766 48] is_none0 ([#"../red_black_tree.rs" 766 23 766 38] RedBlackTree_Tree_Type.tree_node (RedBlackTree_Node_Type.node_right ( * node)))); + [#"../red_black_tree.rs" 766 23 766 48] _50 <- ([#"../red_black_tree.rs" 766 23 766 48] is_none0 (RedBlackTree_Tree_Type.tree_node (RedBlackTree_Node_Type.node_right ( * node)))); goto BB34 } BB34 { @@ -9322,7 +10205,7 @@ module RedBlackTree_Impl15_DeleteRec BB37 { assert { [@expl:type invariant] inv8 self }; assume { resolve4 self }; - [#"../red_black_tree.rs" 768 35 768 39] _0 <- ([#"../red_black_tree.rs" 768 35 768 39] Core_Option_Option_Type.C_None); + [#"../red_black_tree.rs" 768 35 768 39] _0 <- Core_Option_Option_Type.C_None; goto BB73 } BB38 { 
@@ -9348,22 +10231,24 @@ module RedBlackTree_Impl15_DeleteRec BB40 { assert { [@expl:type invariant] inv1 node1 }; assume { resolve9 node1 }; + [#"../red_black_tree.rs" 771 36 771 56] _60 <- (RedBlackTree_Node_Type.node_key node1, RedBlackTree_Node_Type.node_val node1); + node1 <- (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = node1 in RedBlackTree_Node_Type.C_Node x0 x1 (any k) x3 x4); + node1 <- (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = node1 in RedBlackTree_Node_Type.C_Node x0 x1 x2 (any v) x4); goto BB41 } BB41 { goto BB42 } BB42 { - [#"../red_black_tree.rs" 771 31 771 57] _0 <- ([#"../red_black_tree.rs" 771 31 771 57] Core_Option_Option_Type.C_Some ([#"../red_black_tree.rs" 771 36 771 56] (([#"../red_black_tree.rs" 771 37 771 45] RedBlackTree_Node_Type.node_key node1), ([#"../red_black_tree.rs" 771 47 771 55] RedBlackTree_Node_Type.node_val node1)))); - [#"../red_black_tree.rs" 771 37 771 45] node1 <- (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = node1 in RedBlackTree_Node_Type.C_Node x0 x1 (any k) x3 x4); - [#"../red_black_tree.rs" 771 47 771 55] node1 <- (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = node1 in RedBlackTree_Node_Type.C_Node x0 x1 x2 (any v) x4); + [#"../red_black_tree.rs" 771 31 771 57] _0 <- Core_Option_Option_Type.C_Some _60; + _60 <- any (k, v); goto BB43 } BB43 { goto BB72 } BB44 { - [#"../red_black_tree.rs" 773 24 773 48] _67 <- ([#"../red_black_tree.rs" 773 24 773 48] as_ref0 ([#"../red_black_tree.rs" 773 24 773 39] RedBlackTree_Tree_Type.tree_node (RedBlackTree_Node_Type.node_right ( * node)))); + [#"../red_black_tree.rs" 773 24 773 48] _67 <- ([#"../red_black_tree.rs" 773 24 773 48] as_ref0 (RedBlackTree_Tree_Type.tree_node (RedBlackTree_Node_Type.node_right ( * node)))); goto BB45 } BB45 { 
@@ -9374,7 +10259,7 @@ module RedBlackTree_Impl15_DeleteRec BB46 { assert { [@expl:type invariant] inv4 _66 }; assume { resolve2 _66 }; - [#"../red_black_tree.rs" 773 24 773 71] _64 <- ([#"../red_black_tree.rs" 773 24 773 71] is_red0 ([#"../red_black_tree.rs" 773 24 773 62] RedBlackTree_Node_Type.node_left _66)); + [#"../red_black_tree.rs" 773 24 773 71] _64 <- ([#"../red_black_tree.rs" 773 24 773 71] is_red0 (RedBlackTree_Node_Type.node_left _66)); goto BB47 } BB47 { @@ -9401,8 +10286,8 @@ module RedBlackTree_Impl15_DeleteRec assume { inv5 ( ^ _69) }; assert { [@expl:type invariant] inv6 node }; assume { resolve3 node }; - [#"../red_black_tree.rs" 774 24 774 52] node <- ([#"../red_black_tree.rs" 774 24 774 52] _69); - [#"../red_black_tree.rs" 774 24 774 52] _69 <- any borrowed (RedBlackTree_Node_Type.t_node k v); + [#"../red_black_tree.rs" 774 24 774 52] node <- _69; + _69 <- any borrowed (RedBlackTree_Node_Type.t_node k v); assert { [@expl:type invariant] inv6 _70 }; assume { resolve3 _70 }; [#"../red_black_tree.rs" 773 72 775 21] _63 <- ([#"../red_black_tree.rs" 773 72 775 21] ()); @@ -9428,7 +10313,7 @@ module RedBlackTree_Impl15_DeleteRec goto BB54 } BB54 { - [#"../red_black_tree.rs" 778 24 778 53] _75 <- ([#"../red_black_tree.rs" 778 24 778 53] Ghost.new ()); + [#"../red_black_tree.rs" 778 24 778 59] _75 <- ([#"../red_black_tree.rs" 778 24 778 59] Snapshot.new ()); goto BB55 } BB55 { 
@@ -9477,14 +10362,16 @@ module RedBlackTree_Impl15_DeleteRec assume { resolve7 _86 }; assert { [@expl:type invariant] inv12 _84 }; assume { resolve7 _84 }; + [#"../red_black_tree.rs" 781 28 781 36] _87 <- Core_Option_Option_Type.C_Some kv; + kv <- any (k, v); goto BB58 } BB58 { goto BB59 } BB59 { - [#"../red_black_tree.rs" 781 24 781 25] r <- ([#"../red_black_tree.rs" 781 28 781 36] Core_Option_Option_Type.C_Some ([#"../red_black_tree.rs" 781 33 781 35] kv)); - [#"../red_black_tree.rs" 781 33 781 35] kv <- any (k, v); + [#"../red_black_tree.rs" 781 24 781 25] r <- _87; + _87 <- any Core_Option_Option_Type.t_option (k, v); [#"../red_black_tree.rs" 781 24 781 36] _17 <- ([#"../red_black_tree.rs" 781 24 781 36] ()); goto BB61 } @@ -9500,7 +10387,7 @@ module RedBlackTree_Impl15_DeleteRec assume { inv7 ( ^ _90) }; assert { [@expl:type invariant] inv3 key }; assume { resolve1 key }; - [#"../red_black_tree.rs" 783 28 783 54] _89 <- ([#"../red_black_tree.rs" 783 28 783 54] delete_rec _90 ([#"../red_black_tree.rs" 783 50 783 53] key)); + [#"../red_black_tree.rs" 783 28 783 54] _89 <- ([#"../red_black_tree.rs" 783 28 783 54] delete_rec _90 key); _90 <- any borrowed (RedBlackTree_Tree_Type.t_tree k v); goto BB64 } @@ -9508,8 +10395,8 @@ module RedBlackTree_Impl15_DeleteRec goto BB65 } BB65 { - [#"../red_black_tree.rs" 783 24 783 25] r <- ([#"../red_black_tree.rs" 783 24 783 25] _89); - [#"../red_black_tree.rs" 783 24 783 25] _89 <- any Core_Option_Option_Type.t_option (k, v); + [#"../red_black_tree.rs" 783 24 783 25] r <- _89; + _89 <- any Core_Option_Option_Type.t_option (k, v); [#"../red_black_tree.rs" 783 24 783 54] _17 <- ([#"../red_black_tree.rs" 783 24 783 54] ()); goto BB67 } 
@@ -9532,8 +10419,8 @@ module RedBlackTree_Impl15_DeleteRec assume { resolve3 node }; assert { [@expl:type invariant] inv8 self }; assume { resolve4 self }; - [#"../red_black_tree.rs" 789 8 789 9] _0 <- ([#"../red_black_tree.rs" 789 8 789 9] r); - [#"../red_black_tree.rs" 789 8 789 9] r <- any Core_Option_Option_Type.t_option (k, v); + [#"../red_black_tree.rs" 789 8 789 9] _0 <- r; + r <- any Core_Option_Option_Type.t_option (k, v); goto BB71 } BB71 { @@ -9575,7 +10462,9 @@ module RedBlackTree_Impl15_Delete requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv8 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -9583,7 +10472,10 @@ module RedBlackTree_Impl15_Delete requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv8 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -9591,7 +10483,10 @@ module RedBlackTree_Impl15_Delete requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv8 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -9602,13 +10497,19 @@ module RedBlackTree_Impl15_Delete requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv8 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv8 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv8 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv8 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -9619,7 +10520,9 @@ module RedBlackTree_Impl15_Delete requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv8 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -9630,7 +10533,9 @@ module RedBlackTree_Impl15_Delete requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv8 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -9641,7 +10546,9 @@ module RedBlackTree_Impl15_Delete requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv8 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -9652,7 +10559,9 @@ module RedBlackTree_Impl15_Delete requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv8 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use Core_Option_Option_Type as Core_Option_Option_Type use map.Map predicate invariant13 (self : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) @@ -9845,7 +10754,8 @@ module RedBlackTree_Impl15_Delete requires {[#"../red_black_tree.rs" 296 14 296 18] inv4 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv4 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv4 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) predicate height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) = [#"../red_black_tree.rs" 339 20 339 61] height0 (RedBlackTree_Node_Type.node_left self) = height0 (RedBlackTree_Node_Type.node_right self) val height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) : bool 
@@ -9870,7 +10780,13 @@ module RedBlackTree_Impl15_Delete ensures { result = has_mapping0 self k v } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv9 v -> inv8 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv9 v -> inv8 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv8 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model0 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv8 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model0 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } @@ -9892,7 +10808,7 @@ module RedBlackTree_Impl15_Delete val invariant0 [#"../red_black_tree.rs" 364 4 364 34] (self : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = invariant0 self } - use prelude.Ghost + use prelude.Snapshot val unwrap0 (self : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v))) : borrowed (RedBlackTree_Node_Type.t_node k v) requires {[#"../../../../creusot-contracts/src/std/option.rs" 29 0 126 1] self <> Core_Option_Option_Type.C_None} requires {inv11 self} 
@@ -9901,7 +10817,8 @@ module RedBlackTree_Impl15_Delete val as_mut0 (self : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v))) : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)) requires {inv3 self} - ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } + ensures { [#"../../../../creusot-contracts/src/std/option.rs" 51 16 51 77] * self = Core_Option_Option_Type.C_None + -> result = Core_Option_Option_Type.C_None /\ ^ self = Core_Option_Option_Type.C_None } ensures { [#"../../../../creusot-contracts/src/std/option.rs" 52 16 55 18] * self = Core_Option_Option_Type.C_None \/ (exists r : borrowed (RedBlackTree_Node_Type.t_node k v) . inv2 r /\ result = Core_Option_Option_Type.C_Some r /\ * self = Core_Option_Option_Type.C_Some ( * r) /\ ^ self = Core_Option_Option_Type.C_Some ( ^ r)) } ensures { inv11 result } 
@@ -9936,12 +10853,14 @@ module RedBlackTree_Impl15_Delete ensures { [#"../red_black_tree.rs" 739 14 739 42] internal_invariant0 ( ^ self) } ensures { [#"../red_black_tree.rs" 740 14 740 50] height0 ( * self) = height0 ( ^ self) } ensures { [#"../red_black_tree.rs" 741 14 744 5] match result with - | Core_Option_Option_Type.C_None -> forall v : v . inv9 v -> not has_mapping0 ( * self) (deep_model1 key) v + | Core_Option_Option_Type.C_None -> forall v : v . inv9 v -> not has_mapping0 ( * self) (deep_model1 key) v | Core_Option_Option_Type.C_Some (k, v) -> deep_model1 key = deep_model0 k /\ has_mapping0 ( * self) (deep_model0 k) v end } - ensures { [#"../red_black_tree.rs" 745 4 745 129] forall v : v . forall k : deep_model_ty0 . inv9 v -> inv8 k -> has_mapping0 ( ^ self) k v = (deep_model1 key <> k /\ has_mapping0 ( * self) k v) } + ensures { [#"../red_black_tree.rs" 745 4 745 129] forall v : v . forall k : deep_model_ty0 . inv9 v + -> inv8 k -> has_mapping0 ( ^ self) k v = (deep_model1 key <> k /\ has_mapping0 ( * self) k v) } ensures { [#"../red_black_tree.rs" 746 14 746 39] color_invariant0 ( ^ self) } - ensures { [#"../red_black_tree.rs" 747 4 747 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } + ensures { [#"../red_black_tree.rs" 747 4 747 69] color0 ( * self) = RedBlackTree_Color_Type.C_Black + -> color0 ( ^ self) = RedBlackTree_Color_Type.C_Black } ensures { [#"../red_black_tree.rs" 748 41 748 55] inv7 result } predicate resolve3 (self : k) 
@@ -9962,11 +10881,11 @@ module RedBlackTree_Impl15_Delete requires {[#"../red_black_tree.rs" 388 15 388 19] inv10 self} ensures { [#"../red_black_tree.rs" 387 14 387 45] result = (color0 self = RedBlackTree_Color_Type.C_Red) } - predicate resolve0 (self : Ghost.ghost_ty ()) - val resolve0 (self : Ghost.ghost_ty ()) : bool + predicate resolve0 (self : Snapshot.snap_ty ()) + val resolve0 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot function model_acc_has_mapping0 [#"../red_black_tree.rs" 68 4 72 5] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = 
@@ -9980,7 +10899,10 @@ module RedBlackTree_Impl15_Delete requires {[#"../red_black_tree.rs" 71 8 71 9] inv8 k} ensures { result = model_acc_has_mapping0 self accu k } - axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv4 self) -> ([#"../red_black_tree.rs" 70 8 70 12] inv12 accu) -> ([#"../red_black_tree.rs" 71 8 71 9] inv8 k) -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv9 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv4 self) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv12 accu) + -> ([#"../red_black_tree.rs" 71 8 71 9] inv8 k) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv9 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) function has_mapping_model_acc0 [#"../red_black_tree.rs" 89 4 91 33] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = 
@@ -9995,7 +10917,12 @@ module RedBlackTree_Impl15_Delete requires {[#"../red_black_tree.rs" 89 81 89 82] inv8 k} ensures { result = has_mapping_model_acc0 self accu k } - axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 89 29 89 33] inv4 self) -> ([#"../red_black_tree.rs" 89 35 89 39] inv12 accu) -> ([#"../red_black_tree.rs" 89 81 89 82] inv8 k) -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv9 v -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) + axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 89 29 89 33] inv4 self) + -> ([#"../red_black_tree.rs" 89 35 89 39] inv12 accu) + -> ([#"../red_black_tree.rs" 89 81 89 82] inv8 k) + -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv9 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) function has_mapping_model0 [#"../red_black_tree.rs" 110 4 112 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) : () = 
@@ -10006,7 +10933,11 @@ module RedBlackTree_Impl15_Delete requires {[#"../red_black_tree.rs" 110 31 110 32] inv8 k} ensures { result = has_mapping_model0 self k } - axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 110 25 110 29] inv4 self) -> ([#"../red_black_tree.rs" 110 31 110 32] inv8 k) -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv9 v -> has_mapping0 self k v = (Map.get (shallow_model1 self) k = Core_Option_Option_Type.C_Some v)) + axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 110 25 110 29] inv4 self) + -> ([#"../red_black_tree.rs" 110 31 110 32] inv8 k) + -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv9 v + -> has_mapping0 self k v = (Map.get (shallow_model1 self) k = Core_Option_Option_Type.C_Some v)) let rec cfg delete [#"../red_black_tree.rs" 800 4 800 55] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (RedBlackTree_Tree_Type.t_tree k v)) (key : k) : Core_Option_Option_Type.t_option (k, v) requires {[#"../red_black_tree.rs" 792 15 792 34] invariant0 ( * self)} requires {[#"../red_black_tree.rs" 800 23 800 27] inv6 self} 
@@ -10023,15 +10954,17 @@ module RedBlackTree_Impl15_Delete var _0 : Core_Option_Option_Type.t_option (k, v); var self : borrowed (RedBlackTree_Tree_Type.t_tree k v) = self; var key : k = key; - var _7 : Ghost.ghost_ty (); + var _7 : Snapshot.snap_ty (); var _9 : (); var _10 : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)); var node : borrowed (RedBlackTree_Node_Type.t_node k v); var _13 : bool; + var _15 : RedBlackTree_Color_Type.t_color; var r : Core_Option_Option_Type.t_option (k, v); var _18 : borrowed (RedBlackTree_Tree_Type.t_tree k v); var _20 : (); var _21 : bool; + var _23 : RedBlackTree_Color_Type.t_color; var _24 : borrowed (RedBlackTree_Node_Type.t_node k v); var _25 : Core_Option_Option_Type.t_option (borrowed (RedBlackTree_Node_Type.t_node k v)); var _26 : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)); @@ -10039,7 +10972,7 @@ module RedBlackTree_Impl15_Delete goto BB0 } BB0 { - [#"../red_black_tree.rs" 801 8 801 39] _7 <- ([#"../red_black_tree.rs" 801 8 801 39] Ghost.new ()); + [#"../red_black_tree.rs" 801 8 801 45] _7 <- ([#"../red_black_tree.rs" 801 8 801 45] Snapshot.new ()); goto BB1 } BB1 { @@ -10059,7 +10992,7 @@ module RedBlackTree_Impl15_Delete [#"../red_black_tree.rs" 803 20 803 24] node <- Borrow.borrow_final (Core_Option_Option_Type.some_0 ( * _10)) (Borrow.inherit_id (Borrow.get_id _10) 1); [#"../red_black_tree.rs" 803 20 803 24] _10 <- { _10 with current = (let Core_Option_Option_Type.C_Some x0 = * _10 in Core_Option_Option_Type.C_Some ( ^ node)) ; }; assume { inv1 ( ^ node) }; - [#"../red_black_tree.rs" 804 16 804 34] _13 <- ([#"../red_black_tree.rs" 804 16 804 34] is_red0 ([#"../red_black_tree.rs" 804 16 804 25] RedBlackTree_Node_Type.node_left ( * node))); + [#"../red_black_tree.rs" 804 16 804 34] _13 <- ([#"../red_black_tree.rs" 804 16 804 34] is_red0 (RedBlackTree_Node_Type.node_left ( * node))); goto BB4 } BB4 { 
@@ -10077,7 +11010,9 @@ module RedBlackTree_Impl15_Delete goto BB7 } BB6 { - [#"../red_black_tree.rs" 805 16 805 32] node <- { node with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * node in RedBlackTree_Node_Type.C_Node x0 ([#"../red_black_tree.rs" 805 29 805 32] RedBlackTree_Color_Type.C_Red) x2 x3 x4) ; }; + [#"../red_black_tree.rs" 805 29 805 32] _15 <- RedBlackTree_Color_Type.C_Red; + [#"../red_black_tree.rs" 805 16 805 32] node <- { node with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * node in RedBlackTree_Node_Type.C_Node x0 _15 x2 x3 x4) ; }; + _15 <- any RedBlackTree_Color_Type.t_color; assert { [@expl:type invariant] inv2 node }; assume { resolve1 node }; assert { [@expl:type invariant] inv3 _10 }; @@ -10091,7 +11026,7 @@ module RedBlackTree_Impl15_Delete assume { inv4 ( ^ _18) }; assert { [@expl:type invariant] inv5 key }; assume { resolve3 key }; - [#"../red_black_tree.rs" 810 16 810 36] r <- ([#"../red_black_tree.rs" 810 16 810 36] delete_rec0 _18 ([#"../red_black_tree.rs" 810 32 810 35] key)); + [#"../red_black_tree.rs" 810 16 810 36] r <- ([#"../red_black_tree.rs" 810 16 810 36] delete_rec0 _18 key); _18 <- any borrowed (RedBlackTree_Tree_Type.t_tree k v); goto BB9 } @@ -10100,13 +11035,13 @@ module RedBlackTree_Impl15_Delete assume { resolve2 _10 }; assert { [@expl:type invariant] inv5 key }; assume { resolve3 key }; - [#"../red_black_tree.rs" 808 19 808 23] _0 <- ([#"../red_black_tree.rs" 808 19 808 23] Core_Option_Option_Type.C_None); + [#"../red_black_tree.rs" 808 19 808 23] _0 <- Core_Option_Option_Type.C_None; assert { [@expl:type invariant] inv6 self }; assume { resolve4 self }; goto BB17 } BB9 { - [#"../red_black_tree.rs" 811 11 811 24] _21 <- ([#"../red_black_tree.rs" 811 11 811 24] is_red0 ([#"../red_black_tree.rs" 811 11 811 15] * self)); + [#"../red_black_tree.rs" 811 11 811 24] _21 <- ([#"../red_black_tree.rs" 811 11 811 24] is_red0 ( * self)); goto BB10 } BB10 { 
@@ -10116,6 +11051,7 @@ module RedBlackTree_Impl15_Delete end } BB11 { + [#"../red_black_tree.rs" 812 48 812 53] _23 <- RedBlackTree_Color_Type.C_Black; [#"../red_black_tree.rs" 812 12 812 21] _26 <- Borrow.borrow_final (RedBlackTree_Tree_Type.tree_node ( * self)) (Borrow.inherit_id (Borrow.get_id self) 1); [#"../red_black_tree.rs" 812 12 812 21] self <- { self with current = (let RedBlackTree_Tree_Type.C_Tree x0 = * self in RedBlackTree_Tree_Type.C_Tree ( ^ _26)) ; }; assume { inv0 ( ^ _26) }; @@ -10129,7 +11065,8 @@ module RedBlackTree_Impl15_Delete goto BB13 } BB13 { - [#"../red_black_tree.rs" 812 12 812 53] _24 <- { _24 with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * _24 in RedBlackTree_Node_Type.C_Node x0 ([#"../red_black_tree.rs" 812 48 812 53] RedBlackTree_Color_Type.C_Black) x2 x3 x4) ; }; + [#"../red_black_tree.rs" 812 12 812 53] _24 <- { _24 with current = (let RedBlackTree_Node_Type.C_Node x0 x1 x2 x3 x4 = * _24 in RedBlackTree_Node_Type.C_Node x0 _23 x2 x3 x4) ; }; + _23 <- any RedBlackTree_Color_Type.t_color; assert { [@expl:type invariant] inv2 _24 }; assume { resolve1 _24 }; assert { [@expl:type invariant] inv6 self }; @@ -10144,8 +11081,8 @@ module RedBlackTree_Impl15_Delete goto BB15 } BB15 { - [#"../red_black_tree.rs" 814 8 814 9] _0 <- ([#"../red_black_tree.rs" 814 8 814 9] r); - [#"../red_black_tree.rs" 814 8 814 9] r <- any Core_Option_Option_Type.t_option (k, v); + [#"../red_black_tree.rs" 814 8 814 9] _0 <- r; + r <- any Core_Option_Option_Type.t_option (k, v); goto BB16 } BB16 { 
@@ -10186,7 +11123,9 @@ module RedBlackTree_Impl15_Get requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv8 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -10194,7 +11133,10 @@ module RedBlackTree_Impl15_Get requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv8 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -10202,7 +11144,10 @@ module RedBlackTree_Impl15_Get requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv8 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -10213,13 +11158,19 @@ module RedBlackTree_Impl15_Get requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv8 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv8 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv8 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv8 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -10230,7 +11181,9 @@ module RedBlackTree_Impl15_Get requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv8 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -10241,7 +11194,9 @@ module RedBlackTree_Impl15_Get requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv8 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -10252,7 +11207,9 @@ module RedBlackTree_Impl15_Get requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv8 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -10263,7 +11220,9 @@ module RedBlackTree_Impl15_Get requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv8 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv8 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv8 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv8 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv8 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) predicate invariant9 (self : deep_model_ty0) val invariant9 (self : deep_model_ty0) : bool ensures { result = invariant9 self } @@ -10412,7 +11371,8 @@ module RedBlackTree_Impl15_Get requires {[#"../red_black_tree.rs" 296 14 296 18] inv7 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv7 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv7 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) predicate height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) = [#"../red_black_tree.rs" 339 20 339 61] height0 (RedBlackTree_Node_Type.node_left self) = height0 (RedBlackTree_Node_Type.node_right self) val height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) : bool 
@@ -10437,7 +11397,13 @@ module RedBlackTree_Impl15_Get ensures { result = has_mapping0 self k v } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv1 v -> inv8 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model1 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv1 v -> inv8 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model1 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv1 v + -> inv8 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model1 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv1 v + -> inv8 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model1 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } @@ -10459,7 +11425,7 @@ module RedBlackTree_Impl15_Get val invariant0 [#"../red_black_tree.rs" 364 4 364 34] (self : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = invariant0 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve5 (self : v) val resolve5 (self : v) : bool ensures { result = resolve5 self } 
@@ -10490,11 +11456,11 @@ module RedBlackTree_Impl15_Get val resolve1 (self : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = resolve1 self } - predicate resolve0 (self : Ghost.ghost_ty ()) - val resolve0 (self : Ghost.ghost_ty ()) : bool + predicate resolve0 (self : Snapshot.snap_ty ()) + val resolve0 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot function model_acc_has_mapping0 [#"../red_black_tree.rs" 68 4 72 5] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = 
@@ -10508,7 +11474,10 @@ module RedBlackTree_Impl15_Get requires {[#"../red_black_tree.rs" 71 8 71 9] inv8 k} ensures { result = model_acc_has_mapping0 self accu k } - axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv7 self) -> ([#"../red_black_tree.rs" 70 8 70 12] inv9 accu) -> ([#"../red_black_tree.rs" 71 8 71 9] inv8 k) -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv1 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv7 self) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv9 accu) + -> ([#"../red_black_tree.rs" 71 8 71 9] inv8 k) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv1 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) function has_mapping_model_acc0 [#"../red_black_tree.rs" 89 4 91 33] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = 
@@ -10523,7 +11492,12 @@ module RedBlackTree_Impl15_Get requires {[#"../red_black_tree.rs" 89 81 89 82] inv8 k} ensures { result = has_mapping_model_acc0 self accu k } - axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 89 29 89 33] inv7 self) -> ([#"../red_black_tree.rs" 89 35 89 39] inv9 accu) -> ([#"../red_black_tree.rs" 89 81 89 82] inv8 k) -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv1 v -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) + axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 89 29 89 33] inv7 self) + -> ([#"../red_black_tree.rs" 89 35 89 39] inv9 accu) + -> ([#"../red_black_tree.rs" 89 81 89 82] inv8 k) + -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv1 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) function has_mapping_model0 [#"../red_black_tree.rs" 110 4 112 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) : () = 
@@ -10534,7 +11508,11 @@ module RedBlackTree_Impl15_Get requires {[#"../red_black_tree.rs" 110 31 110 32] inv8 k} ensures { result = has_mapping_model0 self k } - axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 110 25 110 29] inv7 self) -> ([#"../red_black_tree.rs" 110 31 110 32] inv8 k) -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv1 v -> has_mapping0 self k v = (Map.get (shallow_model1 self) k = Core_Option_Option_Type.C_Some v)) + axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 110 25 110 29] inv7 self) + -> ([#"../red_black_tree.rs" 110 31 110 32] inv8 k) + -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv1 v + -> has_mapping0 self k v = (Map.get (shallow_model1 self) k = Core_Option_Option_Type.C_Some v)) let rec cfg get [#"../red_black_tree.rs" 822 4 822 44] [@cfg:stackify] [@cfg:subregion_analysis] (self : RedBlackTree_Tree_Type.t_tree k v) (key : k) : Core_Option_Option_Type.t_option v requires {[#"../red_black_tree.rs" 817 15 817 34] invariant0 self} requires {[#"../red_black_tree.rs" 822 16 822 20] inv0 self} @@ -10549,7 +11527,7 @@ module RedBlackTree_Impl15_Get var _0 : Core_Option_Option_Type.t_option v; var self : RedBlackTree_Tree_Type.t_tree k v = self; var key : k = key; - var _6 : Ghost.ghost_ty (); + var _6 : Snapshot.snap_ty (); var tree : RedBlackTree_Tree_Type.t_tree k v; var _12 : (); var _13 : Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v); 
@@ -10563,23 +11541,24 @@ module RedBlackTree_Impl15_Get goto BB0 } BB0 { - [#"../red_black_tree.rs" 823 8 823 39] _6 <- ([#"../red_black_tree.rs" 823 8 823 39] Ghost.new ()); + [#"../red_black_tree.rs" 823 8 823 45] _6 <- ([#"../red_black_tree.rs" 823 8 823 45] Snapshot.new ()); goto BB1 } BB1 { assume { resolve0 _6 }; - [#"../red_black_tree.rs" 825 23 825 27] tree <- ([#"../red_black_tree.rs" 825 23 825 27] self); + [#"../red_black_tree.rs" 825 23 825 27] tree <- self; assert { [@expl:type invariant] inv0 self }; assume { resolve1 self }; goto BB2 } BB2 { invariant { [#"../red_black_tree.rs" 826 20 826 43] bst_invariant0 tree }; - invariant { [#"../red_black_tree.rs" 826 8 826 45] forall v : v . inv1 v -> has_mapping0 self (deep_model0 key) v = has_mapping0 tree (deep_model0 key) v }; + invariant { [#"../red_black_tree.rs" 826 8 826 45] forall v : v . inv1 v + -> has_mapping0 self (deep_model0 key) v = has_mapping0 tree (deep_model0 key) v }; goto BB3 } BB3 { - [#"../red_black_tree.rs" 828 31 828 41] _13 <- ([#"../red_black_tree.rs" 828 31 828 41] RedBlackTree_Tree_Type.tree_node tree); + [#"../red_black_tree.rs" 828 31 828 41] _13 <- RedBlackTree_Tree_Type.tree_node tree; assert { [@expl:type invariant] inv0 tree }; assume { resolve1 tree }; switch (_13) 
@@ -10591,13 +11570,13 @@ module RedBlackTree_Impl15_Get goto BB5 } BB5 { - [#"../red_black_tree.rs" 828 23 828 27] node <- ([#"../red_black_tree.rs" 828 23 828 27] Core_Option_Option_Type.some_0 _13); + [#"../red_black_tree.rs" 828 23 828 27] node <- Core_Option_Option_Type.some_0 _13; assert { [@expl:type invariant] inv2 _13 }; assume { resolve2 _13 }; - [#"../red_black_tree.rs" 829 26 829 35] _19 <- ([#"../red_black_tree.rs" 829 26 829 35] RedBlackTree_Node_Type.node_key node); + [#"../red_black_tree.rs" 829 26 829 35] _19 <- RedBlackTree_Node_Type.node_key node; assert { [@expl:type invariant] inv3 _19 }; assume { resolve3 _19 }; - [#"../red_black_tree.rs" 829 18 829 36] _16 <- ([#"../red_black_tree.rs" 829 18 829 36] cmp0 ([#"../red_black_tree.rs" 829 18 829 21] key) ([#"../red_black_tree.rs" 829 26 829 35] _19)); + [#"../red_black_tree.rs" 829 18 829 36] _16 <- ([#"../red_black_tree.rs" 829 18 829 36] cmp0 key _19); goto BB6 } BB6 { @@ -10614,12 +11593,12 @@ module RedBlackTree_Impl15_Get goto BB12 } BB9 { - [#"../red_black_tree.rs" 832 34 832 45] _27 <- ([#"../red_black_tree.rs" 832 34 832 45] RedBlackTree_Node_Type.node_right node); + [#"../red_black_tree.rs" 832 34 832 45] _27 <- RedBlackTree_Node_Type.node_right node; assert { [@expl:type invariant] inv4 node }; assume { resolve4 node }; assert { [@expl:type invariant] inv0 _27 }; assume { resolve1 _27 }; - [#"../red_black_tree.rs" 832 27 832 45] tree <- ([#"../red_black_tree.rs" 832 34 832 45] _27); + [#"../red_black_tree.rs" 832 27 832 45] tree <- _27; [#"../red_black_tree.rs" 832 27 832 45] _12 <- ([#"../red_black_tree.rs" 832 27 832 45] ()); goto BB13 } 
@@ -10632,24 +11611,24 @@ module RedBlackTree_Impl15_Get absurd } BB11 { - [#"../red_black_tree.rs" 830 31 830 41] _22 <- ([#"../red_black_tree.rs" 830 31 830 41] RedBlackTree_Node_Type.node_left node); + [#"../red_black_tree.rs" 830 31 830 41] _22 <- RedBlackTree_Node_Type.node_left node; assert { [@expl:type invariant] inv4 node }; assume { resolve4 node }; assert { [@expl:type invariant] inv0 _22 }; assume { resolve1 _22 }; - [#"../red_black_tree.rs" 830 24 830 41] tree <- ([#"../red_black_tree.rs" 830 31 830 41] _22); + [#"../red_black_tree.rs" 830 24 830 41] tree <- _22; [#"../red_black_tree.rs" 830 24 830 41] _12 <- ([#"../red_black_tree.rs" 830 24 830 41] ()); goto BB13 } BB12 { assert { [@expl:type invariant] inv3 key }; assume { resolve3 key }; - [#"../red_black_tree.rs" 831 37 831 46] _25 <- ([#"../red_black_tree.rs" 831 37 831 46] RedBlackTree_Node_Type.node_val node); + [#"../red_black_tree.rs" 831 37 831 46] _25 <- RedBlackTree_Node_Type.node_val node; assert { [@expl:type invariant] inv4 node }; assume { resolve4 node }; assert { [@expl:type invariant] inv5 _25 }; assume { resolve5 _25 }; - [#"../red_black_tree.rs" 831 32 831 47] _0 <- ([#"../red_black_tree.rs" 831 32 831 47] Core_Option_Option_Type.C_Some ([#"../red_black_tree.rs" 831 37 831 46] _25)); + [#"../red_black_tree.rs" 831 32 831 47] _0 <- Core_Option_Option_Type.C_Some _25; goto BB15 } BB13 { @@ -10660,12 +11639,18 @@ module RedBlackTree_Impl15_Get assume { resolve2 _13 }; assert { [@expl:type invariant] inv3 key }; assume { resolve3 key }; - [#"../red_black_tree.rs" 835 15 835 19] _0 <- ([#"../red_black_tree.rs" 835 15 835 19] Core_Option_Option_Type.C_None); + [#"../red_black_tree.rs" 835 15 835 19] _0 <- Core_Option_Option_Type.C_None; goto BB15 } BB15 { return _0 } + BB17 { + goto BB8 + } + BB18 { + goto BB9 + } end module RedBlackTree_Impl15_GetMut 
@@ -10698,7 +11683,9 @@ module RedBlackTree_Impl15_GetMut requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -10706,7 +11693,10 @@ module RedBlackTree_Impl15_GetMut requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -10714,7 +11704,10 @@ module RedBlackTree_Impl15_GetMut requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -10725,13 +11718,19 @@ module RedBlackTree_Impl15_GetMut requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv2 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -10742,7 +11741,9 @@ module RedBlackTree_Impl15_GetMut requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -10753,7 +11754,9 @@ module RedBlackTree_Impl15_GetMut requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -10764,7 +11767,9 @@ module RedBlackTree_Impl15_GetMut requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -10775,7 +11780,9 @@ module RedBlackTree_Impl15_GetMut requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv2 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv2 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv2 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use prelude.Borrow predicate invariant12 (self : Core_Option_Option_Type.t_option (borrowed v)) val invariant12 (self : Core_Option_Option_Type.t_option (borrowed v)) : bool 
@@ -10875,16 +11882,16 @@ module RedBlackTree_Impl15_GetMut ensures { result = inv1 _x } axiom inv1 : forall x : v . inv1 x = true - use prelude.Ghost - predicate invariant1 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) - val invariant1 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool + use prelude.Snapshot + predicate invariant1 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) + val invariant1 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool ensures { result = invariant1 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) - val inv0 (_x : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) + val inv0 (_x : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v)) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v)) . inv0 x = true use map.Map function deep_model1 (self : k) : deep_model_ty0 val deep_model1 (self : k) : deep_model_ty0 
@@ -10953,7 +11960,8 @@ module RedBlackTree_Impl15_GetMut requires {[#"../red_black_tree.rs" 296 14 296 18] inv6 self} ensures { result = height0 self } - axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv6 self) -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) + axiom height0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v . ([#"../red_black_tree.rs" 296 14 296 18] inv6 self) + -> ([#"../red_black_tree.rs" 295 14 295 25] height0 self >= 0) predicate height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) = [#"../red_black_tree.rs" 339 20 339 61] height0 (RedBlackTree_Node_Type.node_left self) = height0 (RedBlackTree_Node_Type.node_right self) val height_invariant_here0 [#"../red_black_tree.rs" 338 4 338 42] (self : RedBlackTree_Node_Type.t_node k v) : bool 
@@ -10978,7 +11986,13 @@ module RedBlackTree_Impl15_GetMut ensures { result = has_mapping0 self k v } predicate bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) = - [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv1 v -> inv2 k -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v -> lt_log0 k (deep_model1 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv1 v -> inv2 k -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v -> lt_log0 (deep_model1 (RedBlackTree_Node_Type.node_key self)) k) + [#"../red_black_tree.rs" 186 12 187 104] (forall v : v . forall k : deep_model_ty0 . inv1 v + -> inv2 k + -> has_mapping0 (RedBlackTree_Node_Type.node_left self) k v + -> lt_log0 k (deep_model1 (RedBlackTree_Node_Type.node_key self))) /\ (forall v : v . forall k : deep_model_ty0 . inv1 v + -> inv2 k + -> has_mapping0 (RedBlackTree_Node_Type.node_right self) k v + -> lt_log0 (deep_model1 (RedBlackTree_Node_Type.node_key self)) k) val bst_invariant_here0 [#"../red_black_tree.rs" 184 4 184 39] (self : RedBlackTree_Node_Type.t_node k v) : bool ensures { result = bst_invariant_here0 self } 
@@ -11040,22 +12054,22 @@ module RedBlackTree_Impl15_GetMut val match_t0 [#"../red_black_tree.rs" 232 4 232 52] (self : RedBlackTree_Cp_Type.t_cp) (tree : RedBlackTree_Tree_Type.t_tree k v) : bool ensures { result = match_t0 self tree } - use prelude.Ghost + use prelude.Snapshot function deep_model0 (self : k) : deep_model_ty0 = [#"../../../../creusot-contracts/src/model.rs" 70 8 70 28] deep_model1 self val deep_model0 (self : k) : deep_model_ty0 ensures { result = deep_model0 self } - predicate resolve1 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) - val resolve1 (self : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool + predicate resolve1 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) + val resolve1 (self : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v))) : bool ensures { result = resolve1 self } - use prelude.Ghost - predicate resolve0 (self : Ghost.ghost_ty ()) - val resolve0 (self : Ghost.ghost_ty ()) : bool + use prelude.Snapshot + predicate resolve0 (self : Snapshot.snap_ty ()) + val resolve0 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot function model_acc_has_mapping0 [#"../red_black_tree.rs" 68 4 72 5] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = 
@@ -11069,7 +12083,10 @@ module RedBlackTree_Impl15_GetMut requires {[#"../red_black_tree.rs" 71 8 71 9] inv2 k} ensures { result = model_acc_has_mapping0 self accu k } - axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv6 self) -> ([#"../red_black_tree.rs" 70 8 70 12] inv12 accu) -> ([#"../red_black_tree.rs" 71 8 71 9] inv2 k) -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv1 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) + axiom model_acc_has_mapping0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 69 8 69 12] inv6 self) + -> ([#"../red_black_tree.rs" 70 8 70 12] inv12 accu) + -> ([#"../red_black_tree.rs" 71 8 71 9] inv2 k) + -> ([#"../red_black_tree.rs" 66 4 67 93] Map.get (model_acc0 self accu) k = Map.get accu k \/ (exists v : v . inv1 v /\ Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v /\ has_mapping0 self k v)) function has_mapping_model_acc0 [#"../red_black_tree.rs" 89 4 91 33] (self : RedBlackTree_Tree_Type.t_tree k v) (accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v)) (k : deep_model_ty0) : () = 
@@ -11084,7 +12101,12 @@ module RedBlackTree_Impl15_GetMut requires {[#"../red_black_tree.rs" 89 81 89 82] inv2 k} ensures { result = has_mapping_model_acc0 self accu k } - axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 89 29 89 33] inv6 self) -> ([#"../red_black_tree.rs" 89 35 89 39] inv12 accu) -> ([#"../red_black_tree.rs" 89 81 89 82] inv2 k) -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv1 v -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) + axiom has_mapping_model_acc0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, accu : Map.map deep_model_ty0 (Core_Option_Option_Type.t_option v), k : deep_model_ty0 . ([#"../red_black_tree.rs" 87 15 87 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 89 29 89 33] inv6 self) + -> ([#"../red_black_tree.rs" 89 35 89 39] inv12 accu) + -> ([#"../red_black_tree.rs" 89 81 89 82] inv2 k) + -> ([#"../red_black_tree.rs" 88 4 88 94] forall v : v . inv1 v + -> has_mapping0 self k v -> Map.get (model_acc0 self accu) k = Core_Option_Option_Type.C_Some v) function has_mapping_model0 [#"../red_black_tree.rs" 110 4 112 33] (self : RedBlackTree_Tree_Type.t_tree k v) (k : deep_model_ty0) : () = 
@@ -11095,7 +12117,11 @@ module RedBlackTree_Impl15_GetMut requires {[#"../red_black_tree.rs" 110 31 110 32] inv2 k} ensures { result = has_mapping_model0 self k } - axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) -> ([#"../red_black_tree.rs" 110 25 110 29] inv6 self) -> ([#"../red_black_tree.rs" 110 31 110 32] inv2 k) -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv1 v -> has_mapping0 self k v = (Map.get (shallow_model1 self) k = Core_Option_Option_Type.C_Some v)) + axiom has_mapping_model0_spec : forall self : RedBlackTree_Tree_Type.t_tree k v, k : deep_model_ty0 . ([#"../red_black_tree.rs" 108 15 108 35] bst_invariant0 self) + -> ([#"../red_black_tree.rs" 110 25 110 29] inv6 self) + -> ([#"../red_black_tree.rs" 110 31 110 32] inv2 k) + -> ([#"../red_black_tree.rs" 109 4 109 80] forall v : v . inv1 v + -> has_mapping0 self k v = (Map.get (shallow_model1 self) k = Core_Option_Option_Type.C_Some v)) let rec cfg get_mut [#"../red_black_tree.rs" 844 4 844 56] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (RedBlackTree_Tree_Type.t_tree k v)) (key : k) : Core_Option_Option_Type.t_option (borrowed v) requires {[#"../red_black_tree.rs" 838 15 838 34] invariant0 ( * self)} requires {[#"../red_black_tree.rs" 844 24 844 28] inv7 self} @@ -11111,8 +12137,8 @@ module RedBlackTree_Impl15_GetMut var _0 : Core_Option_Option_Type.t_option (borrowed v); var self : borrowed (RedBlackTree_Tree_Type.t_tree k v) = self; var key : k = key; - var _7 : Ghost.ghost_ty (); - var old_self : Ghost.ghost_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v)); + var _7 : Snapshot.snap_ty (); + var old_self : Snapshot.snap_ty (borrowed (RedBlackTree_Tree_Type.t_tree k v)); var tree : borrowed (RedBlackTree_Tree_Type.t_tree k v); var _22 : (); var _23 : borrowed (Core_Option_Option_Type.t_option (RedBlackTree_Node_Type.t_node k v)); 
@@ -11129,31 +12155,40 @@ module RedBlackTree_Impl15_GetMut goto BB0 } BB0 { - [#"../red_black_tree.rs" 845 8 845 39] _7 <- ([#"../red_black_tree.rs" 845 8 845 39] Ghost.new ()); + [#"../red_black_tree.rs" 845 8 845 45] _7 <- ([#"../red_black_tree.rs" 845 8 845 45] Snapshot.new ()); goto BB1 } BB1 { assume { resolve0 _7 }; - [#"../red_black_tree.rs" 847 23 847 35] old_self <- ([#"../red_black_tree.rs" 847 23 847 35] Ghost.new self); + [#"../red_black_tree.rs" 847 23 847 41] old_self <- ([#"../red_black_tree.rs" 847 23 847 41] Snapshot.new self); goto BB2 } BB2 { assert { [@expl:type invariant] inv0 old_self }; assume { resolve1 old_self }; - [#"../red_black_tree.rs" 848 23 848 27] tree <- ([#"../red_black_tree.rs" 848 23 848 27] self); - [#"../red_black_tree.rs" 848 23 848 27] self <- any borrowed (RedBlackTree_Tree_Type.t_tree k v); + [#"../red_black_tree.rs" 848 23 848 27] tree <- self; + self <- any borrowed (RedBlackTree_Tree_Type.t_tree k v); goto BB3 } BB3 { invariant { [#"../red_black_tree.rs" 850 20 850 43] bst_invariant0 ( * tree) }; invariant { [#"../red_black_tree.rs" 851 20 851 46] height_invariant0 ( * tree) }; invariant { [#"../red_black_tree.rs" 852 20 852 45] color_invariant0 ( * tree) }; - invariant { [#"../red_black_tree.rs" 850 8 850 45] forall v : v . inv1 v -> has_mapping0 ( ^ tree) (deep_model0 key) v = has_mapping0 ( ^ Ghost.inner old_self) (deep_model0 key) v }; - invariant { [#"../red_black_tree.rs" 850 8 850 45] forall v : v . inv1 v -> has_mapping0 ( * tree) (deep_model0 key) v = has_mapping0 ( * Ghost.inner old_self) (deep_model0 key) v }; - invariant { [#"../red_black_tree.rs" 850 8 850 45] (forall v : v . forall k : deep_model_ty0 . 
inv1 v -> inv2 k -> k = deep_model0 key \/ has_mapping0 ( * tree) k v = has_mapping0 ( ^ tree) k v) -> bst_invariant0 ( ^ tree) -> bst_invariant0 ( ^ Ghost.inner old_self) }; - invariant { [#"../red_black_tree.rs" 850 8 850 45] height0 ( * tree) = height0 ( ^ tree) /\ height_invariant0 ( ^ tree) -> height_invariant0 ( ^ Ghost.inner old_self) }; - invariant { [#"../red_black_tree.rs" 850 8 850 45] match_t0 (RedBlackTree_Cp_Type.C_CPL (color0 ( * tree))) ( ^ tree) -> match_t0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) ( ^ Ghost.inner old_self) }; - invariant { [#"../red_black_tree.rs" 850 8 850 45] forall v : v . forall k : deep_model_ty0 . inv1 v -> inv2 k -> has_mapping0 ( * tree) k v = has_mapping0 ( ^ tree) k v -> has_mapping0 ( * Ghost.inner old_self) k v = has_mapping0 ( ^ Ghost.inner old_self) k v }; + invariant { [#"../red_black_tree.rs" 850 8 850 45] forall v : v . inv1 v + -> has_mapping0 ( ^ tree) (deep_model0 key) v = has_mapping0 ( ^ Snapshot.inner old_self) (deep_model0 key) v }; + invariant { [#"../red_black_tree.rs" 850 8 850 45] forall v : v . inv1 v + -> has_mapping0 ( * tree) (deep_model0 key) v = has_mapping0 ( * Snapshot.inner old_self) (deep_model0 key) v }; + invariant { [#"../red_black_tree.rs" 850 8 850 45] (forall v : v . forall k : deep_model_ty0 . inv1 v + -> inv2 k -> k = deep_model0 key \/ has_mapping0 ( * tree) k v = has_mapping0 ( ^ tree) k v) + -> bst_invariant0 ( ^ tree) -> bst_invariant0 ( ^ Snapshot.inner old_self) }; + invariant { [#"../red_black_tree.rs" 850 8 850 45] height0 ( * tree) = height0 ( ^ tree) /\ height_invariant0 ( ^ tree) + -> height_invariant0 ( ^ Snapshot.inner old_self) }; + invariant { [#"../red_black_tree.rs" 850 8 850 45] match_t0 (RedBlackTree_Cp_Type.C_CPL (color0 ( * tree))) ( ^ tree) + -> match_t0 (RedBlackTree_Cp_Type.C_CPL (RedBlackTree_Color_Type.C_Black)) ( ^ Snapshot.inner old_self) }; + invariant { [#"../red_black_tree.rs" 850 8 850 45] forall v : v . forall k : deep_model_ty0 . 
inv1 v + -> inv2 k + -> has_mapping0 ( * tree) k v = has_mapping0 ( ^ tree) k v + -> has_mapping0 ( * Snapshot.inner old_self) k v = has_mapping0 ( ^ Snapshot.inner old_self) k v }; goto BB4 } BB4 { @@ -11172,10 +12207,10 @@ module RedBlackTree_Impl15_GetMut [#"../red_black_tree.rs" 862 23 862 27] node <- Borrow.borrow_final (Core_Option_Option_Type.some_0 ( * _23)) (Borrow.inherit_id (Borrow.get_id _23) 1); [#"../red_black_tree.rs" 862 23 862 27] _23 <- { _23 with current = (let Core_Option_Option_Type.C_Some x0 = * _23 in Core_Option_Option_Type.C_Some ( ^ node)) ; }; assume { inv4 ( ^ node) }; - [#"../red_black_tree.rs" 863 26 863 35] _29 <- ([#"../red_black_tree.rs" 863 26 863 35] RedBlackTree_Node_Type.node_key ( * node)); + [#"../red_black_tree.rs" 863 26 863 35] _29 <- RedBlackTree_Node_Type.node_key ( * node); assert { [@expl:type invariant] inv5 _29 }; assume { resolve2 _29 }; - [#"../red_black_tree.rs" 863 18 863 36] _26 <- ([#"../red_black_tree.rs" 863 18 863 36] cmp0 ([#"../red_black_tree.rs" 863 18 863 21] key) ([#"../red_black_tree.rs" 863 26 863 35] _29)); + [#"../red_black_tree.rs" 863 18 863 36] _26 <- ([#"../red_black_tree.rs" 863 18 863 36] cmp0 key _29); goto BB7 } BB7 { @@ -11200,8 +12235,8 @@ module RedBlackTree_Impl15_GetMut assume { inv6 ( ^ _36) }; assert { [@expl:type invariant] inv7 tree }; assume { resolve3 tree }; - [#"../red_black_tree.rs" 866 27 866 49] tree <- ([#"../red_black_tree.rs" 866 27 866 49] _36); - [#"../red_black_tree.rs" 866 27 866 49] _36 <- any borrowed (RedBlackTree_Tree_Type.t_tree k v); + [#"../red_black_tree.rs" 866 27 866 49] tree <- _36; + _36 <- any borrowed (RedBlackTree_Tree_Type.t_tree k v); [#"../red_black_tree.rs" 866 27 866 49] _22 <- ([#"../red_black_tree.rs" 866 27 866 49] ()); assert { [@expl:type invariant] inv7 _37 }; assume { resolve3 _37 }; 
@@ -11228,8 +12263,8 @@ module RedBlackTree_Impl15_GetMut assume { inv6 ( ^ _31) }; assert { [@expl:type invariant] inv7 tree }; assume { resolve3 tree }; - [#"../red_black_tree.rs" 864 24 864 45] tree <- ([#"../red_black_tree.rs" 864 24 864 45] _31); - [#"../red_black_tree.rs" 864 24 864 45] _31 <- any borrowed (RedBlackTree_Tree_Type.t_tree k v); + [#"../red_black_tree.rs" 864 24 864 45] tree <- _31; + _31 <- any borrowed (RedBlackTree_Tree_Type.t_tree k v); [#"../red_black_tree.rs" 864 24 864 45] _22 <- ([#"../red_black_tree.rs" 864 24 864 45] ()); assert { [@expl:type invariant] inv7 _32 }; assume { resolve3 _32 }; @@ -11244,7 +12279,7 @@ module RedBlackTree_Impl15_GetMut [#"../red_black_tree.rs" 865 37 865 50] _34 <- Borrow.borrow_final ( * _35) (Borrow.get_id _35); [#"../red_black_tree.rs" 865 37 865 50] _35 <- { _35 with current = ( ^ _34) ; }; assume { inv1 ( ^ _34) }; - [#"../red_black_tree.rs" 865 32 865 51] _0 <- ([#"../red_black_tree.rs" 865 32 865 51] Core_Option_Option_Type.C_Some _34); + [#"../red_black_tree.rs" 865 32 865 51] _0 <- Core_Option_Option_Type.C_Some _34; _34 <- any borrowed v; assert { [@expl:type invariant] inv8 _35 }; assume { resolve4 _35 }; @@ -11266,7 +12301,7 @@ module RedBlackTree_Impl15_GetMut assume { resolve6 _23 }; assert { [@expl:type invariant] inv5 key }; assume { resolve2 key }; - [#"../red_black_tree.rs" 869 15 869 19] _0 <- ([#"../red_black_tree.rs" 869 15 869 19] Core_Option_Option_Type.C_None); + [#"../red_black_tree.rs" 869 15 869 19] _0 <- Core_Option_Option_Type.C_None; goto BB16 } BB16 { @@ -11274,6 +12309,12 @@ module RedBlackTree_Impl15_GetMut assume { resolve3 tree }; return _0 } + BB18 { + goto BB9 + } + BB19 { + goto BB10 + } end module RedBlackTree_Impl16 
@@ -11299,7 +12340,8 @@ module RedBlackTree_Impl16 axiom inv0 : forall x : RedBlackTree_Color_Type.t_color . inv0 x = true use prelude.Borrow - goal clone'_refn : [#"../red_black_tree.rs" 8 9 8 14] forall self : RedBlackTree_Color_Type.t_color . inv0 self -> (forall result : RedBlackTree_Color_Type.t_color . result = self -> inv1 result /\ result = self) + goal clone'_refn : [#"../red_black_tree.rs" 8 9 8 14] forall self : RedBlackTree_Color_Type.t_color . inv0 self + -> (forall result : RedBlackTree_Color_Type.t_color . result = self -> inv1 result /\ result = self) end module RedBlackTree_Impl17 diff --git a/creusot/tests/should_succeed/red_black_tree.rs b/creusot/tests/should_succeed/red_black_tree.rs index cf67597fd2..9fb3f15fd7 100644 --- a/creusot/tests/should_succeed/red_black_tree.rs +++ b/creusot/tests/should_succeed/red_black_tree.rs @@ -45,7 +45,7 @@ impl Tree { } } - #[ghost] + #[logic] fn model_acc( self, accu: ::ShallowModelTy, @@ -62,7 +62,7 @@ impl Tree { } } - #[ghost] + #[logic] #[ensures(self.model_acc(accu).get(k) == accu.get(k) || exists self.model_acc(accu).get(k) == Some(v) && self.has_mapping(k, v))] fn model_acc_has_mapping( @@ -83,7 +83,7 @@ impl Tree { } } - #[ghost] + #[logic] #[requires(self.bst_invariant())] #[ensures(forall self.has_mapping(k, v) ==> self.model_acc(accu).get(k) == Some(v))] fn has_mapping_model_acc(self, accu: ::ShallowModelTy, k: K::DeepModelTy) @@ -104,7 +104,7 @@ impl Tree { } } - #[ghost] + #[logic] #[requires(self.bst_invariant())] #[ensures(forall self.has_mapping(k, v) == (self@.get(k) == Some(v)))] fn has_mapping_model(self, k: K::DeepModelTy) @@ -117,7 +117,7 @@ impl Tree { } } } - #[ghost] + #[logic] #[requires(self.bst_invariant())] #[requires(self.has_mapping(k, v1))] #[requires(self.has_mapping(k, v2))] @@ -155,7 +155,7 @@ impl Node { impl ShallowModel for Node { type ShallowModelTy = Mapping>; - #[ghost] + #[logic] #[open(self)] fn shallow_model(self) -> Self::ShallowModelTy { pearlite! { 
@@ -167,7 +167,7 @@ impl ShallowModel for Node { impl ShallowModel for Tree { type ShallowModelTy = Mapping>; - #[ghost] + #[logic] #[open(self)] fn shallow_model(self) -> Self::ShallowModelTy { pearlite! { self.model_acc(Mapping::cst(None)) } @@ -222,7 +222,7 @@ enum CP { } use CP::*; -#[ghost] +#[logic] fn cpn(c: Color, l: CP, r: CP) -> CP { pearlite! { CPN(c, Box::new(l), Box::new(r)) } } @@ -252,7 +252,7 @@ impl CP { } impl Tree { - #[ghost] + #[logic] fn color(self) -> Color { pearlite! { match self.node { @@ -291,7 +291,7 @@ impl Node { /***************************** The height invariant *************************/ impl Tree { - #[ghost] + #[logic] #[ensures(result >= 0)] fn height(self) -> Int { pearlite! { @@ -322,7 +322,7 @@ impl Tree { } impl Node { - #[ghost] + #[logic] #[ensures(forall>> self == *node ==> result == Tree{ node: Some(node) }.height())] fn height(self) -> Int { @@ -410,7 +410,7 @@ where ((^self).left, r.left, r.right) == (l.left, l.right, (*self).right) && r.key == (*self).key)] fn rotate_right(&mut self) { - let old_self = gh! { self }; + let old_self = snapshot! { self }; // self // / \ @@ -460,7 +460,7 @@ where (l.left, l.right, (^self).right) == ((*self).left, r.left, r.right) && l.key == (*self).key)] fn rotate_left(&mut self) { - let old_self = gh! { self }; + let old_self = snapshot! { self }; let mut x = std::mem::take(&mut self.right.node).unwrap(); std::mem::swap(&mut self.right, &mut x.left); std::mem::swap(self, &mut x); @@ -626,7 +626,7 @@ where pub fn insert(&mut self, key: K, val: V) { self.insert_rec(key, val); self.node.as_mut().unwrap().color = Black; - gh! { Self::has_mapping_model }; + snapshot! { Self::has_mapping_model }; } #[requires((*self).internal_invariant())] 
@@ -665,7 +665,7 @@ where (^self)@ == self@.set(k.deep_model(), None), None => (^self)@ == self@ && self@ == Mapping::cst(None)})] pub fn delete_max(&mut self) -> Option<(K, V)> { - let old_self = gh! { self }; + let old_self = snapshot! { self }; if let Some(node) = &mut self.node { if !node.left.is_red() { node.color = Red; @@ -678,7 +678,7 @@ where if self.is_red() { self.node.as_mut().unwrap().color = Black; } - gh! { Self::has_mapping_model }; + snapshot! { Self::has_mapping_model }; Some(r) } @@ -717,7 +717,7 @@ where None => (^self)@ == self@ && self@ == Mapping::cst(None) })] pub fn delete_min(&mut self) -> Option<(K, V)> { - gh! { Self::has_mapping_model }; + snapshot! { Self::has_mapping_model }; if let Some(node) = &mut self.node { if !node.left.is_red() { @@ -775,7 +775,7 @@ where } if let Equal = ord { let mut kv = node.right.delete_min_rec(); - gh! { Self::has_mapping_inj }; + snapshot! { Self::has_mapping_inj }; std::mem::swap(&mut node.key, &mut kv.0); std::mem::swap(&mut node.val, &mut kv.1); r = Some(kv) @@ -798,7 +798,7 @@ where })] #[ensures((^self)@ == self@.set(key.deep_model(), None))] pub fn delete(&mut self, key: &K) -> Option<(K, V)> { - gh! { Self::has_mapping_model }; + snapshot! { Self::has_mapping_model }; if let Some(node) = &mut self.node { if !node.left.is_red() { @@ -820,7 +820,7 @@ where None => self@.get(key.deep_model()) == None })] pub fn get(&self, key: &K) -> Option<&V> { - gh! { Self::has_mapping_model }; + snapshot! { Self::has_mapping_model }; let mut tree = self; #[invariant((*tree).bst_invariant())] @@ -842,9 +842,9 @@ where None => self@.get(key.deep_model()) == None && (^self)@ == self@ })] pub fn get_mut(&mut self, key: &K) -> Option<&mut V> { - gh! { Self::has_mapping_model }; + snapshot! { Self::has_mapping_model }; - let old_self = gh! { self }; + let old_self = snapshot! { self }; let mut tree = self; #[invariant((*tree).bst_invariant())] 
diff --git a/creusot/tests/should_succeed/red_black_tree/why3session.xml b/creusot/tests/should_succeed/red_black_tree/why3session.xml index 4cac005cfb..e647279fbd 100644 --- a/creusot/tests/should_succeed/red_black_tree/why3session.xml +++ b/creusot/tests/should_succeed/red_black_tree/why3session.xml @@ -14,54 +14,54 @@ - - + + - - + + - - + + - - + + - - + + - - + + - + - - - - - - - + - - - - - + + + + + + + + + + + @@ -119,31 +119,31 @@ - + - + - + - + - + - + - + - + - + @@ -197,31 +197,31 @@ - + - + - + - + - + - + - + - + - + @@ -1576,7 +1576,7 @@ - + @@ -1643,10 +1643,10 @@ - + - + @@ -1693,7 +1693,7 @@ - + @@ -1707,7 +1707,7 @@ - + @@ -1717,7 +1717,7 @@ - + @@ -1736,7 +1736,7 @@ - + @@ -1748,7 +1748,7 @@ - + @@ -1780,19 +1780,19 @@ - + - + - + - + - + @@ -2327,10 +2327,10 @@ - + - + @@ -2348,40 +2348,40 @@ - + - + - + - + - + - + - + - + - + - + @@ -2389,7 +2389,7 @@ - + @@ -2403,7 +2403,7 @@ - + @@ -2412,10 +2412,10 @@ - + - + @@ -2428,7 +2428,7 @@ - + @@ -2778,10 +2778,10 @@ - + - + @@ -2799,10 +2799,10 @@ - + - + @@ -2811,30 +2811,30 @@ - + - + - + - + - + - + - + - + @@ -2846,14 +2846,14 @@ - + - + @@ -2891,10 +2891,10 @@ - + - + @@ -2913,14 +2913,14 @@ - + - + @@ -2933,10 +2933,10 @@ - + - + @@ -3256,10 +3256,10 @@ - + - + @@ -3276,7 +3276,7 @@ - + @@ -3343,7 +3343,7 @@ - + @@ -3367,7 +3367,7 @@ - + @@ -3397,10 +3397,10 @@ - + - + @@ -3427,7 +3427,7 @@ - + @@ -3439,7 +3439,7 @@ - + @@ -3449,12 +3449,12 @@ - + - + @@ -3492,7 +3492,7 @@ - + @@ -3502,7 +3502,7 @@ - + @@ -3535,7 +3535,7 @@ - + @@ -3549,7 +3549,7 @@ - + @@ -3588,7 +3588,7 @@ - + @@ -3596,7 +3596,7 @@ - + @@ -3630,7 +3630,7 @@ - + @@ -3642,7 +3642,7 @@ - + @@ -3691,7 +3691,7 @@ - + @@ -3735,7 +3735,7 @@ - + @@ -3744,7 +3744,7 @@ - + @@ -3846,7 +3846,7 @@ - + @@ -3864,10 +3864,10 @@ - + - + @@ -3880,7 +3880,7 @@ - + @@ -3930,7 +3930,7 @@ - + @@ -3946,14 +3946,14 @@ - + - + @@ -4001,7 +4001,7 @@ - + @@ -4025,7 +4025,7 @@ - + @@ -4070,7 +4070,7 @@ - + @@ -4094,7 +4094,7 @@ - + 
@@ -4104,7 +4104,7 @@ - + @@ -4116,10 +4116,10 @@ - + - + @@ -4143,45 +4143,45 @@ - + - + - + - + - + - + - + - + - + - + - + @@ -4193,14 +4193,14 @@ - + - + @@ -4218,14 +4218,14 @@ - + - + @@ -4265,10 +4265,10 @@ - + - + @@ -4287,14 +4287,14 @@ - + - + diff --git a/creusot/tests/should_succeed/red_black_tree/why3shapes.gz b/creusot/tests/should_succeed/red_black_tree/why3shapes.gz index a8000c348a..c6bad50f97 100644 Binary files a/creusot/tests/should_succeed/red_black_tree/why3shapes.gz and b/creusot/tests/should_succeed/red_black_tree/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/replace.mlcfg b/creusot/tests/should_succeed/replace.mlcfg index c634fc596a..99b9806c9b 100644 --- a/creusot/tests/should_succeed/replace.mlcfg +++ b/creusot/tests/should_succeed/replace.mlcfg @@ -28,8 +28,8 @@ module Replace_Test goto BB1 } BB1 { - [#"../replace.rs" 9 4 9 6] _a <- ([#"../replace.rs" 9 9 9 10] b); - [#"../replace.rs" 9 9 9 10] b <- any Replace_Something_Type.t_something; + [#"../replace.rs" 9 4 9 6] _a <- b; + b <- any Replace_Something_Type.t_something; goto BB3 } BB3 { diff --git a/creusot/tests/should_succeed/resolve_uninit.mlcfg b/creusot/tests/should_succeed/resolve_uninit.mlcfg index 59272d62ab..133ca4155e 100644 --- a/creusot/tests/should_succeed/resolve_uninit.mlcfg +++ b/creusot/tests/should_succeed/resolve_uninit.mlcfg 
@@ -37,21 +37,21 @@ module ResolveUninit_MaybeUninit goto BB0 } BB0 { - switch ([#"../resolve_uninit.rs" 7 7 7 8] b) + switch (b) | False -> goto BB6 | True -> goto BB1 end } BB1 { - [#"../resolve_uninit.rs" 8 12 8 24] _6 <- ([#"../resolve_uninit.rs" 8 12 8 24] default0 ()); + [#"../resolve_uninit.rs" 8 12 8 24] _6 <- ([#"../resolve_uninit.rs" 8 12 8 24] default0 ([#"../resolve_uninit.rs" 8 12 8 24] ())); goto BB2 } BB2 { goto BB3 } BB3 { - [#"../resolve_uninit.rs" 8 8 8 9] x <- ([#"../resolve_uninit.rs" 8 8 8 9] _6); - [#"../resolve_uninit.rs" 8 8 8 9] _6 <- any t; + [#"../resolve_uninit.rs" 8 8 8 9] x <- _6; + _6 <- any t; assert { [@expl:type invariant] inv0 x }; assume { resolve0 x }; goto BB5 @@ -68,13 +68,13 @@ module ResolveUninit_MaybeUninit goto BB8 } BB8 { - [#"../resolve_uninit.rs" 11 4 11 5] x <- ([#"../resolve_uninit.rs" 11 8 11 9] y); - [#"../resolve_uninit.rs" 11 8 11 9] y <- any t; + [#"../resolve_uninit.rs" 11 4 11 5] x <- y; + y <- any t; goto BB10 } BB10 { - [#"../resolve_uninit.rs" 12 4 12 5] _0 <- ([#"../resolve_uninit.rs" 12 4 12 5] x); - [#"../resolve_uninit.rs" 12 4 12 5] x <- any t; + [#"../resolve_uninit.rs" 12 4 12 5] _0 <- x; + x <- any t; goto BB11 } BB11 { @@ -109,11 +109,12 @@ module ResolveUninit_InitJoin var _10 : borrowed int32; var _11 : borrowed int32; var _12 : borrowed int32; + var _14 : bool; { goto BB0 } BB0 { - switch ([#"../resolve_uninit.rs" 19 7 19 8] b) + switch (b) | False -> goto BB2 | True -> goto BB1 end 
@@ -123,15 +124,15 @@ module ResolveUninit_InitJoin [#"../resolve_uninit.rs" 20 12 20 18] x <- ^ _8; [#"../resolve_uninit.rs" 20 12 20 18] _7 <- Borrow.borrow_final ( * _8) (Borrow.get_id _8); [#"../resolve_uninit.rs" 20 12 20 18] _8 <- { _8 with current = ( ^ _7) ; }; - [#"../resolve_uninit.rs" 20 8 20 18] z <- ([#"../resolve_uninit.rs" 20 8 20 18] _7); - [#"../resolve_uninit.rs" 20 8 20 18] _7 <- any borrowed int32; + [#"../resolve_uninit.rs" 20 8 20 18] z <- _7; + _7 <- any borrowed int32; assume { resolve0 _8 }; [#"../resolve_uninit.rs" 21 12 21 19] _10 <- Borrow.borrow_final ( * z) (Borrow.get_id z); [#"../resolve_uninit.rs" 21 12 21 19] z <- { z with current = ( ^ _10) ; }; [#"../resolve_uninit.rs" 21 12 21 19] _9 <- Borrow.borrow_final ( * _10) (Borrow.get_id _10); [#"../resolve_uninit.rs" 21 12 21 19] _10 <- { _10 with current = ( ^ _9) ; }; - [#"../resolve_uninit.rs" 21 8 21 19] y <- ([#"../resolve_uninit.rs" 21 8 21 19] _9); - [#"../resolve_uninit.rs" 21 8 21 19] _9 <- any borrowed int32; + [#"../resolve_uninit.rs" 21 8 21 19] y <- _9; + _9 <- any borrowed int32; assume { resolve0 _10 }; [#"../resolve_uninit.rs" 19 9 23 5] _5 <- ([#"../resolve_uninit.rs" 19 9 23 5] ()); goto BB7 
@@ -141,16 +142,17 @@ module ResolveUninit_InitJoin [#"../resolve_uninit.rs" 24 12 24 18] x <- ^ _12; [#"../resolve_uninit.rs" 24 12 24 18] _11 <- Borrow.borrow_final ( * _12) (Borrow.get_id _12); [#"../resolve_uninit.rs" 24 12 24 18] _12 <- { _12 with current = ( ^ _11) ; }; - [#"../resolve_uninit.rs" 24 8 24 18] y <- ([#"../resolve_uninit.rs" 24 8 24 18] _11); - [#"../resolve_uninit.rs" 24 8 24 18] _11 <- any borrowed int32; + [#"../resolve_uninit.rs" 24 8 24 18] y <- _11; + _11 <- any borrowed int32; assume { resolve0 _12 }; [#"../resolve_uninit.rs" 23 11 25 5] _5 <- ([#"../resolve_uninit.rs" 23 11 25 5] ()); goto BB3 } BB3 { - [#"../resolve_uninit.rs" 27 4 27 10] y <- { y with current = ([#"../resolve_uninit.rs" 27 4 27 10] [#"../resolve_uninit.rs" 27 9 27 10] (5 : int32)) ; }; + [#"../resolve_uninit.rs" 27 4 27 10] y <- { y with current = ([#"../resolve_uninit.rs" 27 9 27 10] (5 : int32)) ; }; assume { resolve0 y }; - switch ([#"../resolve_uninit.rs" 28 12 28 18] ([#"../resolve_uninit.rs" 28 12 28 13] x) = ([#"../resolve_uninit.rs" 28 17 28 18] [#"../resolve_uninit.rs" 28 17 28 18] (5 : int32))) + [#"../resolve_uninit.rs" 28 12 28 18] _14 <- x = ([#"../resolve_uninit.rs" 28 17 28 18] (5 : int32)); + switch (_14) | False -> goto BB5 | True -> goto BB4 end diff --git a/creusot/tests/should_succeed/resolve_uninit/why3session.xml b/creusot/tests/should_succeed/resolve_uninit/why3session.xml index 6bf9ef09dc..84f5e9d973 100644 --- a/creusot/tests/should_succeed/resolve_uninit/why3session.xml +++ b/creusot/tests/should_succeed/resolve_uninit/why3session.xml @@ -12,7 +12,7 @@ - + diff --git a/creusot/tests/should_succeed/resolve_uninit/why3shapes.gz b/creusot/tests/should_succeed/resolve_uninit/why3shapes.gz index ae1eecd641..bc8d20db12 100644 Binary files a/creusot/tests/should_succeed/resolve_uninit/why3shapes.gz and b/creusot/tests/should_succeed/resolve_uninit/why3shapes.gz differ 
diff --git a/creusot/tests/should_succeed/result/own.mlcfg b/creusot/tests/should_succeed/result/own.mlcfg index e7a6537b29..243fd1b928 100644 --- a/creusot/tests/should_succeed/result/own.mlcfg +++ b/creusot/tests/should_succeed/result/own.mlcfg @@ -130,11 +130,11 @@ module Own_Impl0_IsErr BB0 { assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../own.rs" 31 9 31 21] _3 <- ([#"../own.rs" 31 9 31 21] is_ok0 ([#"../own.rs" 31 9 31 13] self)); + [#"../own.rs" 31 9 31 21] _3 <- ([#"../own.rs" 31 9 31 21] is_ok0 self); goto BB1 } BB1 { - [#"../own.rs" 31 8 31 21] _0 <- ([#"../own.rs" 31 8 31 21] not _3); + [#"../own.rs" 31 8 31 21] _0 <- not _3; _3 <- any bool; return _0 } @@ -210,8 +210,10 @@ module Own_Impl0_Ok let rec cfg ok [#"../own.rs" 36 4 36 32] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult t e) : Core_Option_Option_Type.t_option t requires {[#"../own.rs" 36 14 36 18] inv0 self} - ensures { [#"../own.rs" 34 4 34 75] forall t : t . inv2 t -> self = Own_OwnResult_Type.C_Ok t -> result = Core_Option_Option_Type.C_Some t } - ensures { [#"../own.rs" 35 4 35 75] (exists e : e . inv1 e /\ self = Own_OwnResult_Type.C_Err e) -> result = Core_Option_Option_Type.C_None } + ensures { [#"../own.rs" 34 4 34 75] forall t : t . inv2 t + -> self = Own_OwnResult_Type.C_Ok t -> result = Core_Option_Option_Type.C_Some t } + ensures { [#"../own.rs" 35 4 35 75] (exists e : e . inv1 e /\ self = Own_OwnResult_Type.C_Err e) + -> result = Core_Option_Option_Type.C_None } ensures { [#"../own.rs" 36 23 36 32] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -238,13 +240,13 @@ module Own_Impl0_Ok goto BB6 } BB4 { - [#"../own.rs" 40 27 40 28] x1 <- ([#"../own.rs" 40 27 40 28] Own_OwnResult_Type.err_0 self); - [#"../own.rs" 40 27 40 28] self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); + [#"../own.rs" 40 27 40 28] x1 <- Own_OwnResult_Type.err_0 self; + self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); assert { [@expl:type invariant] inv1 x1 }; assume { resolve1 x1 }; assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../own.rs" 40 33 40 37] _0 <- ([#"../own.rs" 40 33 40 37] Core_Option_Option_Type.C_None); + [#"../own.rs" 40 33 40 37] _0 <- Core_Option_Option_Type.C_None; goto BB9 } BB5 { @@ -254,12 +256,12 @@ module Own_Impl0_Ok absurd } BB6 { - [#"../own.rs" 38 26 38 27] x <- ([#"../own.rs" 38 26 38 27] Own_OwnResult_Type.ok_0 self); - [#"../own.rs" 38 26 38 27] self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any t)); + [#"../own.rs" 38 26 38 27] x <- Own_OwnResult_Type.ok_0 self; + self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any t)); assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../own.rs" 38 32 38 39] _0 <- ([#"../own.rs" 38 32 38 39] Core_Option_Option_Type.C_Some ([#"../own.rs" 38 37 38 38] x)); - [#"../own.rs" 38 37 38 38] x <- any t; + [#"../own.rs" 38 32 38 39] _0 <- Core_Option_Option_Type.C_Some x; + x <- any t; goto BB7 } BB7 { 
@@ -338,8 +340,10 @@ module Own_Impl0_Err let rec cfg err [#"../own.rs" 46 4 46 33] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult t e) : Core_Option_Option_Type.t_option e requires {[#"../own.rs" 46 15 46 19] inv1 self} - ensures { [#"../own.rs" 44 4 44 74] (exists t : t . inv0 t /\ self = Own_OwnResult_Type.C_Ok t) -> result = Core_Option_Option_Type.C_None } - ensures { [#"../own.rs" 45 4 45 76] forall e : e . inv2 e -> self = Own_OwnResult_Type.C_Err e -> result = Core_Option_Option_Type.C_Some e } + ensures { [#"../own.rs" 44 4 44 74] (exists t : t . inv0 t /\ self = Own_OwnResult_Type.C_Ok t) + -> result = Core_Option_Option_Type.C_None } + ensures { [#"../own.rs" 45 4 45 76] forall e : e . inv2 e + -> self = Own_OwnResult_Type.C_Err e -> result = Core_Option_Option_Type.C_Some e } ensures { [#"../own.rs" 46 24 46 33] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] @@ -366,12 +370,12 @@ module Own_Impl0_Err goto BB6 } BB4 { - [#"../own.rs" 50 27 50 28] x1 <- ([#"../own.rs" 50 27 50 28] Own_OwnResult_Type.err_0 self); - [#"../own.rs" 50 27 50 28] self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); + [#"../own.rs" 50 27 50 28] x1 <- Own_OwnResult_Type.err_0 self; + self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); assert { [@expl:type invariant] inv1 self }; assume { resolve1 self }; - [#"../own.rs" 50 33 50 40] _0 <- ([#"../own.rs" 50 33 50 40] Core_Option_Option_Type.C_Some ([#"../own.rs" 50 38 50 39] x1)); - [#"../own.rs" 50 38 50 39] x1 <- any e; + [#"../own.rs" 50 33 50 40] _0 <- Core_Option_Option_Type.C_Some x1; + x1 <- any e; goto BB8 } BB5 { 
@@ -381,13 +385,13 @@ module Own_Impl0_Err absurd } BB6 { - [#"../own.rs" 49 26 49 27] x <- ([#"../own.rs" 49 26 49 27] Own_OwnResult_Type.ok_0 self); - [#"../own.rs" 49 26 49 27] self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any t)); + [#"../own.rs" 49 26 49 27] x <- Own_OwnResult_Type.ok_0 self; + self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any t)); assert { [@expl:type invariant] inv0 x }; assume { resolve0 x }; assert { [@expl:type invariant] inv1 self }; assume { resolve1 self }; - [#"../own.rs" 49 32 49 36] _0 <- ([#"../own.rs" 49 32 49 36] Core_Option_Option_Type.C_None); + [#"../own.rs" 49 32 49 36] _0 <- Core_Option_Option_Type.C_None; goto BB7 } BB7 { @@ -462,8 +466,10 @@ module Own_Impl0_AsRef let rec cfg as_ref [#"../own.rs" 56 4 56 45] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult t e) : Own_OwnResult_Type.t_ownresult t e requires {[#"../own.rs" 56 19 56 23] inv0 self} - ensures { [#"../own.rs" 54 4 54 87] forall t : t . inv1 t -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok t } - ensures { [#"../own.rs" 55 4 55 89] forall e : e . inv2 e -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } + ensures { [#"../own.rs" 54 4 54 87] forall t : t . inv1 t + -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok t } + ensures { [#"../own.rs" 55 4 55 89] forall e : e . inv2 e + -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } ensures { [#"../own.rs" 56 28 56 45] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -484,12 +490,12 @@ module Own_Impl0_AsRef goto BB4 } BB2 { - [#"../own.rs" 59 27 59 32] x1 <- ([#"../own.rs" 59 27 59 32] Own_OwnResult_Type.err_0 self); + [#"../own.rs" 59 27 59 32] x1 <- Own_OwnResult_Type.err_0 self; assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; assert { [@expl:type invariant] inv2 x1 }; assume { resolve2 x1 }; - [#"../own.rs" 59 37 59 54] _0 <- ([#"../own.rs" 59 37 59 54] Own_OwnResult_Type.C_Err ([#"../own.rs" 59 52 59 53] x1)); + [#"../own.rs" 59 37 59 54] _0 <- Own_OwnResult_Type.C_Err x1; goto BB5 } BB3 { @@ -499,12 +505,12 @@ module Own_Impl0_AsRef absurd } BB4 { - [#"../own.rs" 58 26 58 31] x <- ([#"../own.rs" 58 26 58 31] Own_OwnResult_Type.ok_0 self); + [#"../own.rs" 58 26 58 31] x <- Own_OwnResult_Type.ok_0 self; assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; assert { [@expl:type invariant] inv1 x }; assume { resolve1 x }; - [#"../own.rs" 58 36 58 52] _0 <- ([#"../own.rs" 58 36 58 52] Own_OwnResult_Type.C_Ok ([#"../own.rs" 58 50 58 51] x)); + [#"../own.rs" 58 36 58 52] _0 <- Own_OwnResult_Type.C_Ok x; goto BB5 } BB5 { @@ -617,7 +623,7 @@ module Own_Impl0_AsMut [#"../own.rs" 74 56 74 57] _7 <- Borrow.borrow_final ( * x1) (Borrow.get_id x1); [#"../own.rs" 74 56 74 57] x1 <- { x1 with current = ( ^ _7) ; }; assume { inv2 ( ^ _7) }; - [#"../own.rs" 74 41 74 58] _0 <- ([#"../own.rs" 74 41 74 58] Own_OwnResult_Type.C_Err _7); + [#"../own.rs" 74 41 74 58] _0 <- Own_OwnResult_Type.C_Err _7; _7 <- any borrowed e; assert { [@expl:type invariant] inv3 x1 }; assume { resolve1 x1 }; 
@@ -636,7 +642,7 @@ module Own_Impl0_AsMut [#"../own.rs" 73 54 73 55] _5 <- Borrow.borrow_final ( * x) (Borrow.get_id x); [#"../own.rs" 73 54 73 55] x <- { x with current = ( ^ _5) ; }; assume { inv0 ( ^ _5) }; - [#"../own.rs" 73 40 73 56] _0 <- ([#"../own.rs" 73 40 73 56] Own_OwnResult_Type.C_Ok _5); + [#"../own.rs" 73 40 73 56] _0 <- Own_OwnResult_Type.C_Ok _5; _5 <- any borrowed t; assert { [@expl:type invariant] inv1 x }; assume { resolve0 x }; @@ -726,8 +732,8 @@ module Own_Impl0_Unwrap goto BB6 } BB4 { - [#"../own.rs" 86 27 86 29] _e <- ([#"../own.rs" 86 27 86 29] Own_OwnResult_Type.err_0 self); - [#"../own.rs" 86 27 86 29] self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); + [#"../own.rs" 86 27 86 29] _e <- Own_OwnResult_Type.err_0 self; + self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); assert { [@expl:type invariant] inv1 _e }; assume { resolve1 _e }; assert { [@expl:type invariant] inv0 self }; @@ -742,12 +748,12 @@ module Own_Impl0_Unwrap absurd } BB6 { - [#"../own.rs" 85 26 85 27] t <- ([#"../own.rs" 85 26 85 27] Own_OwnResult_Type.ok_0 self); - [#"../own.rs" 85 26 85 27] self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any t)); + [#"../own.rs" 85 26 85 27] t <- Own_OwnResult_Type.ok_0 self; + self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any t)); assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../own.rs" 85 32 85 33] _0 <- ([#"../own.rs" 85 32 85 33] t); - [#"../own.rs" 85 32 85 33] t <- any t; + [#"../own.rs" 85 32 85 33] _0 <- t; + t <- any t; goto BB7 } BB7 { 
@@ -836,8 +842,8 @@ module Own_Impl0_Expect goto BB6 } BB4 { - [#"../own.rs" 98 27 98 29] _e <- ([#"../own.rs" 98 27 98 29] Own_OwnResult_Type.err_0 self); - [#"../own.rs" 98 27 98 29] self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); + [#"../own.rs" 98 27 98 29] _e <- Own_OwnResult_Type.err_0 self; + self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); assert { [@expl:type invariant] inv1 _e }; assume { resolve1 _e }; assert { [@expl:type invariant] inv0 self }; @@ -852,12 +858,12 @@ module Own_Impl0_Expect absurd } BB6 { - [#"../own.rs" 97 26 97 27] t <- ([#"../own.rs" 97 26 97 27] Own_OwnResult_Type.ok_0 self); - [#"../own.rs" 97 26 97 27] self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any t)); + [#"../own.rs" 97 26 97 27] t <- Own_OwnResult_Type.ok_0 self; + self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any t)); assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../own.rs" 97 32 97 33] _0 <- ([#"../own.rs" 97 32 97 33] t); - [#"../own.rs" 97 32 97 33] t <- any t; + [#"../own.rs" 97 32 97 33] _0 <- t; + t <- any t; goto BB7 } BB7 { @@ -945,12 +951,12 @@ module Own_Impl0_UnwrapErr goto BB6 } BB4 { - [#"../own.rs" 110 27 110 28] e <- ([#"../own.rs" 110 27 110 28] Own_OwnResult_Type.err_0 self); - [#"../own.rs" 110 27 110 28] self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); + [#"../own.rs" 110 27 110 28] e <- Own_OwnResult_Type.err_0 self; + self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); assert { [@expl:type invariant] inv1 self }; assume { resolve1 self }; - [#"../own.rs" 110 33 110 34] _0 <- ([#"../own.rs" 110 33 110 34] e); - [#"../own.rs" 110 33 110 34] e <- any e; + [#"../own.rs" 110 33 110 34] _0 <- e; + e <- any e; goto BB7 } BB5 { 
@@ -960,8 +966,8 @@ module Own_Impl0_UnwrapErr absurd } BB6 { - [#"../own.rs" 109 26 109 28] _t <- ([#"../own.rs" 109 26 109 28] Own_OwnResult_Type.ok_0 self); - [#"../own.rs" 109 26 109 28] self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any t)); + [#"../own.rs" 109 26 109 28] _t <- Own_OwnResult_Type.ok_0 self; + self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any t)); assert { [@expl:type invariant] inv0 _t }; assume { resolve0 _t }; assert { [@expl:type invariant] inv1 self }; @@ -1027,8 +1033,9 @@ module Own_Impl0_UnwrapOr let rec cfg unwrap_or [#"../own.rs" 116 4 116 43] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult t e) (default : t) : t requires {[#"../own.rs" 116 21 116 25] inv1 self} requires {[#"../own.rs" 116 27 116 34] inv0 default} - ensures { [#"../own.rs" 114 4 114 69] forall t : t . inv0 t -> self = Own_OwnResult_Type.C_Ok t -> result = t } - ensures { [#"../own.rs" 115 4 115 78] (exists e : e . inv2 e /\ self = Own_OwnResult_Type.C_Err e) -> result = default } + ensures { [#"../own.rs" 114 4 114 69] forall t : t . inv0 t -> self = Own_OwnResult_Type.C_Ok t -> result = t } + ensures { [#"../own.rs" 115 4 115 78] (exists e : e . inv2 e /\ self = Own_OwnResult_Type.C_Err e) + -> result = default } ensures { [#"../own.rs" 116 42 116 43] inv0 result } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -1056,14 +1063,14 @@ module Own_Impl0_UnwrapOr goto BB6 } BB4 { - [#"../own.rs" 120 27 120 28] e <- ([#"../own.rs" 120 27 120 28] Own_OwnResult_Type.err_0 self); - [#"../own.rs" 120 27 120 28] self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); + [#"../own.rs" 120 27 120 28] e <- Own_OwnResult_Type.err_0 self; + self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); assert { [@expl:type invariant] inv2 e }; assume { resolve2 e }; assert { [@expl:type invariant] inv1 self }; assume { resolve1 self }; - [#"../own.rs" 120 33 120 40] _0 <- ([#"../own.rs" 120 33 120 40] default); - [#"../own.rs" 120 33 120 40] default <- any t; + [#"../own.rs" 120 33 120 40] _0 <- default; + default <- any t; goto BB8 } BB5 { @@ -1077,12 +1084,12 @@ module Own_Impl0_UnwrapOr BB6 { assert { [@expl:type invariant] inv0 default }; assume { resolve0 default }; - [#"../own.rs" 118 26 118 27] t <- ([#"../own.rs" 118 26 118 27] Own_OwnResult_Type.ok_0 self); - [#"../own.rs" 118 26 118 27] self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any t)); + [#"../own.rs" 118 26 118 27] t <- Own_OwnResult_Type.ok_0 self; + self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any t)); assert { [@expl:type invariant] inv1 self }; assume { resolve1 self }; - [#"../own.rs" 118 32 118 33] _0 <- ([#"../own.rs" 118 32 118 33] t); - [#"../own.rs" 118 32 118 33] t <- any t; + [#"../own.rs" 118 32 118 33] _0 <- t; + t <- any t; goto BB7 } BB7 { 
@@ -1159,8 +1166,9 @@ module Own_Impl0_UnwrapOrDefault let rec cfg unwrap_or_default [#"../own.rs" 126 4 128 19] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult t e) : t requires {[#"../own.rs" 126 29 126 33] inv0 self} - ensures { [#"../own.rs" 124 4 124 69] forall t : t . inv1 t -> self = Own_OwnResult_Type.C_Ok t -> result = t } - ensures { [#"../own.rs" 125 4 125 80] (exists e : e . inv2 e /\ self = Own_OwnResult_Type.C_Err e) -> is_default0 result } + ensures { [#"../own.rs" 124 4 124 69] forall t : t . inv1 t -> self = Own_OwnResult_Type.C_Ok t -> result = t } + ensures { [#"../own.rs" 125 4 125 80] (exists e : e . inv2 e /\ self = Own_OwnResult_Type.C_Err e) + -> is_default0 result } ensures { [#"../own.rs" 126 38 126 39] inv1 result } = [@vc:do_not_keep_trace] [@vc:sp] @@ -1188,7 +1196,7 @@ module Own_Impl0_UnwrapOrDefault BB4 { assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../own.rs" 132 33 132 45] _0 <- ([#"../own.rs" 132 33 132 45] default0 ()); + [#"../own.rs" 132 33 132 45] _0 <- ([#"../own.rs" 132 33 132 45] default0 ([#"../own.rs" 132 33 132 45] ())); goto BB8 } BB5 { @@ -1198,12 +1206,12 @@ module Own_Impl0_UnwrapOrDefault absurd } BB6 { - [#"../own.rs" 131 26 131 27] x <- ([#"../own.rs" 131 26 131 27] Own_OwnResult_Type.ok_0 self); - [#"../own.rs" 131 26 131 27] self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any t)); + [#"../own.rs" 131 26 131 27] x <- Own_OwnResult_Type.ok_0 self; + self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any t)); assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../own.rs" 131 32 131 33] _0 <- ([#"../own.rs" 131 32 131 33] x); - [#"../own.rs" 131 32 131 33] x <- any t; + [#"../own.rs" 131 32 131 33] _0 <- x; + x <- any t; goto BB7 } BB7 { 
@@ -1289,8 +1297,9 @@ module Own_Impl0_And let rec cfg and [#"../own.rs" 138 4 138 64] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult t e) (res : Own_OwnResult_Type.t_ownresult u e) : Own_OwnResult_Type.t_ownresult u e requires {[#"../own.rs" 138 18 138 22] inv1 self} requires {[#"../own.rs" 138 24 138 27] inv2 res} - ensures { [#"../own.rs" 136 4 136 73] (exists t : t . inv0 t /\ self = Own_OwnResult_Type.C_Ok t) -> result = res } - ensures { [#"../own.rs" 137 4 137 86] forall e : e . inv3 e -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } + ensures { [#"../own.rs" 136 4 136 73] (exists t : t . inv0 t /\ self = Own_OwnResult_Type.C_Ok t) -> result = res } + ensures { [#"../own.rs" 137 4 137 86] forall e : e . inv3 e + -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } ensures { [#"../own.rs" 138 49 138 64] inv2 result } = [@vc:do_not_keep_trace] [@vc:sp] @@ -1320,12 +1329,12 @@ module Own_Impl0_And BB4 { assert { [@expl:type invariant] inv2 res }; assume { resolve2 res }; - [#"../own.rs" 142 27 142 28] e <- ([#"../own.rs" 142 27 142 28] Own_OwnResult_Type.err_0 self); - [#"../own.rs" 142 27 142 28] self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); + [#"../own.rs" 142 27 142 28] e <- Own_OwnResult_Type.err_0 self; + self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); assert { [@expl:type invariant] inv1 self }; assume { resolve1 self }; - [#"../own.rs" 142 33 142 50] _0 <- ([#"../own.rs" 142 33 142 50] Own_OwnResult_Type.C_Err ([#"../own.rs" 142 48 142 49] e)); - [#"../own.rs" 142 48 142 49] e <- any e; + [#"../own.rs" 142 33 142 50] _0 <- Own_OwnResult_Type.C_Err e; + e <- any e; goto BB8 } BB5 { 
@@ -1337,14 +1346,14 @@ module Own_Impl0_And absurd } BB6 { - [#"../own.rs" 141 26 141 27] x <- ([#"../own.rs" 141 26 141 27] Own_OwnResult_Type.ok_0 self); - [#"../own.rs" 141 26 141 27] self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any t)); + [#"../own.rs" 141 26 141 27] x <- Own_OwnResult_Type.ok_0 self; + self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any t)); assert { [@expl:type invariant] inv0 x }; assume { resolve0 x }; assert { [@expl:type invariant] inv1 self }; assume { resolve1 self }; - [#"../own.rs" 141 32 141 35] _0 <- ([#"../own.rs" 141 32 141 35] res); - [#"../own.rs" 141 32 141 35] res <- any Own_OwnResult_Type.t_ownresult u e; + [#"../own.rs" 141 32 141 35] _0 <- res; + res <- any Own_OwnResult_Type.t_ownresult u e; goto BB7 } BB7 { @@ -1439,8 +1448,10 @@ module Own_Impl0_Or let rec cfg or [#"../own.rs" 148 4 148 63] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult t e) (res : Own_OwnResult_Type.t_ownresult t f) : Own_OwnResult_Type.t_ownresult t f requires {[#"../own.rs" 148 17 148 21] inv1 self} requires {[#"../own.rs" 148 23 148 26] inv0 res} - ensures { [#"../own.rs" 146 4 146 84] forall t : t . inv3 t -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok t } - ensures { [#"../own.rs" 147 4 147 74] (exists e : e . inv2 e /\ self = Own_OwnResult_Type.C_Err e) -> result = res } + ensures { [#"../own.rs" 146 4 146 84] forall t : t . inv3 t + -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok t } + ensures { [#"../own.rs" 147 4 147 74] (exists e : e . inv2 e /\ self = Own_OwnResult_Type.C_Err e) + -> result = res } ensures { [#"../own.rs" 148 48 148 63] inv0 result } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -1468,14 +1479,14 @@ module Own_Impl0_Or goto BB6 } BB4 { - [#"../own.rs" 152 27 152 28] e <- ([#"../own.rs" 152 27 152 28] Own_OwnResult_Type.err_0 self); - [#"../own.rs" 152 27 152 28] self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); + [#"../own.rs" 152 27 152 28] e <- Own_OwnResult_Type.err_0 self; + self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); assert { [@expl:type invariant] inv2 e }; assume { resolve2 e }; assert { [@expl:type invariant] inv1 self }; assume { resolve1 self }; - [#"../own.rs" 152 33 152 36] _0 <- ([#"../own.rs" 152 33 152 36] res); - [#"../own.rs" 152 33 152 36] res <- any Own_OwnResult_Type.t_ownresult t f; + [#"../own.rs" 152 33 152 36] _0 <- res; + res <- any Own_OwnResult_Type.t_ownresult t f; goto BB9 } BB5 { @@ -1489,12 +1500,12 @@ module Own_Impl0_Or BB6 { assert { [@expl:type invariant] inv0 res }; assume { resolve0 res }; - [#"../own.rs" 150 26 150 27] v <- ([#"../own.rs" 150 26 150 27] Own_OwnResult_Type.ok_0 self); - [#"../own.rs" 150 26 150 27] self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any t)); + [#"../own.rs" 150 26 150 27] v <- Own_OwnResult_Type.ok_0 self; + self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any t)); assert { [@expl:type invariant] inv1 self }; assume { resolve1 self }; - [#"../own.rs" 150 32 150 48] _0 <- ([#"../own.rs" 150 32 150 48] Own_OwnResult_Type.C_Ok ([#"../own.rs" 150 46 150 47] v)); - [#"../own.rs" 150 46 150 47] v <- any t; + [#"../own.rs" 150 32 150 48] _0 <- Own_OwnResult_Type.C_Ok v; + v <- any t; goto BB7 } BB7 { 
@@ -1576,8 +1587,10 @@ module Own_Impl1_Copied let rec cfg copied [#"../own.rs" 160 4 162 16] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult t e) : Own_OwnResult_Type.t_ownresult t e requires {[#"../own.rs" 160 18 160 22] inv0 self} - ensures { [#"../own.rs" 158 4 158 86] forall t : t . inv1 t -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok t } - ensures { [#"../own.rs" 159 4 159 86] forall e : e . inv2 e -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } + ensures { [#"../own.rs" 158 4 158 86] forall t : t . inv1 t + -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok t } + ensures { [#"../own.rs" 159 4 159 86] forall e : e . inv2 e + -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } ensures { [#"../own.rs" 160 27 160 42] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] @@ -1604,12 +1617,12 @@ module Own_Impl1_Copied goto BB6 } BB4 { - [#"../own.rs" 167 27 167 28] e <- ([#"../own.rs" 167 27 167 28] Own_OwnResult_Type.err_0 self); - [#"../own.rs" 167 27 167 28] self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); + [#"../own.rs" 167 27 167 28] e <- Own_OwnResult_Type.err_0 self; + self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../own.rs" 167 33 167 50] _0 <- ([#"../own.rs" 167 33 167 50] Own_OwnResult_Type.C_Err ([#"../own.rs" 167 48 167 49] e)); - [#"../own.rs" 167 48 167 49] e <- any e; + [#"../own.rs" 167 33 167 50] _0 <- Own_OwnResult_Type.C_Err e; + e <- any e; goto BB7 } BB5 { 
@@ -1619,12 +1632,12 @@ module Own_Impl1_Copied absurd } BB6 { - [#"../own.rs" 166 26 166 27] t <- ([#"../own.rs" 166 26 166 27] Own_OwnResult_Type.ok_0 self); + [#"../own.rs" 166 26 166 27] t <- Own_OwnResult_Type.ok_0 self; assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; assert { [@expl:type invariant] inv1 t }; assume { resolve1 t }; - [#"../own.rs" 166 32 166 49] _0 <- ([#"../own.rs" 166 32 166 49] Own_OwnResult_Type.C_Ok ([#"../own.rs" 166 46 166 48] t)); + [#"../own.rs" 166 32 166 49] _0 <- Own_OwnResult_Type.C_Ok t; goto BB9 } BB7 { @@ -1714,8 +1727,10 @@ module Own_Impl1_Cloned let rec cfg cloned [#"../own.rs" 173 4 175 17] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult t e) : Own_OwnResult_Type.t_ownresult t e requires {[#"../own.rs" 173 18 173 22] inv0 self} - ensures { [#"../own.rs" 171 4 171 86] forall t : t . inv1 t -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok t } - ensures { [#"../own.rs" 172 4 172 86] forall e : e . inv2 e -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } + ensures { [#"../own.rs" 171 4 171 86] forall t : t . inv1 t + -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok t } + ensures { [#"../own.rs" 172 4 172 86] forall e : e . inv2 e + -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } ensures { [#"../own.rs" 173 27 173 42] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -1743,12 +1758,12 @@ module Own_Impl1_Cloned goto BB6 } BB4 { - [#"../own.rs" 180 27 180 28] e <- ([#"../own.rs" 180 27 180 28] Own_OwnResult_Type.err_0 self); - [#"../own.rs" 180 27 180 28] self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); + [#"../own.rs" 180 27 180 28] e <- Own_OwnResult_Type.err_0 self; + self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../own.rs" 180 33 180 50] _0 <- ([#"../own.rs" 180 33 180 50] Own_OwnResult_Type.C_Err ([#"../own.rs" 180 48 180 49] e)); - [#"../own.rs" 180 48 180 49] e <- any e; + [#"../own.rs" 180 33 180 50] _0 <- Own_OwnResult_Type.C_Err e; + e <- any e; goto BB9 } BB5 { @@ -1758,16 +1773,16 @@ module Own_Impl1_Cloned absurd } BB6 { - [#"../own.rs" 179 26 179 27] t <- ([#"../own.rs" 179 26 179 27] Own_OwnResult_Type.ok_0 self); + [#"../own.rs" 179 26 179 27] t <- Own_OwnResult_Type.ok_0 self; assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; assert { [@expl:type invariant] inv1 t }; assume { resolve1 t }; - [#"../own.rs" 179 46 179 55] _6 <- ([#"../own.rs" 179 46 179 55] clone0 ([#"../own.rs" 179 46 179 47] t)); + [#"../own.rs" 179 46 179 55] _6 <- ([#"../own.rs" 179 46 179 55] clone0 t); goto BB7 } BB7 { - [#"../own.rs" 179 32 179 56] _0 <- ([#"../own.rs" 179 32 179 56] Own_OwnResult_Type.C_Ok _6); + [#"../own.rs" 179 32 179 56] _0 <- Own_OwnResult_Type.C_Ok _6; _6 <- any t; goto BB8 } 
@@ -1848,8 +1863,10 @@ module Own_Impl2_Copied let rec cfg copied [#"../own.rs" 188 4 190 16] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult (borrowed t) e) : Own_OwnResult_Type.t_ownresult t e requires {[#"../own.rs" 188 18 188 22] inv0 self} - ensures { [#"../own.rs" 186 4 186 105] forall t : borrowed t . inv1 t -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok ( * t) /\ resolve1 t } - ensures { [#"../own.rs" 187 4 187 86] forall e : e . inv2 e -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } + ensures { [#"../own.rs" 186 4 186 105] forall t : borrowed t . inv1 t + -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok ( * t) /\ resolve1 t } + ensures { [#"../own.rs" 187 4 187 86] forall e : e . inv2 e + -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } ensures { [#"../own.rs" 188 27 188 42] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] @@ -1876,12 +1893,12 @@ module Own_Impl2_Copied goto BB6 } BB4 { - [#"../own.rs" 195 27 195 28] e <- ([#"../own.rs" 195 27 195 28] Own_OwnResult_Type.err_0 self); - [#"../own.rs" 195 27 195 28] self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); + [#"../own.rs" 195 27 195 28] e <- Own_OwnResult_Type.err_0 self; + self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../own.rs" 195 33 195 50] _0 <- ([#"../own.rs" 195 33 195 50] Own_OwnResult_Type.C_Err ([#"../own.rs" 195 48 195 49] e)); - [#"../own.rs" 195 48 195 49] e <- any e; + [#"../own.rs" 195 33 195 50] _0 <- Own_OwnResult_Type.C_Err e; + e <- any e; goto BB7 } BB5 { 
@@ -1891,13 +1908,13 @@ module Own_Impl2_Copied absurd } BB6 { - [#"../own.rs" 194 26 194 27] t <- ([#"../own.rs" 194 26 194 27] Own_OwnResult_Type.ok_0 self); - [#"../own.rs" 194 26 194 27] self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any borrowed t)); + [#"../own.rs" 194 26 194 27] t <- Own_OwnResult_Type.ok_0 self; + self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any borrowed t)); assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; assert { [@expl:type invariant] inv1 t }; assume { resolve1 t }; - [#"../own.rs" 194 32 194 49] _0 <- ([#"../own.rs" 194 32 194 49] Own_OwnResult_Type.C_Ok ([#"../own.rs" 194 46 194 48] * t)); + [#"../own.rs" 194 32 194 49] _0 <- Own_OwnResult_Type.C_Ok ( * t); goto BB9 } BB7 { @@ -1997,8 +2014,10 @@ module Own_Impl2_Cloned let rec cfg cloned [#"../own.rs" 201 4 203 17] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult (borrowed t) e) : Own_OwnResult_Type.t_ownresult t e requires {[#"../own.rs" 201 18 201 22] inv0 self} - ensures { [#"../own.rs" 199 4 199 105] forall t : borrowed t . inv1 t -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok ( * t) /\ resolve1 t } - ensures { [#"../own.rs" 200 4 200 86] forall e : e . inv2 e -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } + ensures { [#"../own.rs" 199 4 199 105] forall t : borrowed t . inv1 t + -> self = Own_OwnResult_Type.C_Ok t -> result = Own_OwnResult_Type.C_Ok ( * t) /\ resolve1 t } + ensures { [#"../own.rs" 200 4 200 86] forall e : e . inv2 e + -> self = Own_OwnResult_Type.C_Err e -> result = Own_OwnResult_Type.C_Err e } ensures { [#"../own.rs" 201 27 201 42] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -2026,12 +2045,12 @@ module Own_Impl2_Cloned goto BB6 } BB4 { - [#"../own.rs" 208 27 208 28] e <- ([#"../own.rs" 208 27 208 28] Own_OwnResult_Type.err_0 self); - [#"../own.rs" 208 27 208 28] self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); + [#"../own.rs" 208 27 208 28] e <- Own_OwnResult_Type.err_0 self; + self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../own.rs" 208 33 208 50] _0 <- ([#"../own.rs" 208 33 208 50] Own_OwnResult_Type.C_Err ([#"../own.rs" 208 48 208 49] e)); - [#"../own.rs" 208 48 208 49] e <- any e; + [#"../own.rs" 208 33 208 50] _0 <- Own_OwnResult_Type.C_Err e; + e <- any e; goto BB9 } BB5 { @@ -2041,17 +2060,17 @@ module Own_Impl2_Cloned absurd } BB6 { - [#"../own.rs" 207 26 207 27] t <- ([#"../own.rs" 207 26 207 27] Own_OwnResult_Type.ok_0 self); - [#"../own.rs" 207 26 207 27] self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any borrowed t)); + [#"../own.rs" 207 26 207 27] t <- Own_OwnResult_Type.ok_0 self; + self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (any borrowed t)); assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../own.rs" 207 46 207 55] _6 <- ([#"../own.rs" 207 46 207 55] clone0 ([#"../own.rs" 207 46 207 47] * t)); + [#"../own.rs" 207 46 207 55] _6 <- ([#"../own.rs" 207 46 207 55] clone0 ( * t)); goto BB7 } BB7 { assert { [@expl:type invariant] inv1 t }; assume { resolve1 t }; - [#"../own.rs" 207 32 207 56] _0 <- ([#"../own.rs" 207 32 207 56] Own_OwnResult_Type.C_Ok _6); + [#"../own.rs" 207 32 207 56] _0 <- Own_OwnResult_Type.C_Ok _6; _6 <- any t; goto BB8 } 
@@ -2133,16 +2152,22 @@ module Own_Impl3_Transpose let rec cfg transpose [#"../own.rs" 217 4 217 53] [@cfg:stackify] [@cfg:subregion_analysis] (self : Own_OwnResult_Type.t_ownresult (Core_Option_Option_Type.t_option t) e) : Core_Option_Option_Type.t_option (Own_OwnResult_Type.t_ownresult t e) requires {[#"../own.rs" 217 21 217 25] inv0 self} - ensures { [#"../own.rs" 214 4 214 62] self = Own_OwnResult_Type.C_Ok (Core_Option_Option_Type.C_None) -> result = Core_Option_Option_Type.C_None } - ensures { [#"../own.rs" 215 4 215 96] forall t : t . inv1 t -> self = Own_OwnResult_Type.C_Ok (Core_Option_Option_Type.C_Some t) -> result = Core_Option_Option_Type.C_Some (Own_OwnResult_Type.C_Ok t) } - ensures { [#"../own.rs" 216 4 216 92] forall e : e . inv2 e -> self = Own_OwnResult_Type.C_Err e -> result = Core_Option_Option_Type.C_Some (Own_OwnResult_Type.C_Err e) } + ensures { [#"../own.rs" 214 4 214 62] self = Own_OwnResult_Type.C_Ok (Core_Option_Option_Type.C_None) + -> result = Core_Option_Option_Type.C_None } + ensures { [#"../own.rs" 215 4 215 96] forall t : t . inv1 t + -> self = Own_OwnResult_Type.C_Ok (Core_Option_Option_Type.C_Some t) + -> result = Core_Option_Option_Type.C_Some (Own_OwnResult_Type.C_Ok t) } + ensures { [#"../own.rs" 216 4 216 92] forall e : e . inv2 e + -> self = Own_OwnResult_Type.C_Err e -> result = Core_Option_Option_Type.C_Some (Own_OwnResult_Type.C_Err e) } ensures { [#"../own.rs" 217 30 217 53] inv3 result } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : Core_Option_Option_Type.t_option (Own_OwnResult_Type.t_ownresult t e); var self : Own_OwnResult_Type.t_ownresult (Core_Option_Option_Type.t_option t) e = self; var x : t; + var _8 : Own_OwnResult_Type.t_ownresult t e; var e : e; + var _11 : Own_OwnResult_Type.t_ownresult t e; { goto BB0 } 
@@ -2180,22 +2205,26 @@ module Own_Impl3_Transpose absurd } BB8 { - [#"../own.rs" 221 27 221 28] e <- ([#"../own.rs" 221 27 221 28] Own_OwnResult_Type.err_0 self); - [#"../own.rs" 221 27 221 28] self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); + [#"../own.rs" 221 27 221 28] e <- Own_OwnResult_Type.err_0 self; + self <- (let Own_OwnResult_Type.C_Err x0 = self in Own_OwnResult_Type.C_Err (any e)); assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; + [#"../own.rs" 221 38 221 55] _11 <- Own_OwnResult_Type.C_Err e; + e <- any e; goto BB14 } BB9 { - [#"../own.rs" 219 31 219 32] x <- ([#"../own.rs" 219 31 219 32] Core_Option_Option_Type.some_0 (Own_OwnResult_Type.ok_0 self)); - [#"../own.rs" 219 31 219 32] self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (let Core_Option_Option_Type.C_Some x0 = Own_OwnResult_Type.ok_0 self in Core_Option_Option_Type.C_Some (any t))); + [#"../own.rs" 219 31 219 32] x <- Core_Option_Option_Type.some_0 (Own_OwnResult_Type.ok_0 self); + self <- (let Own_OwnResult_Type.C_Ok x0 = self in Own_OwnResult_Type.C_Ok (let Core_Option_Option_Type.C_Some x0 = Own_OwnResult_Type.ok_0 self in Core_Option_Option_Type.C_Some (any t))); assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; + [#"../own.rs" 219 43 219 59] _8 <- Own_OwnResult_Type.C_Ok x; + x <- any t; goto BB10 } BB10 { - [#"../own.rs" 219 38 219 60] _0 <- ([#"../own.rs" 219 38 219 60] Core_Option_Option_Type.C_Some ([#"../own.rs" 219 43 219 59] Own_OwnResult_Type.C_Ok ([#"../own.rs" 219 57 219 58] x))); - [#"../own.rs" 219 57 219 58] x <- any t; + [#"../own.rs" 219 38 219 60] _0 <- Core_Option_Option_Type.C_Some _8; + _8 <- any Own_OwnResult_Type.t_ownresult t e; goto BB11 } BB11 { 
@@ -2207,12 +2236,12 @@ module Own_Impl3_Transpose BB13 { assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../own.rs" 220 35 220 39] _0 <- ([#"../own.rs" 220 35 220 39] Core_Option_Option_Type.C_None); + [#"../own.rs" 220 35 220 39] _0 <- Core_Option_Option_Type.C_None; goto BB17 } BB14 { - [#"../own.rs" 221 33 221 56] _0 <- ([#"../own.rs" 221 33 221 56] Core_Option_Option_Type.C_Some ([#"../own.rs" 221 38 221 55] Own_OwnResult_Type.C_Err ([#"../own.rs" 221 53 221 54] e))); - [#"../own.rs" 221 53 221 54] e <- any e; + [#"../own.rs" 221 33 221 56] _0 <- Core_Option_Option_Type.C_Some _11; + _11 <- any Own_OwnResult_Type.t_ownresult t e; goto BB15 } BB15 { diff --git a/creusot/tests/should_succeed/result/own.rs b/creusot/tests/should_succeed/result/own.rs index 9d3b333910..a4ca0bf952 100644 --- a/creusot/tests/should_succeed/result/own.rs +++ b/creusot/tests/should_succeed/result/own.rs @@ -11,7 +11,7 @@ pub enum OwnResult { #[trusted] impl Resolve for OwnResult { #[open] - #[predicate] + #[predicate(prophetic)] fn resolve(self) -> bool { match self { OwnResult::Ok(t) => t.resolve(), diff --git a/creusot/tests/should_succeed/result/result.mlcfg b/creusot/tests/should_succeed/result/result.mlcfg index 7b891359b4..68fa7984dc 100644 --- a/creusot/tests/should_succeed/result/result.mlcfg +++ b/creusot/tests/should_succeed/result/result.mlcfg 
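Review bot: The new `#[predicate(prophetic)]` on `resolve` carries no comment saying why the predicate now needs prophetic access, and since the impl is `#[trusted]` a reader cannot rely on verification of the body to justify the marker. A one-line comment above the attribute, e.g. `// prophetic: resolving the payload of a mutable borrow refers to its final value`, would record the assumption; the `resolve1 t` obligations over `borrowed t` in the generated `Own_Impl2_*` modules of this commit suggest that is the reason, but confirm it. The body of `resolve` and the enclosing `impl` continue past the end of the hunk.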
@@ -178,9 +178,14 @@ module Result_TestResult val transpose0 (self : Core_Result_Result_Type.t_result (Core_Option_Option_Type.t_option int32) int32) : Core_Option_Option_Type.t_option (Core_Result_Result_Type.t_result int32 int32) requires {inv12 self} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 112 16 112 63] self = Core_Result_Result_Type.C_Ok (Core_Option_Option_Type.C_None) -> result = Core_Option_Option_Type.C_None } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 113 16 113 86] forall t : int32 . inv1 t -> self = Core_Result_Result_Type.C_Ok (Core_Option_Option_Type.C_Some t) -> result = Core_Option_Option_Type.C_Some (Core_Result_Result_Type.C_Ok t) } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 114 16 114 82] forall e : int32 . inv1 e -> self = Core_Result_Result_Type.C_Err e -> result = Core_Option_Option_Type.C_Some (Core_Result_Result_Type.C_Err e) } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 112 16 112 63] self = Core_Result_Result_Type.C_Ok (Core_Option_Option_Type.C_None) + -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 113 16 113 86] forall t : int32 . inv1 t + -> self = Core_Result_Result_Type.C_Ok (Core_Option_Option_Type.C_Some t) + -> result = Core_Option_Option_Type.C_Some (Core_Result_Result_Type.C_Ok t) } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 114 16 114 82] forall e : int32 . inv1 e + -> self = Core_Result_Result_Type.C_Err e + -> result = Core_Option_Option_Type.C_Some (Core_Result_Result_Type.C_Err e) } ensures { inv13 result } predicate resolve0 (self : borrowed int32) = 
@@ -190,14 +195,18 @@ module Result_TestResult val cloned1 (self : Core_Result_Result_Type.t_result (borrowed int32) (borrowed int32)) : Core_Result_Result_Type.t_result int32 (borrowed int32) requires {inv9 self} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 104 16 104 95] forall t : borrowed int32 . inv8 t -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok ( * t) /\ resolve0 t } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 105 16 105 76] forall e : borrowed int32 . inv8 e -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 104 16 104 95] forall t : borrowed int32 . inv8 t + -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok ( * t) /\ resolve0 t } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 105 16 105 76] forall e : borrowed int32 . inv8 e + -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } ensures { inv11 result } val cloned0 (self : Core_Result_Result_Type.t_result int32 int32) : Core_Result_Result_Type.t_result int32 int32 requires {inv6 self} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 90 16 90 76] forall t : int32 . inv5 t -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok t } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 91 16 91 76] forall e : int32 . inv5 e -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 90 16 90 76] forall t : int32 . inv5 t + -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok t } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 91 16 91 76] forall e : int32 . 
inv5 e + -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } ensures { inv10 result } val unwrap_err4 (self : Core_Result_Result_Type.t_result int32 (borrowed int32)) : borrowed int32 @@ -214,8 +223,10 @@ module Result_TestResult val copied1 (self : Core_Result_Result_Type.t_result (borrowed int32) (borrowed int32)) : Core_Result_Result_Type.t_result int32 (borrowed int32) requires {inv9 self} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 98 16 98 95] forall t : borrowed int32 . inv8 t -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok ( * t) /\ resolve0 t } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 99 16 99 76] forall e : borrowed int32 . inv8 e -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 98 16 98 95] forall t : borrowed int32 . inv8 t + -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok ( * t) /\ resolve0 t } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 99 16 99 76] forall e : borrowed int32 . inv8 e + -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } ensures { inv11 result } val unwrap_err3 (self : Core_Result_Result_Type.t_result int32 int32) : int32 
@@ -232,22 +243,28 @@ module Result_TestResult val copied0 (self : Core_Result_Result_Type.t_result int32 int32) : Core_Result_Result_Type.t_result int32 int32 requires {inv6 self} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 84 16 84 76] forall t : int32 . inv5 t -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok t } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 85 16 85 76] forall e : int32 . inv5 e -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 84 16 84 76] forall t : int32 . inv5 t + -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok t } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 85 16 85 76] forall e : int32 . inv5 e + -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } ensures { inv10 result } val or0 (self : Core_Result_Result_Type.t_result int32 int32) (res : Core_Result_Result_Type.t_result int32 int32) : Core_Result_Result_Type.t_result int32 int32 requires {inv2 self} requires {inv2 res} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 78 16 78 74] forall t : int32 . inv1 t -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok t } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 79 16 79 75] (exists e : int32 . inv1 e /\ self = Core_Result_Result_Type.C_Err e) -> result = res } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 78 16 78 74] forall t : int32 . inv1 t + -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok t } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 79 16 79 75] (exists e : int32 . 
inv1 e /\ self = Core_Result_Result_Type.C_Err e) + -> result = res } ensures { inv2 result } val and0 (self : Core_Result_Result_Type.t_result int32 int32) (res : Core_Result_Result_Type.t_result int32 int32) : Core_Result_Result_Type.t_result int32 int32 requires {inv2 self} requires {inv2 res} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 74 16 74 74] (exists t : int32 . inv1 t /\ self = Core_Result_Result_Type.C_Ok t) -> result = res } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 75 16 75 76] forall e : int32 . inv1 e -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 74 16 74 74] (exists t : int32 . inv1 t /\ self = Core_Result_Result_Type.C_Ok t) + -> result = res } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 75 16 75 76] forall e : int32 . inv1 e + -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } ensures { inv2 result } use prelude.Int 
@@ -258,15 +275,19 @@ module Result_TestResult val unwrap_or_default0 (self : Core_Result_Result_Type.t_result int32 int32) : int32 requires {inv2 self} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 68 16 68 70] forall t : int32 . inv1 t -> self = Core_Result_Result_Type.C_Ok t -> result = t } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 69 16 69 81] (exists e : int32 . inv1 e /\ self = Core_Result_Result_Type.C_Err e) -> is_default0 result } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 68 16 68 70] forall t : int32 . inv1 t + -> self = Core_Result_Result_Type.C_Ok t -> result = t } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 69 16 69 81] (exists e : int32 . inv1 e /\ self = Core_Result_Result_Type.C_Err e) + -> is_default0 result } ensures { inv1 result } val unwrap_or0 (self : Core_Result_Result_Type.t_result int32 int32) (default : int32) : int32 requires {inv2 self} requires {inv1 default} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 64 16 64 70] forall t : int32 . inv1 t -> self = Core_Result_Result_Type.C_Ok t -> result = t } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 65 16 65 79] (exists e : int32 . inv1 e /\ self = Core_Result_Result_Type.C_Err e) -> result = default } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 64 16 64 70] forall t : int32 . inv1 t + -> self = Core_Result_Result_Type.C_Ok t -> result = t } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 65 16 65 79] (exists e : int32 . inv1 e /\ self = Core_Result_Result_Type.C_Err e) + -> result = default } ensures { inv1 result } val unwrap_err2 (self : Core_Result_Result_Type.t_result int32 int32) : int32 
@@ -312,14 +333,18 @@ module Result_TestResult val as_ref0 (self : Core_Result_Result_Type.t_result int32 int32) : Core_Result_Result_Type.t_result int32 int32 requires {inv0 self} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 36 16 36 77] forall t : int32 . inv5 t -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok t } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 37 16 37 79] forall e : int32 . inv5 e -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 36 16 36 77] forall t : int32 . inv5 t + -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Result_Result_Type.C_Ok t } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 37 16 37 79] forall e : int32 . inv5 e + -> self = Core_Result_Result_Type.C_Err e -> result = Core_Result_Result_Type.C_Err e } ensures { inv6 result } val err0 (self : Core_Result_Result_Type.t_result int32 int32) : Core_Option_Option_Type.t_option int32 requires {inv2 self} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 32 16 32 75] (exists t : int32 . inv1 t /\ self = Core_Result_Result_Type.C_Ok t) -> result = Core_Option_Option_Type.C_None } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 33 16 33 77] forall e : int32 . inv1 e -> self = Core_Result_Result_Type.C_Err e -> result = Core_Option_Option_Type.C_Some e } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 32 16 32 75] (exists t : int32 . inv1 t /\ self = Core_Result_Result_Type.C_Ok t) + -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 33 16 33 77] forall e : int32 . inv1 e + -> self = Core_Result_Result_Type.C_Err e -> result = Core_Option_Option_Type.C_Some e } ensures { inv3 result } val is_none0 (self : Core_Option_Option_Type.t_option int32) : bool 
@@ -334,8 +359,10 @@ module Result_TestResult val ok0 (self : Core_Result_Result_Type.t_result int32 int32) : Core_Option_Option_Type.t_option int32 requires {inv2 self} - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 28 16 28 76] forall t : int32 . inv1 t -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Option_Option_Type.C_Some t } - ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 29 16 29 76] (exists e : int32 . inv1 e /\ self = Core_Result_Result_Type.C_Err e) -> result = Core_Option_Option_Type.C_None } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 28 16 28 76] forall t : int32 . inv1 t + -> self = Core_Result_Result_Type.C_Ok t -> result = Core_Option_Option_Type.C_Some t } + ensures { [#"../../../../../creusot-contracts/src/std/result.rs" 29 16 29 76] (exists e : int32 . inv1 e /\ self = Core_Result_Result_Type.C_Err e) + -> result = Core_Option_Option_Type.C_None } ensures { inv3 result } val is_err0 (self : Core_Result_Result_Type.t_result int32 int32) : bool 
@@ -355,92 +382,134 @@ module Result_TestResult var _6 : bool; var _10 : bool; var _12 : bool; + var _16 : bool; var _17 : int32; var _18 : Core_Option_Option_Type.t_option int32; var _22 : bool; var _24 : Core_Option_Option_Type.t_option int32; var _28 : bool; var _30 : Core_Option_Option_Type.t_option int32; + var _34 : bool; var _35 : int32; var _36 : Core_Option_Option_Type.t_option int32; + var _40 : bool; var _42 : int32; var _43 : Core_Result_Result_Type.t_result int32 int32; + var _47 : bool; var _49 : int32; var _50 : Core_Result_Result_Type.t_result int32 int32; var _53 : borrowed int32; var _54 : Core_Result_Result_Type.t_result (borrowed int32) (borrowed int32); var _55 : borrowed (Core_Result_Result_Type.t_result int32 int32); + var _57 : bool; var _58 : int32; var _61 : borrowed int32; var _62 : Core_Result_Result_Type.t_result (borrowed int32) (borrowed int32); var _63 : borrowed (Core_Result_Result_Type.t_result int32 int32); + var _65 : bool; var _66 : int32; var _69 : borrowed int32; var _70 : Core_Result_Result_Type.t_result (borrowed int32) (borrowed int32); var _71 : borrowed (Core_Result_Result_Type.t_result int32 int32); + var _73 : bool; var _74 : int32; var _77 : borrowed int32; var _78 : Core_Result_Result_Type.t_result (borrowed int32) (borrowed int32); var _79 : borrowed (Core_Result_Result_Type.t_result int32 int32); + var _81 : bool; var _82 : int32; + var _86 : bool; var _87 : int32; + var _91 : bool; var _92 : int32; + var _96 : bool; var _97 : int32; + var _101 : bool; var _102 : int32; + var _106 : bool; var _107 : int32; + var _111 : bool; var _112 : int32; + var _116 : bool; var _117 : int32; var _118 : Core_Result_Result_Type.t_result int32 int32; + var _120 : Core_Result_Result_Type.t_result int32 int32; + var _123 : bool; var _124 : int32; var _125 : Core_Result_Result_Type.t_result int32 int32; + var _127 : Core_Result_Result_Type.t_result int32 int32; + var _130 : bool; var _131 : int32; var _132 : 
Core_Result_Result_Type.t_result int32 int32; + var _134 : Core_Result_Result_Type.t_result int32 int32; + var _137 : bool; var _138 : int32; var _139 : Core_Result_Result_Type.t_result int32 int32; + var _141 : Core_Result_Result_Type.t_result int32 int32; + var _144 : bool; var _145 : int32; var _146 : Core_Result_Result_Type.t_result int32 int32; + var _148 : Core_Result_Result_Type.t_result int32 int32; + var _151 : bool; var _152 : int32; var _153 : Core_Result_Result_Type.t_result int32 int32; + var _155 : Core_Result_Result_Type.t_result int32 int32; + var _158 : bool; var _159 : int32; var _160 : Core_Result_Result_Type.t_result int32 int32; + var _162 : Core_Result_Result_Type.t_result int32 int32; + var _165 : bool; var _166 : int32; var _167 : Core_Result_Result_Type.t_result int32 int32; + var _169 : Core_Result_Result_Type.t_result int32 int32; + var _172 : bool; var _173 : int32; var _174 : Core_Result_Result_Type.t_result int32 int32; var _175 : Core_Result_Result_Type.t_result int32 int32; + var _179 : bool; var _181 : int32; var _182 : Core_Result_Result_Type.t_result int32 int32; var _183 : Core_Result_Result_Type.t_result int32 int32; + var _187 : bool; var _188 : int32; var _189 : Core_Result_Result_Type.t_result int32 (borrowed int32); var _190 : Core_Result_Result_Type.t_result (borrowed int32) (borrowed int32); var _191 : borrowed (Core_Result_Result_Type.t_result int32 int32); + var _194 : bool; var _196 : borrowed int32; var _197 : Core_Result_Result_Type.t_result int32 (borrowed int32); var _198 : Core_Result_Result_Type.t_result (borrowed int32) (borrowed int32); var _199 : borrowed (Core_Result_Result_Type.t_result int32 int32); + var _202 : bool; var _203 : int32; var _204 : Core_Result_Result_Type.t_result int32 int32; var _205 : Core_Result_Result_Type.t_result int32 int32; + var _209 : bool; var _211 : int32; var _212 : Core_Result_Result_Type.t_result int32 int32; var _213 : Core_Result_Result_Type.t_result int32 int32; + var _217 : 
bool; var _218 : int32; var _219 : Core_Result_Result_Type.t_result int32 (borrowed int32); var _220 : Core_Result_Result_Type.t_result (borrowed int32) (borrowed int32); var _221 : borrowed (Core_Result_Result_Type.t_result int32 int32); + var _224 : bool; var _226 : borrowed int32; var _227 : Core_Result_Result_Type.t_result int32 (borrowed int32); var _228 : Core_Result_Result_Type.t_result (borrowed int32) (borrowed int32); var _229 : borrowed (Core_Result_Result_Type.t_result int32 int32); var res : Core_Result_Result_Type.t_result (Core_Option_Option_Type.t_option int32) int32; + var _232 : Core_Option_Option_Type.t_option int32; var _234 : bool; var _236 : Core_Option_Option_Type.t_option (Core_Result_Result_Type.t_result int32 int32); var res1 : Core_Result_Result_Type.t_result (Core_Option_Option_Type.t_option int32) int32; + var _240 : Core_Option_Option_Type.t_option int32; + var _242 : bool; var _243 : int32; var _244 : Core_Result_Result_Type.t_result int32 int32; var _245 : Core_Option_Option_Type.t_option (Core_Result_Result_Type.t_result int32 int32); var res2 : Core_Result_Result_Type.t_result (Core_Option_Option_Type.t_option int32) int32; + var _250 : bool; var _251 : int32; var _252 : Core_Result_Result_Type.t_result int32 int32; var _253 : Core_Option_Option_Type.t_option (Core_Result_Result_Type.t_result int32 int32); 
@@ -448,9 +517,9 @@ module Result_TestResult goto BB0 } BB0 { - [#"../result.rs" 4 35 4 40] ok <- ([#"../result.rs" 4 35 4 40] Core_Result_Result_Type.C_Ok ([#"../result.rs" 4 38 4 39] [#"../result.rs" 4 38 4 39] (1 : int32))); - [#"../result.rs" 5 36 5 43] err <- ([#"../result.rs" 5 36 5 43] Core_Result_Result_Type.C_Err ([#"../result.rs" 5 40 5 42] [#"../result.rs" 5 40 5 42] (-1 : int32))); - [#"../result.rs" 8 12 8 22] _4 <- ([#"../result.rs" 8 12 8 22] is_ok0 ([#"../result.rs" 8 12 8 14] ok)); + [#"../result.rs" 4 35 4 40] ok <- Core_Result_Result_Type.C_Ok ([#"../result.rs" 4 38 4 39] (1 : int32)); + [#"../result.rs" 5 36 5 43] err <- Core_Result_Result_Type.C_Err ([#"../result.rs" 5 40 5 42] (-1 : int32)); + [#"../result.rs" 8 12 8 22] _4 <- ([#"../result.rs" 8 12 8 22] is_ok0 ok); goto BB1 } BB1 { @@ -460,7 +529,7 @@ module Result_TestResult end } BB2 { - [#"../result.rs" 8 27 8 38] _6 <- ([#"../result.rs" 8 27 8 38] is_ok0 ([#"../result.rs" 8 27 8 30] err)); + [#"../result.rs" 8 27 8 38] _6 <- ([#"../result.rs" 8 27 8 38] is_ok0 err); goto BB3 } BB3 { @@ -473,7 +542,7 @@ module Result_TestResult goto BB7 } BB5 { - [#"../result.rs" 10 12 10 24] _10 <- ([#"../result.rs" 10 12 10 24] is_err0 ([#"../result.rs" 10 12 10 15] err)); + [#"../result.rs" 10 12 10 24] _10 <- ([#"../result.rs" 10 12 10 24] is_err0 err); goto BB8 } BB6 { @@ -490,7 +559,7 @@ module Result_TestResult end } BB9 { - [#"../result.rs" 10 29 10 40] _12 <- ([#"../result.rs" 10 29 10 40] is_err0 ([#"../result.rs" 10 29 10 31] ok)); + [#"../result.rs" 10 29 10 40] _12 <- ([#"../result.rs" 10 29 10 40] is_err0 ok); goto BB10 } BB10 { @@ -503,7 +572,7 @@ module Result_TestResult goto BB14 } BB12 { - [#"../result.rs" 13 12 13 19] _18 <- ([#"../result.rs" 13 12 13 19] ok0 ([#"../result.rs" 13 12 13 14] ok)); + [#"../result.rs" 13 12 13 19] _18 <- ([#"../result.rs" 13 12 13 19] ok0 ok); goto BB15 } BB13 { 
@@ -519,13 +588,15 @@ module Result_TestResult goto BB16 } BB16 { - switch ([#"../result.rs" 13 12 13 33] _17 = ([#"../result.rs" 13 32 13 33] [#"../result.rs" 13 32 13 33] (1 : int32))) + [#"../result.rs" 13 12 13 33] _16 <- _17 = ([#"../result.rs" 13 32 13 33] (1 : int32)); + _17 <- any int32; + switch (_16) | False -> goto BB18 | True -> goto BB17 end } BB17 { - [#"../result.rs" 14 12 14 20] _24 <- ([#"../result.rs" 14 12 14 20] ok0 ([#"../result.rs" 14 12 14 15] err)); + [#"../result.rs" 14 12 14 20] _24 <- ([#"../result.rs" 14 12 14 20] ok0 err); goto BB19 } BB18 { @@ -533,7 +604,7 @@ module Result_TestResult absurd } BB19 { - [#"../result.rs" 14 12 14 30] _22 <- ([#"../result.rs" 14 12 14 30] is_none0 ([#"../result.rs" 14 12 14 20] _24)); + [#"../result.rs" 14 12 14 30] _22 <- ([#"../result.rs" 14 12 14 30] is_none0 _24); goto BB20 } BB20 { @@ -543,7 +614,7 @@ module Result_TestResult end } BB21 { - [#"../result.rs" 16 12 16 20] _30 <- ([#"../result.rs" 16 12 16 20] err0 ([#"../result.rs" 16 12 16 14] ok)); + [#"../result.rs" 16 12 16 20] _30 <- ([#"../result.rs" 16 12 16 20] err0 ok); goto BB23 } BB22 { @@ -551,7 +622,7 @@ module Result_TestResult absurd } BB23 { - [#"../result.rs" 16 12 16 30] _28 <- ([#"../result.rs" 16 12 16 30] is_none0 ([#"../result.rs" 16 12 16 20] _30)); + [#"../result.rs" 16 12 16 30] _28 <- ([#"../result.rs" 16 12 16 30] is_none0 _30); goto BB24 } BB24 { @@ -561,7 +632,7 @@ module Result_TestResult end } BB25 { - [#"../result.rs" 17 12 17 21] _36 <- ([#"../result.rs" 17 12 17 21] err0 ([#"../result.rs" 17 12 17 15] err)); + [#"../result.rs" 17 12 17 21] _36 <- ([#"../result.rs" 17 12 17 21] err0 err); goto BB27 } BB26 { 
@@ -574,13 +645,15 @@ module Result_TestResult goto BB28 } BB28 { - switch ([#"../result.rs" 17 12 17 36] _35 = ([#"../result.rs" 17 34 17 36] [#"../result.rs" 17 34 17 36] (-1 : int32))) + [#"../result.rs" 17 12 17 36] _34 <- _35 = ([#"../result.rs" 17 34 17 36] (-1 : int32)); + _35 <- any int32; + switch (_34) | False -> goto BB30 | True -> goto BB29 end } BB29 { - [#"../result.rs" 20 13 20 24] _43 <- ([#"../result.rs" 20 13 20 24] as_ref0 ([#"../result.rs" 20 13 20 15] ok)); + [#"../result.rs" 20 13 20 24] _43 <- ([#"../result.rs" 20 13 20 24] as_ref0 ok); goto BB31 } BB30 { @@ -593,13 +666,14 @@ module Result_TestResult goto BB32 } BB32 { - switch ([#"../result.rs" 20 12 20 38] ([#"../result.rs" 20 12 20 33] _42) = ([#"../result.rs" 20 37 20 38] [#"../result.rs" 20 37 20 38] (1 : int32))) + [#"../result.rs" 20 12 20 38] _40 <- _42 = ([#"../result.rs" 20 37 20 38] (1 : int32)); + switch (_40) | False -> goto BB34 | True -> goto BB33 end } BB33 { - [#"../result.rs" 21 13 21 25] _50 <- ([#"../result.rs" 21 13 21 25] as_ref0 ([#"../result.rs" 21 13 21 16] err)); + [#"../result.rs" 21 13 21 25] _50 <- ([#"../result.rs" 21 13 21 25] as_ref0 err); goto BB35 } BB34 { @@ -612,7 +686,8 @@ module Result_TestResult goto BB36 } BB36 { - switch ([#"../result.rs" 21 12 21 44] ([#"../result.rs" 21 12 21 38] _49) = ([#"../result.rs" 21 42 21 44] [#"../result.rs" 21 42 21 44] (-1 : int32))) + [#"../result.rs" 21 12 21 44] _47 <- _49 = ([#"../result.rs" 21 42 21 44] (-1 : int32)); + switch (_47) | False -> goto BB38 | True -> goto BB37 end 
@@ -634,13 +709,15 @@ module Result_TestResult goto BB40 } BB40 { - [#"../result.rs" 23 4 23 29] _53 <- { _53 with current = ([#"../result.rs" 23 4 23 29] [#"../result.rs" 23 28 23 29] (0 : int32)) ; }; + [#"../result.rs" 23 4 23 29] _53 <- { _53 with current = ([#"../result.rs" 23 28 23 29] (0 : int32)) ; }; assume { resolve0 _53 }; - [#"../result.rs" 24 12 24 23] _58 <- ([#"../result.rs" 24 12 24 23] unwrap3 ([#"../result.rs" 24 12 24 14] ok)); + [#"../result.rs" 24 12 24 23] _58 <- ([#"../result.rs" 24 12 24 23] unwrap3 ok); goto BB41 } BB41 { - switch ([#"../result.rs" 24 12 24 28] _58 = ([#"../result.rs" 24 27 24 28] [#"../result.rs" 24 27 24 28] (0 : int32))) + [#"../result.rs" 24 12 24 28] _57 <- _58 = ([#"../result.rs" 24 27 24 28] (0 : int32)); + _58 <- any int32; + switch (_57) | False -> goto BB43 | True -> goto BB42 end @@ -662,13 +739,15 @@ module Result_TestResult goto BB45 } BB45 { - [#"../result.rs" 25 4 25 29] _61 <- { _61 with current = ([#"../result.rs" 25 4 25 29] [#"../result.rs" 25 28 25 29] (1 : int32)) ; }; + [#"../result.rs" 25 4 25 29] _61 <- { _61 with current = ([#"../result.rs" 25 28 25 29] (1 : int32)) ; }; assume { resolve0 _61 }; - [#"../result.rs" 26 12 26 23] _66 <- ([#"../result.rs" 26 12 26 23] unwrap3 ([#"../result.rs" 26 12 26 14] ok)); + [#"../result.rs" 26 12 26 23] _66 <- ([#"../result.rs" 26 12 26 23] unwrap3 ok); goto BB46 } BB46 { - switch ([#"../result.rs" 26 12 26 28] _66 = ([#"../result.rs" 26 27 26 28] [#"../result.rs" 26 27 26 28] (1 : int32))) + [#"../result.rs" 26 12 26 28] _65 <- _66 = ([#"../result.rs" 26 27 26 28] (1 : int32)); + _66 <- any int32; + switch (_65) | False -> goto BB48 | True -> goto BB47 end 
@@ -690,13 +769,15 @@ module Result_TestResult goto BB50 } BB50 { - [#"../result.rs" 27 4 27 34] _69 <- { _69 with current = ([#"../result.rs" 27 4 27 34] [#"../result.rs" 27 33 27 34] (0 : int32)) ; }; + [#"../result.rs" 27 4 27 34] _69 <- { _69 with current = ([#"../result.rs" 27 33 27 34] (0 : int32)) ; }; assume { resolve0 _69 }; - [#"../result.rs" 28 12 28 28] _74 <- ([#"../result.rs" 28 12 28 28] unwrap_err2 ([#"../result.rs" 28 12 28 15] err)); + [#"../result.rs" 28 12 28 28] _74 <- ([#"../result.rs" 28 12 28 28] unwrap_err2 err); goto BB51 } BB51 { - switch ([#"../result.rs" 28 12 28 33] _74 = ([#"../result.rs" 28 32 28 33] [#"../result.rs" 28 32 28 33] (0 : int32))) + [#"../result.rs" 28 12 28 33] _73 <- _74 = ([#"../result.rs" 28 32 28 33] (0 : int32)); + _74 <- any int32; + switch (_73) | False -> goto BB53 | True -> goto BB52 end @@ -718,19 +799,21 @@ module Result_TestResult goto BB55 } BB55 { - [#"../result.rs" 29 4 29 35] _77 <- { _77 with current = ([#"../result.rs" 29 4 29 35] [#"../result.rs" 29 33 29 35] (-1 : int32)) ; }; + [#"../result.rs" 29 4 29 35] _77 <- { _77 with current = ([#"../result.rs" 29 33 29 35] (-1 : int32)) ; }; assume { resolve0 _77 }; - [#"../result.rs" 30 12 30 28] _82 <- ([#"../result.rs" 30 12 30 28] unwrap_err2 ([#"../result.rs" 30 12 30 15] err)); + [#"../result.rs" 30 12 30 28] _82 <- ([#"../result.rs" 30 12 30 28] unwrap_err2 err); goto BB56 } BB56 { - switch ([#"../result.rs" 30 12 30 34] _82 = ([#"../result.rs" 30 32 30 34] [#"../result.rs" 30 32 30 34] (-1 : int32))) + [#"../result.rs" 30 12 30 34] _81 <- _82 = ([#"../result.rs" 30 32 30 34] (-1 : int32)); + _82 <- any int32; + switch (_81) | False -> goto BB58 | True -> goto BB57 end } BB57 { - [#"../result.rs" 33 12 33 23] _87 <- ([#"../result.rs" 33 12 33 23] unwrap3 ([#"../result.rs" 33 12 33 14] ok)); + [#"../result.rs" 33 12 33 23] _87 <- ([#"../result.rs" 33 12 33 23] unwrap3 ok); goto BB59 } BB58 { 
@@ -738,13 +821,15 @@ module Result_TestResult absurd } BB59 { - switch ([#"../result.rs" 33 12 33 28] _87 = ([#"../result.rs" 33 27 33 28] [#"../result.rs" 33 27 33 28] (1 : int32))) + [#"../result.rs" 33 12 33 28] _86 <- _87 = ([#"../result.rs" 33 27 33 28] (1 : int32)); + _87 <- any int32; + switch (_86) | False -> goto BB61 | True -> goto BB60 end } BB60 { - [#"../result.rs" 37 12 37 28] _92 <- ([#"../result.rs" 37 12 37 28] unwrap_err2 ([#"../result.rs" 37 12 37 15] err)); + [#"../result.rs" 37 12 37 28] _92 <- ([#"../result.rs" 37 12 37 28] unwrap_err2 err); goto BB62 } BB61 { @@ -752,13 +837,15 @@ module Result_TestResult absurd } BB62 { - switch ([#"../result.rs" 37 12 37 34] _92 = ([#"../result.rs" 37 32 37 34] [#"../result.rs" 37 32 37 34] (-1 : int32))) + [#"../result.rs" 37 12 37 34] _91 <- _92 = ([#"../result.rs" 37 32 37 34] (-1 : int32)); + _92 <- any int32; + switch (_91) | False -> goto BB64 | True -> goto BB63 end } BB63 { - [#"../result.rs" 40 12 40 27] _97 <- ([#"../result.rs" 40 12 40 27] unwrap_or0 ([#"../result.rs" 40 12 40 14] ok) ([#"../result.rs" 40 25 40 26] [#"../result.rs" 40 25 40 26] (0 : int32))); + [#"../result.rs" 40 12 40 27] _97 <- ([#"../result.rs" 40 12 40 27] unwrap_or0 ok ([#"../result.rs" 40 25 40 26] (0 : int32))); goto BB65 } BB64 { 
@@ -766,13 +853,15 @@ module Result_TestResult absurd } BB65 { - switch ([#"../result.rs" 40 12 40 32] _97 = ([#"../result.rs" 40 31 40 32] [#"../result.rs" 40 31 40 32] (1 : int32))) + [#"../result.rs" 40 12 40 32] _96 <- _97 = ([#"../result.rs" 40 31 40 32] (1 : int32)); + _97 <- any int32; + switch (_96) | False -> goto BB67 | True -> goto BB66 end } BB66 { - [#"../result.rs" 41 12 41 28] _102 <- ([#"../result.rs" 41 12 41 28] unwrap_or0 ([#"../result.rs" 41 12 41 15] err) ([#"../result.rs" 41 26 41 27] [#"../result.rs" 41 26 41 27] (0 : int32))); + [#"../result.rs" 41 12 41 28] _102 <- ([#"../result.rs" 41 12 41 28] unwrap_or0 err ([#"../result.rs" 41 26 41 27] (0 : int32))); goto BB68 } BB67 { @@ -780,13 +869,15 @@ module Result_TestResult absurd } BB68 { - switch ([#"../result.rs" 41 12 41 33] _102 = ([#"../result.rs" 41 32 41 33] [#"../result.rs" 41 32 41 33] (0 : int32))) + [#"../result.rs" 41 12 41 33] _101 <- _102 = ([#"../result.rs" 41 32 41 33] (0 : int32)); + _102 <- any int32; + switch (_101) | False -> goto BB70 | True -> goto BB69 end } BB69 { - [#"../result.rs" 43 12 43 34] _107 <- ([#"../result.rs" 43 12 43 34] unwrap_or_default0 ([#"../result.rs" 43 12 43 14] ok)); + [#"../result.rs" 43 12 43 34] _107 <- ([#"../result.rs" 43 12 43 34] unwrap_or_default0 ok); goto BB71 } BB70 { @@ -794,13 +885,15 @@ module Result_TestResult absurd } BB71 { - switch ([#"../result.rs" 43 12 43 39] _107 = ([#"../result.rs" 43 38 43 39] [#"../result.rs" 43 38 43 39] (1 : int32))) + [#"../result.rs" 43 12 43 39] _106 <- _107 = ([#"../result.rs" 43 38 43 39] (1 : int32)); + _107 <- any int32; + switch (_106) | False -> goto BB73 | True -> goto BB72 end } BB72 { - [#"../result.rs" 44 12 44 35] _112 <- ([#"../result.rs" 44 12 44 35] unwrap_or_default0 ([#"../result.rs" 44 12 44 15] err)); + [#"../result.rs" 44 12 44 35] _112 <- ([#"../result.rs" 44 12 44 35] unwrap_or_default0 err); goto BB74 } BB73 { 
@@ -808,13 +901,17 @@ module Result_TestResult absurd } BB74 { - switch ([#"../result.rs" 44 12 44 40] _112 = ([#"../result.rs" 44 39 44 40] [#"../result.rs" 44 39 44 40] (0 : int32))) + [#"../result.rs" 44 12 44 40] _111 <- _112 = ([#"../result.rs" 44 39 44 40] (0 : int32)); + _112 <- any int32; + switch (_111) | False -> goto BB76 | True -> goto BB75 end } BB75 { - [#"../result.rs" 47 12 47 34] _118 <- ([#"../result.rs" 47 12 47 34] and0 ([#"../result.rs" 47 12 47 14] ok) ([#"../result.rs" 47 26 47 33] Core_Result_Result_Type.C_Err ([#"../result.rs" 47 30 47 32] [#"../result.rs" 47 30 47 32] (-2 : int32)))); + [#"../result.rs" 47 26 47 33] _120 <- Core_Result_Result_Type.C_Err ([#"../result.rs" 47 30 47 32] (-2 : int32)); + [#"../result.rs" 47 12 47 34] _118 <- ([#"../result.rs" 47 12 47 34] and0 ok _120); + _120 <- any Core_Result_Result_Type.t_result int32 int32; goto BB77 } BB76 { @@ -827,13 +924,17 @@ module Result_TestResult goto BB78 } BB78 { - switch ([#"../result.rs" 47 12 47 53] _117 = ([#"../result.rs" 47 51 47 53] [#"../result.rs" 47 51 47 53] (-2 : int32))) + [#"../result.rs" 47 12 47 53] _116 <- _117 = ([#"../result.rs" 47 51 47 53] (-2 : int32)); + _117 <- any int32; + switch (_116) | False -> goto BB80 | True -> goto BB79 end } BB79 { - [#"../result.rs" 48 12 48 25] _125 <- ([#"../result.rs" 48 12 48 25] and0 ([#"../result.rs" 48 12 48 14] ok) ([#"../result.rs" 48 19 48 24] Core_Result_Result_Type.C_Ok ([#"../result.rs" 48 22 48 23] [#"../result.rs" 48 22 48 23] (2 : int32)))); + [#"../result.rs" 48 19 48 24] _127 <- Core_Result_Result_Type.C_Ok ([#"../result.rs" 48 22 48 23] (2 : int32)); + [#"../result.rs" 48 12 48 25] _125 <- ([#"../result.rs" 48 12 48 25] and0 ok _127); + _127 <- any Core_Result_Result_Type.t_result int32 int32; goto BB81 } BB80 { 
@@ -846,13 +947,17 @@ module Result_TestResult goto BB82 } BB82 { - switch ([#"../result.rs" 48 12 48 39] _124 = ([#"../result.rs" 48 38 48 39] [#"../result.rs" 48 38 48 39] (2 : int32))) + [#"../result.rs" 48 12 48 39] _123 <- _124 = ([#"../result.rs" 48 38 48 39] (2 : int32)); + _124 <- any int32; + switch (_123) | False -> goto BB84 | True -> goto BB83 end } BB83 { - [#"../result.rs" 49 12 49 35] _132 <- ([#"../result.rs" 49 12 49 35] and0 ([#"../result.rs" 49 12 49 15] err) ([#"../result.rs" 49 27 49 34] Core_Result_Result_Type.C_Err ([#"../result.rs" 49 31 49 33] [#"../result.rs" 49 31 49 33] (-2 : int32)))); + [#"../result.rs" 49 27 49 34] _134 <- Core_Result_Result_Type.C_Err ([#"../result.rs" 49 31 49 33] (-2 : int32)); + [#"../result.rs" 49 12 49 35] _132 <- ([#"../result.rs" 49 12 49 35] and0 err _134); + _134 <- any Core_Result_Result_Type.t_result int32 int32; goto BB85 } BB84 { @@ -865,13 +970,17 @@ module Result_TestResult goto BB86 } BB86 { - switch ([#"../result.rs" 49 12 49 54] _131 = ([#"../result.rs" 49 52 49 54] [#"../result.rs" 49 52 49 54] (-1 : int32))) + [#"../result.rs" 49 12 49 54] _130 <- _131 = ([#"../result.rs" 49 52 49 54] (-1 : int32)); + _131 <- any int32; + switch (_130) | False -> goto BB88 | True -> goto BB87 end } BB87 { - [#"../result.rs" 50 12 50 26] _139 <- ([#"../result.rs" 50 12 50 26] and0 ([#"../result.rs" 50 12 50 15] err) ([#"../result.rs" 50 20 50 25] Core_Result_Result_Type.C_Ok ([#"../result.rs" 50 23 50 24] [#"../result.rs" 50 23 50 24] (2 : int32)))); + [#"../result.rs" 50 20 50 25] _141 <- Core_Result_Result_Type.C_Ok ([#"../result.rs" 50 23 50 24] (2 : int32)); + [#"../result.rs" 50 12 50 26] _139 <- ([#"../result.rs" 50 12 50 26] and0 err _141); + _141 <- any Core_Result_Result_Type.t_result int32 int32; goto BB89 } BB88 { 
@@ -884,13 +993,17 @@ module Result_TestResult goto BB90 } BB90 { - switch ([#"../result.rs" 50 12 50 45] _138 = ([#"../result.rs" 50 43 50 45] [#"../result.rs" 50 43 50 45] (-1 : int32))) + [#"../result.rs" 50 12 50 45] _137 <- _138 = ([#"../result.rs" 50 43 50 45] (-1 : int32)); + _138 <- any int32; + switch (_137) | False -> goto BB92 | True -> goto BB91 end } BB91 { - [#"../result.rs" 53 12 53 26] _146 <- ([#"../result.rs" 53 12 53 26] or0 ([#"../result.rs" 53 12 53 14] ok) ([#"../result.rs" 53 18 53 25] Core_Result_Result_Type.C_Err ([#"../result.rs" 53 22 53 24] [#"../result.rs" 53 22 53 24] (-2 : int32)))); + [#"../result.rs" 53 18 53 25] _148 <- Core_Result_Result_Type.C_Err ([#"../result.rs" 53 22 53 24] (-2 : int32)); + [#"../result.rs" 53 12 53 26] _146 <- ([#"../result.rs" 53 12 53 26] or0 ok _148); + _148 <- any Core_Result_Result_Type.t_result int32 int32; goto BB93 } BB92 { @@ -903,13 +1016,17 @@ module Result_TestResult goto BB94 } BB94 { - switch ([#"../result.rs" 53 12 53 40] _145 = ([#"../result.rs" 53 39 53 40] [#"../result.rs" 53 39 53 40] (1 : int32))) + [#"../result.rs" 53 12 53 40] _144 <- _145 = ([#"../result.rs" 53 39 53 40] (1 : int32)); + _145 <- any int32; + switch (_144) | False -> goto BB96 | True -> goto BB95 end } BB95 { - [#"../result.rs" 54 12 54 31] _153 <- ([#"../result.rs" 54 12 54 31] or0 ([#"../result.rs" 54 12 54 14] ok) ([#"../result.rs" 54 25 54 30] Core_Result_Result_Type.C_Ok ([#"../result.rs" 54 28 54 29] [#"../result.rs" 54 28 54 29] (2 : int32)))); + [#"../result.rs" 54 25 54 30] _155 <- Core_Result_Result_Type.C_Ok ([#"../result.rs" 54 28 54 29] (2 : int32)); + [#"../result.rs" 54 12 54 31] _153 <- ([#"../result.rs" 54 12 54 31] or0 ok _155); + _155 <- any Core_Result_Result_Type.t_result int32 int32; goto BB97 } BB96 { 
@@ -922,13 +1039,17 @@ module Result_TestResult goto BB98 } BB98 { - switch ([#"../result.rs" 54 12 54 45] _152 = ([#"../result.rs" 54 44 54 45] [#"../result.rs" 54 44 54 45] (1 : int32))) + [#"../result.rs" 54 12 54 45] _151 <- _152 = ([#"../result.rs" 54 44 54 45] (1 : int32)); + _152 <- any int32; + switch (_151) | False -> goto BB100 | True -> goto BB99 end } BB99 { - [#"../result.rs" 55 12 55 27] _160 <- ([#"../result.rs" 55 12 55 27] or0 ([#"../result.rs" 55 12 55 15] err) ([#"../result.rs" 55 19 55 26] Core_Result_Result_Type.C_Err ([#"../result.rs" 55 23 55 25] [#"../result.rs" 55 23 55 25] (-2 : int32)))); + [#"../result.rs" 55 19 55 26] _162 <- Core_Result_Result_Type.C_Err ([#"../result.rs" 55 23 55 25] (-2 : int32)); + [#"../result.rs" 55 12 55 27] _160 <- ([#"../result.rs" 55 12 55 27] or0 err _162); + _162 <- any Core_Result_Result_Type.t_result int32 int32; goto BB101 } BB100 { @@ -941,13 +1062,17 @@ module Result_TestResult goto BB102 } BB102 { - switch ([#"../result.rs" 55 12 55 46] _159 = ([#"../result.rs" 55 44 55 46] [#"../result.rs" 55 44 55 46] (-2 : int32))) + [#"../result.rs" 55 12 55 46] _158 <- _159 = ([#"../result.rs" 55 44 55 46] (-2 : int32)); + _159 <- any int32; + switch (_158) | False -> goto BB104 | True -> goto BB103 end } BB103 { - [#"../result.rs" 56 12 56 32] _167 <- ([#"../result.rs" 56 12 56 32] or0 ([#"../result.rs" 56 12 56 15] err) ([#"../result.rs" 56 26 56 31] Core_Result_Result_Type.C_Ok ([#"../result.rs" 56 29 56 30] [#"../result.rs" 56 29 56 30] (2 : int32)))); + [#"../result.rs" 56 26 56 31] _169 <- Core_Result_Result_Type.C_Ok ([#"../result.rs" 56 29 56 30] (2 : int32)); + [#"../result.rs" 56 12 56 32] _167 <- ([#"../result.rs" 56 12 56 32] or0 err _169); + _169 <- any Core_Result_Result_Type.t_result int32 int32; goto BB105 } BB104 { 
@@ -960,13 +1085,15 @@ module Result_TestResult goto BB106 } BB106 { - switch ([#"../result.rs" 56 12 56 46] _166 = ([#"../result.rs" 56 45 56 46] [#"../result.rs" 56 45 56 46] (2 : int32))) + [#"../result.rs" 56 12 56 46] _165 <- _166 = ([#"../result.rs" 56 45 56 46] (2 : int32)); + _166 <- any int32; + switch (_165) | False -> goto BB108 | True -> goto BB107 end } BB107 { - [#"../result.rs" 59 12 59 23] _175 <- ([#"../result.rs" 59 12 59 23] as_ref0 ([#"../result.rs" 59 12 59 14] ok)); + [#"../result.rs" 59 12 59 23] _175 <- ([#"../result.rs" 59 12 59 23] as_ref0 ok); goto BB109 } BB108 { @@ -984,13 +1111,15 @@ module Result_TestResult goto BB111 } BB111 { - switch ([#"../result.rs" 59 12 59 46] _173 = ([#"../result.rs" 59 45 59 46] [#"../result.rs" 59 45 59 46] (1 : int32))) + [#"../result.rs" 59 12 59 46] _172 <- _173 = ([#"../result.rs" 59 45 59 46] (1 : int32)); + _173 <- any int32; + switch (_172) | False -> goto BB113 | True -> goto BB112 end } BB112 { - [#"../result.rs" 60 13 60 25] _183 <- ([#"../result.rs" 60 13 60 25] as_ref0 ([#"../result.rs" 60 13 60 16] err)); + [#"../result.rs" 60 13 60 25] _183 <- ([#"../result.rs" 60 13 60 25] as_ref0 err); goto BB114 } BB113 { @@ -1008,7 +1137,8 @@ module Result_TestResult goto BB116 } BB116 { - switch ([#"../result.rs" 60 12 60 53] ([#"../result.rs" 60 12 60 47] _181) = ([#"../result.rs" 60 51 60 53] [#"../result.rs" 60 51 60 53] (-1 : int32))) + [#"../result.rs" 60 12 60 53] _179 <- _181 = ([#"../result.rs" 60 51 60 53] (-1 : int32)); + switch (_179) | False -> goto BB118 | True -> goto BB117 end @@ -1035,7 +1165,9 @@ module Result_TestResult goto BB121 } BB121 { - switch ([#"../result.rs" 61 12 61 46] _188 = ([#"../result.rs" 61 45 61 46] [#"../result.rs" 61 45 61 46] (1 : int32))) + [#"../result.rs" 61 12 61 46] _187 <- _188 = ([#"../result.rs" 61 45 61 46] (1 : int32)); + _188 <- any int32; + switch (_187) | False -> goto BB123 | True -> goto BB122 end 
@@ -1063,13 +1195,14 @@ module Result_TestResult } BB126 { assume { resolve0 _196 }; - switch ([#"../result.rs" 62 12 62 53] ([#"../result.rs" 62 12 62 47] * _196) = ([#"../result.rs" 62 51 62 53] [#"../result.rs" 62 51 62 53] (-1 : int32))) + [#"../result.rs" 62 12 62 53] _194 <- * _196 = ([#"../result.rs" 62 51 62 53] (-1 : int32)); + switch (_194) | False -> goto BB128 | True -> goto BB127 end } BB127 { - [#"../result.rs" 64 12 64 23] _205 <- ([#"../result.rs" 64 12 64 23] as_ref0 ([#"../result.rs" 64 12 64 14] ok)); + [#"../result.rs" 64 12 64 23] _205 <- ([#"../result.rs" 64 12 64 23] as_ref0 ok); goto BB129 } BB128 { @@ -1087,13 +1220,15 @@ module Result_TestResult goto BB131 } BB131 { - switch ([#"../result.rs" 64 12 64 46] _203 = ([#"../result.rs" 64 45 64 46] [#"../result.rs" 64 45 64 46] (1 : int32))) + [#"../result.rs" 64 12 64 46] _202 <- _203 = ([#"../result.rs" 64 45 64 46] (1 : int32)); + _203 <- any int32; + switch (_202) | False -> goto BB133 | True -> goto BB132 end } BB132 { - [#"../result.rs" 65 13 65 25] _213 <- ([#"../result.rs" 65 13 65 25] as_ref0 ([#"../result.rs" 65 13 65 16] err)); + [#"../result.rs" 65 13 65 25] _213 <- ([#"../result.rs" 65 13 65 25] as_ref0 err); goto BB134 } BB133 { @@ -1111,7 +1246,8 @@ module Result_TestResult goto BB136 } BB136 { - switch ([#"../result.rs" 65 12 65 53] ([#"../result.rs" 65 12 65 47] _211) = ([#"../result.rs" 65 51 65 53] [#"../result.rs" 65 51 65 53] (-1 : int32))) + [#"../result.rs" 65 12 65 53] _209 <- _211 = ([#"../result.rs" 65 51 65 53] (-1 : int32)); + switch (_209) | False -> goto BB138 | True -> goto BB137 end @@ -1138,7 +1274,9 @@ module Result_TestResult goto BB141 } BB141 { - switch ([#"../result.rs" 66 12 66 46] _218 = ([#"../result.rs" 66 45 66 46] [#"../result.rs" 66 45 66 46] (1 : int32))) + [#"../result.rs" 66 12 66 46] _217 <- _218 = ([#"../result.rs" 66 45 66 46] (1 : int32)); + _218 <- any int32; + switch (_217) | False -> goto BB143 | True -> goto BB142 end 
@@ -1166,14 +1304,17 @@ module Result_TestResult } BB146 { assume { resolve0 _226 }; - switch ([#"../result.rs" 67 12 67 53] ([#"../result.rs" 67 12 67 47] * _226) = ([#"../result.rs" 67 51 67 53] [#"../result.rs" 67 51 67 53] (-1 : int32))) + [#"../result.rs" 67 12 67 53] _224 <- * _226 = ([#"../result.rs" 67 51 67 53] (-1 : int32)); + switch (_224) | False -> goto BB148 | True -> goto BB147 end } BB147 { - [#"../result.rs" 70 40 70 48] res <- ([#"../result.rs" 70 40 70 48] Core_Result_Result_Type.C_Ok ([#"../result.rs" 70 43 70 47] Core_Option_Option_Type.C_None)); - [#"../result.rs" 71 12 71 27] _236 <- ([#"../result.rs" 71 12 71 27] transpose0 ([#"../result.rs" 71 12 71 15] res)); + [#"../result.rs" 70 43 70 47] _232 <- Core_Option_Option_Type.C_None; + [#"../result.rs" 70 40 70 48] res <- Core_Result_Result_Type.C_Ok _232; + _232 <- any Core_Option_Option_Type.t_option int32; + [#"../result.rs" 71 12 71 27] _236 <- ([#"../result.rs" 71 12 71 27] transpose0 res); goto BB149 } BB148 { @@ -1181,7 +1322,7 @@ module Result_TestResult absurd } BB149 { - [#"../result.rs" 71 12 71 37] _234 <- ([#"../result.rs" 71 12 71 37] is_none1 ([#"../result.rs" 71 12 71 27] _236)); + [#"../result.rs" 71 12 71 37] _234 <- ([#"../result.rs" 71 12 71 37] is_none1 _236); goto BB150 } BB150 { 
@@ -1191,8 +1332,10 @@ module Result_TestResult end } BB151 { - [#"../result.rs" 72 40 72 51] res1 <- ([#"../result.rs" 72 40 72 51] Core_Result_Result_Type.C_Ok ([#"../result.rs" 72 43 72 50] Core_Option_Option_Type.C_Some ([#"../result.rs" 72 48 72 49] [#"../result.rs" 72 48 72 49] (1 : int32)))); - [#"../result.rs" 73 12 73 27] _245 <- ([#"../result.rs" 73 12 73 27] transpose0 ([#"../result.rs" 73 12 73 15] res1)); + [#"../result.rs" 72 43 72 50] _240 <- Core_Option_Option_Type.C_Some ([#"../result.rs" 72 48 72 49] (1 : int32)); + [#"../result.rs" 72 40 72 51] res1 <- Core_Result_Result_Type.C_Ok _240; + _240 <- any Core_Option_Option_Type.t_option int32; + [#"../result.rs" 73 12 73 27] _245 <- ([#"../result.rs" 73 12 73 27] transpose0 res1); goto BB153 } BB152 { @@ -1210,14 +1353,16 @@ module Result_TestResult goto BB155 } BB155 { - switch ([#"../result.rs" 73 12 73 50] _243 = ([#"../result.rs" 73 49 73 50] [#"../result.rs" 73 49 73 50] (1 : int32))) + [#"../result.rs" 73 12 73 50] _242 <- _243 = ([#"../result.rs" 73 49 73 50] (1 : int32)); + _243 <- any int32; + switch (_242) | False -> goto BB157 | True -> goto BB156 end } BB156 { - [#"../result.rs" 74 40 74 47] res2 <- ([#"../result.rs" 74 40 74 47] Core_Result_Result_Type.C_Err ([#"../result.rs" 74 44 74 46] [#"../result.rs" 74 44 74 46] (-1 : int32))); - [#"../result.rs" 75 12 75 27] _253 <- ([#"../result.rs" 75 12 75 27] transpose0 ([#"../result.rs" 75 12 75 15] res2)); + [#"../result.rs" 74 40 74 47] res2 <- Core_Result_Result_Type.C_Err ([#"../result.rs" 74 44 74 46] (-1 : int32)); + [#"../result.rs" 75 12 75 27] _253 <- ([#"../result.rs" 75 12 75 27] transpose0 res2); goto BB158 } BB157 { 
@@ -1235,7 +1380,9 @@ module Result_TestResult goto BB160 } BB160 { - switch ([#"../result.rs" 75 12 75 55] _251 = ([#"../result.rs" 75 53 75 55] [#"../result.rs" 75 53 75 55] (-1 : int32))) + [#"../result.rs" 75 12 75 55] _250 <- _251 = ([#"../result.rs" 75 53 75 55] (-1 : int32)); + _251 <- any int32; + switch (_250) | False -> goto BB162 | True -> goto BB161 end diff --git a/creusot/tests/should_succeed/rusthorn/inc_max.mlcfg b/creusot/tests/should_succeed/rusthorn/inc_max.mlcfg index d2346593d0..e35ee4e9fa 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_max.mlcfg +++ b/creusot/tests/should_succeed/rusthorn/inc_max.mlcfg @@ -21,12 +21,14 @@ module IncMax_TakeMax var mb : borrowed uint32 = mb; var _3 : borrowed uint32; var _5 : borrowed uint32; + var _6 : bool; var _9 : borrowed uint32; { goto BB0 } BB0 { - switch ([#"../inc_max.rs" 7 7 7 17] ([#"../inc_max.rs" 7 7 7 10] * ma) >= ([#"../inc_max.rs" 7 14 7 17] * mb)) + [#"../inc_max.rs" 7 7 7 17] _6 <- * ma >= * mb; + switch (_6) | False -> goto BB2 | True -> goto BB1 end @@ -87,6 +89,7 @@ module IncMax_IncMax var _6 : borrowed uint32; var _7 : borrowed uint32; var _8 : borrowed uint32; + var _10 : bool; { goto BB0 } @@ -107,9 +110,10 @@ module IncMax_IncMax BB1 { assume { resolve0 _8 }; assume { resolve0 _6 }; - [#"../inc_max.rs" 17 4 17 12] mc <- { mc with current = ([#"../inc_max.rs" 17 4 17 12] * mc + ([#"../inc_max.rs" 17 11 17 12] [#"../inc_max.rs" 17 11 17 12] (1 : uint32))) ; }; + [#"../inc_max.rs" 17 4 17 12] mc <- { mc with current = ( * mc + ([#"../inc_max.rs" 17 11 17 12] (1 : uint32))) ; }; assume { resolve0 mc }; - switch ([#"../inc_max.rs" 18 12 18 18] ([#"../inc_max.rs" 18 12 18 13] a) <> ([#"../inc_max.rs" 18 17 18 18] b)) + [#"../inc_max.rs" 18 12 18 18] _10 <- a <> b; + switch (_10) | False -> goto BB3 | True -> goto BB2 end 
diff --git a/creusot/tests/should_succeed/rusthorn/inc_max/why3session.xml b/creusot/tests/should_succeed/rusthorn/inc_max/why3session.xml index 15b2561ce5..d1ad93ed1a 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_max/why3session.xml +++ b/creusot/tests/should_succeed/rusthorn/inc_max/why3session.xml @@ -7,12 +7,12 @@ - + - + diff --git a/creusot/tests/should_succeed/rusthorn/inc_max/why3shapes.gz b/creusot/tests/should_succeed/rusthorn/inc_max/why3shapes.gz index 106d2706f0..51a9ac3bf2 100644 Binary files a/creusot/tests/should_succeed/rusthorn/inc_max/why3shapes.gz and b/creusot/tests/should_succeed/rusthorn/inc_max/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/rusthorn/inc_max_3.mlcfg b/creusot/tests/should_succeed/rusthorn/inc_max_3.mlcfg index 5d13c23898..1681670526 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_max_3.mlcfg +++ b/creusot/tests/should_succeed/rusthorn/inc_max_3.mlcfg @@ -26,18 +26,21 @@ module IncMax3_IncMax3 var mb : borrowed uint32 = mb; var mc : borrowed uint32 = mc; var _6 : (); + var _7 : bool; var _10 : (); var _11 : borrowed (borrowed uint32); var _12 : borrowed (borrowed uint32); var _13 : borrowed (borrowed uint32); var _14 : borrowed (borrowed uint32); var _15 : (); + var _16 : bool; var _19 : (); var _20 : borrowed (borrowed uint32); var _21 : borrowed (borrowed uint32); var _22 : borrowed (borrowed uint32); var _23 : borrowed (borrowed uint32); var _24 : (); + var _25 : bool; var _28 : (); var _29 : borrowed (borrowed uint32); var _30 : borrowed (borrowed uint32); @@ -47,7 +50,8 @@ module IncMax3_IncMax3 goto BB0 } BB0 { - switch ([#"../inc_max_3.rs" 13 7 13 16] ([#"../inc_max_3.rs" 13 7 13 10] * ma) < ([#"../inc_max_3.rs" 13 13 13 16] * mb)) + [#"../inc_max_3.rs" 13 7 13 16] _7 <- * ma < * mb; + switch (_7) | False -> goto BB3 | True -> goto BB1 end 
@@ -77,7 +81,8 @@ module IncMax3_IncMax3 goto BB4 } BB4 { - switch ([#"../inc_max_3.rs" 16 7 16 16] ([#"../inc_max_3.rs" 16 7 16 10] * mb) < ([#"../inc_max_3.rs" 16 13 16 16] * mc)) + [#"../inc_max_3.rs" 16 7 16 16] _16 <- * mb < * mc; + switch (_16) | False -> goto BB7 | True -> goto BB5 end @@ -109,7 +114,8 @@ module IncMax3_IncMax3 goto BB8 } BB8 { - switch ([#"../inc_max_3.rs" 19 7 19 16] ([#"../inc_max_3.rs" 19 7 19 10] * ma) < ([#"../inc_max_3.rs" 19 13 19 16] * mb)) + [#"../inc_max_3.rs" 19 7 19 16] _25 <- * ma < * mb; + switch (_25) | False -> goto BB11 | True -> goto BB9 end @@ -139,9 +145,9 @@ module IncMax3_IncMax3 goto BB12 } BB12 { - [#"../inc_max_3.rs" 22 4 22 12] ma <- { ma with current = ([#"../inc_max_3.rs" 22 4 22 12] * ma + ([#"../inc_max_3.rs" 22 11 22 12] [#"../inc_max_3.rs" 22 11 22 12] (2 : uint32))) ; }; + [#"../inc_max_3.rs" 22 4 22 12] ma <- { ma with current = ( * ma + ([#"../inc_max_3.rs" 22 11 22 12] (2 : uint32))) ; }; assume { resolve1 ma }; - [#"../inc_max_3.rs" 23 4 23 12] mb <- { mb with current = ([#"../inc_max_3.rs" 23 4 23 12] * mb + ([#"../inc_max_3.rs" 23 11 23 12] [#"../inc_max_3.rs" 23 11 23 12] (1 : uint32))) ; }; + [#"../inc_max_3.rs" 23 4 23 12] mb <- { mb with current = ( * mb + ([#"../inc_max_3.rs" 23 11 23 12] (1 : uint32))) ; }; assume { resolve1 mb }; [#"../inc_max_3.rs" 12 80 24 1] _0 <- ([#"../inc_max_3.rs" 12 80 24 1] ()); return _0 @@ -176,6 +182,9 @@ module IncMax3_TestIncMax3 var _9 : borrowed uint32; var _10 : borrowed uint32; var _11 : borrowed uint32; + var _13 : bool; + var _16 : bool; + var _19 : bool; { goto BB0 } 
@@ -202,19 +211,22 @@ module IncMax3_TestIncMax3 assume { resolve0 _11 }; assume { resolve0 _9 }; assume { resolve0 _7 }; - switch ([#"../inc_max_3.rs" 29 12 29 18] ([#"../inc_max_3.rs" 29 12 29 13] a) <> ([#"../inc_max_3.rs" 29 17 29 18] b)) + [#"../inc_max_3.rs" 29 12 29 18] _13 <- a <> b; + switch (_13) | False -> goto BB7 | True -> goto BB2 end } BB2 { - switch ([#"../inc_max_3.rs" 29 22 29 28] ([#"../inc_max_3.rs" 29 22 29 23] b) <> ([#"../inc_max_3.rs" 29 27 29 28] c)) + [#"../inc_max_3.rs" 29 22 29 28] _16 <- b <> c; + switch (_16) | False -> goto BB6 | True -> goto BB3 end } BB3 { - switch ([#"../inc_max_3.rs" 29 32 29 38] ([#"../inc_max_3.rs" 29 32 29 33] c) <> ([#"../inc_max_3.rs" 29 37 29 38] a)) + [#"../inc_max_3.rs" 29 32 29 38] _19 <- c <> a; + switch (_19) | False -> goto BB5 | True -> goto BB4 end diff --git a/creusot/tests/should_succeed/rusthorn/inc_max_3/why3session.xml b/creusot/tests/should_succeed/rusthorn/inc_max_3/why3session.xml index 8bfcc6d23d..6a0fbad5e5 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_max_3/why3session.xml +++ b/creusot/tests/should_succeed/rusthorn/inc_max_3/why3session.xml @@ -7,12 +7,12 @@ - + - + diff --git a/creusot/tests/should_succeed/rusthorn/inc_max_3/why3shapes.gz b/creusot/tests/should_succeed/rusthorn/inc_max_3/why3shapes.gz index 864e153711..427548bb44 100644 Binary files a/creusot/tests/should_succeed/rusthorn/inc_max_3/why3shapes.gz and b/creusot/tests/should_succeed/rusthorn/inc_max_3/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/rusthorn/inc_max_many.mlcfg b/creusot/tests/should_succeed/rusthorn/inc_max_many.mlcfg index 8d77158a62..5ccd22941a 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_max_many.mlcfg +++ b/creusot/tests/should_succeed/rusthorn/inc_max_many.mlcfg 
@@ -21,12 +21,14 @@ module IncMaxMany_TakeMax var mb : borrowed uint32 = mb; var _3 : borrowed uint32; var _5 : borrowed uint32; + var _6 : bool; var _9 : borrowed uint32; { goto BB0 } BB0 { - switch ([#"../inc_max_many.rs" 7 7 7 17] ([#"../inc_max_many.rs" 7 7 7 10] * ma) >= ([#"../inc_max_many.rs" 7 14 7 17] * mb)) + [#"../inc_max_many.rs" 7 7 7 17] _6 <- * ma >= * mb; + switch (_6) | False -> goto BB2 | True -> goto BB1 end @@ -88,6 +90,10 @@ module IncMaxMany_IncMaxMany var _7 : borrowed uint32; var _8 : borrowed uint32; var _9 : borrowed uint32; + var _12 : bool; + var _14 : uint32; + var _17 : bool; + var _19 : uint32; { goto BB0 } @@ -108,9 +114,12 @@ module IncMaxMany_IncMaxMany BB1 { assume { resolve0 _9 }; assume { resolve0 _7 }; - [#"../inc_max_many.rs" 17 4 17 12] mc <- { mc with current = ([#"../inc_max_many.rs" 17 4 17 12] * mc + ([#"../inc_max_many.rs" 17 11 17 12] k)) ; }; + [#"../inc_max_many.rs" 17 4 17 12] mc <- { mc with current = ( * mc + k) ; }; assume { resolve0 mc }; - switch ([#"../inc_max_many.rs" 18 12 18 22] ([#"../inc_max_many.rs" 18 12 18 13] a) >= ([#"../inc_max_many.rs" 18 17 18 22] ([#"../inc_max_many.rs" 18 17 18 18] b) + ([#"../inc_max_many.rs" 18 21 18 22] k))) + [#"../inc_max_many.rs" 18 17 18 22] _14 <- b + k; + [#"../inc_max_many.rs" 18 12 18 22] _12 <- a >= _14; + _14 <- any uint32; + switch (_12) | False -> goto BB3 | True -> goto BB2 end @@ -119,7 +128,10 @@ module IncMaxMany_IncMaxMany goto BB4 } BB3 { - switch ([#"../inc_max_many.rs" 18 26 18 36] ([#"../inc_max_many.rs" 18 26 18 27] b) >= ([#"../inc_max_many.rs" 18 31 18 36] ([#"../inc_max_many.rs" 18 31 18 32] a) + ([#"../inc_max_many.rs" 18 35 18 36] k))) + [#"../inc_max_many.rs" 18 31 18 36] _19 <- a + k; + [#"../inc_max_many.rs" 18 26 18 36] _17 <- b >= _19; + _19 <- any uint32; + switch (_17) | False -> goto BB5 | True -> goto BB4 end 
diff --git a/creusot/tests/should_succeed/rusthorn/inc_max_many/why3session.xml b/creusot/tests/should_succeed/rusthorn/inc_max_many/why3session.xml index b220a46584..83d3114756 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_max_many/why3session.xml +++ b/creusot/tests/should_succeed/rusthorn/inc_max_many/why3session.xml @@ -8,12 +8,12 @@ - + - + diff --git a/creusot/tests/should_succeed/rusthorn/inc_max_many/why3shapes.gz b/creusot/tests/should_succeed/rusthorn/inc_max_many/why3shapes.gz index 6af70ae55c..baa7c69838 100644 Binary files a/creusot/tests/should_succeed/rusthorn/inc_max_many/why3shapes.gz and b/creusot/tests/should_succeed/rusthorn/inc_max_many/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/rusthorn/inc_max_repeat.mlcfg b/creusot/tests/should_succeed/rusthorn/inc_max_repeat.mlcfg index c8d8c0d34a..e9833795a0 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_max_repeat.mlcfg +++ b/creusot/tests/should_succeed/rusthorn/inc_max_repeat.mlcfg @@ -3,7 +3,7 @@ module IncMaxRepeat_TakeMax use prelude.Borrow use prelude.UInt32 predicate resolve0 (self : borrowed uint32) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed uint32) : bool ensures { result = resolve0 self } @@ -21,12 +21,14 @@ module IncMaxRepeat_TakeMax var mb : borrowed uint32 = mb; var _3 : borrowed uint32; var _5 : borrowed uint32; + var _6 : bool; var _9 : borrowed uint32; { goto BB0 } BB0 { - switch ([#"../inc_max_repeat.rs" 7 7 7 17] ([#"../inc_max_repeat.rs" 7 7 7 10] * ma) >= ([#"../inc_max_repeat.rs" 7 14 7 17] * mb)) + [#"../inc_max_repeat.rs" 7 7 7 17] _6 <- * ma >= * mb; + switch (_6) | False -> goto BB2 | True -> goto BB1 end 
@@ -137,7 +139,9 @@ module IncMaxRepeat_IncMaxRepeat predicate produces0 (self : Core_Ops_Range_Range_Type.t_range uint32) (visited : Seq.seq uint32) (o : Core_Ops_Range_Range_Type.t_range uint32) = - [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range uint32) (visited : Seq.seq uint32) (o : Core_Ops_Range_Range_Type.t_range uint32) : bool ensures { result = produces0 self visited o } 
@@ -153,23 +157,31 @@ module IncMaxRepeat_IncMaxRepeat requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range uint32, ab : Seq.seq uint32, b : Core_Ops_Range_Range_Type.t_range uint32, bc : Seq.seq uint32, c : Core_Ops_Range_Range_Type.t_range uint32 . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv3 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv3 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range uint32, ab : Seq.seq uint32, b : Core_Ops_Range_Range_Type.t_range uint32, bc : Seq.seq uint32, c : Core_Ops_Range_Range_Type.t_range uint32 . 
([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv3 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv3 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range uint32) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range uint32) : () requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range uint32 . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range uint32 . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : Core_Ops_Range_Range_Type.t_range uint32) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant0 (self : Core_Ops_Range_Range_Type.t_range uint32) : bool ensures { result = invariant0 self } axiom inv0 : forall x : Core_Ops_Range_Range_Type.t_range uint32 . 
inv0 x = true - use prelude.Ghost + use prelude.Snapshot predicate resolve1 (self : borrowed uint32) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed uint32) : bool ensures { result = resolve1 self } @@ -182,7 +194,7 @@ module IncMaxRepeat_IncMaxRepeat use seq.Seq predicate resolve0 (self : borrowed (Core_Ops_Range_Range_Type.t_range uint32)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (Core_Ops_Range_Range_Type.t_range uint32)) : bool ensures { result = resolve0 self } @@ -199,11 +211,11 @@ module IncMaxRepeat_IncMaxRepeat end } ensures { inv2 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_Range_Type.t_range uint32) (res : Core_Ops_Range_Range_Type.t_range uint32) = 
@@ -231,31 +243,38 @@ module IncMaxRepeat_IncMaxRepeat var b : uint32 = b; var n : uint32 = n; var iter : Core_Ops_Range_Range_Type.t_range uint32; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range uint32); - var produced : Ghost.ghost_ty (Seq.seq uint32); + var _7 : Core_Ops_Range_Range_Type.t_range uint32; + var iter_old : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range uint32); + var produced : Snapshot.snap_ty (Seq.seq uint32); var _18 : Core_Option_Option_Type.t_option uint32; var _19 : borrowed (Core_Ops_Range_Range_Type.t_range uint32); var _20 : borrowed (Core_Ops_Range_Range_Type.t_range uint32); var __creusot_proc_iter_elem : uint32; - var _23 : Ghost.ghost_ty (Seq.seq uint32); + var _23 : Snapshot.snap_ty (Seq.seq uint32); var mc : borrowed uint32; var _26 : borrowed uint32; var _27 : borrowed uint32; var _28 : borrowed uint32; var _29 : borrowed uint32; + var _32 : bool; + var _34 : uint32; + var _37 : bool; + var _39 : uint32; { goto BB0 } BB0 { - [#"../inc_max_repeat.rs" 16 4 16 86] iter <- ([#"../inc_max_repeat.rs" 16 4 16 86] into_iter0 ([#"../inc_max_repeat.rs" 18 13 18 17] Core_Ops_Range_Range_Type.C_Range ([#"../inc_max_repeat.rs" 18 13 18 14] [#"../inc_max_repeat.rs" 18 13 18 14] (0 : uint32)) ([#"../inc_max_repeat.rs" 18 16 18 17] n))); + [#"../inc_max_repeat.rs" 18 13 18 17] _7 <- Core_Ops_Range_Range_Type.C_Range ([#"../inc_max_repeat.rs" 18 13 18 14] (0 : uint32)) n; + [#"../inc_max_repeat.rs" 16 4 16 86] iter <- ([#"../inc_max_repeat.rs" 16 4 16 86] into_iter0 _7); + _7 <- any Core_Ops_Range_Range_Type.t_range uint32; goto BB1 } BB1 { - [#"../inc_max_repeat.rs" 16 4 16 86] iter_old <- ([#"../inc_max_repeat.rs" 16 4 16 86] Ghost.new iter); + [#"../inc_max_repeat.rs" 16 4 16 86] iter_old <- ([#"../inc_max_repeat.rs" 16 4 16 86] Snapshot.new iter); goto BB2 } BB2 { - [#"../inc_max_repeat.rs" 16 4 16 86] produced <- ([#"../inc_max_repeat.rs" 16 4 16 86] Ghost.new (Seq.empty )); + [#"../inc_max_repeat.rs" 16 4 16 86] 
produced <- ([#"../inc_max_repeat.rs" 16 4 16 86] Snapshot.new (Seq.empty )); goto BB3 } BB3 { @@ -263,9 +282,9 @@ module IncMaxRepeat_IncMaxRepeat } BB4 { invariant { [#"../inc_max_repeat.rs" 16 4 16 86] inv0 iter }; - invariant { [#"../inc_max_repeat.rs" 16 4 16 86] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../inc_max_repeat.rs" 16 16 16 84] UInt32.to_int a <= 1000000 + Seq.length (Ghost.inner produced) /\ UInt32.to_int b <= 1000000 + Seq.length (Ghost.inner produced) }; - invariant { [#"../inc_max_repeat.rs" 17 16 17 70] UInt32.to_int a >= UInt32.to_int b + Seq.length (Ghost.inner produced) \/ UInt32.to_int b >= UInt32.to_int a + Seq.length (Ghost.inner produced) }; + invariant { [#"../inc_max_repeat.rs" 16 4 16 86] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../inc_max_repeat.rs" 16 16 16 84] UInt32.to_int a <= 1000000 + Seq.length (Snapshot.inner produced) /\ UInt32.to_int b <= 1000000 + Seq.length (Snapshot.inner produced) }; + invariant { [#"../inc_max_repeat.rs" 17 16 17 70] UInt32.to_int a >= UInt32.to_int b + Seq.length (Snapshot.inner produced) \/ UInt32.to_int b >= UInt32.to_int a + Seq.length (Snapshot.inner produced) }; goto BB5 } BB5 { @@ -285,7 +304,10 @@ module IncMaxRepeat_IncMaxRepeat end } BB7 { - switch ([#"../inc_max_repeat.rs" 22 12 22 22] ([#"../inc_max_repeat.rs" 22 12 22 13] a) >= ([#"../inc_max_repeat.rs" 22 17 22 22] ([#"../inc_max_repeat.rs" 22 17 22 18] b) + ([#"../inc_max_repeat.rs" 22 21 22 22] n))) + [#"../inc_max_repeat.rs" 22 17 22 22] _34 <- b + n; + [#"../inc_max_repeat.rs" 22 12 22 22] _32 <- a >= _34; + _34 <- any uint32; + switch (_32) | False -> goto BB14 | True -> goto BB13 end 
@@ -298,13 +320,13 @@ module IncMaxRepeat_IncMaxRepeat absurd } BB10 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _18); - [#"../inc_max_repeat.rs" 16 4 16 86] _23 <- ([#"../inc_max_repeat.rs" 16 4 16 86] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _18; + [#"../inc_max_repeat.rs" 16 4 16 86] _23 <- ([#"../inc_max_repeat.rs" 16 4 16 86] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB11 } BB11 { - [#"../inc_max_repeat.rs" 16 4 16 86] produced <- ([#"../inc_max_repeat.rs" 16 4 16 86] _23); - [#"../inc_max_repeat.rs" 16 4 16 86] _23 <- any Ghost.ghost_ty (Seq.seq uint32); + [#"../inc_max_repeat.rs" 16 4 16 86] produced <- _23; + _23 <- any Snapshot.snap_ty (Seq.seq uint32); [#"../inc_max_repeat.rs" 19 26 19 32] _27 <- Borrow.borrow_mut a; [#"../inc_max_repeat.rs" 19 26 19 32] a <- ^ _27; [#"../inc_max_repeat.rs" 19 26 19 32] _26 <- Borrow.borrow_final ( * _27) (Borrow.get_id _27); @@ -321,7 +343,7 @@ module IncMaxRepeat_IncMaxRepeat BB12 { assume { resolve1 _29 }; assume { resolve1 _27 }; - [#"../inc_max_repeat.rs" 20 8 20 16] mc <- { mc with current = ([#"../inc_max_repeat.rs" 20 8 20 16] * mc + ([#"../inc_max_repeat.rs" 20 15 20 16] [#"../inc_max_repeat.rs" 20 15 20 16] (1 : uint32))) ; }; + [#"../inc_max_repeat.rs" 20 8 20 16] mc <- { mc with current = ( * mc + ([#"../inc_max_repeat.rs" 20 15 20 16] (1 : uint32))) ; }; assume { resolve1 mc }; goto BB4 } 
@@ -329,7 +351,10 @@ module IncMaxRepeat_IncMaxRepeat goto BB15 } BB14 { - switch ([#"../inc_max_repeat.rs" 22 26 22 36] ([#"../inc_max_repeat.rs" 22 26 22 27] b) >= ([#"../inc_max_repeat.rs" 22 31 22 36] ([#"../inc_max_repeat.rs" 22 31 22 32] a) + ([#"../inc_max_repeat.rs" 22 35 22 36] n))) + [#"../inc_max_repeat.rs" 22 31 22 36] _39 <- a + n; + [#"../inc_max_repeat.rs" 22 26 22 36] _37 <- b >= _39; + _39 <- any uint32; + switch (_37) | False -> goto BB16 | True -> goto BB15 end diff --git a/creusot/tests/should_succeed/rusthorn/inc_max_repeat/why3session.xml b/creusot/tests/should_succeed/rusthorn/inc_max_repeat/why3session.xml index 67cd4d381e..9a95523da0 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_max_repeat/why3session.xml +++ b/creusot/tests/should_succeed/rusthorn/inc_max_repeat/why3session.xml @@ -8,12 +8,12 @@ - + - + diff --git a/creusot/tests/should_succeed/rusthorn/inc_max_repeat/why3shapes.gz b/creusot/tests/should_succeed/rusthorn/inc_max_repeat/why3shapes.gz index 0e80f8e5f6..44dd6b4651 100644 Binary files a/creusot/tests/should_succeed/rusthorn/inc_max_repeat/why3shapes.gz and b/creusot/tests/should_succeed/rusthorn/inc_max_repeat/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_2_list.mlcfg b/creusot/tests/should_succeed/rusthorn/inc_some_2_list.mlcfg index e924fd6dec..82bd843c1b 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_some_2_list.mlcfg +++ b/creusot/tests/should_succeed/rusthorn/inc_some_2_list.mlcfg 
@@ -30,15 +30,13 @@ module IncSome2List_Impl0_LemmaSumNonneg_Impl val sum0 [#"../inc_some_2_list.rs" 21 4 21 23] (self : IncSome2List_List_Type.t_list) : int ensures { result = sum0 self } - let rec ghost function lemma_sum_nonneg [#"../inc_some_2_list.rs" 34 4 34 30] (self : IncSome2List_List_Type.t_list) : () - ensures { [#"../inc_some_2_list.rs" 33 14 33 29] sum0 self >= 0 } - variant {[#"../inc_some_2_list.rs" 32 15 32 19] self} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../inc_some_2_list.rs" 35 8 38 9] match self with - | IncSome2List_List_Type.C_Cons _ l -> lemma_sum_nonneg l - | IncSome2List_List_Type.C_Nil -> () - end + constant self : IncSome2List_List_Type.t_list + function lemma_sum_nonneg [#"../inc_some_2_list.rs" 34 4 34 30] (self : IncSome2List_List_Type.t_list) : () + goal vc_lemma_sum_nonneg : match self with + | IncSome2List_List_Type.C_Cons _ l -> ([#"../inc_some_2_list.rs" 33 14 33 29] sum0 l >= 0) + -> ([#"../inc_some_2_list.rs" 33 14 33 29] sum0 self >= 0) + | IncSome2List_List_Type.C_Nil -> [#"../inc_some_2_list.rs" 33 14 33 29] sum0 self >= 0 + end end module IncSome2List_Impl0_SumX use prelude.UInt32 @@ -77,7 +75,7 @@ module IncSome2List_Impl0_SumX goto BB4 } BB2 { - [#"../inc_some_2_list.rs" 46 19 46 20] _0 <- ([#"../inc_some_2_list.rs" 46 19 46 20] [#"../inc_some_2_list.rs" 46 19 46 20] (0 : uint32)); + [#"../inc_some_2_list.rs" 46 19 46 20] _0 <- ([#"../inc_some_2_list.rs" 46 19 46 20] (0 : uint32)); goto BB6 } BB3 { 
@@ -85,13 +83,13 @@ module IncSome2List_Impl0_SumX absurd } BB4 { - [#"../inc_some_2_list.rs" 45 17 45 18] a <- ([#"../inc_some_2_list.rs" 45 17 45 18] IncSome2List_List_Type.cons_0 self); - [#"../inc_some_2_list.rs" 45 20 45 21] l <- ([#"../inc_some_2_list.rs" 45 20 45 21] IncSome2List_List_Type.cons_1 self); - [#"../inc_some_2_list.rs" 45 31 45 40] _8 <- ([#"../inc_some_2_list.rs" 45 31 45 40] sum_x ([#"../inc_some_2_list.rs" 45 31 45 32] l)); + [#"../inc_some_2_list.rs" 45 17 45 18] a <- IncSome2List_List_Type.cons_0 self; + [#"../inc_some_2_list.rs" 45 20 45 21] l <- IncSome2List_List_Type.cons_1 self; + [#"../inc_some_2_list.rs" 45 31 45 40] _8 <- ([#"../inc_some_2_list.rs" 45 31 45 40] sum_x l); goto BB5 } BB5 { - [#"../inc_some_2_list.rs" 45 26 45 40] _0 <- ([#"../inc_some_2_list.rs" 45 26 45 40] ([#"../inc_some_2_list.rs" 45 26 45 28] a) + _8); + [#"../inc_some_2_list.rs" 45 26 45 40] _0 <- a + _8; _8 <- any uint32; goto BB6 } @@ -120,7 +118,7 @@ module IncSome2List_Impl0_TakeSomeRest val sum0 [#"../inc_some_2_list.rs" 21 4 21 23] (self : IncSome2List_List_Type.t_list) : int ensures { result = sum0 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve2 (self : borrowed (IncSome2List_List_Type.t_list)) = [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve2 (self : borrowed (IncSome2List_List_Type.t_list)) : bool @@ -137,7 +135,7 @@ module IncSome2List_Impl0_TakeSomeRest ensures { result = resolve0 self } val random0 [#"../inc_some_2_list.rs" 15 0 15 19] (_1 : ()) : bool - use prelude.Ghost + use prelude.Snapshot function lemma_sum_nonneg0 [#"../inc_some_2_list.rs" 34 4 34 30] (self : IncSome2List_List_Type.t_list) : () axiom lemma_sum_nonneg0_def : forall self : IncSome2List_List_Type.t_list . lemma_sum_nonneg0 self = ([#"../inc_some_2_list.rs" 35 8 38 9] match self with | IncSome2List_List_Type.C_Cons _ l -> lemma_sum_nonneg0 l 
@@ -157,7 +155,7 @@ module IncSome2List_Impl0_TakeSomeRest var self : borrowed (IncSome2List_List_Type.t_list) = self; var ma : borrowed uint32; var ml : borrowed (IncSome2List_List_Type.t_list); - var _8 : Ghost.ghost_ty (); + var _8 : Snapshot.snap_ty (); var _10 : bool; var _11 : borrowed uint32; var _12 : borrowed (IncSome2List_List_Type.t_list); @@ -188,11 +186,11 @@ module IncSome2List_Impl0_TakeSomeRest [#"../inc_some_2_list.rs" 56 17 56 19] self <- { self with current = (let IncSome2List_List_Type.C_Cons x0 x1 = * self in IncSome2List_List_Type.C_Cons ( ^ ma) x1) ; }; [#"../inc_some_2_list.rs" 56 21 56 23] ml <- Borrow.borrow_final (IncSome2List_List_Type.cons_1 ( * self)) (Borrow.inherit_id (Borrow.get_id self) 2); [#"../inc_some_2_list.rs" 56 21 56 23] self <- { self with current = (let IncSome2List_List_Type.C_Cons x0 x1 = * self in IncSome2List_List_Type.C_Cons x0 ( ^ ml)) ; }; - [#"../inc_some_2_list.rs" 57 16 57 45] _8 <- ([#"../inc_some_2_list.rs" 57 16 57 45] Ghost.new (lemma_sum_nonneg0 ( * ml))); + [#"../inc_some_2_list.rs" 57 16 57 51] _8 <- ([#"../inc_some_2_list.rs" 57 16 57 51] Snapshot.new (lemma_sum_nonneg0 ( * ml))); goto BB5 } BB5 { - [#"../inc_some_2_list.rs" 58 19 58 27] _10 <- ([#"../inc_some_2_list.rs" 58 19 58 27] random0 ()); + [#"../inc_some_2_list.rs" 58 19 58 27] _10 <- ([#"../inc_some_2_list.rs" 58 19 58 27] random0 ([#"../inc_some_2_list.rs" 58 19 58 27] ())); goto BB6 } BB6 { @@ -206,7 +204,7 @@ module IncSome2List_Impl0_TakeSomeRest [#"../inc_some_2_list.rs" 59 21 59 23] ma <- { ma with current = ( ^ _11) ; }; [#"../inc_some_2_list.rs" 59 25 59 27] _12 <- Borrow.borrow_mut ( * ml); [#"../inc_some_2_list.rs" 59 25 59 27] ml <- { ml with current = ( ^ _12) ; }; - [#"../inc_some_2_list.rs" 59 20 59 28] _0 <- ([#"../inc_some_2_list.rs" 59 20 59 28] (_11, _12)); + [#"../inc_some_2_list.rs" 59 20 59 28] _0 <- (_11, _12); _11 <- any borrowed uint32; _12 <- any borrowed (IncSome2List_List_Type.t_list); goto BB10 
@@ -296,7 +294,10 @@ module IncSome2List_IncSome2List var mb : borrowed uint32; var _12 : (borrowed uint32, borrowed (IncSome2List_List_Type.t_list)); var _13 : borrowed (IncSome2List_List_Type.t_list); + var _17 : bool; var _18 : uint32; + var _20 : uint32; + var _21 : uint32; { goto BB0 } @@ -304,7 +305,7 @@ module IncSome2List_IncSome2List goto BB1 } BB1 { - [#"../inc_some_2_list.rs" 71 15 71 24] sum0 <- ([#"../inc_some_2_list.rs" 71 15 71 24] sum_x0 ([#"../inc_some_2_list.rs" 71 15 71 16] l)); + [#"../inc_some_2_list.rs" 71 15 71 24] sum0 <- ([#"../inc_some_2_list.rs" 71 15 71 24] sum_x0 l); goto BB2 } BB2 { @@ -315,10 +316,10 @@ module IncSome2List_IncSome2List goto BB3 } BB3 { - [#"../inc_some_2_list.rs" 72 9 72 11] ma <- ([#"../inc_some_2_list.rs" 72 9 72 11] let (a, _) = _9 in a); - [#"../inc_some_2_list.rs" 72 9 72 11] _9 <- (let (x0, x1) = _9 in (any borrowed uint32, x1)); - [#"../inc_some_2_list.rs" 72 13 72 15] ml <- ([#"../inc_some_2_list.rs" 72 13 72 15] let (_, a) = _9 in a); - [#"../inc_some_2_list.rs" 72 13 72 15] _9 <- (let (x0, x1) = _9 in (x0, any borrowed (IncSome2List_List_Type.t_list))); + [#"../inc_some_2_list.rs" 72 9 72 11] ma <- (let (a, _) = _9 in a); + _9 <- (let (x0, x1) = _9 in (any borrowed uint32, x1)); + [#"../inc_some_2_list.rs" 72 13 72 15] ml <- (let (_, a) = _9 in a); + _9 <- (let (x0, x1) = _9 in (x0, any borrowed (IncSome2List_List_Type.t_list))); assume { resolve0 _9 }; [#"../inc_some_2_list.rs" 73 18 73 20] _13 <- Borrow.borrow_final ( * ml) (Borrow.get_id ml); [#"../inc_some_2_list.rs" 73 18 73 20] ml <- { ml with current = ( ^ _13) ; }; 
@@ -327,19 +328,25 @@ module IncSome2List_IncSome2List goto BB4 } BB4 { - [#"../inc_some_2_list.rs" 73 9 73 11] mb <- ([#"../inc_some_2_list.rs" 73 9 73 11] let (a, _) = _12 in a); - [#"../inc_some_2_list.rs" 73 9 73 11] _12 <- (let (x0, x1) = _12 in (any borrowed uint32, x1)); + [#"../inc_some_2_list.rs" 73 9 73 11] mb <- (let (a, _) = _12 in a); + _12 <- (let (x0, x1) = _12 in (any borrowed uint32, x1)); assume { resolve0 _12 }; - [#"../inc_some_2_list.rs" 74 4 74 12] ma <- { ma with current = ([#"../inc_some_2_list.rs" 74 4 74 12] * ma + ([#"../inc_some_2_list.rs" 74 11 74 12] j)) ; }; + [#"../inc_some_2_list.rs" 74 4 74 12] ma <- { ma with current = ( * ma + j) ; }; assume { resolve1 ma }; - [#"../inc_some_2_list.rs" 75 4 75 12] mb <- { mb with current = ([#"../inc_some_2_list.rs" 75 4 75 12] * mb + ([#"../inc_some_2_list.rs" 75 11 75 12] k)) ; }; + [#"../inc_some_2_list.rs" 75 4 75 12] mb <- { mb with current = ( * mb + k) ; }; assume { resolve1 mb }; assume { resolve2 ml }; - [#"../inc_some_2_list.rs" 76 12 76 21] _18 <- ([#"../inc_some_2_list.rs" 76 12 76 21] sum_x0 ([#"../inc_some_2_list.rs" 76 12 76 13] l)); + [#"../inc_some_2_list.rs" 76 12 76 21] _18 <- ([#"../inc_some_2_list.rs" 76 12 76 21] sum_x0 l); goto BB5 } BB5 { - switch ([#"../inc_some_2_list.rs" 76 12 76 37] _18 = ([#"../inc_some_2_list.rs" 76 25 76 37] ([#"../inc_some_2_list.rs" 76 25 76 33] ([#"../inc_some_2_list.rs" 76 25 76 29] sum0) + ([#"../inc_some_2_list.rs" 76 32 76 33] j)) + ([#"../inc_some_2_list.rs" 76 36 76 37] k))) + [#"../inc_some_2_list.rs" 76 25 76 33] _21 <- sum0 + j; + [#"../inc_some_2_list.rs" 76 25 76 37] _20 <- _21 + k; + _21 <- any uint32; + [#"../inc_some_2_list.rs" 76 12 76 37] _17 <- _18 = _20; + _18 <- any uint32; + _20 <- any uint32; + switch (_17) | False -> goto BB7 | True -> goto BB6 end diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_2_list.rs b/creusot/tests/should_succeed/rusthorn/inc_some_2_list.rs index 9b6c99adf9..e440b224d1 100644 
--- a/creusot/tests/should_succeed/rusthorn/inc_some_2_list.rs +++ b/creusot/tests/should_succeed/rusthorn/inc_some_2_list.rs @@ -17,7 +17,7 @@ fn random() -> bool { } impl List { - #[ghost] + #[logic] fn sum(self) -> Int { pearlite! { match self { @@ -28,7 +28,7 @@ impl List { } // TODO: Make this ghost - #[ghost] + #[logic] #[variant(*self)] #[ensures(self.sum() >= 0)] fn lemma_sum_nonneg(&self) { @@ -54,7 +54,7 @@ impl List { fn take_some_rest(&mut self) -> (&mut u32, &mut List) { match self { Cons(ma, ml) => { - gh! { ml.lemma_sum_nonneg() }; + snapshot! { ml.lemma_sum_nonneg() }; if random() { (ma, ml) } else { diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_2_list/why3session.xml b/creusot/tests/should_succeed/rusthorn/inc_some_2_list/why3session.xml index f7d1b6296f..000f1a83fd 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_some_2_list/why3session.xml +++ b/creusot/tests/should_succeed/rusthorn/inc_some_2_list/why3session.xml @@ -7,8 +7,8 @@ - - + + @@ -23,7 +23,7 @@ - + diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_2_list/why3shapes.gz b/creusot/tests/should_succeed/rusthorn/inc_some_2_list/why3shapes.gz index 9a7d3a8879..72e8ec813a 100644 Binary files a/creusot/tests/should_succeed/rusthorn/inc_some_2_list/why3shapes.gz and b/creusot/tests/should_succeed/rusthorn/inc_some_2_list/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_2_tree.mlcfg b/creusot/tests/should_succeed/rusthorn/inc_some_2_tree.mlcfg index 9a0a06f071..dc6bc2c188 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_some_2_tree.mlcfg +++ b/creusot/tests/should_succeed/rusthorn/inc_some_2_tree.mlcfg 
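Review bot: The context line `// TODO: Make this ghost` sits directly above the attribute that the `@@ -28,7 +28,7 @@ impl List {` hunk renames from `#[ghost]` to `#[logic]`, and after the rename it reads as a request to undo the change, because "ghost" no longer names this attribute. If the TODO still means turning the lemma into runtime-erased ghost code rather than a logic function, reword it so it cannot be confused with the old attribute name, e.g. `// TODO: turn this lemma into ghost code instead of a logic function`; if the rename makes it obsolete, drop it. The matching `#[ghost]` → `#[logic]` hunks in inc_some_2_tree.rs carry no such comment, so nothing is needed there. The enclosing `impl List` block starts and ends outside this hunk.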
@@ -35,15 +35,14 @@ module IncSome2Tree_Impl0_LemmaSumNonneg_Impl val sum0 [#"../inc_some_2_tree.rs" 21 4 21 23] (self : IncSome2Tree_Tree_Type.t_tree) : int ensures { result = sum0 self } - let rec ghost function lemma_sum_nonneg [#"../inc_some_2_tree.rs" 33 4 33 30] (self : IncSome2Tree_Tree_Type.t_tree) : () - ensures { [#"../inc_some_2_tree.rs" 32 14 32 29] sum0 self >= 0 } - variant {[#"../inc_some_2_tree.rs" 31 15 31 19] self} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../inc_some_2_tree.rs" 34 8 40 9] match self with - | IncSome2Tree_Tree_Type.C_Node tl _ tr -> let _ = lemma_sum_nonneg tl in let _ = lemma_sum_nonneg tr in () - | IncSome2Tree_Tree_Type.C_Leaf -> () - end + constant self : IncSome2Tree_Tree_Type.t_tree + function lemma_sum_nonneg [#"../inc_some_2_tree.rs" 33 4 33 30] (self : IncSome2Tree_Tree_Type.t_tree) : () + goal vc_lemma_sum_nonneg : match self with + | IncSome2Tree_Tree_Type.C_Node tl _ tr -> ([#"../inc_some_2_tree.rs" 32 14 32 29] sum0 tl >= 0) + -> (let _ = lemma_sum_nonneg tl in ([#"../inc_some_2_tree.rs" 32 14 32 29] sum0 tr >= 0) + -> (let _ = lemma_sum_nonneg tr in [#"../inc_some_2_tree.rs" 32 14 32 29] sum0 self >= 0)) + | IncSome2Tree_Tree_Type.C_Leaf -> [#"../inc_some_2_tree.rs" 32 14 32 29] sum0 self >= 0 + end end module IncSome2Tree_Impl0_SumX use prelude.UInt32 @@ -78,6 +77,7 @@ module IncSome2Tree_Impl0_SumX var tl : IncSome2Tree_Tree_Type.t_tree; var a : uint32; var tr : IncSome2Tree_Tree_Type.t_tree; + var _10 : uint32; var _11 : uint32; var _14 : uint32; { @@ -93,7 +93,7 @@ module IncSome2Tree_Impl0_SumX goto BB4 } BB2 { - [#"../inc_some_2_tree.rs" 55 20 55 21] _0 <- ([#"../inc_some_2_tree.rs" 55 20 55 21] [#"../inc_some_2_tree.rs" 55 20 55 21] (0 : uint32)); + [#"../inc_some_2_tree.rs" 55 20 55 21] _0 <- ([#"../inc_some_2_tree.rs" 55 20 55 21] (0 : uint32)); goto BB7 } BB3 { 
@@ -101,20 +101,22 @@ module IncSome2Tree_Impl0_SumX absurd } BB4 { - [#"../inc_some_2_tree.rs" 47 17 47 19] tl <- ([#"../inc_some_2_tree.rs" 47 17 47 19] IncSome2Tree_Tree_Type.node_0 self); - [#"../inc_some_2_tree.rs" 47 21 47 22] a <- ([#"../inc_some_2_tree.rs" 47 21 47 22] IncSome2Tree_Tree_Type.node_1 self); - [#"../inc_some_2_tree.rs" 47 24 47 26] tr <- ([#"../inc_some_2_tree.rs" 47 24 47 26] IncSome2Tree_Tree_Type.node_2 self); + [#"../inc_some_2_tree.rs" 47 17 47 19] tl <- IncSome2Tree_Tree_Type.node_0 self; + [#"../inc_some_2_tree.rs" 47 21 47 22] a <- IncSome2Tree_Tree_Type.node_1 self; + [#"../inc_some_2_tree.rs" 47 24 47 26] tr <- IncSome2Tree_Tree_Type.node_2 self; assert { [@expl:assertion] [#"../inc_some_2_tree.rs" 49 20 49 41] let _ = lemma_sum_nonneg0 tl in let _ = lemma_sum_nonneg0 tr in true }; - [#"../inc_some_2_tree.rs" 53 16 53 26] _11 <- ([#"../inc_some_2_tree.rs" 53 16 53 26] sum_x ([#"../inc_some_2_tree.rs" 53 16 53 18] tl)); + [#"../inc_some_2_tree.rs" 53 16 53 26] _11 <- ([#"../inc_some_2_tree.rs" 53 16 53 26] sum_x tl); goto BB5 } BB5 { - [#"../inc_some_2_tree.rs" 53 34 53 44] _14 <- ([#"../inc_some_2_tree.rs" 53 34 53 44] sum_x ([#"../inc_some_2_tree.rs" 53 34 53 36] tr)); + [#"../inc_some_2_tree.rs" 53 16 53 31] _10 <- _11 + a; + _11 <- any uint32; + [#"../inc_some_2_tree.rs" 53 34 53 44] _14 <- ([#"../inc_some_2_tree.rs" 53 34 53 44] sum_x tr); goto BB6 } BB6 { - [#"../inc_some_2_tree.rs" 53 16 53 44] _0 <- ([#"../inc_some_2_tree.rs" 53 16 53 44] ([#"../inc_some_2_tree.rs" 53 16 53 31] _11 + ([#"../inc_some_2_tree.rs" 53 29 53 31] a)) + _14); - _11 <- any uint32; + [#"../inc_some_2_tree.rs" 53 16 53 44] _0 <- _10 + _14; + _10 <- any uint32; _14 <- any uint32; goto BB7 } 
@@ -217,7 +219,7 @@ module IncSome2Tree_Impl0_TakeSomeRest [#"../inc_some_2_tree.rs" 65 26 65 29] mtr <- Borrow.borrow_final (IncSome2Tree_Tree_Type.node_2 ( * self)) (Borrow.inherit_id (Borrow.get_id self) 3); [#"../inc_some_2_tree.rs" 65 26 65 29] self <- { self with current = (let IncSome2Tree_Tree_Type.C_Node x0 x1 x2 = * self in IncSome2Tree_Tree_Type.C_Node x0 x1 ( ^ mtr)) ; }; assert { [@expl:assertion] [#"../inc_some_2_tree.rs" 67 20 67 42] let _ = lemma_sum_nonneg0 ( * mtl) in let _ = lemma_sum_nonneg0 ( * mtr) in true }; - [#"../inc_some_2_tree.rs" 71 19 71 27] _11 <- ([#"../inc_some_2_tree.rs" 71 19 71 27] random0 ()); + [#"../inc_some_2_tree.rs" 71 19 71 27] _11 <- ([#"../inc_some_2_tree.rs" 71 19 71 27] random0 ([#"../inc_some_2_tree.rs" 71 19 71 27] ())); goto BB5 } BB5 { @@ -229,7 +231,7 @@ module IncSome2Tree_Impl0_TakeSomeRest BB6 { [#"../inc_some_2_tree.rs" 72 21 72 23] _12 <- Borrow.borrow_final ( * ma) (Borrow.get_id ma); [#"../inc_some_2_tree.rs" 72 21 72 23] ma <- { ma with current = ( ^ _12) ; }; - [#"../inc_some_2_tree.rs" 72 28 72 36] _15 <- ([#"../inc_some_2_tree.rs" 72 28 72 36] random0 ()); + [#"../inc_some_2_tree.rs" 72 28 72 36] _15 <- ([#"../inc_some_2_tree.rs" 72 28 72 36] random0 ([#"../inc_some_2_tree.rs" 72 28 72 36] ())); goto BB7 } BB7 { @@ -256,7 +258,7 @@ module IncSome2Tree_Impl0_TakeSomeRest BB10 { [#"../inc_some_2_tree.rs" 72 25 72 57] _13 <- Borrow.borrow_final ( * _14) (Borrow.get_id _14); [#"../inc_some_2_tree.rs" 72 25 72 57] _14 <- { _14 with current = ( ^ _13) ; }; - [#"../inc_some_2_tree.rs" 72 20 72 58] _0 <- ([#"../inc_some_2_tree.rs" 72 20 72 58] (_12, _13)); + [#"../inc_some_2_tree.rs" 72 20 72 58] _0 <- (_12, _13); _12 <- any borrowed uint32; _13 <- any borrowed (IncSome2Tree_Tree_Type.t_tree); assume { resolve2 _14 }; 
@@ -264,7 +266,7 @@ module IncSome2Tree_Impl0_TakeSomeRest } BB11 { assume { resolve0 ma }; - [#"../inc_some_2_tree.rs" 73 26 73 34] _17 <- ([#"../inc_some_2_tree.rs" 73 26 73 34] random0 ()); + [#"../inc_some_2_tree.rs" 73 26 73 34] _17 <- ([#"../inc_some_2_tree.rs" 73 26 73 34] random0 ([#"../inc_some_2_tree.rs" 73 26 73 34] ())); goto BB12 } BB12 { @@ -373,7 +375,10 @@ module IncSome2Tree_IncSome2Tree var mb : borrowed uint32; var _12 : (borrowed uint32, borrowed (IncSome2Tree_Tree_Type.t_tree)); var _13 : borrowed (IncSome2Tree_Tree_Type.t_tree); + var _17 : bool; var _18 : uint32; + var _20 : uint32; + var _21 : uint32; { goto BB0 } @@ -381,7 +386,7 @@ module IncSome2Tree_IncSome2Tree goto BB1 } BB1 { - [#"../inc_some_2_tree.rs" 86 15 86 24] sum0 <- ([#"../inc_some_2_tree.rs" 86 15 86 24] sum_x0 ([#"../inc_some_2_tree.rs" 86 15 86 16] t)); + [#"../inc_some_2_tree.rs" 86 15 86 24] sum0 <- ([#"../inc_some_2_tree.rs" 86 15 86 24] sum_x0 t); goto BB2 } BB2 { @@ -392,10 +397,10 @@ module IncSome2Tree_IncSome2Tree goto BB3 } BB3 { - [#"../inc_some_2_tree.rs" 87 9 87 11] ma <- ([#"../inc_some_2_tree.rs" 87 9 87 11] let (a, _) = _9 in a); - [#"../inc_some_2_tree.rs" 87 9 87 11] _9 <- (let (x0, x1) = _9 in (any borrowed uint32, x1)); - [#"../inc_some_2_tree.rs" 87 13 87 15] mt <- ([#"../inc_some_2_tree.rs" 87 13 87 15] let (_, a) = _9 in a); - [#"../inc_some_2_tree.rs" 87 13 87 15] _9 <- (let (x0, x1) = _9 in (x0, any borrowed (IncSome2Tree_Tree_Type.t_tree))); + [#"../inc_some_2_tree.rs" 87 9 87 11] ma <- (let (a, _) = _9 in a); + _9 <- (let (x0, x1) = _9 in (any borrowed uint32, x1)); + [#"../inc_some_2_tree.rs" 87 13 87 15] mt <- (let (_, a) = _9 in a); + _9 <- (let (x0, x1) = _9 in (x0, any borrowed (IncSome2Tree_Tree_Type.t_tree))); assume { resolve0 _9 }; [#"../inc_some_2_tree.rs" 88 18 88 20] _13 <- Borrow.borrow_final ( * mt) (Borrow.get_id mt); [#"../inc_some_2_tree.rs" 88 18 88 20] mt <- { mt with current = ( ^ _13) ; }; 
@@ -404,19 +409,25 @@ module IncSome2Tree_IncSome2Tree goto BB4 } BB4 { - [#"../inc_some_2_tree.rs" 88 9 88 11] mb <- ([#"../inc_some_2_tree.rs" 88 9 88 11] let (a, _) = _12 in a); - [#"../inc_some_2_tree.rs" 88 9 88 11] _12 <- (let (x0, x1) = _12 in (any borrowed uint32, x1)); + [#"../inc_some_2_tree.rs" 88 9 88 11] mb <- (let (a, _) = _12 in a); + _12 <- (let (x0, x1) = _12 in (any borrowed uint32, x1)); assume { resolve0 _12 }; - [#"../inc_some_2_tree.rs" 89 4 89 12] ma <- { ma with current = ([#"../inc_some_2_tree.rs" 89 4 89 12] * ma + ([#"../inc_some_2_tree.rs" 89 11 89 12] j)) ; }; + [#"../inc_some_2_tree.rs" 89 4 89 12] ma <- { ma with current = ( * ma + j) ; }; assume { resolve1 ma }; - [#"../inc_some_2_tree.rs" 90 4 90 12] mb <- { mb with current = ([#"../inc_some_2_tree.rs" 90 4 90 12] * mb + ([#"../inc_some_2_tree.rs" 90 11 90 12] k)) ; }; + [#"../inc_some_2_tree.rs" 90 4 90 12] mb <- { mb with current = ( * mb + k) ; }; assume { resolve1 mb }; assume { resolve2 mt }; - [#"../inc_some_2_tree.rs" 91 12 91 21] _18 <- ([#"../inc_some_2_tree.rs" 91 12 91 21] sum_x0 ([#"../inc_some_2_tree.rs" 91 12 91 13] t)); + [#"../inc_some_2_tree.rs" 91 12 91 21] _18 <- ([#"../inc_some_2_tree.rs" 91 12 91 21] sum_x0 t); goto BB5 } BB5 { - switch ([#"../inc_some_2_tree.rs" 91 12 91 37] _18 = ([#"../inc_some_2_tree.rs" 91 25 91 37] ([#"../inc_some_2_tree.rs" 91 25 91 33] ([#"../inc_some_2_tree.rs" 91 25 91 29] sum0) + ([#"../inc_some_2_tree.rs" 91 32 91 33] j)) + ([#"../inc_some_2_tree.rs" 91 36 91 37] k))) + [#"../inc_some_2_tree.rs" 91 25 91 33] _21 <- sum0 + j; + [#"../inc_some_2_tree.rs" 91 25 91 37] _20 <- _21 + k; + _21 <- any uint32; + [#"../inc_some_2_tree.rs" 91 12 91 37] _17 <- _18 = _20; + _18 <- any uint32; + _20 <- any uint32; + switch (_17) | False -> goto BB7 | True -> goto BB6 end diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_2_tree.rs b/creusot/tests/should_succeed/rusthorn/inc_some_2_tree.rs index 3074f94c8f..059d409e9e 100644 
--- a/creusot/tests/should_succeed/rusthorn/inc_some_2_tree.rs +++ b/creusot/tests/should_succeed/rusthorn/inc_some_2_tree.rs @@ -17,7 +17,7 @@ fn random() -> bool { } impl Tree { - #[ghost] + #[logic] fn sum(self) -> Int { pearlite! { match self { @@ -27,7 +27,7 @@ impl Tree { } } - #[ghost] + #[logic] #[variant(*self)] #[ensures(self.sum() >= 0)] fn lemma_sum_nonneg(&self) { diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_2_tree/why3session.xml b/creusot/tests/should_succeed/rusthorn/inc_some_2_tree/why3session.xml index bb0f580289..ff2a97b0eb 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_some_2_tree/why3session.xml +++ b/creusot/tests/should_succeed/rusthorn/inc_some_2_tree/why3session.xml @@ -7,13 +7,13 @@ - - + + - + @@ -23,7 +23,7 @@ - + diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_2_tree/why3shapes.gz b/creusot/tests/should_succeed/rusthorn/inc_some_2_tree/why3shapes.gz index 0569464489..61064af20e 100644 Binary files a/creusot/tests/should_succeed/rusthorn/inc_some_2_tree/why3shapes.gz and b/creusot/tests/should_succeed/rusthorn/inc_some_2_tree/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_list.mlcfg b/creusot/tests/should_succeed/rusthorn/inc_some_list.mlcfg index 15ce4f9cdc..2e5afae782 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_some_list.mlcfg +++ b/creusot/tests/should_succeed/rusthorn/inc_some_list.mlcfg 
@@ -30,15 +30,13 @@ module IncSomeList_Impl0_LemmaSumNonneg_Impl val sum0 [#"../inc_some_list.rs" 21 4 21 23] (self : IncSomeList_List_Type.t_list) : int ensures { result = sum0 self } - let rec ghost function lemma_sum_nonneg [#"../inc_some_list.rs" 33 4 33 30] (self : IncSomeList_List_Type.t_list) : () - ensures { [#"../inc_some_list.rs" 32 14 32 29] sum0 self >= 0 } - variant {[#"../inc_some_list.rs" 31 15 31 19] self} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../inc_some_list.rs" 34 8 37 9] match self with - | IncSomeList_List_Type.C_Cons _ l -> lemma_sum_nonneg l - | IncSomeList_List_Type.C_Nil -> () - end + constant self : IncSomeList_List_Type.t_list + function lemma_sum_nonneg [#"../inc_some_list.rs" 33 4 33 30] (self : IncSomeList_List_Type.t_list) : () + goal vc_lemma_sum_nonneg : match self with + | IncSomeList_List_Type.C_Cons _ l -> ([#"../inc_some_list.rs" 32 14 32 29] sum0 l >= 0) + -> ([#"../inc_some_list.rs" 32 14 32 29] sum0 self >= 0) + | IncSomeList_List_Type.C_Nil -> [#"../inc_some_list.rs" 32 14 32 29] sum0 self >= 0 + end end module IncSomeList_Impl0_SumX use prelude.UInt32 @@ -77,7 +75,7 @@ module IncSomeList_Impl0_SumX goto BB4 } BB2 { - [#"../inc_some_list.rs" 45 19 45 20] _0 <- ([#"../inc_some_list.rs" 45 19 45 20] [#"../inc_some_list.rs" 45 19 45 20] (0 : uint32)); + [#"../inc_some_list.rs" 45 19 45 20] _0 <- ([#"../inc_some_list.rs" 45 19 45 20] (0 : uint32)); goto BB6 } BB3 { 
@@ -85,13 +83,13 @@ module IncSomeList_Impl0_SumX absurd } BB4 { - [#"../inc_some_list.rs" 44 17 44 18] a <- ([#"../inc_some_list.rs" 44 17 44 18] IncSomeList_List_Type.cons_0 self); - [#"../inc_some_list.rs" 44 20 44 21] l <- ([#"../inc_some_list.rs" 44 20 44 21] IncSomeList_List_Type.cons_1 self); - [#"../inc_some_list.rs" 44 31 44 40] _8 <- ([#"../inc_some_list.rs" 44 31 44 40] sum_x ([#"../inc_some_list.rs" 44 31 44 32] l)); + [#"../inc_some_list.rs" 44 17 44 18] a <- IncSomeList_List_Type.cons_0 self; + [#"../inc_some_list.rs" 44 20 44 21] l <- IncSomeList_List_Type.cons_1 self; + [#"../inc_some_list.rs" 44 31 44 40] _8 <- ([#"../inc_some_list.rs" 44 31 44 40] sum_x l); goto BB5 } BB5 { - [#"../inc_some_list.rs" 44 26 44 40] _0 <- ([#"../inc_some_list.rs" 44 26 44 40] ([#"../inc_some_list.rs" 44 26 44 28] a) + _8); + [#"../inc_some_list.rs" 44 26 44 40] _0 <- a + _8; _8 <- any uint32; goto BB6 } @@ -120,7 +118,7 @@ module IncSomeList_Impl0_TakeSome val sum0 [#"../inc_some_list.rs" 21 4 21 23] (self : IncSomeList_List_Type.t_list) : int ensures { result = sum0 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve2 (self : borrowed (IncSomeList_List_Type.t_list)) = [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve2 (self : borrowed (IncSomeList_List_Type.t_list)) : bool @@ -137,7 +135,7 @@ module IncSomeList_Impl0_TakeSome ensures { result = resolve0 self } val random0 [#"../inc_some_list.rs" 15 0 15 19] (_1 : ()) : bool - use prelude.Ghost + use prelude.Snapshot function lemma_sum_nonneg0 [#"../inc_some_list.rs" 33 4 33 30] (self : IncSomeList_List_Type.t_list) : () axiom lemma_sum_nonneg0_def : forall self : IncSomeList_List_Type.t_list . lemma_sum_nonneg0 self = ([#"../inc_some_list.rs" 34 8 37 9] match self with | IncSomeList_List_Type.C_Cons _ l -> lemma_sum_nonneg0 l 
@@ -159,7 +157,7 @@ module IncSomeList_Impl0_TakeSome var ma : borrowed uint32; var ml : borrowed (IncSomeList_List_Type.t_list); var _9 : borrowed uint32; - var _10 : Ghost.ghost_ty (); + var _10 : Snapshot.snap_ty (); var _12 : borrowed uint32; var _13 : bool; var _14 : borrowed uint32; @@ -191,11 +189,11 @@ module IncSomeList_Impl0_TakeSome [#"../inc_some_list.rs" 53 17 53 19] self <- { self with current = (let IncSomeList_List_Type.C_Cons x0 x1 = * self in IncSomeList_List_Type.C_Cons ( ^ ma) x1) ; }; [#"../inc_some_list.rs" 53 21 53 23] ml <- Borrow.borrow_final (IncSomeList_List_Type.cons_1 ( * self)) (Borrow.inherit_id (Borrow.get_id self) 2); [#"../inc_some_list.rs" 53 21 53 23] self <- { self with current = (let IncSomeList_List_Type.C_Cons x0 x1 = * self in IncSomeList_List_Type.C_Cons x0 ( ^ ml)) ; }; - [#"../inc_some_list.rs" 54 16 54 45] _10 <- ([#"../inc_some_list.rs" 54 16 54 45] Ghost.new (lemma_sum_nonneg0 ( * ml))); + [#"../inc_some_list.rs" 54 16 54 51] _10 <- ([#"../inc_some_list.rs" 54 16 54 51] Snapshot.new (lemma_sum_nonneg0 ( * ml))); goto BB5 } BB5 { - [#"../inc_some_list.rs" 55 19 55 27] _13 <- ([#"../inc_some_list.rs" 55 19 55 27] random0 ()); + [#"../inc_some_list.rs" 55 19 55 27] _13 <- ([#"../inc_some_list.rs" 55 19 55 27] random0 ([#"../inc_some_list.rs" 55 19 55 27] ())); goto BB6 } BB6 { @@ -296,7 +294,9 @@ module IncSomeList_IncSomeList var sum0 : uint32; var ma : borrowed uint32; var _7 : borrowed (IncSomeList_List_Type.t_list); + var _10 : bool; var _11 : uint32; + var _13 : uint32; { goto BB0 } @@ -304,7 +304,7 @@ module IncSomeList_IncSomeList goto BB1 } BB1 { - [#"../inc_some_list.rs" 68 15 68 24] sum0 <- ([#"../inc_some_list.rs" 68 15 68 24] sum_x0 ([#"../inc_some_list.rs" 68 15 68 16] l)); + [#"../inc_some_list.rs" 68 15 68 24] sum0 <- ([#"../inc_some_list.rs" 68 15 68 24] sum_x0 l); goto BB2 } BB2 { 
@@ -315,13 +315,17 @@ module IncSomeList_IncSomeList goto BB3 } BB3 { - [#"../inc_some_list.rs" 70 4 70 12] ma <- { ma with current = ([#"../inc_some_list.rs" 70 4 70 12] * ma + ([#"../inc_some_list.rs" 70 11 70 12] k)) ; }; + [#"../inc_some_list.rs" 70 4 70 12] ma <- { ma with current = ( * ma + k) ; }; assume { resolve0 ma }; - [#"../inc_some_list.rs" 71 12 71 21] _11 <- ([#"../inc_some_list.rs" 71 12 71 21] sum_x0 ([#"../inc_some_list.rs" 71 12 71 13] l)); + [#"../inc_some_list.rs" 71 12 71 21] _11 <- ([#"../inc_some_list.rs" 71 12 71 21] sum_x0 l); goto BB4 } BB4 { - switch ([#"../inc_some_list.rs" 71 12 71 33] _11 = ([#"../inc_some_list.rs" 71 25 71 33] ([#"../inc_some_list.rs" 71 25 71 29] sum0) + ([#"../inc_some_list.rs" 71 32 71 33] k))) + [#"../inc_some_list.rs" 71 25 71 33] _13 <- sum0 + k; + [#"../inc_some_list.rs" 71 12 71 33] _10 <- _11 = _13; + _11 <- any uint32; + _13 <- any uint32; + switch (_10) | False -> goto BB6 | True -> goto BB5 end diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_list.rs b/creusot/tests/should_succeed/rusthorn/inc_some_list.rs index 5f865b043f..36a4b51e37 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_some_list.rs +++ b/creusot/tests/should_succeed/rusthorn/inc_some_list.rs @@ -17,7 +17,7 @@ fn random() -> bool { } impl List { - #[ghost] + #[logic] fn sum(self) -> Int { pearlite! { match self { @@ -27,7 +27,7 @@ impl List { } } - #[ghost] + #[logic] #[variant(*self)] #[ensures(self.sum() >= 0)] fn lemma_sum_nonneg(&self) { @@ -51,7 +51,7 @@ impl List { fn take_some(&mut self) -> &mut u32 { match self { Cons(ma, ml) => { - gh! { ml.lemma_sum_nonneg() }; + snapshot! { ml.lemma_sum_nonneg() }; if random() { ma } else { diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_list/why3session.xml b/creusot/tests/should_succeed/rusthorn/inc_some_list/why3session.xml index 45737da04b..afc9d52bcc 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_some_list/why3session.xml 
+++ b/creusot/tests/should_succeed/rusthorn/inc_some_list/why3session.xml @@ -7,8 +7,8 @@ - - + + @@ -23,7 +23,7 @@ - + diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_list/why3shapes.gz b/creusot/tests/should_succeed/rusthorn/inc_some_list/why3shapes.gz index d213ec8f15..30f95ddefb 100644 Binary files a/creusot/tests/should_succeed/rusthorn/inc_some_list/why3shapes.gz and b/creusot/tests/should_succeed/rusthorn/inc_some_list/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_tree.mlcfg b/creusot/tests/should_succeed/rusthorn/inc_some_tree.mlcfg index f96ef485e0..2845d5d0b1 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_some_tree.mlcfg +++ b/creusot/tests/should_succeed/rusthorn/inc_some_tree.mlcfg 
@@ -35,15 +35,14 @@ module IncSomeTree_Impl0_LemmaSumNonneg_Impl val sum0 [#"../inc_some_tree.rs" 21 4 21 23] (self : IncSomeTree_Tree_Type.t_tree) : int ensures { result = sum0 self } - let rec ghost function lemma_sum_nonneg [#"../inc_some_tree.rs" 33 4 33 30] (self : IncSomeTree_Tree_Type.t_tree) : () - ensures { [#"../inc_some_tree.rs" 32 14 32 29] sum0 self >= 0 } - variant {[#"../inc_some_tree.rs" 31 15 31 19] self} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../inc_some_tree.rs" 34 8 40 9] match self with - | IncSomeTree_Tree_Type.C_Node tl _ tr -> let _ = lemma_sum_nonneg tl in let _ = lemma_sum_nonneg tr in () - | IncSomeTree_Tree_Type.C_Leaf -> () - end + constant self : IncSomeTree_Tree_Type.t_tree + function lemma_sum_nonneg [#"../inc_some_tree.rs" 33 4 33 30] (self : IncSomeTree_Tree_Type.t_tree) : () + goal vc_lemma_sum_nonneg : match self with + | IncSomeTree_Tree_Type.C_Node tl _ tr -> ([#"../inc_some_tree.rs" 32 14 32 29] sum0 tl >= 0) + -> (let _ = lemma_sum_nonneg tl in ([#"../inc_some_tree.rs" 32 14 32 29] sum0 tr >= 0) + -> (let _ = lemma_sum_nonneg tr in [#"../inc_some_tree.rs" 32 14 32 29] sum0 self >= 0)) + | IncSomeTree_Tree_Type.C_Leaf -> [#"../inc_some_tree.rs" 32 14 32 29] sum0 self >= 0 + end end module IncSomeTree_Impl0_SumX use prelude.UInt32 @@ -78,6 +77,7 @@ module IncSomeTree_Impl0_SumX var tl : IncSomeTree_Tree_Type.t_tree; var a : uint32; var tr : IncSomeTree_Tree_Type.t_tree; + var _10 : uint32; var _11 : uint32; var _14 : uint32; { @@ -93,7 +93,7 @@ module IncSomeTree_Impl0_SumX goto BB4 } BB2 { - [#"../inc_some_tree.rs" 55 20 55 21] _0 <- ([#"../inc_some_tree.rs" 55 20 55 21] [#"../inc_some_tree.rs" 55 20 55 21] (0 : uint32)); + [#"../inc_some_tree.rs" 55 20 55 21] _0 <- ([#"../inc_some_tree.rs" 55 20 55 21] (0 : uint32)); goto BB7 } BB3 { 
@@ -101,20 +101,22 @@ module IncSomeTree_Impl0_SumX absurd } BB4 { - [#"../inc_some_tree.rs" 47 17 47 19] tl <- ([#"../inc_some_tree.rs" 47 17 47 19] IncSomeTree_Tree_Type.node_0 self); - [#"../inc_some_tree.rs" 47 21 47 22] a <- ([#"../inc_some_tree.rs" 47 21 47 22] IncSomeTree_Tree_Type.node_1 self); - [#"../inc_some_tree.rs" 47 24 47 26] tr <- ([#"../inc_some_tree.rs" 47 24 47 26] IncSomeTree_Tree_Type.node_2 self); + [#"../inc_some_tree.rs" 47 17 47 19] tl <- IncSomeTree_Tree_Type.node_0 self; + [#"../inc_some_tree.rs" 47 21 47 22] a <- IncSomeTree_Tree_Type.node_1 self; + [#"../inc_some_tree.rs" 47 24 47 26] tr <- IncSomeTree_Tree_Type.node_2 self; assert { [@expl:assertion] [#"../inc_some_tree.rs" 49 20 49 41] let _ = lemma_sum_nonneg0 tl in let _ = lemma_sum_nonneg0 tr in true }; - [#"../inc_some_tree.rs" 53 16 53 26] _11 <- ([#"../inc_some_tree.rs" 53 16 53 26] sum_x ([#"../inc_some_tree.rs" 53 16 53 18] tl)); + [#"../inc_some_tree.rs" 53 16 53 26] _11 <- ([#"../inc_some_tree.rs" 53 16 53 26] sum_x tl); goto BB5 } BB5 { - [#"../inc_some_tree.rs" 53 34 53 44] _14 <- ([#"../inc_some_tree.rs" 53 34 53 44] sum_x ([#"../inc_some_tree.rs" 53 34 53 36] tr)); + [#"../inc_some_tree.rs" 53 16 53 31] _10 <- _11 + a; + _11 <- any uint32; + [#"../inc_some_tree.rs" 53 34 53 44] _14 <- ([#"../inc_some_tree.rs" 53 34 53 44] sum_x tr); goto BB6 } BB6 { - [#"../inc_some_tree.rs" 53 16 53 44] _0 <- ([#"../inc_some_tree.rs" 53 16 53 44] ([#"../inc_some_tree.rs" 53 16 53 31] _11 + ([#"../inc_some_tree.rs" 53 29 53 31] a)) + _14); - _11 <- any uint32; + [#"../inc_some_tree.rs" 53 16 53 44] _0 <- _10 + _14; + _10 <- any uint32; _14 <- any uint32; goto BB7 } 
@@ -219,7 +221,7 @@ module IncSomeTree_Impl0_TakeSome [#"../inc_some_tree.rs" 63 26 63 29] mtr <- Borrow.borrow_final (IncSomeTree_Tree_Type.node_2 ( * self)) (Borrow.inherit_id (Borrow.get_id self) 3); [#"../inc_some_tree.rs" 63 26 63 29] self <- { self with current = (let IncSomeTree_Tree_Type.C_Node x0 x1 x2 = * self in IncSomeTree_Tree_Type.C_Node x0 x1 ( ^ mtr)) ; }; assert { [@expl:assertion] [#"../inc_some_tree.rs" 65 20 65 42] let _ = lemma_sum_nonneg0 ( * mtl) in let _ = lemma_sum_nonneg0 ( * mtr) in true }; - [#"../inc_some_tree.rs" 69 19 69 27] _14 <- ([#"../inc_some_tree.rs" 69 19 69 27] random0 ()); + [#"../inc_some_tree.rs" 69 19 69 27] _14 <- ([#"../inc_some_tree.rs" 69 19 69 27] random0 ([#"../inc_some_tree.rs" 69 19 69 27] ())); goto BB5 } BB5 { @@ -240,7 +242,7 @@ module IncSomeTree_Impl0_TakeSome } BB7 { assume { resolve0 ma }; - [#"../inc_some_tree.rs" 71 26 71 34] _16 <- ([#"../inc_some_tree.rs" 71 26 71 34] random0 ()); + [#"../inc_some_tree.rs" 71 26 71 34] _16 <- ([#"../inc_some_tree.rs" 71 26 71 34] random0 ([#"../inc_some_tree.rs" 71 26 71 34] ())); goto BB8 } BB8 { @@ -353,7 +355,9 @@ module IncSomeTree_IncSomeTree var sum0 : uint32; var ma : borrowed uint32; var _7 : borrowed (IncSomeTree_Tree_Type.t_tree); + var _10 : bool; var _11 : uint32; + var _13 : uint32; { goto BB0 } @@ -361,7 +365,7 @@ module IncSomeTree_IncSomeTree goto BB1 } BB1 { - [#"../inc_some_tree.rs" 84 15 84 24] sum0 <- ([#"../inc_some_tree.rs" 84 15 84 24] sum_x0 ([#"../inc_some_tree.rs" 84 15 84 16] t)); + [#"../inc_some_tree.rs" 84 15 84 24] sum0 <- ([#"../inc_some_tree.rs" 84 15 84 24] sum_x0 t); goto BB2 } BB2 { 
@@ -372,13 +376,17 @@ module IncSomeTree_IncSomeTree goto BB3 } BB3 { - [#"../inc_some_tree.rs" 86 4 86 12] ma <- { ma with current = ([#"../inc_some_tree.rs" 86 4 86 12] * ma + ([#"../inc_some_tree.rs" 86 11 86 12] k)) ; }; + [#"../inc_some_tree.rs" 86 4 86 12] ma <- { ma with current = ( * ma + k) ; }; assume { resolve0 ma }; - [#"../inc_some_tree.rs" 87 12 87 21] _11 <- ([#"../inc_some_tree.rs" 87 12 87 21] sum_x0 ([#"../inc_some_tree.rs" 87 12 87 13] t)); + [#"../inc_some_tree.rs" 87 12 87 21] _11 <- ([#"../inc_some_tree.rs" 87 12 87 21] sum_x0 t); goto BB4 } BB4 { - switch ([#"../inc_some_tree.rs" 87 12 87 33] _11 = ([#"../inc_some_tree.rs" 87 25 87 33] ([#"../inc_some_tree.rs" 87 25 87 29] sum0) + ([#"../inc_some_tree.rs" 87 32 87 33] k))) + [#"../inc_some_tree.rs" 87 25 87 33] _13 <- sum0 + k; + [#"../inc_some_tree.rs" 87 12 87 33] _10 <- _11 = _13; + _11 <- any uint32; + _13 <- any uint32; + switch (_10) | False -> goto BB6 | True -> goto BB5 end diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_tree.rs b/creusot/tests/should_succeed/rusthorn/inc_some_tree.rs index ece870a132..908c02e973 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_some_tree.rs +++ b/creusot/tests/should_succeed/rusthorn/inc_some_tree.rs @@ -17,7 +17,7 @@ fn random() -> bool { } impl Tree { - #[ghost] + #[logic] fn sum(self) -> Int { pearlite! { match self { @@ -27,7 +27,7 @@ impl Tree { } } - #[ghost] + #[logic] #[variant(*self)] #[ensures(self.sum() >= 0)] fn lemma_sum_nonneg(&self) { diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_tree/why3session.xml b/creusot/tests/should_succeed/rusthorn/inc_some_tree/why3session.xml index bca9d83a88..13138a09eb 100644 --- a/creusot/tests/should_succeed/rusthorn/inc_some_tree/why3session.xml +++ b/creusot/tests/should_succeed/rusthorn/inc_some_tree/why3session.xml @@ -7,13 +7,13 @@ - - + + - + @@ -23,7 +23,7 @@ - + 
diff --git a/creusot/tests/should_succeed/rusthorn/inc_some_tree/why3shapes.gz b/creusot/tests/should_succeed/rusthorn/inc_some_tree/why3shapes.gz index 10e715f7e4..aaa9e12f0e 100644 Binary files a/creusot/tests/should_succeed/rusthorn/inc_some_tree/why3shapes.gz and b/creusot/tests/should_succeed/rusthorn/inc_some_tree/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/selection_sort_generic.mlcfg b/creusot/tests/should_succeed/selection_sort_generic.mlcfg index 9af190e290..c3181a6861 100644 --- a/creusot/tests/should_succeed/selection_sort_generic.mlcfg +++ b/creusot/tests/should_succeed/selection_sort_generic.mlcfg @@ -48,12 +48,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
@@ -197,7 +203,8 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv12 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv12 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv12 (shallow_model3 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -224,7 +231,9 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv14 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -232,7 +241,10 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv14 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -240,7 +252,10 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv14 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -251,13 +266,19 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv14 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv14 z) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv14 z) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv14 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -268,7 +289,9 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv14 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -279,7 +302,9 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv14 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -290,7 +315,9 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv14 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -301,7 +328,9 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv14 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv14 x) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv14 y) -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv14 x) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv14 y) + -> ([#"../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use seq.Seq predicate inv1 (_x : Core_Ops_Range_Range_Type.t_range usize) val inv1 (_x : Core_Ops_Range_Range_Type.t_range usize) : bool 
@@ -318,7 +347,9 @@ module SelectionSortGeneric_SelectionSort predicate produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model2 (Core_Ops_Range_Range_Type.range_start self) <= deep_model2 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model2 (Core_Ops_Range_Range_Type.range_start o) <= deep_model2 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model2 (Core_Ops_Range_Range_Type.range_start o) - deep_model2 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model2 (Seq.get visited i) = deep_model2 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model2 (Core_Ops_Range_Range_Type.range_start self) <= deep_model2 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model2 (Core_Ops_Range_Range_Type.range_start o) <= deep_model2 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model2 (Core_Ops_Range_Range_Type.range_start o) - deep_model2 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model2 (Seq.get visited i) = deep_model2 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces0 self visited o } 
@@ -334,35 +365,44 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv1 a) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv13 ab) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv1 b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv13 bc) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv1 a) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv13 ab) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv1 b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv13 bc) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant1 (self : Core_Ops_Range_Range_Type.t_range usize) = [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant1 (self : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = invariant1 self } axiom inv1 : forall x : Core_Ops_Range_Range_Type.t_range usize . 
inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + val invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + val inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true use seq.Seq predicate sorted_range0 [#"../selection_sort_generic.rs" 10 0 10 63] (s : Seq.seq deep_model_ty0) (l : int) (u : int) = - [#"../selection_sort_generic.rs" 11 4 13 5] forall j : int . forall i : int . l <= i /\ i < j /\ j < u -> le_log0 (Seq.get s i) (Seq.get s j) + [#"../selection_sort_generic.rs" 11 4 13 5] forall j : int . forall i : int . l <= i /\ i < j /\ j < u + -> le_log0 (Seq.get s i) (Seq.get s j) val sorted_range0 [#"../selection_sort_generic.rs" 10 0 10 63] (s : Seq.seq deep_model_ty0) (l : int) (u : int) : bool ensures { result = sorted_range0 s l u } 
@@ -389,14 +429,16 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv3 self} ensures { result = deep_model1 self } - axiom deep_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv3 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv11 (deep_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) -> Seq.get (deep_model1 self) i = deep_model4 (index_logic2 self i)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model3 self) = Seq.length (deep_model1 self)) + axiom deep_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv3 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv11 (deep_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 
0 <= i /\ i < Seq.length (shallow_model3 self) + -> Seq.get (deep_model1 self) i = deep_model4 (index_logic2 self i)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model3 self) = Seq.length (deep_model1 self)) predicate resolve4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve4 self } predicate resolve3 (self : borrowed (slice t)) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve3 (self : borrowed (slice t)) : bool ensures { result = resolve3 self } 
@@ -407,9 +449,10 @@ module SelectionSortGeneric_SelectionSort requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model7 self } - axiom shallow_model7_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv12 (shallow_model7 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model7 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) + axiom shallow_model7_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv12 (shallow_model7 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model7 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) function shallow_model6 (self : borrowed (slice t)) : Seq.seq t = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model7 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model7 ( * self) val shallow_model6 (self : borrowed (slice t)) : Seq.seq t ensures { result = shallow_model6 self } @@ -421,7 +464,7 @@ module SelectionSortGeneric_SelectionSort function shallow_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model3 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model3 ( * self) val shallow_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model0 self } 
@@ -432,7 +475,7 @@ module SelectionSortGeneric_SelectionSort ensures { inv5 result } function deep_model3 (self : t) : deep_model_ty0 = - [#"../../../../creusot-contracts/src/model.rs" 70 8 70 28] deep_model4 self + [#"../../../../creusot-contracts/src/model.rs" 74 8 74 28] deep_model4 self val deep_model3 (self : t) : deep_model_ty0 ensures { result = deep_model3 self } @@ -456,7 +499,7 @@ module SelectionSortGeneric_SelectionSort ensures { result = in_bounds0 self seq } function shallow_model4 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : Seq.seq t = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model3 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model3 self val shallow_model4 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : Seq.seq t ensures { result = shallow_model4 self } @@ -469,7 +512,7 @@ module SelectionSortGeneric_SelectionSort use seq.Seq predicate resolve1 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) : bool ensures { result = resolve1 self } 
@@ -487,15 +530,16 @@ module SelectionSortGeneric_SelectionSort ensures { inv9 result } predicate partition0 [#"../selection_sort_generic.rs" 24 0 24 52] (v : Seq.seq deep_model_ty0) (i : int) = - [#"../selection_sort_generic.rs" 25 4 25 106] forall k2 : int . forall k1 : int . 0 <= k1 /\ k1 < i /\ i <= k2 /\ k2 < Seq.length v -> le_log0 (Seq.get v k1) (Seq.get v k2) + [#"../selection_sort_generic.rs" 25 4 25 106] forall k2 : int . forall k1 : int . 0 <= k1 /\ k1 < i /\ i <= k2 /\ k2 < Seq.length v + -> le_log0 (Seq.get v k1) (Seq.get v k2) val partition0 [#"../selection_sort_generic.rs" 24 0 24 52] (v : Seq.seq deep_model_ty0) (i : int) : bool ensures { result = partition0 v i } - use prelude.Ghost + use prelude.Snapshot function deep_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq deep_model_ty0 = - [#"../../../../creusot-contracts/src/model.rs" 88 8 88 28] deep_model1 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 92 8 92 28] deep_model1 ( * self) val deep_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq deep_model_ty0 ensures { result = deep_model0 self } 
@@ -507,22 +551,22 @@ module SelectionSortGeneric_SelectionSort function shallow_model5 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model0 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model0 self val shallow_model5 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model5 self } - use prelude.Ghost - function shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + use prelude.Snapshot + function shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t = - [#"../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model5 (Ghost.inner self) - val shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + [#"../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model5 (Snapshot.inner self) + val shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t ensures { result = shallow_model1 self } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_Range_Type.t_range usize) (res : Core_Ops_Range_Range_Type.t_range usize) = 
@@ -545,11 +589,12 @@ module SelectionSortGeneric_SelectionSort requires {inv7 self} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 75 26 75 48] UIntSize.to_int result = Seq.length (shallow_model4 self) } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + + val resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg selection_sort [#"../selection_sort_generic.rs" 30 0 32 29] [@cfg:stackify] [@cfg:subregion_analysis] (v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : () requires {[#"../selection_sort_generic.rs" 30 42 30 43] inv6 v} ensures { [#"../selection_sort_generic.rs" 28 10 28 35] sorted0 (deep_model1 ( ^ v)) } 
@@ -558,28 +603,31 @@ module SelectionSortGeneric_SelectionSort = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = v; - var old_v : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); + var old_v : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); var iter : Core_Ops_Range_Range_Type.t_range usize; + var _7 : Core_Ops_Range_Range_Type.t_range usize; var _8 : usize; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range usize); - var produced : Ghost.ghost_ty (Seq.seq usize); + var iter_old : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range usize); + var produced : Snapshot.snap_ty (Seq.seq usize); var _19 : (); var _20 : Core_Option_Option_Type.t_option usize; var _21 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var _22 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var __creusot_proc_iter_elem : usize; - var _25 : Ghost.ghost_ty (Seq.seq usize); + var _25 : Snapshot.snap_ty (Seq.seq usize); var i : usize; var min : usize; var iter1 : Core_Ops_Range_Range_Type.t_range usize; + var _31 : Core_Ops_Range_Range_Type.t_range usize; + var _32 : usize; var _34 : usize; - var iter_old1 : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range usize); - var produced1 : Ghost.ghost_ty (Seq.seq usize); + var iter_old1 : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range usize); + var produced1 : Snapshot.snap_ty (Seq.seq usize); var _44 : Core_Option_Option_Type.t_option usize; var _45 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var _46 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var __creusot_proc_iter_elem1 : usize; - var _49 : Ghost.ghost_ty (Seq.seq usize); + var _49 : Snapshot.snap_ty (Seq.seq usize); var j : usize; var _52 : bool; var _54 : t; 
@@ -592,26 +640,28 @@ module SelectionSortGeneric_SelectionSort goto BB0 } BB0 { - [#"../selection_sort_generic.rs" 34 16 34 25] old_v <- ([#"../selection_sort_generic.rs" 34 16 34 25] Ghost.new v); + [#"../selection_sort_generic.rs" 34 16 34 31] old_v <- ([#"../selection_sort_generic.rs" 34 16 34 31] Snapshot.new v); goto BB1 } BB1 { assert { [@expl:type invariant] inv0 old_v }; assume { resolve0 old_v }; - [#"../selection_sort_generic.rs" 38 16 38 23] _8 <- ([#"../selection_sort_generic.rs" 38 16 38 23] len0 ([#"../selection_sort_generic.rs" 38 16 38 17] * v)); + [#"../selection_sort_generic.rs" 38 16 38 23] _8 <- ([#"../selection_sort_generic.rs" 38 16 38 23] len0 ( * v)); goto BB2 } BB2 { - [#"../selection_sort_generic.rs" 35 4 35 43] iter <- ([#"../selection_sort_generic.rs" 35 4 35 43] into_iter0 ([#"../selection_sort_generic.rs" 38 13 38 23] Core_Ops_Range_Range_Type.C_Range ([#"../selection_sort_generic.rs" 38 13 38 14] [#"../selection_sort_generic.rs" 38 13 38 14] (0 : usize)) _8)); + [#"../selection_sort_generic.rs" 38 13 38 23] _7 <- Core_Ops_Range_Range_Type.C_Range ([#"../selection_sort_generic.rs" 38 13 38 14] (0 : usize)) _8; _8 <- any usize; + [#"../selection_sort_generic.rs" 35 4 35 43] iter <- ([#"../selection_sort_generic.rs" 35 4 35 43] into_iter0 _7); + _7 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB3 } BB3 { - [#"../selection_sort_generic.rs" 35 4 35 43] iter_old <- ([#"../selection_sort_generic.rs" 35 4 35 43] Ghost.new iter); + [#"../selection_sort_generic.rs" 35 4 35 43] iter_old <- ([#"../selection_sort_generic.rs" 35 4 35 43] Snapshot.new iter); goto BB4 } BB4 { - [#"../selection_sort_generic.rs" 35 4 35 43] produced <- ([#"../selection_sort_generic.rs" 35 4 35 43] Ghost.new (Seq.empty )); + [#"../selection_sort_generic.rs" 35 4 35 43] produced <- ([#"../selection_sort_generic.rs" 35 4 35 43] Snapshot.new (Seq.empty )); goto BB5 } BB5 { 
@@ -619,10 +669,10 @@ module SelectionSortGeneric_SelectionSort } BB6 { invariant { [#"../selection_sort_generic.rs" 35 4 35 43] inv1 iter }; - invariant { [#"../selection_sort_generic.rs" 35 4 35 43] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; + invariant { [#"../selection_sort_generic.rs" 35 4 35 43] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; invariant { [#"../selection_sort_generic.rs" 35 4 35 43] permutation_of0 (shallow_model0 v) (shallow_model1 old_v) }; - invariant { [#"../selection_sort_generic.rs" 36 16 36 63] sorted_range0 (deep_model0 v) 0 (Seq.length (Ghost.inner produced)) }; - invariant { [#"../selection_sort_generic.rs" 37 16 37 57] partition0 (deep_model0 v) (Seq.length (Ghost.inner produced)) }; + invariant { [#"../selection_sort_generic.rs" 36 16 36 63] sorted_range0 (deep_model0 v) 0 (Seq.length (Snapshot.inner produced)) }; + invariant { [#"../selection_sort_generic.rs" 37 16 37 57] partition0 (deep_model0 v) (Seq.length (Snapshot.inner produced)) }; goto BB7 } BB7 { 
@@ -651,33 +701,39 @@ module SelectionSortGeneric_SelectionSort goto BB12 } BB11 { + assert { [@expl:type invariant] inv6 v }; + assume { resolve4 v }; assert { [#"../selection_sort_generic.rs" 35 4 35 43] false }; absurd } BB12 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _20); - [#"../selection_sort_generic.rs" 35 4 35 43] _25 <- ([#"../selection_sort_generic.rs" 35 4 35 43] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _20; + [#"../selection_sort_generic.rs" 35 4 35 43] _25 <- ([#"../selection_sort_generic.rs" 35 4 35 43] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB13 } BB13 { - [#"../selection_sort_generic.rs" 35 4 35 43] produced <- ([#"../selection_sort_generic.rs" 35 4 35 43] _25); - [#"../selection_sort_generic.rs" 35 4 35 43] _25 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] i <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem); - [#"../selection_sort_generic.rs" 39 22 39 23] min <- ([#"../selection_sort_generic.rs" 39 22 39 23] i); - [#"../selection_sort_generic.rs" 43 26 43 33] _34 <- ([#"../selection_sort_generic.rs" 43 26 43 33] len0 ([#"../selection_sort_generic.rs" 43 26 43 27] * v)); + [#"../selection_sort_generic.rs" 35 4 35 43] produced <- _25; + _25 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] i <- __creusot_proc_iter_elem; + [#"../selection_sort_generic.rs" 39 22 39 23] min <- i; + [#"../selection_sort_generic.rs" 43 17 43 24] _32 <- i + ([#"../selection_sort_generic.rs" 43 22 43 23] (1 : usize)); + 
[#"../selection_sort_generic.rs" 43 26 43 33] _34 <- ([#"../selection_sort_generic.rs" 43 26 43 33] len0 ( * v)); goto BB14 } BB14 { - [#"../selection_sort_generic.rs" 41 8 41 121] iter1 <- ([#"../selection_sort_generic.rs" 41 8 41 121] into_iter0 ([#"../selection_sort_generic.rs" 43 17 43 33] Core_Ops_Range_Range_Type.C_Range ([#"../selection_sort_generic.rs" 43 17 43 24] ([#"../selection_sort_generic.rs" 43 18 43 19] i) + ([#"../selection_sort_generic.rs" 43 22 43 23] [#"../selection_sort_generic.rs" 43 22 43 23] (1 : usize))) _34)); + [#"../selection_sort_generic.rs" 43 17 43 33] _31 <- Core_Ops_Range_Range_Type.C_Range _32 _34; + _32 <- any usize; _34 <- any usize; + [#"../selection_sort_generic.rs" 41 8 41 121] iter1 <- ([#"../selection_sort_generic.rs" 41 8 41 121] into_iter0 _31); + _31 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB15 } BB15 { - [#"../selection_sort_generic.rs" 41 8 41 121] iter_old1 <- ([#"../selection_sort_generic.rs" 41 8 41 121] Ghost.new iter1); + [#"../selection_sort_generic.rs" 41 8 41 121] iter_old1 <- ([#"../selection_sort_generic.rs" 41 8 41 121] Snapshot.new iter1); goto BB16 } BB16 { - [#"../selection_sort_generic.rs" 41 8 41 121] produced1 <- ([#"../selection_sort_generic.rs" 41 8 41 121] Ghost.new (Seq.empty )); + [#"../selection_sort_generic.rs" 41 8 41 121] produced1 <- ([#"../selection_sort_generic.rs" 41 8 41 121] Snapshot.new (Seq.empty )); goto BB17 } BB17 { 
@@ -685,9 +741,10 @@ module SelectionSortGeneric_SelectionSort } BB18 { invariant { [#"../selection_sort_generic.rs" 41 8 41 121] inv1 iter1 }; - invariant { [#"../selection_sort_generic.rs" 41 8 41 121] produces0 (Ghost.inner iter_old1) (Ghost.inner produced1) iter1 }; - invariant { [#"../selection_sort_generic.rs" 41 8 41 121] forall k : int . UIntSize.to_int i <= k /\ k < Seq.length (Ghost.inner produced1) + UIntSize.to_int i + 1 -> le_log0 (Seq.get (deep_model0 v) (UIntSize.to_int min)) (Seq.get (deep_model0 v) k) }; - invariant { [#"../selection_sort_generic.rs" 42 20 42 64] UIntSize.to_int i <= UIntSize.to_int min /\ UIntSize.to_int min < Seq.length (Ghost.inner produced1) + UIntSize.to_int i + 1 }; + invariant { [#"../selection_sort_generic.rs" 41 8 41 121] produces0 (Snapshot.inner iter_old1) (Snapshot.inner produced1) iter1 }; + invariant { [#"../selection_sort_generic.rs" 41 8 41 121] forall k : int . UIntSize.to_int i <= k /\ k < Seq.length (Snapshot.inner produced1) + UIntSize.to_int i + 1 + -> le_log0 (Seq.get (deep_model0 v) (UIntSize.to_int min)) (Seq.get (deep_model0 v) k) }; + invariant { [#"../selection_sort_generic.rs" 42 20 42 64] UIntSize.to_int i <= UIntSize.to_int min /\ UIntSize.to_int min < Seq.length (Snapshot.inner produced1) + UIntSize.to_int i + 1 }; goto BB19 } BB19 { 
@@ -712,77 +769,74 @@ module SelectionSortGeneric_SelectionSort assume { inv3 ( ^ _66) }; [#"../selection_sort_generic.rs" 48 8 48 22] _65 <- ([#"../selection_sort_generic.rs" 48 8 48 22] deref_mut0 _66); _66 <- any borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); - goto BB31 + goto BB32 } BB22 { - goto BB23 + goto BB24 } BB23 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem1 <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _44); - [#"../selection_sort_generic.rs" 41 8 41 121] _49 <- ([#"../selection_sort_generic.rs" 41 8 41 121] Ghost.new (Seq.(++) (Ghost.inner produced1) (Seq.singleton __creusot_proc_iter_elem1))); - goto BB24 + assert { [@expl:type invariant] inv6 v }; + assume { resolve4 v }; + assert { [#"../selection_sort_generic.rs" 41 8 41 121] false }; + absurd } BB24 { - [#"../selection_sort_generic.rs" 41 8 41 121] produced1 <- ([#"../selection_sort_generic.rs" 41 8 41 121] _49); - [#"../selection_sort_generic.rs" 41 8 41 121] _49 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] j <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem1); - [#"../selection_sort_generic.rs" 44 16 44 19] _54 <- ([#"../selection_sort_generic.rs" 44 16 44 19] index0 ([#"../selection_sort_generic.rs" 44 15 44 16] * v) ([#"../selection_sort_generic.rs" 44 17 44 18] j)); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem1 <- Core_Option_Option_Type.some_0 _44; + [#"../selection_sort_generic.rs" 41 8 41 121] _49 <- ([#"../selection_sort_generic.rs" 41 8 41 121] Snapshot.new (Seq.(++) (Snapshot.inner produced1) (Seq.singleton __creusot_proc_iter_elem1))); goto BB25 } BB25 { - assert { [@expl:type invariant] inv2 _54 }; - assume { resolve2 _54 }; - [#"../selection_sort_generic.rs" 44 23 44 28] _58 <- ([#"../selection_sort_generic.rs" 
44 23 44 28] index0 ([#"../selection_sort_generic.rs" 44 22 44 23] * v) ([#"../selection_sort_generic.rs" 44 24 44 27] min)); + [#"../selection_sort_generic.rs" 41 8 41 121] produced1 <- _49; + _49 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] j <- __creusot_proc_iter_elem1; + [#"../selection_sort_generic.rs" 44 16 44 19] _54 <- ([#"../selection_sort_generic.rs" 44 16 44 19] index0 ( * v) j); goto BB26 } BB26 { - assert { [@expl:type invariant] inv2 _58 }; - assume { resolve2 _58 }; - [#"../selection_sort_generic.rs" 44 15 44 28] _52 <- ([#"../selection_sort_generic.rs" 44 15 44 28] lt0 ([#"../selection_sort_generic.rs" 44 15 44 19] _54) ([#"../selection_sort_generic.rs" 44 22 44 28] _58)); + assert { [@expl:type invariant] inv2 _54 }; + assume { resolve2 _54 }; + [#"../selection_sort_generic.rs" 44 23 44 28] _58 <- ([#"../selection_sort_generic.rs" 44 23 44 28] index0 ( * v) min); goto BB27 } BB27 { + assert { [@expl:type invariant] inv2 _58 }; + assume { resolve2 _58 }; + [#"../selection_sort_generic.rs" 44 15 44 28] _52 <- ([#"../selection_sort_generic.rs" 44 15 44 28] lt0 _54 _58); + goto BB28 + } + BB28 { switch (_52) - | False -> goto BB29 - | True -> goto BB28 + | False -> goto BB30 + | True -> goto BB29 end } - BB28 { - [#"../selection_sort_generic.rs" 45 16 45 23] min <- ([#"../selection_sort_generic.rs" 45 22 45 23] j); + BB29 { + [#"../selection_sort_generic.rs" 45 16 45 23] min <- j; [#"../selection_sort_generic.rs" 44 29 46 13] _19 <- ([#"../selection_sort_generic.rs" 44 29 46 13] ()); - goto BB30 + goto BB31 } - BB29 { + BB30 { [#"../selection_sort_generic.rs" 46 13 46 13] _19 <- ([#"../selection_sort_generic.rs" 46 13 46 13] ()); - goto BB30 + goto BB31 } - BB30 { + BB31 { goto BB18 } - BB31 { + BB32 { [#"../selection_sort_generic.rs" 48 8 48 9] _64 <- Borrow.borrow_final ( * _65) (Borrow.get_id _65); [#"../selection_sort_generic.rs" 48 8 48 9] _65 <- { _65 with current = ( ^ _64) ; }; 
assume { inv4 ( ^ _64) }; - [#"../selection_sort_generic.rs" 48 8 48 22] _63 <- ([#"../selection_sort_generic.rs" 48 8 48 22] swap0 _64 ([#"../selection_sort_generic.rs" 48 15 48 16] i) ([#"../selection_sort_generic.rs" 48 18 48 21] min)); + [#"../selection_sort_generic.rs" 48 8 48 22] _63 <- ([#"../selection_sort_generic.rs" 48 8 48 22] swap0 _64 i min); _64 <- any borrowed (slice t); - goto BB32 + goto BB33 } - BB32 { + BB33 { assert { [@expl:type invariant] inv5 _65 }; assume { resolve3 _65 }; - assert { [@expl:assertion] [#"../selection_sort_generic.rs" 49 8 50 63] let i = Seq.length (Ghost.inner produced) in forall k2 : int . forall k1 : int . 0 <= k1 /\ k1 < i /\ i <= k2 /\ k2 < Seq.length (deep_model0 v) -> le_log0 (Seq.get (deep_model0 v) k1) (Seq.get (deep_model0 v) k2) }; + assert { [@expl:assertion] [#"../selection_sort_generic.rs" 49 8 50 63] let i = Seq.length (Snapshot.inner produced) in forall k2 : int . forall k1 : int . 0 <= k1 /\ k1 < i /\ i <= k2 /\ k2 < Seq.length (deep_model0 v) + -> le_log0 (Seq.get (deep_model0 v) k1) (Seq.get (deep_model0 v) k2) }; [#"../selection_sort_generic.rs" 38 24 51 5] _19 <- ([#"../selection_sort_generic.rs" 38 24 51 5] ()); goto BB6 } - BB34 { - assert { [@expl:type invariant] inv6 v }; - assume { resolve4 v }; - goto BB11 - } - BB35 { - assert { [@expl:type invariant] inv6 v }; - assume { resolve4 v }; - goto BB11 - } end diff --git a/creusot/tests/should_succeed/selection_sort_generic.rs b/creusot/tests/should_succeed/selection_sort_generic.rs index 6beb8d5349..47a92baa7d 100644 --- a/creusot/tests/should_succeed/selection_sort_generic.rs +++ b/creusot/tests/should_succeed/selection_sort_generic.rs @@ -31,7 +31,7 @@ pub fn selection_sort(v: &mut Vec) where T::DeepModelTy: OrdLogic, { - let old_v = gh! { v }; + let old_v = snapshot! { v }; #[invariant(v@.permutation_of(old_v@))] #[invariant(sorted_range(v.deep_model(), 0, produced.len()))] #[invariant(partition(v.deep_model(), produced.len()))] 
diff --git a/creusot/tests/should_succeed/selection_sort_generic/why3session.xml b/creusot/tests/should_succeed/selection_sort_generic/why3session.xml index ececd1be15..28c6265065 100644 --- a/creusot/tests/should_succeed/selection_sort_generic/why3session.xml +++ b/creusot/tests/should_succeed/selection_sort_generic/why3session.xml @@ -18,25 +18,25 @@ - + - + - + - + - + - + @@ -45,64 +45,64 @@ - + - + - - + + - - + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -111,27 +111,27 @@ - + - + - + - + - + @@ -142,53 +142,53 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + diff --git a/creusot/tests/should_succeed/selection_sort_generic/why3shapes.gz b/creusot/tests/should_succeed/selection_sort_generic/why3shapes.gz index 937544f077..17febaf113 100644 Binary files a/creusot/tests/should_succeed/selection_sort_generic/why3shapes.gz and b/creusot/tests/should_succeed/selection_sort_generic/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/slices/01.mlcfg b/creusot/tests/should_succeed/slices/01.mlcfg index 748b31c2e4..b12c5dfbc4 100644 --- a/creusot/tests/should_succeed/slices/01.mlcfg +++ b/creusot/tests/should_succeed/slices/01.mlcfg 
@@ -35,7 +35,8 @@ module C01_IndexSlice requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv1 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv1 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) use prelude.Borrow function shallow_model0 (self : slice uint32) : Seq.seq uint32 = [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model1 self @@ -49,18 +50,20 @@ module C01_IndexSlice var _0 : uint32; var a : slice uint32 = a; var _3 : usize; + var _4 : usize; var _5 : bool; { goto BB0 } BB0 { - [#"../01.rs" 7 6 7 8] _3 <- ([#"../01.rs" 7 6 7 8] [#"../01.rs" 7 6 7 8] (10 : usize)); - [#"../01.rs" 7 4 7 9] _5 <- ([#"../01.rs" 7 4 7 9] _3 < ([#"../01.rs" 7 4 7 9] Slice.length a)); + [#"../01.rs" 7 6 7 8] _3 <- ([#"../01.rs" 7 6 7 8] (10 : usize)); + [#"../01.rs" 7 4 7 9] _4 <- Slice.length a; + [#"../01.rs" 7 4 7 9] _5 <- _3 < _4; assert { [@expl:index in bounds] [#"../01.rs" 7 4 7 9] _5 }; goto BB1 } BB1 { - [#"../01.rs" 7 4 7 9] _0 <- ([#"../01.rs" 7 4 7 9] Slice.get a _3); + [#"../01.rs" 7 4 7 9] _0 <- Slice.get a _3; return _0 } 
@@ -103,7 +106,8 @@ module C01_IndexMutSlice requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv1 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model2 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv1 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model2 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) function index_logic0 [@inline:trivial] (self : slice uint32) (ix : int) : uint32 = [#"../../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model2 self) ix val index_logic0 [@inline:trivial] (self : slice uint32) (ix : int) : uint32 
@@ -128,18 +132,20 @@ module C01_IndexMutSlice var _0 : (); var a : borrowed (slice uint32) = a; var _4 : usize; + var _5 : usize; var _6 : bool; { goto BB0 } BB0 { - [#"../01.rs" 13 6 13 7] _4 <- ([#"../01.rs" 13 6 13 7] [#"../01.rs" 13 6 13 7] (2 : usize)); - [#"../01.rs" 13 4 13 8] _6 <- ([#"../01.rs" 13 4 13 8] _4 < ([#"../01.rs" 13 4 13 8] Slice.length ( * a))); + [#"../01.rs" 13 6 13 7] _4 <- ([#"../01.rs" 13 6 13 7] (2 : usize)); + [#"../01.rs" 13 4 13 8] _5 <- Slice.length ( * a); + [#"../01.rs" 13 4 13 8] _6 <- _4 < _5; assert { [@expl:index in bounds] [#"../01.rs" 13 4 13 8] _6 }; goto BB1 } BB1 { - [#"../01.rs" 13 4 13 12] a <- { a with current = Slice.set ( * a) _4 ([#"../01.rs" 13 4 13 12] [#"../01.rs" 13 11 13 12] (3 : uint32)) ; }; + [#"../01.rs" 13 4 13 12] a <- { a with current = Slice.set ( * a) _4 ([#"../01.rs" 13 11 13 12] (3 : uint32)) ; }; assume { resolve0 a }; [#"../01.rs" 12 38 14 1] _0 <- ([#"../01.rs" 12 38 14 1] ()); return _0 
@@ -214,7 +220,8 @@ module C01_SliceFirst requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv4 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model2 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv4 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model2 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) use prelude.Borrow function shallow_model0 (self : slice t) : Seq.seq t = [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model2 self 
@@ -250,42 +257,47 @@ module C01_SliceFirst = [@vc:do_not_keep_trace] [@vc:sp] var _0 : Core_Option_Option_Type.t_option t; var a : slice t = a; + var _3 : bool; var _4 : usize; var _7 : t; var _8 : usize; + var _9 : usize; var _10 : bool; { goto BB0 } BB0 { - [#"../01.rs" 21 7 21 14] _4 <- ([#"../01.rs" 21 7 21 14] len0 ([#"../01.rs" 21 7 21 8] a)); + [#"../01.rs" 21 7 21 14] _4 <- ([#"../01.rs" 21 7 21 14] len0 a); goto BB1 } BB1 { - switch ([#"../01.rs" 21 7 21 18] _4 > ([#"../01.rs" 21 17 21 18] [#"../01.rs" 21 17 21 18] (0 : usize))) + [#"../01.rs" 21 7 21 18] _3 <- _4 > ([#"../01.rs" 21 17 21 18] (0 : usize)); + _4 <- any usize; + switch (_3) | False -> goto BB4 | True -> goto BB2 end } BB2 { - [#"../01.rs" 22 16 22 17] _8 <- ([#"../01.rs" 22 16 22 17] [#"../01.rs" 22 16 22 17] (0 : usize)); - [#"../01.rs" 22 14 22 18] _10 <- ([#"../01.rs" 22 14 22 18] _8 < ([#"../01.rs" 22 14 22 18] Slice.length a)); + [#"../01.rs" 22 16 22 17] _8 <- ([#"../01.rs" 22 16 22 17] (0 : usize)); + [#"../01.rs" 22 14 22 18] _9 <- Slice.length a; + [#"../01.rs" 22 14 22 18] _10 <- _8 < _9; assert { [@expl:index in bounds] [#"../01.rs" 22 14 22 18] _10 }; goto BB3 } BB3 { - [#"../01.rs" 22 13 22 18] _7 <- ([#"../01.rs" 22 13 22 18] Slice.get a _8); + [#"../01.rs" 22 13 22 18] _7 <- Slice.get a _8; assert { [@expl:type invariant] inv0 a }; assume { resolve0 a }; assert { [@expl:type invariant] inv1 _7 }; assume { resolve1 _7 }; - [#"../01.rs" 22 8 22 19] _0 <- ([#"../01.rs" 22 8 22 19] Core_Option_Option_Type.C_Some ([#"../01.rs" 22 13 22 18] _7)); + [#"../01.rs" 22 8 22 19] _0 <- Core_Option_Option_Type.C_Some _7; goto BB5 } BB4 { assert { [@expl:type invariant] inv0 a }; assume { resolve0 a }; - [#"../01.rs" 24 8 24 12] _0 <- ([#"../01.rs" 24 8 24 12] Core_Option_Option_Type.C_None); + [#"../01.rs" 24 8 24 12] _0 <- Core_Option_Option_Type.C_None; goto BB5 } BB5 { 
diff --git a/creusot/tests/should_succeed/slices/01/why3session.xml b/creusot/tests/should_succeed/slices/01/why3session.xml index 41fb5e6c61..c13a3cf1fb 100644 --- a/creusot/tests/should_succeed/slices/01/why3session.xml +++ b/creusot/tests/should_succeed/slices/01/why3session.xml @@ -8,17 +8,17 @@ - + - + - + diff --git a/creusot/tests/should_succeed/slices/01/why3shapes.gz b/creusot/tests/should_succeed/slices/01/why3shapes.gz index a947021695..88d5b3d077 100644 Binary files a/creusot/tests/should_succeed/slices/01/why3shapes.gz and b/creusot/tests/should_succeed/slices/01/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/slices/02_std.mlcfg b/creusot/tests/should_succeed/slices/02_std.mlcfg index 543941cdaf..2eb93e5c56 100644 --- a/creusot/tests/should_succeed/slices/02_std.mlcfg +++ b/creusot/tests/should_succeed/slices/02_std.mlcfg 
@@ -102,7 +102,8 @@ module C02Std_BinarySearch requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv6 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model3 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv6 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model3 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) function index_logic0 [@inline:trivial] (self : slice uint32) (ix : int) : uint32 = [#"../../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model3 self) ix val index_logic0 [@inline:trivial] (self : slice uint32) (ix : int) : uint32 
@@ -138,10 +139,13 @@ module C02Std_BinarySearch requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 32 18 32 22] inv4 self} ensures { result = deep_model1 self } - axiom deep_model1_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 32 18 32 22] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 32 4 32 44] inv5 (deep_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 31 4 31 98] forall i : int . 0 <= i /\ i < Seq.length (deep_model1 self) -> Seq.get (deep_model1 self) i = deep_model3 (index_logic0 self i)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 30 14 30 44] Seq.length (shallow_model1 self) = Seq.length (deep_model1 self)) + axiom deep_model1_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 32 18 32 22] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 32 4 32 44] inv5 (deep_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 31 4 31 98] forall i : int . 0 <= i /\ i < Seq.length (deep_model1 self) + -> Seq.get (deep_model1 self) i = deep_model3 (index_logic0 self i)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 30 14 30 44] Seq.length (shallow_model1 self) = Seq.length (deep_model1 self)) use int.Int predicate sorted_range0 (self : Seq.seq int) (l : int) (u : int) = - [#"../../../../../creusot-contracts/src/logic/seq.rs" 138 8 140 9] forall j : int . forall i : int . l <= i /\ i <= j /\ j < u -> Seq.get self i <= Seq.get self j + [#"../../../../../creusot-contracts/src/logic/seq.rs" 138 8 140 9] forall j : int . forall i : int . l <= i /\ i <= j /\ j < u + -> Seq.get self i <= Seq.get self j val sorted_range0 (self : Seq.seq int) (l : int) (u : int) : bool ensures { result = sorted_range0 self l u } 
@@ -159,15 +163,22 @@ module C02Std_BinarySearch requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 238 0 334 1] sorted0 (deep_model0 self)} requires {inv0 self} requires {inv1 x} - ensures { [#"../../../../../creusot-contracts/src/std/slice.rs" 304 8 304 118] forall i : usize . result = Core_Result_Result_Type.C_Ok i -> UIntSize.to_int i < Seq.length (shallow_model1 self) /\ Seq.get (deep_model1 self) (UIntSize.to_int i) = deep_model2 x } - ensures { [#"../../../../../creusot-contracts/src/std/slice.rs" 305 8 306 96] forall i : usize . result = Core_Result_Result_Type.C_Err i -> UIntSize.to_int i <= Seq.length (shallow_model1 self) /\ (forall j : int . 0 <= j /\ j < Seq.length (shallow_model1 self) -> Seq.get (deep_model0 self) j <> deep_model2 x) } - ensures { [#"../../../../../creusot-contracts/src/std/slice.rs" 307 8 308 78] forall i : usize . result = Core_Result_Result_Type.C_Err i -> (forall j : usize . j < i -> Seq.get (deep_model0 self) (UIntSize.to_int j) < deep_model2 x) } - ensures { [#"../../../../../creusot-contracts/src/std/slice.rs" 309 8 310 99] forall i : usize . result = Core_Result_Result_Type.C_Err i -> (forall j : usize . i <= j /\ UIntSize.to_int j < Seq.length (shallow_model1 self) -> deep_model2 x < Seq.get (deep_model0 self) (UIntSize.to_int j)) } + ensures { [#"../../../../../creusot-contracts/src/std/slice.rs" 304 8 304 118] forall i : usize . result = Core_Result_Result_Type.C_Ok i + -> UIntSize.to_int i < Seq.length (shallow_model1 self) /\ Seq.get (deep_model1 self) (UIntSize.to_int i) = deep_model2 x } + ensures { [#"../../../../../creusot-contracts/src/std/slice.rs" 305 8 306 96] forall i : usize . result = Core_Result_Result_Type.C_Err i + -> UIntSize.to_int i <= Seq.length (shallow_model1 self) /\ (forall j : int . 0 <= j /\ j < Seq.length (shallow_model1 self) + -> Seq.get (deep_model0 self) j <> deep_model2 x) } + ensures { [#"../../../../../creusot-contracts/src/std/slice.rs" 307 8 308 78] forall i : usize . 
result = Core_Result_Result_Type.C_Err i + -> (forall j : usize . j < i -> Seq.get (deep_model0 self) (UIntSize.to_int j) < deep_model2 x) } + ensures { [#"../../../../../creusot-contracts/src/std/slice.rs" 309 8 310 99] forall i : usize . result = Core_Result_Result_Type.C_Err i + -> (forall j : usize . i <= j /\ UIntSize.to_int j < Seq.length (shallow_model1 self) + -> deep_model2 x < Seq.get (deep_model0 self) (UIntSize.to_int j)) } let constant promoted0 [#"../02_std.rs" 8 0 8 40] : uint32 = [@vc:do_not_keep_trace] [@vc:sp] - let _1 = [#"../02_std.rs" 9 30 9 31] [#"../02_std.rs" 9 30 9 31] (2 : uint32) in let _0 = [#"../02_std.rs" 9 29 9 31] _1 in _0 + let _1 = [#"../02_std.rs" 9 30 9 31] (2 : uint32) in let _0 = _1 in _0 let rec cfg binary_search [#"../02_std.rs" 8 0 8 40] [@cfg:stackify] [@cfg:subregion_analysis] (s : slice uint32) : usize - requires {[#"../02_std.rs" 6 0 6 64] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 s) -> UInt32.to_int (index_logic0 s i) = i} + requires {[#"../02_std.rs" 6 0 6 64] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 s) + -> UInt32.to_int (index_logic0 s i) = i} requires {[#"../02_std.rs" 7 11 7 24] Seq.length (shallow_model1 s) = 5} = [@vc:do_not_keep_trace] [@vc:sp] @@ -181,9 +192,9 @@ module C02Std_BinarySearch goto BB0 } BB0 { - [#"../02_std.rs" 9 29 9 31] _12 <- ([#"../02_std.rs" 9 29 9 31] [#"../02_std.rs" 9 29 9 31] promoted0); - [#"../02_std.rs" 9 29 9 31] _8 <- ([#"../02_std.rs" 9 29 9 31] _12); - [#"../02_std.rs" 9 13 9 32] _5 <- ([#"../02_std.rs" 9 13 9 32] binary_search0 ([#"../02_std.rs" 9 13 9 14] s) ([#"../02_std.rs" 9 29 9 31] _8)); + [#"../02_std.rs" 9 29 9 31] _12 <- ([#"../02_std.rs" 9 29 9 31] promoted0); + [#"../02_std.rs" 9 29 9 31] _8 <- _12; + [#"../02_std.rs" 9 13 9 32] _5 <- ([#"../02_std.rs" 9 13 9 32] binary_search0 s _8); goto BB1 } BB1 { 
@@ -193,7 +204,7 @@ module C02Std_BinarySearch } BB2 { assert { [@expl:assertion] [#"../02_std.rs" 11 20 11 27] UIntSize.to_int ix < 5 }; - [#"../02_std.rs" 12 4 12 6] _0 <- ([#"../02_std.rs" 12 4 12 6] ix); + [#"../02_std.rs" 12 4 12 6] _0 <- ix; return _0 } diff --git a/creusot/tests/should_succeed/sparse_array.mlcfg b/creusot/tests/should_succeed/sparse_array.mlcfg index edb4812333..7336c113a8 100644 --- a/creusot/tests/should_succeed/sparse_array.mlcfg +++ b/creusot/tests/should_succeed/sparse_array.mlcfg @@ -17,12 +17,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
@@ -105,7 +111,8 @@ module SparseArray_Impl2_Get requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv10 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv10 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv11 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv10 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv11 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) predicate invariant10 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv11 (shallow_model6 self) val invariant10 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -132,7 +139,8 @@ module SparseArray_Impl2_Get requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self} ensures { result = shallow_model5 self } - axiom shallow_model5_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv9 (shallow_model5 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max0) + axiom shallow_model5_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv8 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv9 (shallow_model5 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max0) predicate invariant8 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv9 (shallow_model5 self) val invariant8 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -178,7 +186,8 @@ module SparseArray_Impl2_Get ensures { result = shallow_model4 self } predicate invariant7 [#"../sparse_array.rs" 49 4 49 30] (self : SparseArray_Sparse_Type.t_sparse t) = - [#"../sparse_array.rs" 50 8 61 9] UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) <= UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model4 self) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model6 (SparseArray_Sparse_Type.sparse_values self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model5 (SparseArray_Sparse_Type.sparse_idx self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model5 (SparseArray_Sparse_Type.sparse_back self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) -> match index_logic4 (SparseArray_Sparse_Type.sparse_back self) i with + [#"../sparse_array.rs" 50 8 61 9] UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) <= UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model4 self) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model6 (SparseArray_Sparse_Type.sparse_values self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model5 (SparseArray_Sparse_Type.sparse_idx self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model5 (SparseArray_Sparse_Type.sparse_back self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ (forall i : int . 
0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) + -> match index_logic4 (SparseArray_Sparse_Type.sparse_back self) i with | j -> 0 <= UIntSize.to_int j /\ UIntSize.to_int j < UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ UIntSize.to_int (index_logic4 (SparseArray_Sparse_Type.sparse_idx self) (UIntSize.to_int j)) = i end) val invariant7 [#"../sparse_array.rs" 49 4 49 30] (self : SparseArray_Sparse_Type.t_sparse t) : bool @@ -259,7 +268,7 @@ module SparseArray_Impl2_Get axiom inv0 : forall x : SparseArray_Sparse_Type.t_sparse t . inv0 x = inv7 x use seq.Seq function shallow_model1 (self : SparseArray_Sparse_Type.t_sparse t) : Seq.seq (Core_Option_Option_Type.t_option t) = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model4 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model4 self val shallow_model1 (self : SparseArray_Sparse_Type.t_sparse t) : Seq.seq (Core_Option_Option_Type.t_option t) ensures { result = shallow_model1 self } @@ -279,7 +288,7 @@ module SparseArray_Impl2_Get ensures { result = in_bounds1 self seq } function shallow_model3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : Seq.seq t = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model6 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model6 self val shallow_model3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : Seq.seq t ensures { result = shallow_model3 self } 
@@ -305,7 +314,7 @@ module SparseArray_Impl2_Get ensures { result = in_bounds0 self seq } function shallow_model2 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : Seq.seq usize = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model5 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model5 self val shallow_model2 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : Seq.seq usize ensures { result = shallow_model2 self } @@ -335,6 +344,8 @@ module SparseArray_Impl2_Get var i : usize = i; var index : usize; var _7 : usize; + var _10 : bool; + var _13 : bool; var _15 : usize; var _20 : t; var _21 : t; 
@@ -342,22 +353,24 @@ module SparseArray_Impl2_Get goto BB0 } BB0 { - [#"../sparse_array.rs" 90 28 90 31] _7 <- ([#"../sparse_array.rs" 90 28 90 31] index0 ([#"../sparse_array.rs" 90 20 90 28] SparseArray_Sparse_Type.sparse_idx self) ([#"../sparse_array.rs" 90 29 90 30] i)); + [#"../sparse_array.rs" 90 28 90 31] _7 <- ([#"../sparse_array.rs" 90 28 90 31] index0 (SparseArray_Sparse_Type.sparse_idx self) i); goto BB1 } BB1 { - [#"../sparse_array.rs" 90 20 90 31] index <- ([#"../sparse_array.rs" 90 20 90 31] _7); - switch ([#"../sparse_array.rs" 91 11 91 25] ([#"../sparse_array.rs" 91 11 91 16] index) < ([#"../sparse_array.rs" 91 19 91 25] SparseArray_Sparse_Type.sparse_n self)) + [#"../sparse_array.rs" 90 20 90 31] index <- _7; + [#"../sparse_array.rs" 91 11 91 25] _10 <- index < SparseArray_Sparse_Type.sparse_n self; + switch (_10) | False -> goto BB7 | True -> goto BB2 end } BB2 { - [#"../sparse_array.rs" 91 38 91 45] _15 <- ([#"../sparse_array.rs" 91 38 91 45] index0 ([#"../sparse_array.rs" 91 29 91 38] SparseArray_Sparse_Type.sparse_back self) ([#"../sparse_array.rs" 91 39 91 44] index)); + [#"../sparse_array.rs" 91 38 91 45] _15 <- ([#"../sparse_array.rs" 91 38 91 45] index0 (SparseArray_Sparse_Type.sparse_back self) index); goto BB3 } BB3 { - switch ([#"../sparse_array.rs" 91 29 91 50] ([#"../sparse_array.rs" 91 29 91 45] _15) = ([#"../sparse_array.rs" 91 49 91 50] i)) + [#"../sparse_array.rs" 91 29 91 50] _13 <- _15 = i; + switch (_13) | False -> goto BB6 | True -> goto BB4 end 
@@ -365,16 +378,16 @@ module SparseArray_Impl2_Get BB4 { assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../sparse_array.rs" 92 29 92 32] _21 <- ([#"../sparse_array.rs" 92 29 92 32] index1 ([#"../sparse_array.rs" 92 18 92 29] SparseArray_Sparse_Type.sparse_values self) ([#"../sparse_array.rs" 92 30 92 31] i)); + [#"../sparse_array.rs" 92 29 92 32] _21 <- ([#"../sparse_array.rs" 92 29 92 32] index1 (SparseArray_Sparse_Type.sparse_values self) i); goto BB5 } BB5 { - [#"../sparse_array.rs" 92 17 92 32] _20 <- ([#"../sparse_array.rs" 92 17 92 32] _21); + [#"../sparse_array.rs" 92 17 92 32] _20 <- _21; assert { [@expl:type invariant] inv1 _21 }; assume { resolve1 _21 }; assert { [@expl:type invariant] inv1 _20 }; assume { resolve1 _20 }; - [#"../sparse_array.rs" 92 12 92 33] _0 <- ([#"../sparse_array.rs" 92 12 92 33] Core_Option_Option_Type.C_Some ([#"../sparse_array.rs" 92 17 92 32] _20)); + [#"../sparse_array.rs" 92 12 92 33] _0 <- Core_Option_Option_Type.C_Some _20; goto BB9 } BB6 { @@ -388,7 +401,7 @@ module SparseArray_Impl2_Get goto BB8 } BB8 { - [#"../sparse_array.rs" 94 12 94 16] _0 <- ([#"../sparse_array.rs" 94 12 94 16] Core_Option_Option_Type.C_None); + [#"../sparse_array.rs" 94 12 94 16] _0 <- Core_Option_Option_Type.C_None; goto BB9 } BB9 { 
@@ -435,7 +448,8 @@ module SparseArray_Impl2_LemmaPermutation_Impl requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv3 (shallow_model1 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv3 (shallow_model1 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -452,7 +466,8 @@ module SparseArray_Impl2_LemmaPermutation_Impl requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant1 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv4 (shallow_model3 self) val invariant1 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -498,7 +513,8 @@ module SparseArray_Impl2_LemmaPermutation_Impl ensures { result = shallow_model2 self } predicate invariant0 [#"../sparse_array.rs" 49 4 49 30] (self : SparseArray_Sparse_Type.t_sparse t) = - [#"../sparse_array.rs" 50 8 61 9] UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) <= UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model2 self) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model3 (SparseArray_Sparse_Type.sparse_values self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model1 (SparseArray_Sparse_Type.sparse_idx self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model1 (SparseArray_Sparse_Type.sparse_back self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) -> match index_logic0 (SparseArray_Sparse_Type.sparse_back self) i with + [#"../sparse_array.rs" 50 8 61 9] UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) <= UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model2 self) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model3 (SparseArray_Sparse_Type.sparse_values self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model1 (SparseArray_Sparse_Type.sparse_idx self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model1 (SparseArray_Sparse_Type.sparse_back self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ (forall i : int . 
0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) + -> match index_logic0 (SparseArray_Sparse_Type.sparse_back self) i with | j -> 0 <= UIntSize.to_int j /\ UIntSize.to_int j < UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ UIntSize.to_int (index_logic0 (SparseArray_Sparse_Type.sparse_idx self) (UIntSize.to_int j)) = i end) val invariant0 [#"../sparse_array.rs" 49 4 49 30] (self : SparseArray_Sparse_Type.t_sparse t) : bool @@ -511,14 +527,14 @@ module SparseArray_Impl2_LemmaPermutation_Impl axiom inv0 : forall x : SparseArray_Sparse_Type.t_sparse t . inv0 x = (invariant0 x /\ match x with | SparseArray_Sparse_Type.C_Sparse size n values idx back -> true end) - let rec ghost function lemma_permutation [#"../sparse_array.rs" 104 4 104 38] (self : SparseArray_Sparse_Type.t_sparse t) (i : int) : () - requires {[#"../sparse_array.rs" 101 15 101 34] SparseArray_Sparse_Type.sparse_n self = SparseArray_Sparse_Type.sparse_size self} - requires {[#"../sparse_array.rs" 102 15 102 39] 0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self)} - requires {[#"../sparse_array.rs" 104 25 104 29] inv0 self} - ensures { [#"../sparse_array.rs" 103 14 103 28] is_elt0 self i } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../sparse_array.rs" 100 4 100 12] () + constant self : SparseArray_Sparse_Type.t_sparse t + constant i : int + function lemma_permutation [#"../sparse_array.rs" 104 4 104 38] (self : SparseArray_Sparse_Type.t_sparse t) (i : int) : () + + goal vc_lemma_permutation : ([#"../sparse_array.rs" 104 25 104 29] inv0 self) + -> ([#"../sparse_array.rs" 102 15 102 39] 0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self)) + -> ([#"../sparse_array.rs" 101 15 101 34] SparseArray_Sparse_Type.sparse_n self = SparseArray_Sparse_Type.sparse_size self) + -> ([#"../sparse_array.rs" 103 14 103 28] is_elt0 self i) end module SparseArray_Impl2_Set type t 
@@ -550,7 +566,8 @@ module SparseArray_Impl2_Set requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv12 self} ensures { result = shallow_model7 self } - axiom shallow_model7_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv12 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv13 (shallow_model7 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) + axiom shallow_model7_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv12 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv13 (shallow_model7 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) predicate invariant12 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv13 (shallow_model7 self) val invariant12 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -606,7 +623,8 @@ module SparseArray_Impl2_Set requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv11 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv11 (shallow_model4 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) use seq.Seq use seq.Seq use prelude.Mapping 
@@ -636,7 +654,8 @@ module SparseArray_Impl2_Set ensures { result = shallow_model2 self } predicate invariant8 [#"../sparse_array.rs" 49 4 49 30] (self : SparseArray_Sparse_Type.t_sparse t) = - [#"../sparse_array.rs" 50 8 61 9] UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) <= UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model2 self) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model4 (SparseArray_Sparse_Type.sparse_values self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model7 (SparseArray_Sparse_Type.sparse_idx self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model7 (SparseArray_Sparse_Type.sparse_back self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) -> match index_logic4 (SparseArray_Sparse_Type.sparse_back self) i with + [#"../sparse_array.rs" 50 8 61 9] UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) <= UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model2 self) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model4 (SparseArray_Sparse_Type.sparse_values self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model7 (SparseArray_Sparse_Type.sparse_idx self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model7 (SparseArray_Sparse_Type.sparse_back self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ (forall i : int . 
0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) + -> match index_logic4 (SparseArray_Sparse_Type.sparse_back self) i with | j -> 0 <= UIntSize.to_int j /\ UIntSize.to_int j < UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ UIntSize.to_int (index_logic4 (SparseArray_Sparse_Type.sparse_idx self) (UIntSize.to_int j)) = i end) val invariant8 [#"../sparse_array.rs" 49 4 49 30] (self : SparseArray_Sparse_Type.t_sparse t) : bool 
@@ -725,24 +744,25 @@ module SparseArray_Impl2_Set function shallow_model1 (self : borrowed (SparseArray_Sparse_Type.t_sparse t)) : Seq.seq (Core_Option_Option_Type.t_option t) = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model2 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model2 ( * self) val shallow_model1 (self : borrowed (SparseArray_Sparse_Type.t_sparse t)) : Seq.seq (Core_Option_Option_Type.t_option t) ensures { result = shallow_model1 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve4 (self : borrowed (SparseArray_Sparse_Type.t_sparse t)) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve4 (self : borrowed (SparseArray_Sparse_Type.t_sparse t)) : bool ensures { result = resolve4 self } predicate resolve3 (self : borrowed usize) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve3 (self : borrowed usize) : bool ensures { result = resolve3 self } use prelude.Slice predicate resolve_elswhere1 [@inline:trivial] (self : usize) (old' : Seq.seq usize) (fin : Seq.seq usize) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere1 [@inline:trivial] (self : usize) (old' : Seq.seq usize) (fin : Seq.seq usize) : bool ensures { result = resolve_elswhere1 self old' fin } 
@@ -759,7 +779,7 @@ module SparseArray_Impl2_Set function shallow_model6 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : Seq.seq usize = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model7 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model7 ( * self) val shallow_model6 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : Seq.seq usize ensures { result = shallow_model6 self } @@ -773,11 +793,11 @@ module SparseArray_Impl2_Set ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 136 26 136 55] Seq.length (shallow_model7 ( ^ self)) = Seq.length (shallow_model6 self) } ensures { inv10 result } - predicate resolve2 (self : Ghost.ghost_ty ()) - val resolve2 (self : Ghost.ghost_ty ()) : bool + predicate resolve2 (self : Snapshot.snap_ty ()) + val resolve2 (self : Snapshot.snap_ty ()) : bool ensures { result = resolve2 self } - use prelude.Ghost + use prelude.Snapshot function lemma_permutation0 [#"../sparse_array.rs" 104 4 104 38] (self : SparseArray_Sparse_Type.t_sparse t) (i : int) : () = 
@@ -788,9 +808,11 @@ module SparseArray_Impl2_Set requires {[#"../sparse_array.rs" 104 25 104 29] inv8 self} ensures { result = lemma_permutation0 self i } - axiom lemma_permutation0_spec : forall self : SparseArray_Sparse_Type.t_sparse t, i : int . ([#"../sparse_array.rs" 101 15 101 34] SparseArray_Sparse_Type.sparse_n self = SparseArray_Sparse_Type.sparse_size self) -> ([#"../sparse_array.rs" 102 15 102 39] 0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self)) -> ([#"../sparse_array.rs" 104 25 104 29] inv8 self) -> ([#"../sparse_array.rs" 103 14 103 28] is_elt0 self i) + axiom lemma_permutation0_spec : forall self : SparseArray_Sparse_Type.t_sparse t, i : int . ([#"../sparse_array.rs" 101 15 101 34] SparseArray_Sparse_Type.sparse_n self = SparseArray_Sparse_Type.sparse_size self) + -> ([#"../sparse_array.rs" 102 15 102 39] 0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self)) + -> ([#"../sparse_array.rs" 104 25 104 29] inv8 self) -> ([#"../sparse_array.rs" 103 14 103 28] is_elt0 self i) function shallow_model5 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : Seq.seq usize = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model7 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model7 self val shallow_model5 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : Seq.seq usize ensures { result = shallow_model5 self } @@ -802,7 +824,7 @@ module SparseArray_Impl2_Set ensures { inv7 result } predicate resolve1 (self : borrowed t) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed t) : bool ensures { result = resolve1 self } 
@@ -811,7 +833,8 @@ module SparseArray_Impl2_Set ensures { result = resolve0 self } predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq t) (fin : Seq.seq t) = - [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq t) (fin : Seq.seq t) : bool ensures { result = resolve_elswhere0 self old' fin } @@ -827,7 +850,7 @@ module SparseArray_Impl2_Set function shallow_model3 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model4 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model4 ( * self) val shallow_model3 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model3 self } 
@@ -846,7 +869,8 @@ module SparseArray_Impl2_Set requires {[#"../sparse_array.rs" 112 20 112 24] inv3 self} requires {[#"../sparse_array.rs" 112 36 112 37] inv1 v} ensures { [#"../sparse_array.rs" 109 14 109 43] Seq.length (shallow_model2 ( ^ self)) = Seq.length (shallow_model1 self) } - ensures { [#"../sparse_array.rs" 110 4 110 95] forall j : int . 0 <= j /\ j < Seq.length (shallow_model1 self) /\ j <> UIntSize.to_int i -> Seq.get (shallow_model2 ( ^ self)) j = Seq.get (shallow_model1 self) j } + ensures { [#"../sparse_array.rs" 110 4 110 95] forall j : int . 0 <= j /\ j < Seq.length (shallow_model1 self) /\ j <> UIntSize.to_int i + -> Seq.get (shallow_model2 ( ^ self)) j = Seq.get (shallow_model1 self) j } ensures { [#"../sparse_array.rs" 111 14 111 37] Seq.get (shallow_model2 ( ^ self)) (UIntSize.to_int i) = Core_Option_Option_Type.C_Some v } = [@vc:do_not_keep_trace] [@vc:sp] @@ -858,8 +882,10 @@ module SparseArray_Impl2_Set var _10 : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); var index : usize; var _13 : usize; + var _16 : bool; + var _19 : bool; var _21 : usize; - var _25 : Ghost.ghost_ty (); + var _25 : Snapshot.snap_ty (); var _30 : borrowed usize; var _31 : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)); var _34 : borrowed usize; 
@@ -874,7 +900,7 @@ module SparseArray_Impl2_Set [#"../sparse_array.rs" 113 8 113 19] _10 <- Borrow.borrow_final (SparseArray_Sparse_Type.sparse_values ( * self)) (Borrow.inherit_id (Borrow.get_id self) 3); [#"../sparse_array.rs" 113 8 113 19] self <- { self with current = (let SparseArray_Sparse_Type.C_Sparse x0 x1 x2 x3 x4 = * self in SparseArray_Sparse_Type.C_Sparse x0 x1 ( ^ _10) x3 x4) ; }; assume { inv0 ( ^ _10) }; - [#"../sparse_array.rs" 113 19 113 22] _9 <- ([#"../sparse_array.rs" 113 19 113 22] index_mut0 _10 ([#"../sparse_array.rs" 113 20 113 21] i)); + [#"../sparse_array.rs" 113 19 113 22] _9 <- ([#"../sparse_array.rs" 113 19 113 22] index_mut0 _10 i); _10 <- any borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); goto BB2 } @@ -882,8 +908,8 @@ module SparseArray_Impl2_Set goto BB3 } BB3 { - [#"../sparse_array.rs" 113 8 113 22] _9 <- { _9 with current = ([#"../sparse_array.rs" 113 25 113 26] v) ; }; - [#"../sparse_array.rs" 113 25 113 26] v <- any t; + [#"../sparse_array.rs" 113 8 113 22] _9 <- { _9 with current = v ; }; + v <- any t; assert { [@expl:type invariant] inv1 ( * _9) }; assume { resolve0 ( * _9) }; assert { [@expl:type invariant] inv2 _9 }; 
@@ -891,22 +917,24 @@ module SparseArray_Impl2_Set goto BB5 } BB5 { - [#"../sparse_array.rs" 114 28 114 31] _13 <- ([#"../sparse_array.rs" 114 28 114 31] index0 ([#"../sparse_array.rs" 114 20 114 28] SparseArray_Sparse_Type.sparse_idx ( * self)) ([#"../sparse_array.rs" 114 29 114 30] i)); + [#"../sparse_array.rs" 114 28 114 31] _13 <- ([#"../sparse_array.rs" 114 28 114 31] index0 (SparseArray_Sparse_Type.sparse_idx ( * self)) i); goto BB6 } BB6 { - [#"../sparse_array.rs" 114 20 114 31] index <- ([#"../sparse_array.rs" 114 20 114 31] _13); - switch ([#"../sparse_array.rs" 115 13 115 27] ([#"../sparse_array.rs" 115 13 115 18] index) < ([#"../sparse_array.rs" 115 21 115 27] SparseArray_Sparse_Type.sparse_n ( * self))) + [#"../sparse_array.rs" 114 20 114 31] index <- _13; + [#"../sparse_array.rs" 115 13 115 27] _16 <- index < SparseArray_Sparse_Type.sparse_n ( * self); + switch (_16) | False -> goto BB11 | True -> goto BB7 end } BB7 { - [#"../sparse_array.rs" 115 40 115 47] _21 <- ([#"../sparse_array.rs" 115 40 115 47] index0 ([#"../sparse_array.rs" 115 31 115 40] SparseArray_Sparse_Type.sparse_back ( * self)) ([#"../sparse_array.rs" 115 41 115 46] index)); + [#"../sparse_array.rs" 115 40 115 47] _21 <- ([#"../sparse_array.rs" 115 40 115 47] index0 (SparseArray_Sparse_Type.sparse_back ( * self)) index); goto BB8 } BB8 { - switch ([#"../sparse_array.rs" 115 31 115 52] ([#"../sparse_array.rs" 115 31 115 47] _21) = ([#"../sparse_array.rs" 115 51 115 52] i)) + [#"../sparse_array.rs" 115 31 115 52] _19 <- _21 = i; + switch (_19) | False -> goto BB10 | True -> goto BB9 end @@ -924,7 +952,7 @@ module SparseArray_Impl2_Set goto BB12 } BB12 { - [#"../sparse_array.rs" 117 12 117 40] _25 <- ([#"../sparse_array.rs" 117 12 117 40] Ghost.new ()); + [#"../sparse_array.rs" 117 12 117 46] _25 <- ([#"../sparse_array.rs" 117 12 117 46] Snapshot.new ()); goto BB13 } BB13 { 
@@ -932,23 +960,23 @@ module SparseArray_Impl2_Set assert { [@expl:assertion] [#"../sparse_array.rs" 118 26 118 46] UIntSize.to_int (SparseArray_Sparse_Type.sparse_n ( * self)) < UIntSize.to_int (SparseArray_Sparse_Type.sparse_size ( * self)) }; [#"../sparse_array.rs" 120 12 120 20] _31 <- Borrow.borrow_final (SparseArray_Sparse_Type.sparse_idx ( * self)) (Borrow.inherit_id (Borrow.get_id self) 4); [#"../sparse_array.rs" 120 12 120 20] self <- { self with current = (let SparseArray_Sparse_Type.C_Sparse x0 x1 x2 x3 x4 = * self in SparseArray_Sparse_Type.C_Sparse x0 x1 x2 ( ^ _31) x4) ; }; - [#"../sparse_array.rs" 120 20 120 23] _30 <- ([#"../sparse_array.rs" 120 20 120 23] index_mut1 _31 ([#"../sparse_array.rs" 120 21 120 22] i)); + [#"../sparse_array.rs" 120 20 120 23] _30 <- ([#"../sparse_array.rs" 120 20 120 23] index_mut1 _31 i); _31 <- any borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)); goto BB14 } BB14 { - [#"../sparse_array.rs" 120 12 120 32] _30 <- { _30 with current = ([#"../sparse_array.rs" 120 26 120 32] SparseArray_Sparse_Type.sparse_n ( * self)) ; }; + [#"../sparse_array.rs" 120 12 120 32] _30 <- { _30 with current = SparseArray_Sparse_Type.sparse_n ( * self) ; }; assume { resolve3 _30 }; [#"../sparse_array.rs" 121 12 121 21] _35 <- Borrow.borrow_final (SparseArray_Sparse_Type.sparse_back ( * self)) (Borrow.inherit_id (Borrow.get_id self) 5); [#"../sparse_array.rs" 121 12 121 21] self <- { self with current = (let SparseArray_Sparse_Type.C_Sparse x0 x1 x2 x3 x4 = * self in SparseArray_Sparse_Type.C_Sparse x0 x1 x2 x3 ( ^ _35)) ; }; - [#"../sparse_array.rs" 121 21 121 29] _34 <- ([#"../sparse_array.rs" 121 21 121 29] index_mut1 _35 ([#"../sparse_array.rs" 121 22 121 28] SparseArray_Sparse_Type.sparse_n ( * self))); + [#"../sparse_array.rs" 121 21 121 29] _34 <- ([#"../sparse_array.rs" 121 21 121 29] index_mut1 _35 (SparseArray_Sparse_Type.sparse_n ( * self))); _35 <- any borrowed (Alloc_Vec_Vec_Type.t_vec usize 
(Alloc_Alloc_Global_Type.t_global)); goto BB15 } BB15 { - [#"../sparse_array.rs" 121 12 121 33] _34 <- { _34 with current = ([#"../sparse_array.rs" 121 32 121 33] i) ; }; + [#"../sparse_array.rs" 121 12 121 33] _34 <- { _34 with current = i ; }; assume { resolve3 _34 }; - [#"../sparse_array.rs" 122 12 122 23] self <- { self with current = (let SparseArray_Sparse_Type.C_Sparse x0 x1 x2 x3 x4 = * self in SparseArray_Sparse_Type.C_Sparse x0 ([#"../sparse_array.rs" 122 12 122 23] SparseArray_Sparse_Type.sparse_n ( * self) + ([#"../sparse_array.rs" 122 22 122 23] [#"../sparse_array.rs" 122 22 122 23] (1 : usize))) x2 x3 x4) ; }; + [#"../sparse_array.rs" 122 12 122 23] self <- { self with current = (let SparseArray_Sparse_Type.C_Sparse x0 x1 x2 x3 x4 = * self in SparseArray_Sparse_Type.C_Sparse x0 (SparseArray_Sparse_Type.sparse_n ( * self) + ([#"../sparse_array.rs" 122 22 122 23] (1 : usize))) x2 x3 x4) ; }; assert { [@expl:type invariant] inv3 self }; assume { resolve4 self }; [#"../sparse_array.rs" 115 54 123 9] _0 <- ([#"../sparse_array.rs" 115 54 123 9] ()); 
@@ -1001,7 +1029,8 @@ module SparseArray_Create requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model3 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant4 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv6 (shallow_model3 self) val invariant4 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1028,7 +1057,8 @@ module SparseArray_Create requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model2 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model2 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv5 (shallow_model2 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1074,7 +1104,8 @@ module SparseArray_Create ensures { result = shallow_model1 self } predicate invariant1 [#"../sparse_array.rs" 49 4 49 30] (self : SparseArray_Sparse_Type.t_sparse t) = - [#"../sparse_array.rs" 50 8 61 9] UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) <= UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model1 self) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model2 (SparseArray_Sparse_Type.sparse_values self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model3 (SparseArray_Sparse_Type.sparse_idx self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model3 (SparseArray_Sparse_Type.sparse_back self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) -> match index_logic2 (SparseArray_Sparse_Type.sparse_back self) i with + [#"../sparse_array.rs" 50 8 61 9] UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) <= UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model1 self) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model2 (SparseArray_Sparse_Type.sparse_values self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model3 (SparseArray_Sparse_Type.sparse_idx self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model3 (SparseArray_Sparse_Type.sparse_back self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ (forall i : int . 
0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) + -> match index_logic2 (SparseArray_Sparse_Type.sparse_back self) i with | j -> 0 <= UIntSize.to_int j /\ UIntSize.to_int j < UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ UIntSize.to_int (index_logic2 (SparseArray_Sparse_Type.sparse_idx self) (UIntSize.to_int j)) = i end) val invariant1 [#"../sparse_array.rs" 49 4 49 30] (self : SparseArray_Sparse_Type.t_sparse t) : bool @@ -1100,13 +1131,15 @@ module SparseArray_Create val from_elem1 (elem : usize) (n : usize) : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) requires {inv3 elem} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model3 result) = UIntSize.to_int n } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic2 result i = elem } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n + -> index_logic2 result i = elem } ensures { inv4 result } val from_elem0 (elem : t) (n : usize) : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) requires {inv0 elem} ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model2 result) = UIntSize.to_int n } - ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic1 result i = elem } + ensures { [#"../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n + -> index_logic1 result i = elem } ensures { inv2 result } predicate resolve0 (self : t) 
@@ -1116,7 +1149,8 @@ module SparseArray_Create let rec cfg create [#"../sparse_array.rs" 134 0 134 64] [@cfg:stackify] [@cfg:subregion_analysis] (sz : usize) (dummy : t) : SparseArray_Sparse_Type.t_sparse t requires {[#"../sparse_array.rs" 134 42 134 47] inv0 dummy} ensures { [#"../sparse_array.rs" 132 10 132 27] SparseArray_Sparse_Type.sparse_size result = sz } - ensures { [#"../sparse_array.rs" 133 0 133 67] forall i : int . 0 <= i /\ i < UIntSize.to_int sz -> Seq.get (shallow_model1 result) i = Core_Option_Option_Type.C_None } + ensures { [#"../sparse_array.rs" 133 0 133 67] forall i : int . 0 <= i /\ i < UIntSize.to_int sz + -> Seq.get (shallow_model1 result) i = Core_Option_Option_Type.C_None } ensures { [#"../sparse_array.rs" 134 55 134 64] inv1 result } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -1132,19 +1166,19 @@ module SparseArray_Create BB0 { assert { [@expl:type invariant] inv0 dummy }; assume { resolve0 dummy }; - [#"../../../../creusot-contracts/src/lib.rs" 196 8 196 40] _6 <- ([#"../sparse_array.rs" 135 37 135 52] from_elem0 ([#"../sparse_array.rs" 135 42 135 47] dummy) ([#"../sparse_array.rs" 135 49 135 51] sz)); + [#"../sparse_array.rs" 135 37 135 52] _6 <- ([#"../sparse_array.rs" 135 37 135 52] from_elem0 dummy sz); goto BB1 } BB1 { - [#"../../../../creusot-contracts/src/lib.rs" 196 8 196 40] _9 <- ([#"../sparse_array.rs" 135 59 135 70] from_elem1 ([#"../sparse_array.rs" 135 64 135 65] [#"../sparse_array.rs" 135 64 135 65] (0 : usize)) ([#"../sparse_array.rs" 135 67 135 69] sz)); + [#"../sparse_array.rs" 135 59 135 70] _9 <- ([#"../sparse_array.rs" 135 59 135 70] from_elem1 ([#"../sparse_array.rs" 135 64 135 65] (0 : usize)) sz); goto BB2 } BB2 { - [#"../../../../creusot-contracts/src/lib.rs" 196 8 196 40] _11 <- ([#"../sparse_array.rs" 135 78 135 89] from_elem1 ([#"../sparse_array.rs" 135 83 135 84] [#"../sparse_array.rs" 135 83 135 84] (0 : usize)) ([#"../sparse_array.rs" 135 86 135 88] sz)); + [#"../sparse_array.rs" 135 78 135 89] _11 <- ([#"../sparse_array.rs" 135 78 135 89] from_elem1 ([#"../sparse_array.rs" 135 83 135 84] (0 : usize)) sz); goto BB3 } BB3 { - [#"../sparse_array.rs" 135 4 135 91] _0 <- ([#"../sparse_array.rs" 135 4 135 91] SparseArray_Sparse_Type.C_Sparse ([#"../sparse_array.rs" 135 19 135 21] sz) ([#"../sparse_array.rs" 135 26 135 27] [#"../sparse_array.rs" 135 26 135 27] (0 : usize)) _6 _9 _11); + [#"../sparse_array.rs" 135 4 135 91] _0 <- SparseArray_Sparse_Type.C_Sparse sz ([#"../sparse_array.rs" 135 26 135 27] (0 : usize)) _6 _9 _11; _6 <- any Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global); _9 <- any Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); _11 <- any Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); 
@@ -1190,7 +1224,8 @@ module SparseArray_F requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self} ensures { result = shallow_model7 self } - axiom shallow_model7_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model7 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) + axiom shallow_model7_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model7 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) predicate invariant7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv8 (shallow_model7 self) val invariant7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1218,7 +1253,8 @@ module SparseArray_F requires {[#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) + -> ([#"../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model6 self)) && ([#"../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) predicate invariant5 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv6 (shallow_model6 self) val invariant5 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1308,7 +1344,8 @@ module SparseArray_F ensures { result = shallow_model2 self } predicate invariant0 [#"../sparse_array.rs" 49 4 49 30] (self : SparseArray_Sparse_Type.t_sparse int32) = - [#"../sparse_array.rs" 50 8 61 9] UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) <= UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model2 self) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model6 (SparseArray_Sparse_Type.sparse_values self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model7 (SparseArray_Sparse_Type.sparse_idx self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model7 (SparseArray_Sparse_Type.sparse_back self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) -> match index_logic2 (SparseArray_Sparse_Type.sparse_back self) i with + [#"../sparse_array.rs" 50 8 61 9] UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) <= UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model2 self) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model6 (SparseArray_Sparse_Type.sparse_values self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model7 (SparseArray_Sparse_Type.sparse_idx self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ Seq.length (shallow_model7 (SparseArray_Sparse_Type.sparse_back self)) = UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ (forall i : int . 
0 <= i /\ i < UIntSize.to_int (SparseArray_Sparse_Type.sparse_n self) + -> match index_logic2 (SparseArray_Sparse_Type.sparse_back self) i with | j -> 0 <= UIntSize.to_int j /\ UIntSize.to_int j < UIntSize.to_int (SparseArray_Sparse_Type.sparse_size self) /\ UIntSize.to_int (index_logic2 (SparseArray_Sparse_Type.sparse_idx self) (UIntSize.to_int j)) = i end) val invariant0 [#"../sparse_array.rs" 49 4 49 30] (self : SparseArray_Sparse_Type.t_sparse int32) : bool @@ -1320,7 +1357,7 @@ module SparseArray_F use prelude.Int32 use prelude.Int function shallow_model0 (self : int32) : int = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] Int32.to_int self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] Int32.to_int self val shallow_model0 (self : int32) : int ensures { result = shallow_model0 self } @@ -1328,7 +1365,7 @@ module SparseArray_F function shallow_model4 (self : borrowed (SparseArray_Sparse_Type.t_sparse int32)) : Seq.seq (Core_Option_Option_Type.t_option int32) = - [#"../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model2 ( * self) + [#"../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model2 ( * self) val shallow_model4 (self : borrowed (SparseArray_Sparse_Type.t_sparse int32)) : Seq.seq (Core_Option_Option_Type.t_option int32) ensures { result = shallow_model4 self } 
@@ -1337,13 +1374,14 @@ module SparseArray_F requires {[#"../sparse_array.rs" 112 20 112 24] inv4 self} requires {[#"../sparse_array.rs" 112 36 112 37] inv1 v} ensures { [#"../sparse_array.rs" 109 14 109 43] Seq.length (shallow_model2 ( ^ self)) = Seq.length (shallow_model4 self) } - ensures { [#"../sparse_array.rs" 110 4 110 95] forall j : int . 0 <= j /\ j < Seq.length (shallow_model4 self) /\ j <> UIntSize.to_int i -> Seq.get (shallow_model2 ( ^ self)) j = Seq.get (shallow_model4 self) j } + ensures { [#"../sparse_array.rs" 110 4 110 95] forall j : int . 0 <= j /\ j < Seq.length (shallow_model4 self) /\ j <> UIntSize.to_int i + -> Seq.get (shallow_model2 ( ^ self)) j = Seq.get (shallow_model4 self) j } ensures { [#"../sparse_array.rs" 111 14 111 37] Seq.get (shallow_model2 ( ^ self)) (UIntSize.to_int i) = Core_Option_Option_Type.C_Some v } function shallow_model3 (self : SparseArray_Sparse_Type.t_sparse int32) : Seq.seq (Core_Option_Option_Type.t_option int32) = - [#"../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model2 self + [#"../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model2 self val shallow_model3 (self : SparseArray_Sparse_Type.t_sparse int32) : Seq.seq (Core_Option_Option_Type.t_option int32) ensures { result = shallow_model3 self } 
@@ -1363,7 +1401,8 @@ module SparseArray_F val create0 [#"../sparse_array.rs" 134 0 134 64] (sz : usize) (dummy : int32) : SparseArray_Sparse_Type.t_sparse int32 requires {[#"../sparse_array.rs" 134 42 134 47] inv1 dummy} ensures { [#"../sparse_array.rs" 132 10 132 27] SparseArray_Sparse_Type.sparse_size result = sz } - ensures { [#"../sparse_array.rs" 133 0 133 67] forall i : int . 0 <= i /\ i < UIntSize.to_int sz -> Seq.get (shallow_model2 result) i = Core_Option_Option_Type.C_None } + ensures { [#"../sparse_array.rs" 133 0 133 67] forall i : int . 0 <= i /\ i < UIntSize.to_int sz + -> Seq.get (shallow_model2 result) i = Core_Option_Option_Type.C_None } ensures { [#"../sparse_array.rs" 134 55 134 64] inv0 result } let rec cfg f [#"../sparse_array.rs" 140 0 140 10] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () 
@@ -1390,20 +1429,20 @@ module SparseArray_F goto BB0 } BB0 { - [#"../sparse_array.rs" 141 18 141 19] default <- ([#"../sparse_array.rs" 141 18 141 19] [#"../sparse_array.rs" 141 18 141 19] (0 : int32)); - [#"../sparse_array.rs" 142 16 142 35] a <- ([#"../sparse_array.rs" 142 16 142 35] create0 ([#"../sparse_array.rs" 142 23 142 25] [#"../sparse_array.rs" 142 23 142 25] (10 : usize)) ([#"../sparse_array.rs" 142 27 142 34] default)); + [#"../sparse_array.rs" 141 18 141 19] default <- ([#"../sparse_array.rs" 141 18 141 19] (0 : int32)); + [#"../sparse_array.rs" 142 16 142 35] a <- ([#"../sparse_array.rs" 142 16 142 35] create0 ([#"../sparse_array.rs" 142 23 142 25] (10 : usize)) default); goto BB1 } BB1 { - [#"../sparse_array.rs" 143 16 143 35] b <- ([#"../sparse_array.rs" 143 16 143 35] create0 ([#"../sparse_array.rs" 143 23 143 25] [#"../sparse_array.rs" 143 23 143 25] (20 : usize)) ([#"../sparse_array.rs" 143 27 143 34] default)); + [#"../sparse_array.rs" 143 16 143 35] b <- ([#"../sparse_array.rs" 143 16 143 35] create0 ([#"../sparse_array.rs" 143 23 143 25] (20 : usize)) default); goto BB2 } BB2 { - [#"../sparse_array.rs" 144 16 144 24] x <- ([#"../sparse_array.rs" 144 16 144 24] get0 ([#"../sparse_array.rs" 144 16 144 17] a) ([#"../sparse_array.rs" 144 22 144 23] [#"../sparse_array.rs" 144 22 144 23] (5 : usize))); + [#"../sparse_array.rs" 144 16 144 24] x <- ([#"../sparse_array.rs" 144 16 144 24] get0 a ([#"../sparse_array.rs" 144 22 144 23] (5 : usize))); goto BB3 } BB3 { - [#"../sparse_array.rs" 145 16 145 24] y <- ([#"../sparse_array.rs" 145 16 145 24] get0 ([#"../sparse_array.rs" 145 16 145 17] b) ([#"../sparse_array.rs" 145 22 145 23] [#"../sparse_array.rs" 145 22 145 23] (7 : usize))); + [#"../sparse_array.rs" 145 16 145 24] y <- ([#"../sparse_array.rs" 145 16 145 24] get0 b ([#"../sparse_array.rs" 145 22 145 23] (7 : usize))); goto BB4 } BB4 { 
@@ -1411,7 +1450,7 @@ module SparseArray_F [#"../sparse_array.rs" 148 4 148 5] _13 <- Borrow.borrow_mut a; [#"../sparse_array.rs" 148 4 148 5] a <- ^ _13; assume { inv0 ( ^ _13) }; - [#"../sparse_array.rs" 148 4 148 15] _12 <- ([#"../sparse_array.rs" 148 4 148 15] set0 _13 ([#"../sparse_array.rs" 148 10 148 11] [#"../sparse_array.rs" 148 10 148 11] (5 : usize)) ([#"../sparse_array.rs" 148 13 148 14] [#"../sparse_array.rs" 148 13 148 14] (1 : int32))); + [#"../sparse_array.rs" 148 4 148 15] _12 <- ([#"../sparse_array.rs" 148 4 148 15] set0 _13 ([#"../sparse_array.rs" 148 10 148 11] (5 : usize)) ([#"../sparse_array.rs" 148 13 148 14] (1 : int32))); _13 <- any borrowed (SparseArray_Sparse_Type.t_sparse int32); goto BB5 } 
@@ -1419,23 +1458,23 @@ module SparseArray_F [#"../sparse_array.rs" 149 4 149 5] _15 <- Borrow.borrow_mut b; [#"../sparse_array.rs" 149 4 149 5] b <- ^ _15; assume { inv0 ( ^ _15) }; - [#"../sparse_array.rs" 149 4 149 15] _14 <- ([#"../sparse_array.rs" 149 4 149 15] set0 _15 ([#"../sparse_array.rs" 149 10 149 11] [#"../sparse_array.rs" 149 10 149 11] (7 : usize)) ([#"../sparse_array.rs" 149 13 149 14] [#"../sparse_array.rs" 149 13 149 14] (2 : int32))); + [#"../sparse_array.rs" 149 4 149 15] _14 <- ([#"../sparse_array.rs" 149 4 149 15] set0 _15 ([#"../sparse_array.rs" 149 10 149 11] (7 : usize)) ([#"../sparse_array.rs" 149 13 149 14] (2 : int32))); _15 <- any borrowed (SparseArray_Sparse_Type.t_sparse int32); goto BB6 } BB6 { - [#"../sparse_array.rs" 150 8 150 16] _16 <- ([#"../sparse_array.rs" 150 8 150 16] get0 ([#"../sparse_array.rs" 150 8 150 9] a) ([#"../sparse_array.rs" 150 14 150 15] [#"../sparse_array.rs" 150 14 150 15] (5 : usize))); + [#"../sparse_array.rs" 150 8 150 16] _16 <- ([#"../sparse_array.rs" 150 8 150 16] get0 a ([#"../sparse_array.rs" 150 14 150 15] (5 : usize))); goto BB7 } BB7 { - [#"../sparse_array.rs" 150 4 150 16] x <- ([#"../sparse_array.rs" 150 4 150 16] _16); - [#"../sparse_array.rs" 150 4 150 16] _16 <- any Core_Option_Option_Type.t_option int32; - [#"../sparse_array.rs" 151 8 151 16] _18 <- ([#"../sparse_array.rs" 151 8 151 16] get0 ([#"../sparse_array.rs" 151 8 151 9] b) ([#"../sparse_array.rs" 151 14 151 15] [#"../sparse_array.rs" 151 14 151 15] (7 : usize))); + [#"../sparse_array.rs" 150 4 150 16] x <- _16; + _16 <- any Core_Option_Option_Type.t_option int32; + [#"../sparse_array.rs" 151 8 151 16] _18 <- ([#"../sparse_array.rs" 151 8 151 16] get0 b ([#"../sparse_array.rs" 151 14 151 15] (7 : usize))); goto BB8 } BB8 { - [#"../sparse_array.rs" 151 4 151 16] y <- ([#"../sparse_array.rs" 151 4 151 16] _18); - [#"../sparse_array.rs" 151 4 151 16] _18 <- any Core_Option_Option_Type.t_option int32; + [#"../sparse_array.rs" 151 4 151 16] 
y <- _18; + _18 <- any Core_Option_Option_Type.t_option int32; assert { [@expl:assertion] [#"../sparse_array.rs" 152 18 155 5] match x with | Core_Option_Option_Type.C_None -> false | Core_Option_Option_Type.C_Some z -> shallow_model0 z = 1 
@@ -1444,44 +1483,44 @@ module SparseArray_F | Core_Option_Option_Type.C_None -> false | Core_Option_Option_Type.C_Some z -> shallow_model0 z = 2 end }; - [#"../sparse_array.rs" 161 8 161 16] _24 <- ([#"../sparse_array.rs" 161 8 161 16] get0 ([#"../sparse_array.rs" 161 8 161 9] a) ([#"../sparse_array.rs" 161 14 161 15] [#"../sparse_array.rs" 161 14 161 15] (7 : usize))); + [#"../sparse_array.rs" 161 8 161 16] _24 <- ([#"../sparse_array.rs" 161 8 161 16] get0 a ([#"../sparse_array.rs" 161 14 161 15] (7 : usize))); goto BB9 } BB9 { - [#"../sparse_array.rs" 161 4 161 16] x <- ([#"../sparse_array.rs" 161 4 161 16] _24); - [#"../sparse_array.rs" 161 4 161 16] _24 <- any Core_Option_Option_Type.t_option int32; - [#"../sparse_array.rs" 162 8 162 16] _26 <- ([#"../sparse_array.rs" 162 8 162 16] get0 ([#"../sparse_array.rs" 162 8 162 9] b) ([#"../sparse_array.rs" 162 14 162 15] [#"../sparse_array.rs" 162 14 162 15] (5 : usize))); + [#"../sparse_array.rs" 161 4 161 16] x <- _24; + _24 <- any Core_Option_Option_Type.t_option int32; + [#"../sparse_array.rs" 162 8 162 16] _26 <- ([#"../sparse_array.rs" 162 8 162 16] get0 b ([#"../sparse_array.rs" 162 14 162 15] (5 : usize))); goto BB10 } BB10 { - [#"../sparse_array.rs" 162 4 162 16] y <- ([#"../sparse_array.rs" 162 4 162 16] _26); - [#"../sparse_array.rs" 162 4 162 16] _26 <- any Core_Option_Option_Type.t_option int32; + [#"../sparse_array.rs" 162 4 162 16] y <- _26; + _26 <- any Core_Option_Option_Type.t_option int32; assert { [@expl:assertion] [#"../sparse_array.rs" 163 18 163 40] x = Core_Option_Option_Type.C_None /\ y = Core_Option_Option_Type.C_None }; - [#"../sparse_array.rs" 165 8 165 16] _30 <- ([#"../sparse_array.rs" 165 8 165 16] get0 ([#"../sparse_array.rs" 165 8 165 9] a) ([#"../sparse_array.rs" 165 14 165 15] [#"../sparse_array.rs" 165 14 165 15] (0 : usize))); + [#"../sparse_array.rs" 165 8 165 16] _30 <- ([#"../sparse_array.rs" 165 8 165 16] get0 a ([#"../sparse_array.rs" 165 14 165 15] (0 : usize))); goto BB11 } 
BB11 { - [#"../sparse_array.rs" 165 4 165 16] x <- ([#"../sparse_array.rs" 165 4 165 16] _30); - [#"../sparse_array.rs" 165 4 165 16] _30 <- any Core_Option_Option_Type.t_option int32; - [#"../sparse_array.rs" 166 8 166 16] _32 <- ([#"../sparse_array.rs" 166 8 166 16] get0 ([#"../sparse_array.rs" 166 8 166 9] b) ([#"../sparse_array.rs" 166 14 166 15] [#"../sparse_array.rs" 166 14 166 15] (0 : usize))); + [#"../sparse_array.rs" 165 4 165 16] x <- _30; + _30 <- any Core_Option_Option_Type.t_option int32; + [#"../sparse_array.rs" 166 8 166 16] _32 <- ([#"../sparse_array.rs" 166 8 166 16] get0 b ([#"../sparse_array.rs" 166 14 166 15] (0 : usize))); goto BB12 } BB12 { - [#"../sparse_array.rs" 166 4 166 16] y <- ([#"../sparse_array.rs" 166 4 166 16] _32); - [#"../sparse_array.rs" 166 4 166 16] _32 <- any Core_Option_Option_Type.t_option int32; + [#"../sparse_array.rs" 166 4 166 16] y <- _32; + _32 <- any Core_Option_Option_Type.t_option int32; assert { [@expl:assertion] [#"../sparse_array.rs" 167 18 167 40] x = Core_Option_Option_Type.C_None /\ y = Core_Option_Option_Type.C_None }; - [#"../sparse_array.rs" 169 8 169 16] _36 <- ([#"../sparse_array.rs" 169 8 169 16] get0 ([#"../sparse_array.rs" 169 8 169 9] a) ([#"../sparse_array.rs" 169 14 169 15] [#"../sparse_array.rs" 169 14 169 15] (9 : usize))); + [#"../sparse_array.rs" 169 8 169 16] _36 <- ([#"../sparse_array.rs" 169 8 169 16] get0 a ([#"../sparse_array.rs" 169 14 169 15] (9 : usize))); goto BB13 } BB13 { - [#"../sparse_array.rs" 169 4 169 16] x <- ([#"../sparse_array.rs" 169 4 169 16] _36); - [#"../sparse_array.rs" 169 4 169 16] _36 <- any Core_Option_Option_Type.t_option int32; - [#"../sparse_array.rs" 170 8 170 16] _38 <- ([#"../sparse_array.rs" 170 8 170 16] get0 ([#"../sparse_array.rs" 170 8 170 9] b) ([#"../sparse_array.rs" 170 14 170 15] [#"../sparse_array.rs" 170 14 170 15] (9 : usize))); + [#"../sparse_array.rs" 169 4 169 16] x <- _36; + _36 <- any Core_Option_Option_Type.t_option int32; + 
[#"../sparse_array.rs" 170 8 170 16] _38 <- ([#"../sparse_array.rs" 170 8 170 16] get0 b ([#"../sparse_array.rs" 170 14 170 15] (9 : usize))); goto BB14 } BB14 { - [#"../sparse_array.rs" 170 4 170 16] y <- ([#"../sparse_array.rs" 170 4 170 16] _38); - [#"../sparse_array.rs" 170 4 170 16] _38 <- any Core_Option_Option_Type.t_option int32; + [#"../sparse_array.rs" 170 4 170 16] y <- _38; + _38 <- any Core_Option_Option_Type.t_option int32; assert { [@expl:assertion] [#"../sparse_array.rs" 171 18 171 40] x = Core_Option_Option_Type.C_None /\ y = Core_Option_Option_Type.C_None }; [#"../sparse_array.rs" 171 4 171 41] _0 <- ([#"../sparse_array.rs" 171 4 171 41] ()); goto BB15
diff --git a/creusot/tests/should_succeed/sparse_array.rs b/creusot/tests/should_succeed/sparse_array.rs
index cff884529a..20fd0adb32 100644
--- a/creusot/tests/should_succeed/sparse_array.rs
+++ b/creusot/tests/should_succeed/sparse_array.rs
@@ -33,7 +33,7 @@ pub struct Sparse {
 impl ShallowModel for Sparse {
 type ShallowModelTy = Seq>;
- #[ghost]
+ #[logic]
 #[open(self)]
 fn shallow_model(self) -> Self::ShallowModelTy {
 pearlite! {
@@ -68,7 +68,7 @@ impl Sparse {
 * (1) check that array `idx` maps `i` to a index `j` between 0 and `n` (excluded)
 * (2) check that `back[j]` is `i`
 */
- #[ghost]
+ #[logic]
 fn is_elt(&self, i: Int) -> bool {
 pearlite! {
 self.idx[i]@ < self.n@ && self.back[self.idx[i]@]@ == i
@@ -97,7 +97,7 @@ impl Sparse {
 /* A key lemma to prove for safety of access in `set()` */
- #[ghost]
+ #[logic]
 #[requires(self.n == self.size)]
 #[requires(0 <= i && i < self.size@)]
 #[ensures(self.is_elt(i))]
@@ -114,7 +114,7 @@ impl Sparse {
 let index = self.idx[i];
 if !(index < self.n && self.back[index] == i) {
 // the hard assertion!
- gh!(Self::lemma_permutation);
+ snapshot!(Self::lemma_permutation);
 proof_assert!(self.n@ < self.size@);
 // assert!(self.n < self.size);
 self.idx[i] = self.n;
diff --git a/creusot/tests/should_succeed/sparse_array/why3session.xml b/creusot/tests/should_succeed/sparse_array/why3session.xml index e28360c26e..3f75890758 100644 --- a/creusot/tests/should_succeed/sparse_array/why3session.xml +++ b/creusot/tests/should_succeed/sparse_array/why3session.xml @@ -9,34 +9,34 @@ - + - + - + - + - + - - + + - + - + - - + + - - - - + + + + @@ -53,103 +53,103 @@ - + - + - + - - + + - + - + - + - + - - + + - - + + - + - + - - + + - + - + - - + + - - + + - - + + - + - + - + - + - + - - + + - - + + @@ -158,12 +158,12 @@ - + - + diff --git a/creusot/tests/should_succeed/sparse_array/why3shapes.gz b/creusot/tests/should_succeed/sparse_array/why3shapes.gz index e61ca48563..dcd64fa10f 100644 Binary files a/creusot/tests/should_succeed/sparse_array/why3shapes.gz and b/creusot/tests/should_succeed/sparse_array/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/specification/division.mlcfg b/creusot/tests/should_succeed/specification/division.mlcfg index 55664b635c..2d53404a9a 100644 --- a/creusot/tests/should_succeed/specification/division.mlcfg +++ b/creusot/tests/should_succeed/specification/division.mlcfg @@ -15,13 +15,13 @@ module Division_Divide goto BB0 } BB0 { - [#"../division.rs" 7 8 7 9] _5 <- ([#"../division.rs" 7 8 7 9] x); - [#"../division.rs" 7 4 7 9] _6 <- ([#"../division.rs" 7 4 7 9] _5 = ([#"../division.rs" 7 4 7 9] [#"../division.rs" 7 4 7 9] (0 : uint32))); + [#"../division.rs" 7 8 7 9] _5 <- x; + [#"../division.rs" 7 4 7 9] _6 <- _5 = ([#"../division.rs" 7 4 7 9] (0 : uint32)); assert { [@expl:division by zero] [#"../division.rs" 7 4 7 9] not _6 }; goto BB1 } BB1 { - [#"../division.rs" 7 4 7 9] _0 <- ([#"../division.rs" 7 4 7 9] ([#"../division.rs" 7 4 7 5] y) / _5); + [#"../division.rs" 7 4 7 9] _0 <- y / _5; _5 <- any uint32; return _0 } diff --git a/creusot/tests/should_succeed/specification/forall.mlcfg b/creusot/tests/should_succeed/specification/forall.mlcfg index f4f9ba2051..d2905b36d8 100644 
--- a/creusot/tests/should_succeed/specification/forall.mlcfg +++ b/creusot/tests/should_succeed/specification/forall.mlcfg @@ -18,10 +18,8 @@ module Forall_F end module Forall_Omg_Impl use prelude.Int - let rec ghost predicate omg [#"../forall.rs" 12 0 12 34] (a : int) (b : int) - requires {[#"../forall.rs" 10 11 10 17] a <= b} - ensures { [#"../forall.rs" 11 10 11 14] true } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../forall.rs" 13 4 15 7] pure {exists c : int . a + c = b} + constant a : int + constant b : int + predicate omg [#"../forall.rs" 12 0 12 34] (a : int) (b : int) + goal vc_omg : [#"../forall.rs" 11 10 11 14] true end diff --git a/creusot/tests/should_succeed/specification/forall/why3session.xml b/creusot/tests/should_succeed/specification/forall/why3session.xml index a13cb3153e..7bd4f2e982 100644 --- a/creusot/tests/should_succeed/specification/forall/why3session.xml +++ b/creusot/tests/should_succeed/specification/forall/why3session.xml @@ -11,7 +11,7 @@ - + diff --git a/creusot/tests/should_succeed/specification/forall/why3shapes.gz b/creusot/tests/should_succeed/specification/forall/why3shapes.gz index 5091d03c58..0fa81b2f15 100644 Binary files a/creusot/tests/should_succeed/specification/forall/why3shapes.gz and b/creusot/tests/should_succeed/specification/forall/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/specification/logic_call.mlcfg b/creusot/tests/should_succeed/specification/logic_call.mlcfg index 9f18d949a6..90835dd6b0 100644 --- a/creusot/tests/should_succeed/specification/logic_call.mlcfg +++ b/creusot/tests/should_succeed/specification/logic_call.mlcfg @@ -16,7 +16,7 @@ module LogicCall_Dummy goto BB0 } BB0 { - [#"../logic_call.rs" 12 4 12 5] _0 <- ([#"../logic_call.rs" 12 4 12 5] [#"../logic_call.rs" 12 4 12 5] (0 : uint32)); + [#"../logic_call.rs" 12 4 12 5] _0 <- ([#"../logic_call.rs" 12 4 12 5] (0 : uint32)); return _0 } 
diff --git a/creusot/tests/should_succeed/specification/logic_call.rs b/creusot/tests/should_succeed/specification/logic_call.rs
index 9d75253f5d..db19f7db1f 100644
--- a/creusot/tests/should_succeed/specification/logic_call.rs
+++ b/creusot/tests/should_succeed/specification/logic_call.rs
@@ -2,7 +2,7 @@ extern crate creusot_contracts;
 use creusot_contracts::*;
-#[ghost]
+#[logic]
 fn reflexive(x: T) -> bool {
 pearlite! { x == x }
 }
diff --git a/creusot/tests/should_succeed/specification/logic_functions.rs b/creusot/tests/should_succeed/specification/logic_functions.rs
index b0b2ae096d..553dcb2f8c 100644
--- a/creusot/tests/should_succeed/specification/logic_functions.rs
+++ b/creusot/tests/should_succeed/specification/logic_functions.rs
@@ -1,7 +1,7 @@
 extern crate creusot_contracts;
 use creusot_contracts::{logic::Int, *};
-#[ghost]
+#[logic]
 fn logic() -> bool {
 true
 }
@@ -10,7 +10,7 @@ fn logic() -> bool {
 pub fn use_logic() {}
 // When we want to use pearlite syntax, we use pearlite! macro
-#[ghost]
+#[logic]
 fn logic_pearlite() -> bool {
 pearlite! { 0 == 0 }
 }
@@ -21,7 +21,7 @@ pub fn use_logic_pearlite() {}
 pub mod nested {
 use creusot_contracts::*;
- #[ghost]
+ #[logic]
 #[open]
 pub fn nested() -> bool {
 true
@@ -29,7 +29,7 @@ pub mod nested {
 }
 #[open]
-#[ghost]
+#[logic]
 pub fn arith(n: Int, b: bool) -> Int {
 if !b {
 -n + n - n * n
@@ -39,7 +39,7 @@ pub fn arith(n: Int, b: bool) -> Int {
 }
 #[open]
-#[ghost]
+#[logic]
 pub fn deref_pat<'a>(o: &'a Option) -> Int {
 match o {
 Some(a) => *a,
diff --git a/creusot/tests/should_succeed/specification/loops.mlcfg b/creusot/tests/should_succeed/specification/loops.mlcfg
index b94afea8f7..bdf5f2abd2 100644
--- a/creusot/tests/should_succeed/specification/loops.mlcfg
+++ b/creusot/tests/should_succeed/specification/loops.mlcfg
@@ -15,7 +15,7 @@ module Loops_WhileLoopVariant goto BB2 } BB2 { - switch ([#"../loops.rs" 6 10 6 11] x) + switch (x) | False -> goto BB4 | True -> goto BB3 end
diff --git a/creusot/tests/should_succeed/specification/model.rs b/creusot/tests/should_succeed/specification/model.rs
index 2f93c5f6d7..5407192a21 100644
--- a/creusot/tests/should_succeed/specification/model.rs
+++ b/creusot/tests/should_succeed/specification/model.rs
@@ -6,7 +6,7 @@ pub struct Seven();
 impl ShallowModel for Seven {
 type ShallowModelTy = Int;
- #[ghost]
+ #[logic]
 #[open]
 #[trusted]
 fn shallow_model(self) -> Self::ShallowModelTy {
@@ -25,7 +25,7 @@ pub struct Pair(T, U);
 impl ShallowModel for Pair {
 type ShallowModelTy = (T, U);
- #[ghost]
+ #[logic]
 #[open]
 #[trusted]
 fn shallow_model(self) -> Self::ShallowModelTy {
diff --git a/creusot/tests/should_succeed/specification/trusted.mlcfg b/creusot/tests/should_succeed/specification/trusted.mlcfg
index 0cda691d90..97a7981afd 100644
--- a/creusot/tests/should_succeed/specification/trusted.mlcfg
+++ b/creusot/tests/should_succeed/specification/trusted.mlcfg
@@ -14,7 +14,7 @@ module Trusted_VictimOfLie goto BB0 } BB0 { - [#"../trusted.rs" 19 4 19 9] _0 <- ([#"../trusted.rs" 19 4 19 9] lie0 ()); + [#"../trusted.rs" 19 4 19 9] _0 <- ([#"../trusted.rs" 19 4 19 9] lie0 ([#"../trusted.rs" 19 4 19 9] ())); goto BB1 } BB1 {
diff --git a/creusot/tests/should_succeed/split_borrow.mlcfg b/creusot/tests/should_succeed/split_borrow.mlcfg
index 273608c8c3..487120ff2f 100644
--- a/creusot/tests/should_succeed/split_borrow.mlcfg
+++ b/creusot/tests/should_succeed/split_borrow.mlcfg
@@ -7,7 +7,7 @@ module SplitBorrow_Z goto BB0 } BB0 { - [#"../split_borrow.rs" 6 4 6 8] _0 <- ([#"../split_borrow.rs" 6 4 6 8] [#"../split_borrow.rs" 6 4 6 8] true); + [#"../split_borrow.rs" 6 4 6 8] _0 <- ([#"../split_borrow.rs" 6 4 6 8] true); return _0 }
@@ -44,17 +44,25 @@ module SplitBorrow_F = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var x : (SplitBorrow_MyInt_Type.t_myint, SplitBorrow_MyInt_Type.t_myint); + var _2 : SplitBorrow_MyInt_Type.t_myint; + var _3 : SplitBorrow_MyInt_Type.t_myint; var y : borrowed (SplitBorrow_MyInt_Type.t_myint, SplitBorrow_MyInt_Type.t_myint); var _5 : (); var _6 : bool; + var _7 : SplitBorrow_MyInt_Type.t_myint; + var _8 : SplitBorrow_MyInt_Type.t_myint; { goto BB0 } BB0 { - [#"../split_borrow.rs" 10 16 10 36] x <- ([#"../split_borrow.rs" 10 16 10 36] (([#"../split_borrow.rs" 10 17 10 25] SplitBorrow_MyInt_Type.C_MyInt ([#"../split_borrow.rs" 10 23 10 24] [#"../split_borrow.rs" 10 23 10 24] (1 : usize))), ([#"../split_borrow.rs" 10 27 10 35] SplitBorrow_MyInt_Type.C_MyInt ([#"../split_borrow.rs" 10 33 10 34] [#"../split_borrow.rs" 10 33 10 34] (2 : usize))))); + [#"../split_borrow.rs" 10 17 10 25] _2 <- SplitBorrow_MyInt_Type.C_MyInt ([#"../split_borrow.rs" 10 23 10 24] (1 : usize)); + [#"../split_borrow.rs" 10 27 10 35] _3 <- SplitBorrow_MyInt_Type.C_MyInt ([#"../split_borrow.rs" 10 33 10 34] (2 : usize)); + [#"../split_borrow.rs" 10 16 10 36] x <- (_2, _3); + _2 <- any SplitBorrow_MyInt_Type.t_myint; + _3 <- any SplitBorrow_MyInt_Type.t_myint; [#"../split_borrow.rs" 11 12 11 18] y <- Borrow.borrow_mut x; [#"../split_borrow.rs" 11 12 11 18] x <- ^ y; - [#"../split_borrow.rs" 13 7 13 10] _6 <- ([#"../split_borrow.rs" 13 7 13 10] z0 ()); + [#"../split_borrow.rs" 13 7 13 10] _6 <- ([#"../split_borrow.rs" 13 7 13 10] z0 ([#"../split_borrow.rs" 13 7 13 10] ())); goto BB1 } BB1 { 
@@ -64,12 +72,16 @@ module SplitBorrow_F end } BB2 { - [#"../split_borrow.rs" 14 8 14 25] y <- { y with current = (let (x0, x1) = * y in (x0, ([#"../split_borrow.rs" 14 17 14 25] SplitBorrow_MyInt_Type.C_MyInt ([#"../split_borrow.rs" 14 23 14 24] [#"../split_borrow.rs" 14 23 14 24] (4 : usize))))) ; }; + [#"../split_borrow.rs" 14 17 14 25] _7 <- SplitBorrow_MyInt_Type.C_MyInt ([#"../split_borrow.rs" 14 23 14 24] (4 : usize)); + [#"../split_borrow.rs" 14 8 14 25] y <- { y with current = (let (x0, x1) = * y in (x0, _7)) ; }; + _7 <- any SplitBorrow_MyInt_Type.t_myint; [#"../split_borrow.rs" 13 11 15 5] _5 <- ([#"../split_borrow.rs" 13 11 15 5] ()); goto BB4 } BB3 { - [#"../split_borrow.rs" 16 8 16 26] y <- { y with current = (let (x0, x1) = * y in (([#"../split_borrow.rs" 16 17 16 26] SplitBorrow_MyInt_Type.C_MyInt ([#"../split_borrow.rs" 16 23 16 25] [#"../split_borrow.rs" 16 23 16 25] (10 : usize))), x1)) ; }; + [#"../split_borrow.rs" 16 17 16 26] _8 <- SplitBorrow_MyInt_Type.C_MyInt ([#"../split_borrow.rs" 16 23 16 25] (10 : usize)); + [#"../split_borrow.rs" 16 8 16 26] y <- { y with current = (let (x0, x1) = * y in (_8, x1)) ; }; + _8 <- any SplitBorrow_MyInt_Type.t_myint; [#"../split_borrow.rs" 15 11 17 5] _5 <- ([#"../split_borrow.rs" 15 11 17 5] ()); goto BB4 } 
@@ -110,19 +122,28 @@ module SplitBorrow_G = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var a : (SplitBorrow_MyInt_Type.t_myint, SplitBorrow_MyInt_Type.t_myint); + var _2 : SplitBorrow_MyInt_Type.t_myint; + var _3 : SplitBorrow_MyInt_Type.t_myint; var x : borrowed (SplitBorrow_MyInt_Type.t_myint, SplitBorrow_MyInt_Type.t_myint); var _z : borrowed (SplitBorrow_MyInt_Type.t_myint); + var _6 : SplitBorrow_MyInt_Type.t_myint; { goto BB0 } BB0 { - [#"../split_borrow.rs" 24 16 24 36] a <- ([#"../split_borrow.rs" 24 16 24 36] (([#"../split_borrow.rs" 24 17 24 25] SplitBorrow_MyInt_Type.C_MyInt ([#"../split_borrow.rs" 24 23 24 24] [#"../split_borrow.rs" 24 23 24 24] (1 : usize))), ([#"../split_borrow.rs" 24 27 24 35] SplitBorrow_MyInt_Type.C_MyInt ([#"../split_borrow.rs" 24 33 24 34] [#"../split_borrow.rs" 24 33 24 34] (2 : usize))))); + [#"../split_borrow.rs" 24 17 24 25] _2 <- SplitBorrow_MyInt_Type.C_MyInt ([#"../split_borrow.rs" 24 23 24 24] (1 : usize)); + [#"../split_borrow.rs" 24 27 24 35] _3 <- SplitBorrow_MyInt_Type.C_MyInt ([#"../split_borrow.rs" 24 33 24 34] (2 : usize)); + [#"../split_borrow.rs" 24 16 24 36] a <- (_2, _3); + _2 <- any SplitBorrow_MyInt_Type.t_myint; + _3 <- any SplitBorrow_MyInt_Type.t_myint; [#"../split_borrow.rs" 25 12 25 18] x <- Borrow.borrow_mut a; [#"../split_borrow.rs" 25 12 25 18] a <- ^ x; [#"../split_borrow.rs" 27 13 27 21] _z <- Borrow.borrow_final (let (_, a) = * x in a) (Borrow.inherit_id (Borrow.get_id x) 2); [#"../split_borrow.rs" 27 13 27 21] x <- { x with current = (let (x0, x1) = * x in (x0, ^ _z)) ; }; assume { resolve0 _z }; - [#"../split_borrow.rs" 29 4 29 21] x <- { x with current = (let (x0, x1) = * x in (([#"../split_borrow.rs" 29 13 29 21] SplitBorrow_MyInt_Type.C_MyInt ([#"../split_borrow.rs" 29 19 29 20] [#"../split_borrow.rs" 29 19 29 20] (3 : usize))), x1)) ; }; + [#"../split_borrow.rs" 29 13 29 21] _6 <- SplitBorrow_MyInt_Type.C_MyInt ([#"../split_borrow.rs" 29 19 29 20] (3 : usize)); + [#"../split_borrow.rs" 29 
4 29 21] x <- { x with current = (let (x0, x1) = * x in (_6, x1)) ; }; + _6 <- any SplitBorrow_MyInt_Type.t_myint; assume { resolve1 x }; assume { resolve2 a }; [#"../split_borrow.rs" 23 11 32 1] _0 <- ([#"../split_borrow.rs" 23 11 32 1] ()); diff --git a/creusot/tests/should_succeed/std_types.rs b/creusot/tests/should_succeed/std_types.rs index 2aed557a1a..1ec28c7987 100644 --- a/creusot/tests/should_succeed/std_types.rs +++ b/creusot/tests/should_succeed/std_types.rs @@ -1,5 +1,5 @@ extern crate creusot_contracts; -pub struct MyType(Option); +pub struct MyType(pub Option); pub fn x(_x: MyType) {} diff --git a/creusot/tests/should_succeed/sum.mlcfg b/creusot/tests/should_succeed/sum.mlcfg index 2be602f1d5..24accef357 100644 --- a/creusot/tests/should_succeed/sum.mlcfg +++ b/creusot/tests/should_succeed/sum.mlcfg @@ -96,7 +96,9 @@ module Sum_SumFirstN requires {[#"../../../../creusot-contracts/src/std/ops.rs" 207 20 207 24] inv0 self} ensures { result = is_empty_log0 self } - axiom is_empty_log0_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32 . ([#"../../../../creusot-contracts/src/std/ops.rs" 207 20 207 24] inv0 self) -> ([#"../../../../creusot-contracts/src/std/ops.rs" 206 4 206 88] not is_empty_log0 self -> deep_model0 (start_log0 self) <= deep_model0 (end_log0 self)) + axiom is_empty_log0_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32 . ([#"../../../../creusot-contracts/src/std/ops.rs" 207 20 207 24] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/ops.rs" 206 4 206 88] not is_empty_log0 self + -> deep_model0 (start_log0 self) <= deep_model0 (end_log0 self)) function range_inclusive_len0 (r : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32) : int = [#"../../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5] if is_empty_log0 r then 0 
@@ -107,12 +109,15 @@ module Sum_SumFirstN requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 46 62 46 63] inv0 r} ensures { result = range_inclusive_len0 r } - axiom range_inclusive_len0_spec : forall r : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32 . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 46 62 46 63] inv0 r) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43] is_empty_log0 r = (range_inclusive_len0 r = 0)) + axiom range_inclusive_len0_spec : forall r : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32 . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 46 62 46 63] inv0 r) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43] is_empty_log0 r = (range_inclusive_len0 r = 0)) use seq.Seq predicate produces0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32) (visited : Seq.seq uint32) (o : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32) = - [#"../../../../creusot-contracts/src/std/iter/range.rs" 65 8 71 9] Seq.length visited = range_inclusive_len0 self - range_inclusive_len0 o /\ (is_empty_log0 self -> is_empty_log0 o) /\ (is_empty_log0 o \/ end_log0 self = end_log0 o) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (start_log0 self) + i) + [#"../../../../creusot-contracts/src/std/iter/range.rs" 65 8 71 9] Seq.length visited = range_inclusive_len0 self - range_inclusive_len0 o /\ (is_empty_log0 self + -> is_empty_log0 o) /\ (is_empty_log0 o \/ end_log0 self = end_log0 o) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (start_log0 self) + i) val produces0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32) (visited : Seq.seq uint32) (o : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32) : bool ensures { result = produces0 self visited o } 
@@ -130,7 +135,14 @@ module Sum_SumFirstN requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 84 82 84 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32, ab : Seq.seq uint32, b : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32, bc : Seq.seq uint32, c : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32 . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 81 15 81 32] produces0 a ab b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 82 15 82 32] produces0 b bc c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 22 84 23] inv0 a) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 31 84 33] inv4 ab) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 52 84 53] inv0 b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 61 84 63] inv4 bc) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 82 84 83] inv0 c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 83 14 83 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32, ab : Seq.seq uint32, b : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32, bc : Seq.seq uint32, c : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32 . 
([#"../../../../creusot-contracts/src/std/iter/range.rs" 81 15 81 32] produces0 a ab b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 82 15 82 32] produces0 b bc c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 22 84 23] inv0 a) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 31 84 33] inv4 ab) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 52 84 53] inv0 b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 61 84 63] inv4 bc) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 84 82 84 83] inv0 c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 83 14 83 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32) : () = [#"../../../../creusot-contracts/src/std/iter/range.rs" 74 4 74 10] () 
@@ -138,17 +150,18 @@ module Sum_SumFirstN requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 77 21 77 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32 . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 77 21 77 25] inv0 self) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 76 14 76 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32 . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 77 21 77 25] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 76 14 76 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32) = [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32) : bool ensures { result = invariant0 self } axiom inv0 : forall x : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32 . inv0 x = true - use prelude.Ghost + use prelude.Snapshot use seq.Seq predicate resolve0 (self : borrowed (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32)) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32)) : bool ensures { result = resolve0 self } 
@@ -165,11 +178,11 @@ module Sum_SumFirstN end } ensures { inv3 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32) (res : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32) = @@ -193,7 +206,8 @@ module Sum_SumFirstN requires {inv1 end'} ensures { [#"../../../../creusot-contracts/src/std/ops.rs" 220 26 220 53] start_log0 result = start } ensures { [#"../../../../creusot-contracts/src/std/ops.rs" 221 26 221 49] end_log0 result = end' } - ensures { [#"../../../../creusot-contracts/src/std/ops.rs" 222 16 222 93] deep_model0 start <= deep_model0 end' -> not is_empty_log0 result } + ensures { [#"../../../../creusot-contracts/src/std/ops.rs" 222 16 222 93] deep_model0 start <= deep_model0 end' + -> not is_empty_log0 result } ensures { inv0 result } let rec cfg sum_first_n [#"../sum.rs" 6 0 6 33] [@cfg:stackify] [@cfg:subregion_analysis] (n : uint32) : uint32 
@@ -206,20 +220,20 @@ module Sum_SumFirstN var sum : uint32; var iter : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32; var _7 : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32); - var produced : Ghost.ghost_ty (Seq.seq uint32); + var iter_old : Snapshot.snap_ty (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32); + var produced : Snapshot.snap_ty (Seq.seq uint32); var _17 : Core_Option_Option_Type.t_option uint32; var _18 : borrowed (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32); var _19 : borrowed (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive uint32); var __creusot_proc_iter_elem : uint32; - var _22 : Ghost.ghost_ty (Seq.seq uint32); + var _22 : Snapshot.snap_ty (Seq.seq uint32); var i : uint32; { goto BB0 } BB0 { - [#"../sum.rs" 7 18 7 19] sum <- ([#"../sum.rs" 7 18 7 19] [#"../sum.rs" 7 18 7 19] (0 : uint32)); - [#"../sum.rs" 9 13 9 18] _7 <- ([#"../sum.rs" 9 13 9 18] new0 ([#"../sum.rs" 9 13 9 14] [#"../sum.rs" 9 13 9 14] (1 : uint32)) ([#"../sum.rs" 9 17 9 18] n)); + [#"../sum.rs" 7 18 7 19] sum <- ([#"../sum.rs" 7 18 7 19] (0 : uint32)); + [#"../sum.rs" 9 13 9 18] _7 <- ([#"../sum.rs" 9 13 9 18] new0 ([#"../sum.rs" 9 13 9 14] (1 : uint32)) n); goto BB1 } BB1 { @@ -228,11 +242,11 @@ module Sum_SumFirstN goto BB2 } BB2 { - [#"../sum.rs" 8 4 8 67] iter_old <- ([#"../sum.rs" 8 4 8 67] Ghost.new iter); + [#"../sum.rs" 8 4 8 67] iter_old <- ([#"../sum.rs" 8 4 8 67] Snapshot.new iter); goto BB3 } BB3 { - [#"../sum.rs" 8 4 8 67] produced <- ([#"../sum.rs" 8 4 8 67] Ghost.new (Seq.empty )); + [#"../sum.rs" 8 4 8 67] produced <- ([#"../sum.rs" 8 4 8 67] Snapshot.new (Seq.empty )); goto BB4 } BB4 { 
@@ -240,8 +254,8 @@ module Sum_SumFirstN } BB5 { invariant { [#"../sum.rs" 8 4 8 67] inv0 iter }; - invariant { [#"../sum.rs" 8 4 8 67] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../sum.rs" 8 16 8 65] UInt32.to_int sum = div (Seq.length (Ghost.inner produced) * (Seq.length (Ghost.inner produced) + 1)) 2 }; + invariant { [#"../sum.rs" 8 4 8 67] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../sum.rs" 8 16 8 65] UInt32.to_int sum = div (Seq.length (Snapshot.inner produced) * (Seq.length (Snapshot.inner produced) + 1)) 2 }; goto BB6 } BB6 { @@ -261,7 +275,7 @@ module Sum_SumFirstN end } BB8 { - [#"../sum.rs" 12 4 12 7] _0 <- ([#"../sum.rs" 12 4 12 7] sum); + [#"../sum.rs" 12 4 12 7] _0 <- sum; return _0 } BB9 { 
@@ -272,15 +286,15 @@ module Sum_SumFirstN absurd } BB11 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _17); - [#"../sum.rs" 8 4 8 67] _22 <- ([#"../sum.rs" 8 4 8 67] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _17; + [#"../sum.rs" 8 4 8 67] _22 <- ([#"../sum.rs" 8 4 8 67] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB12 } BB12 { - [#"../sum.rs" 8 4 8 67] produced <- ([#"../sum.rs" 8 4 8 67] _22); - [#"../sum.rs" 8 4 8 67] _22 <- any Ghost.ghost_ty (Seq.seq uint32); - [#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] i <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem); - [#"../sum.rs" 10 8 10 16] sum <- ([#"../sum.rs" 10 8 10 16] sum + ([#"../sum.rs" 10 15 10 16] i)); + [#"../sum.rs" 8 4 8 67] produced <- _22; + _22 <- any Snapshot.snap_ty (Seq.seq uint32); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] i <- __creusot_proc_iter_elem; + [#"../sum.rs" 10 8 10 16] sum <- sum + i; goto BB5 } diff --git a/creusot/tests/should_succeed/sum_of_odds.mlcfg b/creusot/tests/should_succeed/sum_of_odds.mlcfg index 67a12e3b14..fdedb69611 100644 --- a/creusot/tests/should_succeed/sum_of_odds.mlcfg +++ b/creusot/tests/should_succeed/sum_of_odds.mlcfg 
@@ -1,11 +1,12 @@ module SumOfOdds_SumOfOdd_Impl use prelude.Int - let rec ghost function sum_of_odd [#"../sum_of_odds.rs" 18 0 18 28] (x : int) : int - variant {[#"../sum_of_odds.rs" 17 10 17 11] x} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../sum_of_odds.rs" 16 0 16 8] if pure {x <= 0} then 0 else sum_of_odd (x - 1) + 2 * x - 1 + constant x : int + function sum_of_odd [#"../sum_of_odds.rs" 18 0 18 28] (x : int) : int + goal vc_sum_of_odd : match x <= 0 with + | True -> true + | False -> 0 <= ([#"../sum_of_odds.rs" 17 10 17 11] x) /\ ([#"../sum_of_odds.rs" 17 10 17 11] x - 1) < ([#"../sum_of_odds.rs" 17 10 17 11] x) + end end module SumOfOdds_SumOfOddIsSqr_Impl use prelude.Int @@ -23,13 +24,14 @@ module SumOfOdds_SumOfOddIsSqr_Impl val sum_of_odd0 [#"../sum_of_odds.rs" 18 0 18 28] (x : int) : int ensures { result = sum_of_odd0 x } - let rec ghost function sum_of_odd_is_sqr [#"../sum_of_odds.rs" 30 0 30 28] (x : int) : () - requires {[#"../sum_of_odds.rs" 27 11 27 17] x >= 0} - ensures { [#"../sum_of_odds.rs" 28 10 28 33] sum_of_odd0 x = sqr0 x } - variant {[#"../sum_of_odds.rs" 29 10 29 11] x} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../sum_of_odds.rs" 31 4 31 65] if pure {x > 0} then sum_of_odd_is_sqr (x - 1) else () + constant x : int + function sum_of_odd_is_sqr [#"../sum_of_odds.rs" 30 0 30 28] (x : int) : () + goal vc_sum_of_odd_is_sqr : ([#"../sum_of_odds.rs" 27 11 27 17] x >= 0) + -> match x > 0 with + | True -> (([#"../sum_of_odds.rs" 27 11 27 17] x - 1 >= 0) /\ 0 <= ([#"../sum_of_odds.rs" 29 10 29 11] x) /\ ([#"../sum_of_odds.rs" 29 10 29 11] x - 1) < ([#"../sum_of_odds.rs" 29 10 29 11] x)) /\ (([#"../sum_of_odds.rs" 28 10 28 33] sum_of_odd0 (x - 1) = sqr0 (x - 1)) + -> ([#"../sum_of_odds.rs" 28 10 28 33] sum_of_odd0 x = sqr0 x)) + | False -> [#"../sum_of_odds.rs" 28 10 28 33] sum_of_odd0 x = sqr0 x + end end module Core_Ops_Range_Range_Type type t_range 'idx = 
@@ -109,7 +111,9 @@ module SumOfOdds_ComputeSumOfOdd predicate produces0 (self : Core_Ops_Range_Range_Type.t_range uint32) (visited : Seq.seq uint32) (o : Core_Ops_Range_Range_Type.t_range uint32) = - [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range uint32) (visited : Seq.seq uint32) (o : Core_Ops_Range_Range_Type.t_range uint32) : bool ensures { result = produces0 self visited o } 
@@ -125,21 +129,29 @@ module SumOfOdds_ComputeSumOfOdd requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range uint32, ab : Seq.seq uint32, b : Core_Ops_Range_Range_Type.t_range uint32, bc : Seq.seq uint32, c : Core_Ops_Range_Range_Type.t_range uint32 . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv3 ab) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv3 bc) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range uint32, ab : Seq.seq uint32, b : Core_Ops_Range_Range_Type.t_range uint32, bc : Seq.seq uint32, c : Core_Ops_Range_Range_Type.t_range uint32 . 
([#"../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv3 ab) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv3 bc) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range uint32) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range uint32) : () requires {[#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range uint32 . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range uint32 . ([#"../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) + -> ([#"../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : Core_Ops_Range_Range_Type.t_range uint32) = [#"../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant0 (self : Core_Ops_Range_Range_Type.t_range uint32) : bool ensures { result = invariant0 self } axiom inv0 : forall x : Core_Ops_Range_Range_Type.t_range uint32 . 
inv0 x = true - use prelude.Ghost + use prelude.Snapshot function sqr0 [#"../sum_of_odds.rs" 7 0 7 21] (x : int) : int = [#"../sum_of_odds.rs" 8 4 8 9] x * x val sqr0 [#"../sum_of_odds.rs" 7 0 7 21] (x : int) : int @@ -164,10 +176,11 @@ module SumOfOdds_ComputeSumOfOdd requires {[#"../sum_of_odds.rs" 27 11 27 17] x >= 0} ensures { result = sum_of_odd_is_sqr0 x } - axiom sum_of_odd_is_sqr0_spec : forall x : int . ([#"../sum_of_odds.rs" 27 11 27 17] x >= 0) -> ([#"../sum_of_odds.rs" 28 10 28 33] sum_of_odd0 x = sqr0 x) + axiom sum_of_odd_is_sqr0_spec : forall x : int . ([#"../sum_of_odds.rs" 27 11 27 17] x >= 0) + -> ([#"../sum_of_odds.rs" 28 10 28 33] sum_of_odd0 x = sqr0 x) use seq.Seq predicate resolve0 (self : borrowed (Core_Ops_Range_Range_Type.t_range uint32)) = - [#"../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (Core_Ops_Range_Range_Type.t_range uint32)) : bool ensures { result = resolve0 self } @@ -184,11 +197,11 @@ module SumOfOdds_ComputeSumOfOdd end } ensures { inv2 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_Range_Type.t_range uint32) (res : Core_Ops_Range_Range_Type.t_range uint32) = 
@@ -216,28 +229,33 @@ module SumOfOdds_ComputeSumOfOdd var x : uint32 = x; var s : uint32; var iter : Core_Ops_Range_Range_Type.t_range uint32; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range uint32); - var produced : Ghost.ghost_ty (Seq.seq uint32); + var _8 : Core_Ops_Range_Range_Type.t_range uint32; + var iter_old : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range uint32); + var produced : Snapshot.snap_ty (Seq.seq uint32); var _18 : Core_Option_Option_Type.t_option uint32; var _19 : borrowed (Core_Ops_Range_Range_Type.t_range uint32); var _20 : borrowed (Core_Ops_Range_Range_Type.t_range uint32); var __creusot_proc_iter_elem : uint32; - var _23 : Ghost.ghost_ty (Seq.seq uint32); + var _23 : Snapshot.snap_ty (Seq.seq uint32); var i : uint32; + var _28 : uint32; + var _29 : uint32; { goto BB0 } BB0 { - [#"../sum_of_odds.rs" 37 21 37 22] s <- ([#"../sum_of_odds.rs" 37 21 37 22] [#"../sum_of_odds.rs" 37 21 37 22] (0 : uint32)); - [#"../sum_of_odds.rs" 38 4 38 50] iter <- ([#"../sum_of_odds.rs" 38 4 38 50] into_iter0 ([#"../sum_of_odds.rs" 39 13 39 17] Core_Ops_Range_Range_Type.C_Range ([#"../sum_of_odds.rs" 39 13 39 14] [#"../sum_of_odds.rs" 39 13 39 14] (0 : uint32)) ([#"../sum_of_odds.rs" 39 16 39 17] x))); + [#"../sum_of_odds.rs" 37 21 37 22] s <- ([#"../sum_of_odds.rs" 37 21 37 22] (0 : uint32)); + [#"../sum_of_odds.rs" 39 13 39 17] _8 <- Core_Ops_Range_Range_Type.C_Range ([#"../sum_of_odds.rs" 39 13 39 14] (0 : uint32)) x; + [#"../sum_of_odds.rs" 38 4 38 50] iter <- ([#"../sum_of_odds.rs" 38 4 38 50] into_iter0 _8); + _8 <- any Core_Ops_Range_Range_Type.t_range uint32; goto BB1 } BB1 { - [#"../sum_of_odds.rs" 38 4 38 50] iter_old <- ([#"../sum_of_odds.rs" 38 4 38 50] Ghost.new iter); + [#"../sum_of_odds.rs" 38 4 38 50] iter_old <- ([#"../sum_of_odds.rs" 38 4 38 50] Snapshot.new iter); goto BB2 } BB2 { - [#"../sum_of_odds.rs" 38 4 38 50] produced <- ([#"../sum_of_odds.rs" 38 4 38 50] Ghost.new (Seq.empty )); + [#"../sum_of_odds.rs" 38 4 38 
50] produced <- ([#"../sum_of_odds.rs" 38 4 38 50] Snapshot.new (Seq.empty )); goto BB3 } BB3 { @@ -245,8 +263,8 @@ module SumOfOdds_ComputeSumOfOdd } BB4 { invariant { [#"../sum_of_odds.rs" 38 4 38 50] inv0 iter }; - invariant { [#"../sum_of_odds.rs" 38 4 38 50] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../sum_of_odds.rs" 38 16 38 48] UInt32.to_int s = sum_of_odd0 (Seq.length (Ghost.inner produced)) }; + invariant { [#"../sum_of_odds.rs" 38 4 38 50] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../sum_of_odds.rs" 38 16 38 48] UInt32.to_int s = sum_of_odd0 (Seq.length (Snapshot.inner produced)) }; goto BB5 } BB5 { @@ -266,7 +284,7 @@ module SumOfOdds_ComputeSumOfOdd end } BB7 { - [#"../sum_of_odds.rs" 46 11 46 12] _0 <- ([#"../sum_of_odds.rs" 46 11 46 12] s); + [#"../sum_of_odds.rs" 46 11 46 12] _0 <- s; return _0 } BB8 { 
@@ -277,16 +295,20 @@ module SumOfOdds_ComputeSumOfOdd absurd } BB10 { - [#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _18); - [#"../sum_of_odds.rs" 38 4 38 50] _23 <- ([#"../sum_of_odds.rs" 38 4 38 50] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _18; + [#"../sum_of_odds.rs" 38 4 38 50] _23 <- ([#"../sum_of_odds.rs" 38 4 38 50] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB11 } BB11 { - [#"../sum_of_odds.rs" 38 4 38 50] produced <- ([#"../sum_of_odds.rs" 38 4 38 50] _23); - [#"../sum_of_odds.rs" 38 4 38 50] _23 <- any Ghost.ghost_ty (Seq.seq uint32); - [#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] i <- ([#"../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem); + [#"../sum_of_odds.rs" 38 4 38 50] produced <- _23; + _23 <- any Snapshot.snap_ty (Seq.seq uint32); + [#"../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] i <- __creusot_proc_iter_elem; assert { [@expl:assertion] [#"../sum_of_odds.rs" 41 12 41 33] let _ = sum_of_odd_is_sqr0 (UInt32.to_int i) in true }; - [#"../sum_of_odds.rs" 44 8 44 22] s <- ([#"../sum_of_odds.rs" 44 8 44 22] s + ([#"../sum_of_odds.rs" 44 13 44 22] ([#"../sum_of_odds.rs" 44 13 44 18] ([#"../sum_of_odds.rs" 44 13 44 14] [#"../sum_of_odds.rs" 44 13 44 14] (2 : uint32)) * ([#"../sum_of_odds.rs" 44 17 44 18] i)) + ([#"../sum_of_odds.rs" 44 21 44 22] [#"../sum_of_odds.rs" 44 21 44 22] (1 : uint32)))); + [#"../sum_of_odds.rs" 44 13 44 18] _29 <- ([#"../sum_of_odds.rs" 44 13 44 14] (2 : uint32)) * i; + [#"../sum_of_odds.rs" 44 13 44 22] _28 <- _29 + ([#"../sum_of_odds.rs" 44 21 44 22] (1 : uint32)); + _29 <- any uint32; + 
[#"../sum_of_odds.rs" 44 8 44 22] s <- s + _28; + _28 <- any uint32; goto BB4 } @@ -323,7 +345,8 @@ module SumOfOdds_Test requires {[#"../sum_of_odds.rs" 27 11 27 17] x >= 0} ensures { result = sum_of_odd_is_sqr0 x } - axiom sum_of_odd_is_sqr0_spec : forall x : int . ([#"../sum_of_odds.rs" 27 11 27 17] x >= 0) -> ([#"../sum_of_odds.rs" 28 10 28 33] sum_of_odd0 x = sqr0 x) + axiom sum_of_odd_is_sqr0_spec : forall x : int . ([#"../sum_of_odds.rs" 27 11 27 17] x >= 0) + -> ([#"../sum_of_odds.rs" 28 10 28 33] sum_of_odd0 x = sqr0 x) use prelude.UInt32 val compute_sum_of_odd0 [#"../sum_of_odds.rs" 36 0 36 36] (x : uint32) : uint32 requires {[#"../sum_of_odds.rs" 34 11 34 23] UInt32.to_int x < 65536} @@ -340,7 +363,7 @@ module SumOfOdds_Test goto BB0 } BB0 { - [#"../sum_of_odds.rs" 51 12 51 33] y <- ([#"../sum_of_odds.rs" 51 12 51 33] compute_sum_of_odd0 ([#"../sum_of_odds.rs" 51 31 51 32] x)); + [#"../sum_of_odds.rs" 51 12 51 33] y <- ([#"../sum_of_odds.rs" 51 12 51 33] compute_sum_of_odd0 x); goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/sum_of_odds.rs b/creusot/tests/should_succeed/sum_of_odds.rs index f16c467ade..971972807b 100644 --- a/creusot/tests/should_succeed/sum_of_odds.rs +++ b/creusot/tests/should_succeed/sum_of_odds.rs @@ -3,7 +3,7 @@ extern crate creusot_contracts; use creusot_contracts::{logic::Int, *}; -#[ghost] +#[logic] fn sqr(x: Int) -> Int { x * x } @@ -13,7 +13,7 @@ fn is_square(y: Int) -> bool { pearlite! { exists y == sqr(z) } } -#[ghost] +#[logic] #[variant(x)] fn sum_of_odd(x: Int) -> Int { if x <= 0 { @@ -23,7 +23,7 @@ fn sum_of_odd(x: Int) -> Int { } } -#[ghost] +#[logic] #[requires(x >= 0)] #[ensures(sum_of_odd(x) == sqr(x))] #[variant(x)] diff --git a/creusot/tests/should_succeed/sum_of_odds/why3session.xml b/creusot/tests/should_succeed/sum_of_odds/why3session.xml index 19cd4f6545..af019f2ad0 100644 --- a/creusot/tests/should_succeed/sum_of_odds/why3session.xml +++ b/creusot/tests/should_succeed/sum_of_odds/why3session.xml 
@@ -7,59 +7,59 @@ - + - - + + - + - + - + - + - + - + - + - + - + - + - + diff --git a/creusot/tests/should_succeed/sum_of_odds/why3shapes.gz b/creusot/tests/should_succeed/sum_of_odds/why3shapes.gz index 0950c89fd2..e54c48ad90 100644 Binary files a/creusot/tests/should_succeed/sum_of_odds/why3shapes.gz and b/creusot/tests/should_succeed/sum_of_odds/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/swap_borrows.mlcfg b/creusot/tests/should_succeed/swap_borrows.mlcfg index 4067ecdb4e..e4c49fbaa8 100644 --- a/creusot/tests/should_succeed/swap_borrows.mlcfg +++ b/creusot/tests/should_succeed/swap_borrows.mlcfg @@ -36,9 +36,9 @@ module SwapBorrows_Swap BB1 { assert { [@expl:type invariant] inv0 x }; assume { resolve0 x }; - [#"../swap_borrows.rs" 6 4 6 14] _0 <- ([#"../swap_borrows.rs" 6 4 6 14] (([#"../swap_borrows.rs" 6 5 6 8] let (_, a) = x in a), ([#"../swap_borrows.rs" 6 10 6 13] let (a, _) = x in a))); - [#"../swap_borrows.rs" 6 5 6 8] x <- (let (x0, x1) = x in (x0, any t)); - [#"../swap_borrows.rs" 6 10 6 13] x <- (let (x0, x1) = x in (any t, x1)); + [#"../swap_borrows.rs" 6 4 6 14] _0 <- ((let (_, a) = x in a), (let (a, _) = x in a)); + x <- (let (x0, x1) = x in (x0, any t)); + x <- (let (x0, x1) = x in (any t, x1)); goto BB2 } BB2 { @@ -98,6 +98,7 @@ module SwapBorrows_F var b : uint32; var _3 : (uint32, uint32); var p : (borrowed uint32, borrowed uint32); + var _5 : (borrowed uint32, borrowed uint32); var _6 : borrowed uint32; var _7 : borrowed uint32; var _8 : borrowed uint32; 
@@ -105,9 +106,9 @@ module SwapBorrows_F goto BB0 } BB0 { - [#"../swap_borrows.rs" 11 25 11 31] _3 <- ([#"../swap_borrows.rs" 11 25 11 31] (([#"../swap_borrows.rs" 11 26 11 27] [#"../swap_borrows.rs" 11 26 11 27] (0 : uint32)), ([#"../swap_borrows.rs" 11 29 11 30] [#"../swap_borrows.rs" 11 29 11 30] (0 : uint32)))); - [#"../swap_borrows.rs" 11 9 11 14] a <- ([#"../swap_borrows.rs" 11 9 11 14] let (a, _) = _3 in a); - [#"../swap_borrows.rs" 11 16 11 21] b <- ([#"../swap_borrows.rs" 11 16 11 21] let (_, a) = _3 in a); + [#"../swap_borrows.rs" 11 25 11 31] _3 <- (([#"../swap_borrows.rs" 11 26 11 27] (0 : uint32)), ([#"../swap_borrows.rs" 11 29 11 30] (0 : uint32))); + [#"../swap_borrows.rs" 11 9 11 14] a <- (let (a, _) = _3 in a); + [#"../swap_borrows.rs" 11 16 11 21] b <- (let (_, a) = _3 in a); assume { resolve0 _3 }; [#"../swap_borrows.rs" 12 18 12 24] _6 <- Borrow.borrow_mut a; [#"../swap_borrows.rs" 12 18 12 24] a <- ^ _6; 
@@ -115,14 +116,16 @@ module SwapBorrows_F [#"../swap_borrows.rs" 12 26 12 32] b <- ^ _8; [#"../swap_borrows.rs" 12 26 12 32] _7 <- Borrow.borrow_final ( * _8) (Borrow.get_id _8); [#"../swap_borrows.rs" 12 26 12 32] _8 <- { _8 with current = ( ^ _7) ; }; - [#"../swap_borrows.rs" 12 12 12 34] p <- ([#"../swap_borrows.rs" 12 12 12 34] swap0 ([#"../swap_borrows.rs" 12 17 12 33] (_6, _7))); + [#"../swap_borrows.rs" 12 17 12 33] _5 <- (_6, _7); _6 <- any borrowed uint32; _7 <- any borrowed uint32; + [#"../swap_borrows.rs" 12 12 12 34] p <- ([#"../swap_borrows.rs" 12 12 12 34] swap0 _5); + _5 <- any (borrowed uint32, borrowed uint32); goto BB1 } BB1 { assume { resolve1 _8 }; - [#"../swap_borrows.rs" 13 4 13 13] p <- (let (x0, x1) = p in ({ (let (a, _) = p in a) with current = ([#"../swap_borrows.rs" 13 4 13 13] [#"../swap_borrows.rs" 13 11 13 13] (10 : uint32)) ; }, x1)); + [#"../swap_borrows.rs" 13 4 13 13] p <- (let (x0, x1) = p in ({ (let (a, _) = p in a) with current = ([#"../swap_borrows.rs" 13 11 13 13] (10 : uint32)) ; }, x1)); assume { resolve2 p }; assert { [@expl:assertion] [#"../swap_borrows.rs" 15 20 15 30] b = (10 : uint32) }; assert { [@expl:assertion] [#"../swap_borrows.rs" 16 20 16 29] a = (0 : uint32) }; diff --git a/creusot/tests/should_succeed/swap_borrows/why3session.xml b/creusot/tests/should_succeed/swap_borrows/why3session.xml index a20fa9420b..59893a90fe 100644 --- a/creusot/tests/should_succeed/swap_borrows/why3session.xml +++ b/creusot/tests/should_succeed/swap_borrows/why3session.xml @@ -12,7 +12,7 @@ - + diff --git a/creusot/tests/should_succeed/swap_borrows/why3shapes.gz b/creusot/tests/should_succeed/swap_borrows/why3shapes.gz index 861ff8bfce..52b7f61adc 100644 Binary files a/creusot/tests/should_succeed/swap_borrows/why3shapes.gz and b/creusot/tests/should_succeed/swap_borrows/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/switch.mlcfg b/creusot/tests/should_succeed/switch.mlcfg index cd5d0cb6b9..23503d36fb 100644 
--- a/creusot/tests/should_succeed/switch.mlcfg +++ b/creusot/tests/should_succeed/switch.mlcfg @@ -33,7 +33,7 @@ module Switch_Test goto BB4 } BB2 { - [#"../switch.rs" 12 16 12 21] _0 <- ([#"../switch.rs" 12 16 12 21] [#"../switch.rs" 12 16 12 21] false); + [#"../switch.rs" 12 16 12 21] _0 <- ([#"../switch.rs" 12 16 12 21] false); goto BB5 } BB3 { @@ -41,8 +41,8 @@ module Switch_Test absurd } BB4 { - [#"../switch.rs" 11 13 11 14] x <- ([#"../switch.rs" 11 13 11 14] Switch_Option_Type.some_0 o); - [#"../switch.rs" 11 19 11 24] _0 <- ([#"../switch.rs" 11 19 11 24] ([#"../switch.rs" 11 19 11 20] x) > ([#"../switch.rs" 11 23 11 24] [#"../switch.rs" 11 23 11 24] (0 : uint32))); + [#"../switch.rs" 11 13 11 14] x <- Switch_Option_Type.some_0 o; + [#"../switch.rs" 11 19 11 24] _0 <- x > ([#"../switch.rs" 11 23 11 24] (0 : uint32)); goto BB5 } BB5 { @@ -88,7 +88,7 @@ module Switch_Test2 goto BB4 } BB2 { - [#"../switch.rs" 19 16 19 19] _0 <- ([#"../switch.rs" 19 16 19 19] let (_, a) = o in a); + [#"../switch.rs" 19 16 19 19] _0 <- (let (_, a) = o in a); assume { resolve0 o }; goto BB5 } @@ -98,9 +98,9 @@ module Switch_Test2 absurd } BB4 { - [#"../switch.rs" 18 13 18 14] x <- ([#"../switch.rs" 18 13 18 14] Switch_Option_Type.some_0 (let (a, _) = o in a)); + [#"../switch.rs" 18 13 18 14] x <- Switch_Option_Type.some_0 (let (a, _) = o in a); assume { resolve0 o }; - [#"../switch.rs" 18 19 18 20] _0 <- ([#"../switch.rs" 18 19 18 20] x); + [#"../switch.rs" 18 19 18 20] _0 <- x; goto BB5 } BB5 { diff --git a/creusot/tests/should_succeed/switch_struct.mlcfg b/creusot/tests/should_succeed/switch_struct.mlcfg index 49ec529774..8dc5ed23a9 100644 --- a/creusot/tests/should_succeed/switch_struct.mlcfg +++ b/creusot/tests/should_succeed/switch_struct.mlcfg 
@@ -41,8 +41,8 @@ module SwitchStruct_Test goto BB4 } BB2 { - [#"../switch_struct.rs" 12 12 12 18] field2 <- ([#"../switch_struct.rs" 12 12 12 18] SwitchStruct_M_Type.g_field2 o); - [#"../switch_struct.rs" 12 24 12 35] _0 <- ([#"../switch_struct.rs" 12 24 12 35] ([#"../switch_struct.rs" 12 24 12 30] field2) = ([#"../switch_struct.rs" 12 34 12 35] [#"../switch_struct.rs" 12 34 12 35] (0 : uint32))); + [#"../switch_struct.rs" 12 12 12 18] field2 <- SwitchStruct_M_Type.g_field2 o; + [#"../switch_struct.rs" 12 24 12 35] _0 <- field2 = ([#"../switch_struct.rs" 12 34 12 35] (0 : uint32)); goto BB5 } BB3 { @@ -50,8 +50,8 @@ module SwitchStruct_Test absurd } BB4 { - [#"../switch_struct.rs" 11 12 11 18] field1 <- ([#"../switch_struct.rs" 11 12 11 18] SwitchStruct_M_Type.f_field1 o); - [#"../switch_struct.rs" 11 24 11 34] _0 <- ([#"../switch_struct.rs" 11 24 11 34] ([#"../switch_struct.rs" 11 24 11 30] field1) > ([#"../switch_struct.rs" 11 33 11 34] [#"../switch_struct.rs" 11 33 11 34] (0 : uint32))); + [#"../switch_struct.rs" 11 12 11 18] field1 <- SwitchStruct_M_Type.f_field1 o; + [#"../switch_struct.rs" 11 24 11 34] _0 <- field1 > ([#"../switch_struct.rs" 11 33 11 34] (0 : uint32)); goto BB5 } BB5 { diff --git a/creusot/tests/should_succeed/syntax/02_operators.mlcfg b/creusot/tests/should_succeed/syntax/02_operators.mlcfg index 1417306221..af8d352226 100644 --- a/creusot/tests/should_succeed/syntax/02_operators.mlcfg +++ b/creusot/tests/should_succeed/syntax/02_operators.mlcfg 
@@ -16,13 +16,13 @@ module C02Operators_Division goto BB0 } BB0 { - [#"../02_operators.rs" 9 8 9 9] _5 <- ([#"../02_operators.rs" 9 8 9 9] y); - [#"../02_operators.rs" 9 4 9 9] _6 <- ([#"../02_operators.rs" 9 4 9 9] _5 = ([#"../02_operators.rs" 9 4 9 9] [#"../02_operators.rs" 9 4 9 9] (0 : usize))); + [#"../02_operators.rs" 9 8 9 9] _5 <- y; + [#"../02_operators.rs" 9 4 9 9] _6 <- _5 = ([#"../02_operators.rs" 9 4 9 9] (0 : usize)); assert { [@expl:division by zero] [#"../02_operators.rs" 9 4 9 9] not _6 }; goto BB1 } BB1 { - [#"../02_operators.rs" 9 4 9 9] _0 <- ([#"../02_operators.rs" 9 4 9 9] ([#"../02_operators.rs" 9 4 9 5] x) / _5); + [#"../02_operators.rs" 9 4 9 9] _0 <- x / _5; _5 <- any usize; return _0 } @@ -45,13 +45,13 @@ module C02Operators_Modulus goto BB0 } BB0 { - [#"../02_operators.rs" 24 8 24 9] _5 <- ([#"../02_operators.rs" 24 8 24 9] y); - [#"../02_operators.rs" 24 4 24 9] _6 <- ([#"../02_operators.rs" 24 4 24 9] _5 = ([#"../02_operators.rs" 24 4 24 9] [#"../02_operators.rs" 24 4 24 9] (0 : usize))); + [#"../02_operators.rs" 24 8 24 9] _5 <- y; + [#"../02_operators.rs" 24 4 24 9] _6 <- _5 = ([#"../02_operators.rs" 24 4 24 9] (0 : usize)); assert { [@expl:remainder by zero] [#"../02_operators.rs" 24 4 24 9] not _6 }; goto BB1 } BB1 { - [#"../02_operators.rs" 24 4 24 9] _0 <- ([#"../02_operators.rs" 24 4 24 9] ([#"../02_operators.rs" 24 4 24 5] x) % _5); + [#"../02_operators.rs" 24 4 24 9] _0 <- x % _5; _5 <- any usize; return _0 } @@ -74,7 +74,7 @@ module C02Operators_Multiply goto BB0 } BB0 { - [#"../02_operators.rs" 39 4 39 9] _0 <- ([#"../02_operators.rs" 39 4 39 9] ([#"../02_operators.rs" 39 4 39 5] x) * ([#"../02_operators.rs" 39 8 39 9] y)); + [#"../02_operators.rs" 39 4 39 9] _0 <- x * y; return _0 } 
@@ -96,7 +96,7 @@ module C02Operators_Add goto BB0 } BB0 { - [#"../02_operators.rs" 49 4 49 9] _0 <- ([#"../02_operators.rs" 49 4 49 9] ([#"../02_operators.rs" 49 4 49 5] x) + ([#"../02_operators.rs" 49 8 49 9] y)); + [#"../02_operators.rs" 49 4 49 9] _0 <- x + y; return _0 } @@ -116,7 +116,7 @@ module C02Operators_Sub goto BB0 } BB0 { - [#"../02_operators.rs" 64 4 64 9] _0 <- ([#"../02_operators.rs" 64 4 64 9] ([#"../02_operators.rs" 64 4 64 5] x) - ([#"../02_operators.rs" 64 8 64 9] y)); + [#"../02_operators.rs" 64 4 64 9] _0 <- x - y; return _0 } 
@@ -137,29 +137,41 @@ module C02Operators_Expression var x : usize = x; var y : usize = y; var z : usize = z; + var _7 : usize; + var _8 : usize; var _10 : usize; var _11 : bool; + var _13 : usize; + var _14 : usize; var _16 : usize; var _17 : bool; { goto BB0 } BB0 { - [#"../02_operators.rs" 78 8 78 9] _10 <- ([#"../02_operators.rs" 78 8 78 9] y); - [#"../02_operators.rs" 78 4 78 9] _11 <- ([#"../02_operators.rs" 78 4 78 9] _10 = ([#"../02_operators.rs" 78 4 78 9] [#"../02_operators.rs" 78 4 78 9] (0 : usize))); + [#"../02_operators.rs" 78 8 78 9] _10 <- y; + [#"../02_operators.rs" 78 4 78 9] _11 <- _10 = ([#"../02_operators.rs" 78 4 78 9] (0 : usize)); assert { [@expl:division by zero] [#"../02_operators.rs" 78 4 78 9] not _11 }; goto BB1 } BB1 { - [#"../02_operators.rs" 78 22 78 23] _16 <- ([#"../02_operators.rs" 78 22 78 23] y); - [#"../02_operators.rs" 78 17 78 24] _17 <- ([#"../02_operators.rs" 78 17 78 24] _16 = ([#"../02_operators.rs" 78 17 78 24] [#"../02_operators.rs" 78 17 78 24] (0 : usize))); + [#"../02_operators.rs" 78 4 78 9] _8 <- x / _10; + _10 <- any usize; + [#"../02_operators.rs" 78 4 78 13] _7 <- _8 * z; + _8 <- any usize; + [#"../02_operators.rs" 78 22 78 23] _16 <- y; + [#"../02_operators.rs" 78 17 78 24] _17 <- _16 = ([#"../02_operators.rs" 78 17 78 24] (0 : usize)); assert { [@expl:division by zero] [#"../02_operators.rs" 78 17 78 24] not _17 }; goto BB2 } BB2 { - [#"../02_operators.rs" 78 4 78 28] _0 <- ([#"../02_operators.rs" 78 4 78 28] ([#"../02_operators.rs" 78 4 78 13] ([#"../02_operators.rs" 78 4 78 9] ([#"../02_operators.rs" 78 4 78 5] x) / _10) * ([#"../02_operators.rs" 78 12 78 13] z)) = ([#"../02_operators.rs" 78 17 78 28] ([#"../02_operators.rs" 78 17 78 24] ([#"../02_operators.rs" 78 18 78 19] x) / _16) * ([#"../02_operators.rs" 78 27 78 28] z))); - _10 <- any usize; + [#"../02_operators.rs" 78 17 78 24] _14 <- x / _16; _16 <- any usize; + [#"../02_operators.rs" 78 17 78 28] _13 <- _14 * z; + _14 <- any usize; + 
[#"../02_operators.rs" 78 4 78 28] _0 <- _7 = _13; + _7 <- any usize; + _13 <- any usize; return _0 } @@ -167,11 +179,11 @@ end module C02Operators_ExpressionLogic_Impl use prelude.UIntSize use prelude.Int - let rec ghost function expression_logic [#"../02_operators.rs" 83 0 83 57] (x : usize) (y : usize) (z : usize) : bool - ensures { [#"../02_operators.rs" 82 10 82 16] result } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../02_operators.rs" 84 4 84 28] pure {div x y * z = div x y * z} + constant x : usize + constant y : usize + constant z : usize + function expression_logic [#"../02_operators.rs" 83 0 83 57] (x : usize) (y : usize) (z : usize) : bool + goal vc_expression_logic : [#"../02_operators.rs" 82 10 82 16] div x y * z = div x y * z end module C02Operators_X_Type use prelude.UIntSize @@ -214,7 +226,7 @@ module C02Operators_BoolEq goto BB0 } BB0 { - [#"../02_operators.rs" 96 4 96 10] _0 <- ([#"../02_operators.rs" 96 4 96 10] Bool.eqb ([#"../02_operators.rs" 96 4 96 5] a) ([#"../02_operators.rs" 96 9 96 10] b)); + [#"../02_operators.rs" 96 4 96 10] _0 <- Bool.eqb a b; return _0 } diff --git a/creusot/tests/should_succeed/syntax/02_operators.rs b/creusot/tests/should_succeed/syntax/02_operators.rs index df0b14bc17..7b0ebbe17f 100644 --- a/creusot/tests/should_succeed/syntax/02_operators.rs +++ b/creusot/tests/should_succeed/syntax/02_operators.rs @@ -9,12 +9,12 @@ fn division(x: usize, y: usize) -> usize { x / y } -// #[ghost] +// #[logic] // fn division_logic(x : usize, y : usize) -> usize { // x / y // } -#[ghost] +#[logic] fn division_int(x: Int, y: Int) -> Int { x / y } @@ -24,12 +24,12 @@ fn modulus(x: usize, y: usize) -> usize { x % y } -// #[ghost] +// #[logic] // fn modulus_logic(x : usize, y : usize) -> usize { // x % y // } -#[ghost] +#[logic] fn modulus_int(x: Int, y: Int) -> Int { x % y } @@ -39,7 +39,7 @@ fn multiply(x: usize, y: usize) -> usize { x * y } -#[ghost] +#[logic] fn multiply_int(x: Int, y: Int) -> Int { x * y } 
@@ -49,12 +49,12 @@ fn add(x: usize, y: usize) -> usize { x + y } -#[ghost] +#[logic] fn add_int(x: Int, y: Int) -> Int { x + y } -// #[ghost] +// #[logic] // fn add_logic(x : usize, y : usize) -> usize { // x + y // } @@ -64,7 +64,7 @@ fn sub(x: usize, y: usize) -> usize { x - y } -#[ghost] +#[logic] fn sub_int(x: Int, y: Int) -> Int { x - y } @@ -78,7 +78,7 @@ fn expression(x: usize, y: usize, z: usize) -> bool { x / y * z == (x / y) * z } -#[ghost] +#[logic] #[ensures(result)] fn expression_logic(x: usize, y: usize, z: usize) -> bool { x / y * z == (x / y) * z diff --git a/creusot/tests/should_succeed/syntax/02_operators/why3session.xml b/creusot/tests/should_succeed/syntax/02_operators/why3session.xml index f6a9daf9e0..d427ef5464 100644 --- a/creusot/tests/should_succeed/syntax/02_operators/why3session.xml +++ b/creusot/tests/should_succeed/syntax/02_operators/why3session.xml @@ -34,11 +34,11 @@ - + - + diff --git a/creusot/tests/should_succeed/syntax/02_operators/why3shapes.gz b/creusot/tests/should_succeed/syntax/02_operators/why3shapes.gz index baeb8793d9..38f6afe3ad 100644 Binary files a/creusot/tests/should_succeed/syntax/02_operators/why3shapes.gz and b/creusot/tests/should_succeed/syntax/02_operators/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/syntax/04_assoc_prec.mlcfg b/creusot/tests/should_succeed/syntax/04_assoc_prec.mlcfg index d06183df33..af25846965 100644 --- a/creusot/tests/should_succeed/syntax/04_assoc_prec.mlcfg +++ b/creusot/tests/should_succeed/syntax/04_assoc_prec.mlcfg 
@@ -13,7 +13,7 @@ module C04AssocPrec_RespectPrec ensures { result = resolve0 self } let rec cfg respect_prec [#"../04_assoc_prec.rs" 10 0 10 34] [@cfg:stackify] [@cfg:subregion_analysis] (x : (uint32, uint32)) : () - ensures { [#"../04_assoc_prec.rs" 7 0 7 33] 5 = 3 -> 2 + 1 = 3 } + ensures { [#"../04_assoc_prec.rs" 7 0 7 33] 5 = 3 -> 2 + 1 = 3 } ensures { [#"../04_assoc_prec.rs" 8 10 8 35] div (5 * 3) 2 <> 4 * (40 + 1) } ensures { [#"../04_assoc_prec.rs" 9 10 9 20] (let (a, _) = x in a) = (let (_, a) = x in a) } diff --git a/creusot/tests/should_succeed/syntax/05_pearlite.mlcfg b/creusot/tests/should_succeed/syntax/05_pearlite.mlcfg index edba55275d..59a2e688f7 100644 --- a/creusot/tests/should_succeed/syntax/05_pearlite.mlcfg +++ b/creusot/tests/should_succeed/syntax/05_pearlite.mlcfg 
@@ -36,17 +36,16 @@ module C05Pearlite_HasLen3_Impl requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv1 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : slice uint32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv1 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model1 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) function shallow_model0 (self : slice uint32) : Seq.seq uint32 = [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model1 self val shallow_model0 (self : slice uint32) : Seq.seq uint32 ensures { result = shallow_model0 self } - let rec ghost predicate has_len_3 [#"../05_pearlite.rs" 9 0 9 35] (v : slice uint32) - requires {[#"../05_pearlite.rs" 8 11 8 24] Seq.length (shallow_model0 v) = 3} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../05_pearlite.rs" 10 16 10 29] let x0 = let a' = shallow_model0 v in Seq.length a' in pure {x0 = 3} + constant v : slice uint32 + predicate has_len_3 [#"../05_pearlite.rs" 9 0 9 35] (v : slice uint32) + goal vc_has_len_3 : true end module C05Pearlite_A_Type type t_a = 
@@ -101,19 +100,19 @@ end module C05Pearlite_GhostClosure use prelude.UInt32 use map.Map - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot use prelude.Mapping use prelude.Int let rec cfg ghost_closure [#"../05_pearlite.rs" 48 0 48 22] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); - var _x : Ghost.ghost_ty (Map.map uint32 uint32); + var _x : Snapshot.snap_ty (Map.map uint32 uint32); { goto BB0 } BB0 { - [#"../05_pearlite.rs" 49 13 49 32] _x <- ([#"../05_pearlite.rs" 49 13 49 32] Ghost.new (Mapping.from_fn (fun (a : uint32) -> a))); + [#"../05_pearlite.rs" 49 13 49 38] _x <- ([#"../05_pearlite.rs" 49 13 49 38] Snapshot.new (Mapping.from_fn (fun (a : uint32) -> a))); goto BB1 } BB1 { @@ -126,8 +125,8 @@ module C05Pearlite_PearliteClosure use prelude.UInt32 use prelude.Int use map.Map - use prelude.Ghost - let rec cfg pearlite_closure [#"../05_pearlite.rs" 52 0 52 54] [@cfg:stackify] [@cfg:subregion_analysis] (_x : Ghost.ghost_ty (Map.map uint32 bool)) : () + use prelude.Snapshot + let rec cfg pearlite_closure [#"../05_pearlite.rs" 52 0 52 57] [@cfg:stackify] [@cfg:subregion_analysis] (_x : Snapshot.snap_ty (Map.map uint32 bool)) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); @@ -135,7 +134,7 @@ module C05Pearlite_PearliteClosure goto BB0 } BB0 { - [#"../05_pearlite.rs" 52 55 52 57] _0 <- ([#"../05_pearlite.rs" 52 55 52 57] ()); + [#"../05_pearlite.rs" 52 58 52 60] _0 <- ([#"../05_pearlite.rs" 52 58 52 60] ()); return _0 } 
@@ -143,26 +142,26 @@ end module C05Pearlite_Caller use prelude.UInt32 use map.Map - use prelude.Ghost + use prelude.Snapshot use prelude.Int - val pearlite_closure0 [#"../05_pearlite.rs" 52 0 52 54] (_x : Ghost.ghost_ty (Map.map uint32 bool)) : () - use prelude.Ghost + val pearlite_closure0 [#"../05_pearlite.rs" 52 0 52 57] (_x : Snapshot.snap_ty (Map.map uint32 bool)) : () + use prelude.Snapshot use prelude.Mapping let rec cfg caller [#"../05_pearlite.rs" 54 0 54 15] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var _1 : (); - var _2 : Ghost.ghost_ty (Map.map uint32 bool); + var _2 : Snapshot.snap_ty (Map.map uint32 bool); { goto BB0 } BB0 { - [#"../05_pearlite.rs" 55 21 55 38] _2 <- ([#"../05_pearlite.rs" 55 21 55 38] Ghost.new (Mapping.from_fn (fun (_a : uint32) -> true))); + [#"../05_pearlite.rs" 55 21 55 44] _2 <- ([#"../05_pearlite.rs" 55 21 55 44] Snapshot.new (Mapping.from_fn (fun (_a : uint32) -> true))); goto BB1 } BB1 { - [#"../05_pearlite.rs" 55 4 55 39] _1 <- ([#"../05_pearlite.rs" 55 4 55 39] pearlite_closure0 _2); - _2 <- any Ghost.ghost_ty (Map.map uint32 bool); + [#"../05_pearlite.rs" 55 4 55 45] _1 <- ([#"../05_pearlite.rs" 55 4 55 45] pearlite_closure0 _2); + _2 <- any Snapshot.snap_ty (Map.map uint32 bool); goto BB2 } BB2 { @@ -194,12 +193,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
diff --git a/creusot/tests/should_succeed/syntax/05_pearlite.rs b/creusot/tests/should_succeed/syntax/05_pearlite.rs
index 4fb2ab7010..5a9a7612f9 100644
--- a/creusot/tests/should_succeed/syntax/05_pearlite.rs
+++ b/creusot/tests/should_succeed/syntax/05_pearlite.rs
@@ -46,13 +46,13 @@ pub fn field1_is_true(x: B) -> bool {
}
pub fn ghost_closure() {
- let _x = gh! { |a : u32| a };
+ let _x = snapshot! { |a : u32| a };
}
-pub fn pearlite_closure(_x: Ghost>) {}
+pub fn pearlite_closure(_x: Snapshot>) {}
pub fn caller() {
- pearlite_closure(gh! { |_a| true });
+ pearlite_closure(snapshot! { |_a| true });
}
// Implicit logical reborrows
@@ -61,20 +61,20 @@ pub struct S {}
impl S {
#[open]
- #[ghost]
+ #[logic]
pub fn x(&mut self) -> bool {
true
}
}
#[open]
-#[ghost]
+#[logic]
pub fn proj(x: &mut (S, S)) -> bool {
x.0.x()
}
#[open]
-#[ghost]
+#[logic]
pub fn proj2(x: &mut &mut (S, S)) -> bool {
x.0.x()
}
@@ -82,43 +82,43 @@ pub fn proj2(x: &mut &mut (S, S)) -> bool {
// Unnesting through an index projection
#[open(self)]
-#[ghost]
+#[logic]
pub fn reborrow_index_projection<'a, 'b, T>(a: &'a mut &'b mut [T]) -> &'a mut T {
&mut a[0]
}
#[open(self)]
-#[ghost]
+#[logic]
pub fn reborrow_index_projection2<'a, 'b, T>(a: &'a &'b [T]) -> &'a T {
&a[0]
}
#[open(self)]
-#[ghost]
-pub fn test3<'a, T>(a: Ghost<&'a mut Vec>) -> &'a mut T {
+#[logic]
+pub fn test3<'a, T>(a: Snapshot<&'a mut Vec>) -> &'a mut T {
&mut a[0]
}
#[open(self)]
-#[ghost]
-pub fn test4<'a, T>(a: &'a mut Ghost>) -> &'a mut T {
+#[logic]
+pub fn test4<'a, T>(a: &'a mut Snapshot>) -> &'a mut T {
&mut a[0]
}
#[open(self)]
-#[ghost]
+#[logic]
pub fn test5<'a, T>(a: &'a mut &mut &mut Vec) -> &'a mut T {
&mut a[0]
}
#[open(self)]
-#[ghost]
+#[logic]
pub fn test6<'a>(a: &'a mut &&mut u32) -> &'a mut u32 {
&mut ***a
}
// Left out until I understand the semantics of `Deref` patterns.
-// #[ghost]
+// #[logic]
// pub fn proj_opt(x : &mut Option) -> bool {
// match x {
// Some(a) => a.x(),
diff --git a/creusot/tests/should_succeed/syntax/06_logic_function_contracts.mlcfg b/creusot/tests/should_succeed/syntax/06_logic_function_contracts.mlcfg index 43b989b7cc..d724bcec3c 100644 --- a/creusot/tests/should_succeed/syntax/06_logic_function_contracts.mlcfg +++ b/creusot/tests/should_succeed/syntax/06_logic_function_contracts.mlcfg @@ -6,15 +6,12 @@ module C06LogicFunctionContracts_Sum_Impl use prelude.Int use seq.Seq use seq.Seq - let rec ghost function sum [#"../06_logic_function_contracts.rs" 10 0 10 32] (seq : Seq.seq int) : int - variant {[#"../06_logic_function_contracts.rs" 9 10 9 19] Seq.length seq} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../06_logic_function_contracts.rs" 11 4 16 5] if pure {Seq.length seq = 0} then - 0 - else - Seq.get seq (Seq.length seq - 1) + sum (SeqExt.subsequence seq 0 (Seq.length seq - 1)) - + constant seq : Seq.seq int + function sum [#"../06_logic_function_contracts.rs" 10 0 10 32] (seq : Seq.seq int) : int + goal vc_sum : match Seq.length seq = 0 with + | True -> true + | False -> 0 <= ([#"../06_logic_function_contracts.rs" 9 10 9 19] Seq.length seq) /\ ([#"../06_logic_function_contracts.rs" 9 10 9 19] Seq.length (SeqExt.subsequence seq 0 (Seq.length seq - 1))) < ([#"../06_logic_function_contracts.rs" 9 10 9 19] Seq.length seq) + end end module C06LogicFunctionContracts_AllZero_Impl use seq_ext.SeqExt 
@@ -23,26 +20,28 @@ module C06LogicFunctionContracts_AllZero_Impl use prelude.Int use seq.Seq use seq.Seq - let rec ghost predicate all_zero [#"../06_logic_function_contracts.rs" 22 0 22 38] (seq : Seq.seq int) - variant {[#"../06_logic_function_contracts.rs" 21 10 21 19] Seq.length seq} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../06_logic_function_contracts.rs" 23 4 28 5] if pure {Seq.length seq = 0} then - true + constant seq : Seq.seq int + predicate all_zero [#"../06_logic_function_contracts.rs" 22 0 22 38] (seq : Seq.seq int) + goal vc_all_zero : match Seq.length seq = 0 with + | True -> true + | False -> if Seq.get seq (Seq.length seq - 1) = 0 then + 0 <= ([#"../06_logic_function_contracts.rs" 21 10 21 19] Seq.length seq) /\ ([#"../06_logic_function_contracts.rs" 21 10 21 19] Seq.length (SeqExt.subsequence seq 0 (Seq.length seq - 1))) < ([#"../06_logic_function_contracts.rs" 21 10 21 19] Seq.length seq) else - pure {Seq.get seq (Seq.length seq - 1) = 0} && all_zero (SeqExt.subsequence seq 0 (Seq.length seq - 1)) + true + end end module C06LogicFunctionContracts_Stupid_Impl type t use prelude.Int - let rec ghost predicate stupid [#"../06_logic_function_contracts.rs" 34 0 34 38] (x : t) (i : int) - variant {[#"../06_logic_function_contracts.rs" 33 10 33 11] i} - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../06_logic_function_contracts.rs" 35 4 43 5] if pure {i <= 0} then - true - else - if pure {x = x} then stupid x 0 else false - + constant x : t + constant i : int + predicate stupid [#"../06_logic_function_contracts.rs" 34 0 34 38] (x : t) (i : int) + goal vc_stupid : match i <= 0 with + | True -> true + | False -> match x = x with + | True -> 0 <= ([#"../06_logic_function_contracts.rs" 33 10 33 11] i) /\ ([#"../06_logic_function_contracts.rs" 33 10 33 11] 0) < ([#"../06_logic_function_contracts.rs" 33 10 33 11] i) + | False -> true + end + end end 
diff --git a/creusot/tests/should_succeed/syntax/06_logic_function_contracts.rs b/creusot/tests/should_succeed/syntax/06_logic_function_contracts.rs
index c50a5713e1..83e05c9327 100644
--- a/creusot/tests/should_succeed/syntax/06_logic_function_contracts.rs
+++ b/creusot/tests/should_succeed/syntax/06_logic_function_contracts.rs
@@ -5,7 +5,7 @@ use creusot_contracts::{
};
#[open]
-#[ghost]
+#[logic]
#[variant(seq.len())]
pub fn sum(seq: Seq) -> Int {
pearlite! {
diff --git a/creusot/tests/should_succeed/syntax/06_logic_function_contracts/why3session.xml b/creusot/tests/should_succeed/syntax/06_logic_function_contracts/why3session.xml
index 40beb9cd22..5e4ccbb6e1 100644
--- a/creusot/tests/should_succeed/syntax/06_logic_function_contracts/why3session.xml
+++ b/creusot/tests/should_succeed/syntax/06_logic_function_contracts/why3session.xml
@@ -1,23 +1,23 @@
+"https://www.why3.org/why3session.dtd"> - - + + - + - +
diff --git a/creusot/tests/should_succeed/syntax/06_logic_function_contracts/why3shapes.gz b/creusot/tests/should_succeed/syntax/06_logic_function_contracts/why3shapes.gz
index 11f34d98cb..5bd94da32e 100644
Binary files a/creusot/tests/should_succeed/syntax/06_logic_function_contracts/why3shapes.gz and b/creusot/tests/should_succeed/syntax/06_logic_function_contracts/why3shapes.gz differ
diff --git a/creusot/tests/should_succeed/syntax/07_extern_spec.mlcfg b/creusot/tests/should_succeed/syntax/07_extern_spec.mlcfg
index c1687a288a..bf420021a7 100644
--- a/creusot/tests/should_succeed/syntax/07_extern_spec.mlcfg
+++ b/creusot/tests/should_succeed/syntax/07_extern_spec.mlcfg
@@ -9,7 +9,7 @@ module C07ExternSpec_Impl0_Func goto BB0 } BB0 { - [#"../07_extern_spec.rs" 12 8 12 12] _0 <- ([#"../07_extern_spec.rs" 12 8 12 12] [#"../07_extern_spec.rs" 12 8 12 12] true); + [#"../07_extern_spec.rs" 12 8 12 12] _0 <- ([#"../07_extern_spec.rs" 12 8 12 12] true); return _0 }
diff --git a/creusot/tests/should_succeed/syntax/08_const.rs b/creusot/tests/should_succeed/syntax/08_const.rs
index 64a8d80210..97410d4ccb 100644
--- a/creusot/tests/should_succeed/syntax/08_const.rs
+++ b/creusot/tests/should_succeed/syntax/08_const.rs
@@ -2,7 +2,7 @@ extern crate creusot_contracts;
use creusot_contracts::{logic::Seq, *};
#[open]
-#[ghost]
+#[logic]
pub fn omg() -> Seq {
Seq::EMPTY
}
diff --git a/creusot/tests/should_succeed/syntax/10_mutual_rec_types.mlcfg b/creusot/tests/should_succeed/syntax/10_mutual_rec_types.mlcfg
index 215afe36ae..6e05b7b0e9 100644
--- a/creusot/tests/should_succeed/syntax/10_mutual_rec_types.mlcfg
+++ b/creusot/tests/should_succeed/syntax/10_mutual_rec_types.mlcfg
@@ -88,8 +88,10 @@ module C10MutualRecTypes_Impl0_Height ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 53 26 53 66] deep_model0 result >= deep_model0 self } ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 54 26 54 63] deep_model0 result >= deep_model0 other } ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 7 0 62 1] result = self \/ result = other } - ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 56 16 56 79] deep_model0 self <= deep_model0 other -> result = other } - ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 57 16 57 81] deep_model0 other < deep_model0 self -> result = self } + ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 56 16 56 79] deep_model0 self <= deep_model0 other + -> result = other } + ensures { [#"../../../../../creusot-contracts/src/std/cmp.rs" 57 16 57 81] deep_model0 other < deep_model0 self + -> result = self } ensures { inv0 result } use C10MutualRecTypes_Node_Type as C10MutualRecTypes_Node_Type
@@ -117,8 +119,8 @@ module C10MutualRecTypes_Impl0_Height goto BB4 } BB2 { - [#"../10_mutual_rec_types.rs" 19 22 19 23] n <- ([#"../10_mutual_rec_types.rs" 19 22 19 23] Core_Option_Option_Type.some_0 (C10MutualRecTypes_Tree_Type.tree_0 self)); - [#"../10_mutual_rec_types.rs" 19 29 19 44] _5 <- ([#"../10_mutual_rec_types.rs" 19 29 19 44] height ([#"../10_mutual_rec_types.rs" 19 29 19 35] C10MutualRecTypes_Node_Type.node_left n)); + [#"../10_mutual_rec_types.rs" 19 22 19 23] n <- Core_Option_Option_Type.some_0 (C10MutualRecTypes_Tree_Type.tree_0 self); + [#"../10_mutual_rec_types.rs" 19 29 19 44] _5 <- ([#"../10_mutual_rec_types.rs" 19 29 19 44] height (C10MutualRecTypes_Node_Type.node_left n)); goto BB5 } BB3 { @@ -126,11 +128,11 @@ module C10MutualRecTypes_Impl0_Height absurd } BB4 { - [#"../10_mutual_rec_types.rs" 18 26 18 27] _0 <- ([#"../10_mutual_rec_types.rs" 18 26 18 27] [#"../10_mutual_rec_types.rs" 18 26 18 27] (0 : uint64)); + [#"../10_mutual_rec_types.rs" 18 26 18 27] _0 <- ([#"../10_mutual_rec_types.rs" 18 26 18 27] (0 : uint64)); goto BB8 } BB5 { - [#"../10_mutual_rec_types.rs" 19 49 19 65] _7 <- ([#"../10_mutual_rec_types.rs" 19 49 19 65] height ([#"../10_mutual_rec_types.rs" 19 49 19 56] C10MutualRecTypes_Node_Type.node_right n)); + [#"../10_mutual_rec_types.rs" 19 49 19 65] _7 <- ([#"../10_mutual_rec_types.rs" 19 49 19 65] height (C10MutualRecTypes_Node_Type.node_right n)); goto BB6 } BB6 { @@ -140,7 +142,7 @@ module C10MutualRecTypes_Impl0_Height goto BB7 } BB7 { - [#"../10_mutual_rec_types.rs" 19 29 19 70] _0 <- ([#"../10_mutual_rec_types.rs" 19 29 19 70] _4 + ([#"../10_mutual_rec_types.rs" 19 69 19 70] [#"../10_mutual_rec_types.rs" 19 69 19 70] (1 : uint64))); + [#"../10_mutual_rec_types.rs" 19 29 19 70] _0 <- _4 + ([#"../10_mutual_rec_types.rs" 19 69 19 70] (1 : uint64)); _4 <- any uint64; goto BB8 } 
diff --git a/creusot/tests/should_succeed/syntax/11_array_types.mlcfg b/creusot/tests/should_succeed/syntax/11_array_types.mlcfg index 395084c784..b1c5968fc3 100644 --- a/creusot/tests/should_succeed/syntax/11_array_types.mlcfg +++ b/creusot/tests/should_succeed/syntax/11_array_types.mlcfg @@ -36,18 +36,20 @@ module C11ArrayTypes_Omg var _0 : (); var x : C11ArrayTypes_UsesArray_Type.t_usesarray = x; var _3 : usize; + var _4 : usize; var _5 : bool; { goto BB0 } BB0 { - [#"../11_array_types.rs" 9 8 9 9] _3 <- ([#"../11_array_types.rs" 9 8 9 9] [#"../11_array_types.rs" 9 8 9 9] (0 : usize)); - [#"../11_array_types.rs" 9 4 9 10] _5 <- ([#"../11_array_types.rs" 9 4 9 10] _3 < ([#"../11_array_types.rs" 9 4 9 10] Slice.length (C11ArrayTypes_UsesArray_Type.usesarray_0 x))); + [#"../11_array_types.rs" 9 8 9 9] _3 <- ([#"../11_array_types.rs" 9 8 9 9] (0 : usize)); + [#"../11_array_types.rs" 9 4 9 10] _4 <- Slice.length (C11ArrayTypes_UsesArray_Type.usesarray_0 x); + [#"../11_array_types.rs" 9 4 9 10] _5 <- _3 < _4; assert { [@expl:index in bounds] [#"../11_array_types.rs" 9 4 9 10] _5 }; goto BB1 } BB1 { - [#"../11_array_types.rs" 9 4 9 14] x <- (let C11ArrayTypes_UsesArray_Type.C_UsesArray x0 = x in C11ArrayTypes_UsesArray_Type.C_UsesArray (Slice.set (C11ArrayTypes_UsesArray_Type.usesarray_0 x) _3 ([#"../11_array_types.rs" 9 4 9 14] [#"../11_array_types.rs" 9 13 9 14] (5 : int64)))); + [#"../11_array_types.rs" 9 4 9 14] x <- (let C11ArrayTypes_UsesArray_Type.C_UsesArray x0 = x in C11ArrayTypes_UsesArray_Type.C_UsesArray (Slice.set (C11ArrayTypes_UsesArray_Type.usesarray_0 x) _3 ([#"../11_array_types.rs" 9 13 9 14] (5 : int64)))); assert { [@expl:assertion] [#"../11_array_types.rs" 11 20 11 32] Int64.to_int (index_logic0 (C11ArrayTypes_UsesArray_Type.usesarray_0 x) 0) = 5 }; [#"../11_array_types.rs" 8 29 12 1] _0 <- ([#"../11_array_types.rs" 8 29 12 1] ()); return _0 
@@ -72,12 +74,15 @@ module C11ArrayTypes_CallOmg = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var arr : array int64; + var _2 : C11ArrayTypes_UsesArray_Type.t_usesarray; { goto BB0 } BB0 { - [#"../11_array_types.rs" 15 14 15 24] arr <- ([#"../11_array_types.rs" 15 14 15 24] Slice.create ([#"../11_array_types.rs" 15 14 15 24] [#"../11_array_types.rs" 15 14 15 24] (5 : usize)) (fun _ -> [#"../11_array_types.rs" 15 15 15 20] [#"../11_array_types.rs" 15 15 15 20] (3 : int64))); - [#"../11_array_types.rs" 16 4 16 23] _0 <- ([#"../11_array_types.rs" 16 4 16 23] omg0 ([#"../11_array_types.rs" 16 8 16 22] C11ArrayTypes_UsesArray_Type.C_UsesArray ([#"../11_array_types.rs" 16 18 16 21] arr))); + [#"../11_array_types.rs" 15 14 15 24] arr <- Slice.create ([#"../11_array_types.rs" 15 14 15 24] (5 : usize)) (fun _ -> [#"../11_array_types.rs" 15 15 15 20] (3 : int64)); + [#"../11_array_types.rs" 16 8 16 22] _2 <- C11ArrayTypes_UsesArray_Type.C_UsesArray arr; + [#"../11_array_types.rs" 16 4 16 23] _0 <- ([#"../11_array_types.rs" 16 4 16 23] omg0 _2); + _2 <- any C11ArrayTypes_UsesArray_Type.t_usesarray; goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/syntax/11_array_types/why3session.xml b/creusot/tests/should_succeed/syntax/11_array_types/why3session.xml index 6e22e2d924..dd4d2d99d3 100644 --- a/creusot/tests/should_succeed/syntax/11_array_types/why3session.xml +++ b/creusot/tests/should_succeed/syntax/11_array_types/why3session.xml @@ -7,12 +7,12 @@ - + - + diff --git a/creusot/tests/should_succeed/syntax/11_array_types/why3shapes.gz b/creusot/tests/should_succeed/syntax/11_array_types/why3shapes.gz index 7bdaf6147c..725cf157bd 100644 Binary files a/creusot/tests/should_succeed/syntax/11_array_types/why3shapes.gz and b/creusot/tests/should_succeed/syntax/11_array_types/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/syntax/12_ghost_code.mlcfg b/creusot/tests/should_succeed/syntax/12_ghost_code.mlcfg index 2d0655518f..eb0d5386e3 100644 
--- a/creusot/tests/should_succeed/syntax/12_ghost_code.mlcfg +++ b/creusot/tests/should_succeed/syntax/12_ghost_code.mlcfg @@ -2,24 +2,24 @@ module C12GhostCode_GhostArg use prelude.UInt32 use prelude.Int - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - let rec cfg ghost_arg [#"../12_ghost_code.rs" 4 0 4 31] [@cfg:stackify] [@cfg:subregion_analysis] (g : Ghost.ghost_ty uint32) : () + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + let rec cfg ghost_arg [#"../12_ghost_code.rs" 4 0 4 34] [@cfg:stackify] [@cfg:subregion_analysis] (g : Snapshot.snap_ty uint32) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); - var g : Ghost.ghost_ty uint32 = g; - var _x : Ghost.ghost_ty uint32; + var g : Snapshot.snap_ty uint32 = g; + var _x : Snapshot.snap_ty uint32; { goto BB0 } BB0 { - [#"../12_ghost_code.rs" 5 25 5 35] _x <- ([#"../12_ghost_code.rs" 5 25 5 35] Ghost.new (Ghost.inner g)); + [#"../12_ghost_code.rs" 5 28 5 44] _x <- ([#"../12_ghost_code.rs" 5 28 5 44] Snapshot.new (Snapshot.inner g)); goto BB1 } BB1 { - [#"../12_ghost_code.rs" 4 32 6 1] _0 <- ([#"../12_ghost_code.rs" 4 32 6 1] ()); + [#"../12_ghost_code.rs" 4 35 6 1] _0 <- ([#"../12_ghost_code.rs" 4 35 6 1] ()); return _0 } @@ -42,12 +42,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
@@ -93,15 +99,16 @@ module C12GhostCode_GhostVec requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = invariant0 self } axiom inv0 : forall x : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . inv0 x = true - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot predicate resolve1 (self : uint32) = [#"../../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true val resolve1 (self : uint32) : bool 
@@ -116,7 +123,8 @@ module C12GhostCode_GhostVec ensures { result = index_logic0 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve1 (index_logic0 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve1 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } @@ -128,17 +136,17 @@ module C12GhostCode_GhostVec = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var x : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global); - var _s : Ghost.ghost_ty (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)); + var _s : Snapshot.snap_ty (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)); { goto BB0 } BB0 { - [#"../12_ghost_code.rs" 9 22 9 32] x <- ([#"../12_ghost_code.rs" 9 22 9 32] new0 ()); + [#"../12_ghost_code.rs" 9 22 9 32] x <- ([#"../12_ghost_code.rs" 9 22 9 32] new0 ([#"../12_ghost_code.rs" 9 22 9 32] ())); goto BB1 } BB1 { assume { resolve0 x }; - [#"../12_ghost_code.rs" 10 32 10 41] _s <- ([#"../12_ghost_code.rs" 10 32 10 41] Ghost.new x); + [#"../12_ghost_code.rs" 10 35 10 50] _s <- ([#"../12_ghost_code.rs" 10 35 10 50] Snapshot.new x); goto BB2 } BB2 { @@ -153,9 +161,9 @@ end module C12GhostCode_GhostCopy use prelude.Int32 use seq.Seq - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot use seq.Seq use seq.Seq use prelude.Int 
@@ -163,23 +171,23 @@ module C12GhostCode_GhostCopy = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var a : int32; - var _s : Ghost.ghost_ty (Seq.seq int32); - var _4 : Ghost.ghost_ty (Seq.seq int32); + var _s : Snapshot.snap_ty (Seq.seq int32); + var _4 : Snapshot.snap_ty (Seq.seq int32); { goto BB0 } BB0 { - [#"../12_ghost_code.rs" 18 12 18 13] a <- ([#"../12_ghost_code.rs" 18 12 18 13] [#"../12_ghost_code.rs" 18 12 18 13] (0 : int32)); - [#"../12_ghost_code.rs" 19 17 19 46] _s <- ([#"../12_ghost_code.rs" 19 17 19 46] Ghost.new (Seq.snoc (Seq.empty ) (0 : int32))); + [#"../12_ghost_code.rs" 18 12 18 13] a <- ([#"../12_ghost_code.rs" 18 12 18 13] (0 : int32)); + [#"../12_ghost_code.rs" 19 17 19 52] _s <- ([#"../12_ghost_code.rs" 19 17 19 52] Snapshot.new (Seq.snoc (Seq.empty ) (0 : int32))); goto BB1 } BB1 { - [#"../12_ghost_code.rs" 20 9 20 27] _4 <- ([#"../12_ghost_code.rs" 20 9 20 27] Ghost.new (Seq.snoc (Ghost.inner _s) a)); + [#"../12_ghost_code.rs" 20 9 20 33] _4 <- ([#"../12_ghost_code.rs" 20 9 20 33] Snapshot.new (Seq.snoc (Snapshot.inner _s) a)); goto BB2 } BB2 { - [#"../12_ghost_code.rs" 20 4 20 27] _s <- ([#"../12_ghost_code.rs" 20 4 20 27] _4); - [#"../12_ghost_code.rs" 20 4 20 27] _4 <- any Ghost.ghost_ty (Seq.seq int32); + [#"../12_ghost_code.rs" 20 4 20 33] _s <- _4; + _4 <- any Snapshot.snap_ty (Seq.seq int32); [#"../12_ghost_code.rs" 17 20 21 1] _0 <- ([#"../12_ghost_code.rs" 17 20 21 1] ()); return _0 } @@ -188,8 +196,8 @@ end module C12GhostCode_GhostIsCopy use prelude.Int32 use prelude.Borrow - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot predicate resolve0 (self : borrowed int32) = [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve0 (self : borrowed int32) : bool 
@@ -201,23 +209,23 @@ module C12GhostCode_GhostIsCopy var _0 : (); var x : int32; var r : borrowed int32; - var g : Ghost.ghost_ty (borrowed int32); - var g1 : Ghost.ghost_ty (borrowed int32); - var g2 : Ghost.ghost_ty (borrowed int32); + var g : Snapshot.snap_ty (borrowed int32); + var g1 : Snapshot.snap_ty (borrowed int32); + var g2 : Snapshot.snap_ty (borrowed int32); { goto BB0 } BB0 { - [#"../12_ghost_code.rs" 24 16 24 17] x <- ([#"../12_ghost_code.rs" 24 16 24 17] [#"../12_ghost_code.rs" 24 16 24 17] (0 : int32)); + [#"../12_ghost_code.rs" 24 16 24 17] x <- ([#"../12_ghost_code.rs" 24 16 24 17] (0 : int32)); [#"../12_ghost_code.rs" 25 12 25 18] r <- Borrow.borrow_mut x; [#"../12_ghost_code.rs" 25 12 25 18] x <- ^ r; assume { resolve0 r }; - [#"../12_ghost_code.rs" 26 12 26 21] g <- ([#"../12_ghost_code.rs" 26 12 26 21] Ghost.new r); + [#"../12_ghost_code.rs" 26 12 26 27] g <- ([#"../12_ghost_code.rs" 26 12 26 27] Snapshot.new r); goto BB1 } BB1 { - [#"../12_ghost_code.rs" 27 13 27 14] g1 <- ([#"../12_ghost_code.rs" 27 13 27 14] g); - [#"../12_ghost_code.rs" 28 13 28 14] g2 <- ([#"../12_ghost_code.rs" 28 13 28 14] g); + [#"../12_ghost_code.rs" 27 13 27 14] g1 <- g; + [#"../12_ghost_code.rs" 28 13 28 14] g2 <- g; assert { [@expl:assertion] [#"../12_ghost_code.rs" 29 18 29 26] g1 = g2 }; [#"../12_ghost_code.rs" 23 23 30 1] _0 <- ([#"../12_ghost_code.rs" 23 23 30 1] ()); return _0 
@@ -285,14 +293,15 @@ module C12GhostCode_GhostCheck requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv4 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = invariant0 self } axiom inv0 : forall x : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . inv0 x = true - use prelude.Ghost + use prelude.Snapshot predicate resolve1 (self : int32) = [#"../../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true val resolve1 (self : int32) : bool 
@@ -307,7 +316,8 @@ module C12GhostCode_GhostCheck ensures { result = index_logic0 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve1 (index_logic0 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve1 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } @@ -333,7 +343,7 @@ module C12GhostCode_GhostCheck requires {inv2 value} ensures { [#"../../../../../creusot-contracts/src/std/vec.rs" 78 26 78 51] shallow_model0 ( ^ self) = Seq.snoc (shallow_model1 self) value } - use prelude.Ghost + use prelude.Snapshot function logi_drop0 [#"../12_ghost_code.rs" 33 0 33 21] (_1 : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : () = 
@@ -349,35 +359,38 @@ module C12GhostCode_GhostCheck = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var x : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global); - var _2 : Ghost.ghost_ty (); + var _2 : Snapshot.snap_ty (); var _4 : (); var _5 : borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); + var _7 : bool; var _8 : usize; { goto BB0 } BB0 { - [#"../12_ghost_code.rs" 36 16 36 26] x <- ([#"../12_ghost_code.rs" 36 16 36 26] new0 ()); + [#"../12_ghost_code.rs" 36 16 36 26] x <- ([#"../12_ghost_code.rs" 36 16 36 26] new0 ([#"../12_ghost_code.rs" 36 16 36 26] ())); goto BB1 } BB1 { - [#"../12_ghost_code.rs" 39 4 39 25] _2 <- ([#"../12_ghost_code.rs" 39 4 39 25] Ghost.new (let _ = logi_drop0 x in ())); + [#"../12_ghost_code.rs" 39 4 39 31] _2 <- ([#"../12_ghost_code.rs" 39 4 39 31] Snapshot.new (let _ = logi_drop0 x in ())); goto BB2 } BB2 { [#"../12_ghost_code.rs" 41 4 41 5] _5 <- Borrow.borrow_mut x; [#"../12_ghost_code.rs" 41 4 41 5] x <- ^ _5; - [#"../12_ghost_code.rs" 41 4 41 13] _4 <- ([#"../12_ghost_code.rs" 41 4 41 13] push0 _5 ([#"../12_ghost_code.rs" 41 11 41 12] [#"../12_ghost_code.rs" 41 11 41 12] (0 : int32))); + [#"../12_ghost_code.rs" 41 4 41 13] _4 <- ([#"../12_ghost_code.rs" 41 4 41 13] push0 _5 ([#"../12_ghost_code.rs" 41 11 41 12] (0 : int32))); _5 <- any borrowed (Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)); goto BB3 } BB3 { - [#"../12_ghost_code.rs" 43 12 43 19] _8 <- ([#"../12_ghost_code.rs" 43 12 43 19] len0 ([#"../12_ghost_code.rs" 43 12 43 13] x)); + [#"../12_ghost_code.rs" 43 12 43 19] _8 <- ([#"../12_ghost_code.rs" 43 12 43 19] len0 x); goto BB4 } BB4 { assume { resolve0 x }; - switch ([#"../12_ghost_code.rs" 43 12 43 24] _8 = ([#"../12_ghost_code.rs" 43 23 43 24] [#"../12_ghost_code.rs" 43 23 43 24] (1 : usize))) + [#"../12_ghost_code.rs" 43 12 43 24] _7 <- _8 = ([#"../12_ghost_code.rs" 43 23 43 24] (1 : usize)); + _8 <- any usize; + switch (_7) | False -> goto BB6 | True -> 
goto BB5 end @@ -397,16 +410,16 @@ module C12GhostCode_GhostCheck end module C12GhostCode_MyStruct_Type use prelude.UInt32 - use prelude.Ghost + use prelude.Snapshot use prelude.Int type t_mystruct = - | C_MyStruct uint32 (Ghost.ghost_ty uint32) + | C_MyStruct uint32 (Snapshot.snap_ty uint32) let function mystruct_f (self : t_mystruct) : uint32 = [@vc:do_not_keep_trace] [@vc:sp] match self with | C_MyStruct a _ -> a end - let function mystruct_g (self : t_mystruct) : Ghost.ghost_ty uint32 = [@vc:do_not_keep_trace] [@vc:sp] + let function mystruct_g (self : t_mystruct) : Snapshot.snap_ty uint32 = [@vc:do_not_keep_trace] [@vc:sp] match self with | C_MyStruct _ a -> a end @@ -421,15 +434,15 @@ module C12GhostCode_TakesStruct val shallow_model1 (self : uint32) : int ensures { result = shallow_model1 self } - use prelude.Ghost - use prelude.Ghost - function shallow_model0 (self : Ghost.ghost_ty uint32) : int = - [#"../../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model1 (Ghost.inner self) - val shallow_model0 (self : Ghost.ghost_ty uint32) : int + use prelude.Snapshot + use prelude.Snapshot + function shallow_model0 (self : Snapshot.snap_ty uint32) : int = + [#"../../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model1 (Snapshot.inner self) + val shallow_model0 (self : Snapshot.snap_ty uint32) : int ensures { result = shallow_model0 self } use prelude.Int - use prelude.Ghost + use prelude.Snapshot use C12GhostCode_MyStruct_Type as C12GhostCode_MyStruct_Type let rec cfg takes_struct [#"../12_ghost_code.rs" 52 0 52 36] [@cfg:stackify] [@cfg:subregion_analysis] (x : C12GhostCode_MyStruct_Type.t_mystruct) : () requires {[#"../12_ghost_code.rs" 51 11 51 20] shallow_model0 (C12GhostCode_MyStruct_Type.mystruct_g x) = 0} 
@@ -437,17 +450,17 @@ module C12GhostCode_TakesStruct = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var x : C12GhostCode_MyStruct_Type.t_mystruct = x; - var _3 : Ghost.ghost_ty uint32; + var _3 : Snapshot.snap_ty uint32; { goto BB0 } BB0 { - [#"../12_ghost_code.rs" 53 10 53 21] _3 <- ([#"../12_ghost_code.rs" 53 10 53 21] Ghost.new (C12GhostCode_MyStruct_Type.mystruct_f x)); + [#"../12_ghost_code.rs" 53 10 53 27] _3 <- ([#"../12_ghost_code.rs" 53 10 53 27] Snapshot.new (C12GhostCode_MyStruct_Type.mystruct_f x)); goto BB1 } BB1 { - [#"../12_ghost_code.rs" 53 4 53 21] x <- (let C12GhostCode_MyStruct_Type.C_MyStruct x0 x1 = x in C12GhostCode_MyStruct_Type.C_MyStruct x0 ([#"../12_ghost_code.rs" 53 4 53 21] _3)); - [#"../12_ghost_code.rs" 53 4 53 21] _3 <- any Ghost.ghost_ty uint32; + [#"../12_ghost_code.rs" 53 4 53 27] x <- (let C12GhostCode_MyStruct_Type.C_MyStruct x0 x1 = x in C12GhostCode_MyStruct_Type.C_MyStruct x0 _3); + _3 <- any Snapshot.snap_ty uint32; [#"../12_ghost_code.rs" 52 37 54 1] _0 <- ([#"../12_ghost_code.rs" 52 37 54 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/syntax/12_ghost_code.rs b/creusot/tests/should_succeed/syntax/12_ghost_code.rs index a4dfc8143b..206fed9302 100644 --- a/creusot/tests/should_succeed/syntax/12_ghost_code.rs +++ b/creusot/tests/should_succeed/syntax/12_ghost_code.rs 
@@ -1,42 +1,42 @@ extern crate creusot_contracts; use creusot_contracts::{logic::Seq, *}; -pub fn ghost_arg(g: Ghost) { - let _x: Ghost = gh! { *g }; +pub fn ghost_arg(g: Snapshot) { + let _x: Snapshot = snapshot! { *g }; } pub fn ghost_vec() { let x: Vec = Vec::new(); - let mut _s: Ghost> = gh! { x }; + let mut _s: Snapshot> = snapshot! { x }; } #[open] -#[ghost] +#[logic] pub fn omg() {} pub fn ghost_copy() { let a = 0; - let mut _s = gh! { Seq::EMPTY.push(0i32) }; - _s = gh! { _s.push(a) }; + let mut _s = snapshot! { Seq::EMPTY.push(0i32) }; + _s = snapshot! { _s.push(a) }; } pub fn ghost_is_copy() { let mut x = 0; let r = &mut x; - let g = gh! { r }; + let g = snapshot! { r }; let g1 = g; let g2 = g; proof_assert!(g1 == g2); } -#[ghost] +#[logic] fn logi_drop(_: T) {} pub fn ghost_check() { let mut x = Vec::new(); // We ghost capture the value and then drop it without affecting program - gh! { logi_drop(x); }; + snapshot! { logi_drop(x); }; x.push(0); @@ -45,10 +45,10 @@ pub fn ghost_check() { pub struct MyStruct { f: u32, - g: Ghost, + g: Snapshot, } #[requires(x.g@ == 0)] pub fn takes_struct(mut x: MyStruct) { - x.g = gh! { x.f }; + x.g = snapshot! { x.f }; } diff --git a/creusot/tests/should_succeed/syntax/12_ghost_code/why3shapes.gz b/creusot/tests/should_succeed/syntax/12_ghost_code/why3shapes.gz index 4d445d9041..ee4613588c 100644 Binary files a/creusot/tests/should_succeed/syntax/12_ghost_code/why3shapes.gz and b/creusot/tests/should_succeed/syntax/12_ghost_code/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/syntax/13_vec_macro.mlcfg b/creusot/tests/should_succeed/syntax/13_vec_macro.mlcfg index 98f6021c4d..738ef3bc83 100644 --- a/creusot/tests/should_succeed/syntax/13_vec_macro.mlcfg +++ b/creusot/tests/should_succeed/syntax/13_vec_macro.mlcfg 
@@ -17,12 +17,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type @@ -95,7 +101,8 @@ module C13VecMacro_X requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv4 (shallow_model1 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -133,7 +140,8 @@ module C13VecMacro_X requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv1 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -146,7 +154,8 @@ module C13VecMacro_X requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : slice int32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv4 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model4 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : slice int32 . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv4 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model4 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) function shallow_model3 (self : slice int32) : Seq.seq int32 = [#"../../../../../creusot-contracts/src/std/boxed.rs" 20 8 20 31] shallow_model4 self val shallow_model3 (self : slice int32) : Seq.seq int32 @@ -158,7 +167,7 @@ module C13VecMacro_X ensures { inv3 result } predicate resolve3 (self : int32) = - [#"../../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true + [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve3 (self : int32) : bool ensures { result = resolve3 self } 
@@ -171,18 +180,20 @@ module C13VecMacro_X ensures { result = index_logic1 self ix } predicate resolve1 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) -> resolve3 (index_logic1 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) + -> resolve3 (index_logic1 self i) val resolve1 (self : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve1 self } val from_elem0 (elem : int32) (n : usize) : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global) requires {inv2 elem} ensures { [#"../../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model1 result) = UIntSize.to_int n } - ensures { [#"../../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic1 result i = elem } + ensures { [#"../../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n + -> index_logic1 result i = elem } ensures { inv3 result } predicate resolve2 (self : uint32) = - [#"../../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true + [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve2 (self : uint32) : bool ensures { result = resolve2 self } 
@@ -195,7 +206,8 @@ module C13VecMacro_X ensures { result = index_logic0 self ix } predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve2 (index_logic0 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve2 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } @@ -209,11 +221,12 @@ module C13VecMacro_X var v0 : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global); var v1 : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global); var v2 : Alloc_Vec_Vec_Type.t_vec int32 (Alloc_Alloc_Global_Type.t_global); + var _10 : array int32; { goto BB0 } BB0 { - [#"../../../../../creusot-contracts/src/lib.rs" 193 8 193 30] v0 <- ([#"../13_vec_macro.rs" 6 23 6 29] new0 ()); + [#"../13_vec_macro.rs" 6 23 6 29] v0 <- ([#"../13_vec_macro.rs" 6 23 6 29] new0 ([#"../../../../../creusot-contracts/src/lib.rs" 290 8 290 30] ())); goto BB1 } BB1 { @@ -222,7 +235,7 @@ module C13VecMacro_X goto BB2 } BB2 { - [#"../../../../../creusot-contracts/src/lib.rs" 196 8 196 40] v1 <- ([#"../13_vec_macro.rs" 9 13 9 23] from_elem0 ([#"../13_vec_macro.rs" 9 18 9 19] [#"../13_vec_macro.rs" 9 18 9 19] (0 : int32)) ([#"../13_vec_macro.rs" 9 21 9 22] [#"../13_vec_macro.rs" 9 21 9 22] (2 : usize))); + [#"../13_vec_macro.rs" 9 13 9 23] v1 <- ([#"../13_vec_macro.rs" 9 13 9 23] from_elem0 ([#"../13_vec_macro.rs" 9 18 9 19] (0 : int32)) ([#"../13_vec_macro.rs" 9 21 9 22] (2 : usize))); goto BB3 } BB3 { 
@@ -231,13 +244,15 @@ module C13VecMacro_X goto BB4 } BB4 { + [#"../../../../../creusot-contracts/src/lib.rs" 296 47 296 56] _10 <- (let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = ([#"../13_vec_macro.rs" 12 18 12 19] (1 : int32))}; assume {Seq.get (__arr_temp.elts) 1 = ([#"../13_vec_macro.rs" 12 21 12 22] (2 : int32))}; assume {Seq.get (__arr_temp.elts) 2 = ([#"../13_vec_macro.rs" 12 24 12 25] (3 : int32))}; assume {Slice.length __arr_temp = 3}; __arr_temp); goto BB5 } BB5 { goto BB6 } BB6 { - [#"../../../../../creusot-contracts/src/lib.rs" 199 8 199 58] v2 <- ([#"../13_vec_macro.rs" 12 13 12 26] into_vec0 ([#"../../../../../creusot-contracts/src/lib.rs" 199 47 199 56] let __arr_temp = any array int32 in assume {Seq.get (__arr_temp.elts) 0 = ([#"../13_vec_macro.rs" 12 18 12 19] [#"../13_vec_macro.rs" 12 18 12 19] (1 : int32))}; assume {Seq.get (__arr_temp.elts) 1 = ([#"../13_vec_macro.rs" 12 21 12 22] [#"../13_vec_macro.rs" 12 21 12 22] (2 : int32))}; assume {Seq.get (__arr_temp.elts) 2 = ([#"../13_vec_macro.rs" 12 24 12 25] [#"../13_vec_macro.rs" 12 24 12 25] (3 : int32))}; assume {Slice.length __arr_temp = 3}; __arr_temp)); + [#"../13_vec_macro.rs" 12 13 12 26] v2 <- ([#"../13_vec_macro.rs" 12 13 12 26] into_vec0 _10); + _10 <- any array int32; goto BB7 } BB7 { diff --git a/creusot/tests/should_succeed/syntax/13_vec_macro/why3shapes.gz b/creusot/tests/should_succeed/syntax/13_vec_macro/why3shapes.gz index b3e68613da..a8176c822f 100644 Binary files a/creusot/tests/should_succeed/syntax/13_vec_macro/why3shapes.gz and b/creusot/tests/should_succeed/syntax/13_vec_macro/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/syntax/14_const_fns.mlcfg b/creusot/tests/should_succeed/syntax/14_const_fns.mlcfg index cc11542340..748e49e9fd 100644 --- a/creusot/tests/should_succeed/syntax/14_const_fns.mlcfg +++ b/creusot/tests/should_succeed/syntax/14_const_fns.mlcfg 
@@ -13,7 +13,7 @@ module C14ConstFns_Omg goto BB0 } BB0 { - [#"../14_const_fns.rs" 6 4 6 9] _0 <- ([#"../14_const_fns.rs" 6 4 6 9] ([#"../14_const_fns.rs" 6 4 6 5] x) - ([#"../14_const_fns.rs" 6 8 6 9] [#"../14_const_fns.rs" 6 8 6 9] (1 : int32))); + [#"../14_const_fns.rs" 6 4 6 9] _0 <- x - ([#"../14_const_fns.rs" 6 8 6 9] (1 : int32)); return _0 } diff --git a/creusot/tests/should_succeed/syntax/derive_macros.mlcfg b/creusot/tests/should_succeed/syntax/derive_macros.mlcfg index 56bc2f9cf1..8d2fe3952a 100644 --- a/creusot/tests/should_succeed/syntax/derive_macros.mlcfg +++ b/creusot/tests/should_succeed/syntax/derive_macros.mlcfg 
@@ -109,23 +109,23 @@ module DeriveMacros_Impl2_Clone goto BB0 } BB0 { - [#"../derive_macros.rs" 10 4 10 8] _5 <- ([#"../derive_macros.rs" 10 4 10 8] DeriveMacros_Product_Type.product_a self); + [#"../derive_macros.rs" 10 4 10 8] _5 <- DeriveMacros_Product_Type.product_a self; assert { [@expl:type invariant] inv0 _5 }; assume { resolve0 _5 }; - [#"../derive_macros.rs" 10 4 10 8] _3 <- ([#"../derive_macros.rs" 10 4 10 8] clone0 ([#"../derive_macros.rs" 10 4 10 8] _5)); + [#"../derive_macros.rs" 10 4 10 8] _3 <- ([#"../derive_macros.rs" 10 4 10 8] clone0 _5); goto BB1 } BB1 { - [#"../derive_macros.rs" 11 4 11 8] _8 <- ([#"../derive_macros.rs" 11 4 11 8] DeriveMacros_Product_Type.product_b self); + [#"../derive_macros.rs" 11 4 11 8] _8 <- DeriveMacros_Product_Type.product_b self; assert { [@expl:type invariant] inv1 self }; assume { resolve1 self }; assert { [@expl:type invariant] inv2 _8 }; assume { resolve2 _8 }; - [#"../derive_macros.rs" 11 4 11 8] _6 <- ([#"../derive_macros.rs" 11 4 11 8] clone1 ([#"../derive_macros.rs" 11 4 11 8] _8)); + [#"../derive_macros.rs" 11 4 11 8] _6 <- ([#"../derive_macros.rs" 11 4 11 8] clone1 _8); goto BB2 } BB2 { - [#"../derive_macros.rs" 8 9 8 14] _0 <- ([#"../derive_macros.rs" 8 9 8 14] DeriveMacros_Product_Type.C_Product _3 _6); + [#"../derive_macros.rs" 8 9 8 14] _0 <- DeriveMacros_Product_Type.C_Product _3 _6; _3 <- any a; _6 <- any b; goto BB3 
@@ -242,10 +242,10 @@ module DeriveMacros_Impl3_Eq goto BB0 } BB0 { - [#"../derive_macros.rs" 10 4 10 8] _7 <- ([#"../derive_macros.rs" 10 4 10 8] DeriveMacros_Product_Type.product_a rhs); + [#"../derive_macros.rs" 10 4 10 8] _7 <- DeriveMacros_Product_Type.product_a rhs; assert { [@expl:type invariant] inv0 _7 }; assume { resolve0 _7 }; - [#"../derive_macros.rs" 10 4 10 8] _4 <- ([#"../derive_macros.rs" 10 4 10 8] eq0 ([#"../derive_macros.rs" 10 4 10 8] DeriveMacros_Product_Type.product_a self) ([#"../derive_macros.rs" 10 4 10 8] _7)); + [#"../derive_macros.rs" 10 4 10 8] _4 <- ([#"../derive_macros.rs" 10 4 10 8] eq0 (DeriveMacros_Product_Type.product_a self) _7); goto BB1 } BB1 { @@ -257,12 +257,12 @@ module DeriveMacros_Impl3_Eq BB2 { assert { [@expl:type invariant] inv1 self }; assume { resolve1 self }; - [#"../derive_macros.rs" 11 4 11 8] _10 <- ([#"../derive_macros.rs" 11 4 11 8] DeriveMacros_Product_Type.product_b rhs); + [#"../derive_macros.rs" 11 4 11 8] _10 <- DeriveMacros_Product_Type.product_b rhs; assert { [@expl:type invariant] inv1 rhs }; assume { resolve1 rhs }; assert { [@expl:type invariant] inv2 _10 }; assume { resolve2 _10 }; - [#"../derive_macros.rs" 11 4 11 8] _0 <- ([#"../derive_macros.rs" 11 4 11 8] eq1 ([#"../derive_macros.rs" 11 4 11 8] DeriveMacros_Product_Type.product_b self) ([#"../derive_macros.rs" 11 4 11 8] _10)); + [#"../derive_macros.rs" 11 4 11 8] _0 <- ([#"../derive_macros.rs" 11 4 11 8] eq1 (DeriveMacros_Product_Type.product_b self) _10); goto BB4 } BB3 { @@ -270,7 +270,7 @@ module DeriveMacros_Impl3_Eq assume { resolve1 rhs }; assert { [@expl:type invariant] inv1 self }; assume { resolve1 self }; - [#"../derive_macros.rs" 10 4 11 8] _0 <- ([#"../derive_macros.rs" 10 4 11 8] [#"../derive_macros.rs" 10 4 11 8] false); + [#"../derive_macros.rs" 10 4 11 8] _0 <- ([#"../derive_macros.rs" 10 4 11 8] false); goto BB5 } BB4 { 
@@ -431,13 +431,13 @@ module DeriveMacros_Impl4_Clone goto BB4 } BB2 { - [#"../derive_macros.rs" 28 9 28 14] v0_11 <- ([#"../derive_macros.rs" 28 9 28 14] DeriveMacros_Sum_Type.b_0 self); + [#"../derive_macros.rs" 28 9 28 14] v0_11 <- DeriveMacros_Sum_Type.b_0 self; assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../derive_macros.rs" 28 9 28 14] _11 <- ([#"../derive_macros.rs" 28 9 28 14] v0_11); + [#"../derive_macros.rs" 28 9 28 14] _11 <- v0_11; assert { [@expl:type invariant] inv3 _11 }; assume { resolve3 _11 }; - [#"../derive_macros.rs" 28 9 28 14] _9 <- ([#"../derive_macros.rs" 28 9 28 14] clone1 ([#"../derive_macros.rs" 28 9 28 14] _11)); + [#"../derive_macros.rs" 28 9 28 14] _9 <- ([#"../derive_macros.rs" 28 9 28 14] clone1 _11); goto BB7 } BB3 { @@ -447,19 +447,19 @@ module DeriveMacros_Impl4_Clone absurd } BB4 { - [#"../derive_macros.rs" 28 9 28 14] v0_1 <- ([#"../derive_macros.rs" 28 9 28 14] DeriveMacros_Sum_Type.a_0 self); + [#"../derive_macros.rs" 28 9 28 14] v0_1 <- DeriveMacros_Sum_Type.a_0 self; assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../derive_macros.rs" 28 9 28 14] _7 <- ([#"../derive_macros.rs" 28 9 28 14] v0_1); + [#"../derive_macros.rs" 28 9 28 14] _7 <- v0_1; assert { [@expl:type invariant] inv1 _7 }; assume { resolve1 _7 }; - [#"../derive_macros.rs" 28 9 28 14] _5 <- ([#"../derive_macros.rs" 28 9 28 14] clone0 ([#"../derive_macros.rs" 28 9 28 14] _7)); + [#"../derive_macros.rs" 28 9 28 14] _5 <- ([#"../derive_macros.rs" 28 9 28 14] clone0 _7); goto BB5 } BB5 { assert { [@expl:type invariant] inv2 v0_1 }; assume { resolve2 v0_1 }; - [#"../derive_macros.rs" 28 9 28 14] _0 <- ([#"../derive_macros.rs" 28 9 28 14] DeriveMacros_Sum_Type.C_A _5); + [#"../derive_macros.rs" 28 9 28 14] _0 <- DeriveMacros_Sum_Type.C_A _5; _5 <- any a; goto BB6 } 
@@ -469,7 +469,7 @@ module DeriveMacros_Impl4_Clone BB7 { assert { [@expl:type invariant] inv4 v0_11 }; assume { resolve4 v0_11 }; - [#"../derive_macros.rs" 28 9 28 14] _0 <- ([#"../derive_macros.rs" 28 9 28 14] DeriveMacros_Sum_Type.C_B _9); + [#"../derive_macros.rs" 28 9 28 14] _0 <- DeriveMacros_Sum_Type.C_B _9; _9 <- any b; goto BB8 } @@ -610,7 +610,7 @@ module DeriveMacros_Impl5_Eq assume { resolve0 self }; assert { [@expl:type invariant] inv0 rhs }; assume { resolve0 rhs }; - [#"../derive_macros.rs" 28 16 28 25] _4 <- ([#"../derive_macros.rs" 28 16 28 25] (([#"../derive_macros.rs" 28 16 28 25] self), ([#"../derive_macros.rs" 28 16 28 25] rhs))); + [#"../derive_macros.rs" 28 16 28 25] _4 <- (self, rhs); switch (let (a, _) = _4 in a) | DeriveMacros_Sum_Type.C_A _ -> goto BB1 | DeriveMacros_Sum_Type.C_B _ -> goto BB4 @@ -628,7 +628,7 @@ module DeriveMacros_Impl5_Eq BB3 { assert { [@expl:type invariant] inv1 _4 }; assume { resolve1 _4 }; - [#"../derive_macros.rs" 28 16 28 25] _0 <- ([#"../derive_macros.rs" 28 16 28 25] [#"../derive_macros.rs" 28 16 28 25] false); + [#"../derive_macros.rs" 28 16 28 25] _0 <- ([#"../derive_macros.rs" 28 16 28 25] false); goto BB16 } BB4 { 
@@ -641,15 +641,15 @@ module DeriveMacros_Impl5_Eq goto BB11 } BB6 { - [#"../derive_macros.rs" 28 16 28 25] v0_1 <- ([#"../derive_macros.rs" 28 16 28 25] DeriveMacros_Sum_Type.a_0 (let (a, _) = _4 in a)); - [#"../derive_macros.rs" 28 16 28 25] v0_2 <- ([#"../derive_macros.rs" 28 16 28 25] DeriveMacros_Sum_Type.a_0 (let (_, a) = _4 in a)); + [#"../derive_macros.rs" 28 16 28 25] v0_1 <- DeriveMacros_Sum_Type.a_0 (let (a, _) = _4 in a); + [#"../derive_macros.rs" 28 16 28 25] v0_2 <- DeriveMacros_Sum_Type.a_0 (let (_, a) = _4 in a); assert { [@expl:type invariant] inv1 _4 }; assume { resolve1 _4 }; assert { [@expl:type invariant] inv2 v0_1 }; assume { resolve2 v0_1 }; assert { [@expl:type invariant] inv2 v0_2 }; assume { resolve2 v0_2 }; - [#"../derive_macros.rs" 28 16 28 25] _12 <- ([#"../derive_macros.rs" 28 16 28 25] eq0 ([#"../derive_macros.rs" 28 16 28 25] v0_1) ([#"../derive_macros.rs" 28 16 28 25] v0_2)); + [#"../derive_macros.rs" 28 16 28 25] _12 <- ([#"../derive_macros.rs" 28 16 28 25] eq0 v0_1 v0_2); goto BB7 } BB7 { 
@@ -659,26 +659,26 @@ module DeriveMacros_Impl5_Eq end } BB8 { - [#"../derive_macros.rs" 28 16 28 25] _0 <- ([#"../derive_macros.rs" 28 16 28 25] [#"../derive_macros.rs" 28 16 28 25] true); + [#"../derive_macros.rs" 28 16 28 25] _0 <- ([#"../derive_macros.rs" 28 16 28 25] true); goto BB10 } BB9 { - [#"../derive_macros.rs" 28 16 28 25] _0 <- ([#"../derive_macros.rs" 28 16 28 25] [#"../derive_macros.rs" 28 16 28 25] false); + [#"../derive_macros.rs" 28 16 28 25] _0 <- ([#"../derive_macros.rs" 28 16 28 25] false); goto BB10 } BB10 { goto BB16 } BB11 { - [#"../derive_macros.rs" 28 16 28 25] v0_11 <- ([#"../derive_macros.rs" 28 16 28 25] DeriveMacros_Sum_Type.b_0 (let (a, _) = _4 in a)); - [#"../derive_macros.rs" 28 16 28 25] v0_21 <- ([#"../derive_macros.rs" 28 16 28 25] DeriveMacros_Sum_Type.b_0 (let (_, a) = _4 in a)); + [#"../derive_macros.rs" 28 16 28 25] v0_11 <- DeriveMacros_Sum_Type.b_0 (let (a, _) = _4 in a); + [#"../derive_macros.rs" 28 16 28 25] v0_21 <- DeriveMacros_Sum_Type.b_0 (let (_, a) = _4 in a); assert { [@expl:type invariant] inv1 _4 }; assume { resolve1 _4 }; assert { [@expl:type invariant] inv3 v0_11 }; assume { resolve3 v0_11 }; assert { [@expl:type invariant] inv3 v0_21 }; assume { resolve3 v0_21 }; - [#"../derive_macros.rs" 28 16 28 25] _17 <- ([#"../derive_macros.rs" 28 16 28 25] eq1 ([#"../derive_macros.rs" 28 16 28 25] v0_11) ([#"../derive_macros.rs" 28 16 28 25] v0_21)); + [#"../derive_macros.rs" 28 16 28 25] _17 <- ([#"../derive_macros.rs" 28 16 28 25] eq1 v0_11 v0_21); goto BB12 } BB12 { 
@@ -688,11 +688,11 @@ module DeriveMacros_Impl5_Eq end } BB13 { - [#"../derive_macros.rs" 28 16 28 25] _0 <- ([#"../derive_macros.rs" 28 16 28 25] [#"../derive_macros.rs" 28 16 28 25] true); + [#"../derive_macros.rs" 28 16 28 25] _0 <- ([#"../derive_macros.rs" 28 16 28 25] true); goto BB15 } BB14 { - [#"../derive_macros.rs" 28 16 28 25] _0 <- ([#"../derive_macros.rs" 28 16 28 25] [#"../derive_macros.rs" 28 16 28 25] false); + [#"../derive_macros.rs" 28 16 28 25] _0 <- ([#"../derive_macros.rs" 28 16 28 25] false); goto BB15 } BB15 { @@ -721,12 +721,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type @@ -839,7 +845,9 @@ module DeriveMacros_Impl2 axiom inv0 : forall x : DeriveMacros_Product_Type.t_product a b . inv0 x = true use prelude.Borrow - goal clone'_refn : [#"../derive_macros.rs" 8 9 8 14] forall self : DeriveMacros_Product_Type.t_product a b . inv0 self -> inv0 self /\ (forall result : DeriveMacros_Product_Type.t_product a b . inv1 result /\ result = self -> inv1 result /\ result = self) + goal clone'_refn : [#"../derive_macros.rs" 8 9 8 14] forall self : DeriveMacros_Product_Type.t_product a b . inv0 self + -> inv0 self /\ (forall result : DeriveMacros_Product_Type.t_product a b . inv1 result /\ result = self + -> inv1 result /\ result = self) end module DeriveMacros_Impl4 type a 
@@ -864,7 +872,9 @@ module DeriveMacros_Impl4 axiom inv0 : forall x : DeriveMacros_Sum_Type.t_sum a b . inv0 x = true use prelude.Borrow - goal clone'_refn : [#"../derive_macros.rs" 28 9 28 14] forall self : DeriveMacros_Sum_Type.t_sum a b . inv0 self -> inv0 self /\ (forall result : DeriveMacros_Sum_Type.t_sum a b . inv1 result /\ result = self -> inv1 result /\ result = self) + goal clone'_refn : [#"../derive_macros.rs" 28 9 28 14] forall self : DeriveMacros_Sum_Type.t_sum a b . inv0 self + -> inv0 self /\ (forall result : DeriveMacros_Sum_Type.t_sum a b . inv1 result /\ result = self + -> inv1 result /\ result = self) end module DeriveMacros_Impl3 type a @@ -904,7 +914,9 @@ module DeriveMacros_Impl3 val deep_model0 (self : DeriveMacros_Product_Type.t_product a b) : DeriveMacros_Product_Type.t_product deep_model_ty0 deep_model_ty1 ensures { result = deep_model0 self } - goal eq_refn : [#"../derive_macros.rs" 8 16 8 25] forall self : DeriveMacros_Product_Type.t_product a b . forall other : DeriveMacros_Product_Type.t_product a b . inv0 other /\ inv0 self -> inv0 other /\ inv0 self /\ (forall result : bool . result = (deep_model0 self = deep_model0 other) -> result = (deep_model0 self = deep_model0 other)) + goal eq_refn : [#"../derive_macros.rs" 8 16 8 25] forall self : DeriveMacros_Product_Type.t_product a b . forall other : DeriveMacros_Product_Type.t_product a b . inv0 other /\ inv0 self + -> inv0 other /\ inv0 self /\ (forall result : bool . result = (deep_model0 self = deep_model0 other) + -> result = (deep_model0 self = deep_model0 other)) end module DeriveMacros_Impl5 type a 
@@ -947,7 +959,9 @@ module DeriveMacros_Impl5 val deep_model0 (self : DeriveMacros_Sum_Type.t_sum a b) : DeriveMacros_Sum_Type.t_sum deep_model_ty0 deep_model_ty1 ensures { result = deep_model0 self } - goal eq_refn : [#"../derive_macros.rs" 28 16 28 25] forall self : DeriveMacros_Sum_Type.t_sum a b . forall other : DeriveMacros_Sum_Type.t_sum a b . inv0 other /\ inv0 self -> inv0 other /\ inv0 self /\ (forall result : bool . result = (deep_model0 self = deep_model0 other) -> result = (deep_model0 self = deep_model0 other)) + goal eq_refn : [#"../derive_macros.rs" 28 16 28 25] forall self : DeriveMacros_Sum_Type.t_sum a b . forall other : DeriveMacros_Sum_Type.t_sum a b . inv0 other /\ inv0 self + -> inv0 other /\ inv0 self /\ (forall result : bool . result = (deep_model0 self = deep_model0 other) + -> result = (deep_model0 self = deep_model0 other)) end module DeriveMacros_Impl0 type a diff --git a/creusot/tests/should_succeed/syntax/derive_macros.rs b/creusot/tests/should_succeed/syntax/derive_macros.rs index fc85641c23..063e18b6ff 100644 --- a/creusot/tests/should_succeed/syntax/derive_macros.rs +++ b/creusot/tests/should_succeed/syntax/derive_macros.rs @@ -19,7 +19,7 @@ where type DeepModelTy = Product; #[open] - #[ghost] + #[logic] fn deep_model(self) -> Self::DeepModelTy { Product { a: self.a.deep_model(), b: self.b.deep_model() } } @@ -35,7 +35,7 @@ impl DeepModel for Sum { type DeepModelTy = Sum; #[open] - #[ghost] + #[logic] fn deep_model(self) -> Self::DeepModelTy { match self { Sum::A(a) => Sum::A(a.deep_model()), diff --git a/creusot/tests/should_succeed/take_first_mut.mlcfg b/creusot/tests/should_succeed/take_first_mut.mlcfg index 2909df7a72..dab5b7906f 100644 --- a/creusot/tests/should_succeed/take_first_mut.mlcfg +++ b/creusot/tests/should_succeed/take_first_mut.mlcfg 
@@ -107,7 +107,8 @@ module TakeFirstMut_TakeFirstMut requires {[#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv1 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv1 self) -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv7 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model0 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : slice t . ([#"../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv1 self) + -> ([#"../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv7 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model0 self = Slice.id self) && ([#"../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) use seq.Seq function index_logic0 [@inline:trivial] (self : slice t) (ix : int) : t = [#"../../../../creusot-contracts/src/logic/ops.rs" 43 8 43 31] Seq.get (shallow_model0 self) ix 
@@ -205,17 +206,17 @@ module TakeFirstMut_TakeFirstMut goto BB6 } BB4 { - [#"../take_first_mut.rs" 17 14 17 19] first <- ([#"../take_first_mut.rs" 17 14 17 19] let (a, _) = Core_Option_Option_Type.some_0 _3 in a); - [#"../take_first_mut.rs" 17 14 17 19] _3 <- (let Core_Option_Option_Type.C_Some x0 = _3 in Core_Option_Option_Type.C_Some (let (x0, x1) = Core_Option_Option_Type.some_0 _3 in (any borrowed t, x1))); - [#"../take_first_mut.rs" 17 21 17 24] rem <- ([#"../take_first_mut.rs" 17 21 17 24] let (_, a) = Core_Option_Option_Type.some_0 _3 in a); - [#"../take_first_mut.rs" 17 21 17 24] _3 <- (let Core_Option_Option_Type.C_Some x0 = _3 in Core_Option_Option_Type.C_Some (let (x0, x1) = Core_Option_Option_Type.some_0 _3 in (x0, any borrowed (slice t)))); + [#"../take_first_mut.rs" 17 14 17 19] first <- (let (a, _) = Core_Option_Option_Type.some_0 _3 in a); + _3 <- (let Core_Option_Option_Type.C_Some x0 = _3 in Core_Option_Option_Type.C_Some (let (x0, x1) = Core_Option_Option_Type.some_0 _3 in (any borrowed t, x1))); + [#"../take_first_mut.rs" 17 21 17 24] rem <- (let (_, a) = Core_Option_Option_Type.some_0 _3 in a); + _3 <- (let Core_Option_Option_Type.C_Some x0 = _3 in Core_Option_Option_Type.C_Some (let (x0, x1) = Core_Option_Option_Type.some_0 _3 in (x0, any borrowed (slice t)))); assert { [@expl:type invariant] inv2 _3 }; assume { resolve0 _3 }; [#"../take_first_mut.rs" 18 21 18 24] _11 <- Borrow.borrow_final ( * rem) (Borrow.get_id rem); [#"../take_first_mut.rs" 18 21 18 24] rem <- { rem with current = ( ^ _11) ; }; assume { inv1 ( ^ _11) }; - [#"../take_first_mut.rs" 18 12 18 24] self_ <- { self_ with current = ([#"../take_first_mut.rs" 18 12 18 24] _11) ; }; - [#"../take_first_mut.rs" 18 12 18 24] _11 <- any borrowed (slice t); + [#"../take_first_mut.rs" 18 12 18 24] self_ <- { self_ with current = _11 ; }; + _11 <- any borrowed (slice t); assert { [@expl:type invariant] inv0 ( * self_) }; assume { resolve2 ( * self_) }; assert { [@expl:type invariant] inv3 
self_ }; @@ -223,7 +224,7 @@ module TakeFirstMut_TakeFirstMut [#"../take_first_mut.rs" 19 17 19 22] _12 <- Borrow.borrow_final ( * first) (Borrow.get_id first); [#"../take_first_mut.rs" 19 17 19 22] first <- { first with current = ( ^ _12) ; }; assume { inv4 ( ^ _12) }; - [#"../take_first_mut.rs" 19 12 19 23] _0 <- ([#"../take_first_mut.rs" 19 12 19 23] Core_Option_Option_Type.C_Some _12); + [#"../take_first_mut.rs" 19 12 19 23] _0 <- Core_Option_Option_Type.C_Some _12; _12 <- any borrowed t; assert { [@expl:type invariant] inv0 rem }; assume { resolve2 rem }; @@ -234,10 +235,10 @@ module TakeFirstMut_TakeFirstMut goto BB7 } BB5 { - assert { [@expl:type invariant] inv2 _3 }; - assume { resolve0 _3 }; assert { [@expl:type invariant] inv3 self_ }; assume { resolve1 self_ }; + assert { [@expl:type invariant] inv2 _3 }; + assume { resolve0 _3 }; assert { [@expl:type invariant] inv0 _5 }; assume { resolve2 _5 }; assert { [#"../take_first_mut.rs" 15 10 15 44] false }; @@ -248,7 +249,7 @@ module TakeFirstMut_TakeFirstMut assume { resolve0 _3 }; assert { [@expl:type invariant] inv3 self_ }; assume { resolve1 self_ }; - [#"../take_first_mut.rs" 16 23 16 27] _0 <- ([#"../take_first_mut.rs" 16 23 16 27] Core_Option_Option_Type.C_None); + [#"../take_first_mut.rs" 16 23 16 27] _0 <- Core_Option_Option_Type.C_None; assert { [@expl:type invariant] inv0 _5 }; assume { resolve2 _5 }; goto BB7 diff --git a/creusot/tests/should_succeed/trait_impl.mlcfg b/creusot/tests/should_succeed/trait_impl.mlcfg index 4672d79f24..d9c07a96fc 100644 --- a/creusot/tests/should_succeed/trait_impl.mlcfg +++ b/creusot/tests/should_succeed/trait_impl.mlcfg @@ -74,7 +74,7 @@ module TraitImpl_Impl0 ensures { result = inv0 _x } axiom inv0 : forall x : (t1, t2) . inv0 x = true - goal x_refn : [#"../trait_impl.rs" 25 4 25 14] forall self : (t1, t2) . inv0 self -> inv0 self + goal x_refn : [#"../trait_impl.rs" 25 4 25 14] forall self : (t1, t2) . inv0 self -> inv0 self end module TraitImpl_Impl1 type b 
diff --git a/creusot/tests/should_succeed/traits/01.mlcfg b/creusot/tests/should_succeed/traits/01.mlcfg index 2aa032fa9e..cbf4812629 100644 --- a/creusot/tests/should_succeed/traits/01.mlcfg +++ b/creusot/tests/should_succeed/traits/01.mlcfg @@ -36,8 +36,8 @@ module C01_UsesGeneric goto BB0 } BB0 { - [#"../01.rs" 9 4 9 16] _0 <- ([#"../01.rs" 9 4 9 16] from_b0 ([#"../01.rs" 9 14 9 15] b)); - [#"../01.rs" 9 14 9 15] b <- any t; + [#"../01.rs" 9 4 9 16] _0 <- ([#"../01.rs" 9 4 9 16] from_b0 b); + b <- any t; goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/traits/02.mlcfg b/creusot/tests/should_succeed/traits/02.mlcfg index 0df90390e3..12dce51990 100644 --- a/creusot/tests/should_succeed/traits/02.mlcfg +++ b/creusot/tests/should_succeed/traits/02.mlcfg @@ -39,7 +39,7 @@ module C02_Omg goto BB0 } BB0 { - [#"../02.rs" 12 4 12 15] _0 <- ([#"../02.rs" 12 4 12 15] is_true0 ([#"../02.rs" 12 4 12 5] a)); + [#"../02.rs" 12 4 12 15] _0 <- ([#"../02.rs" 12 4 12 15] is_true0 a); goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/traits/03.mlcfg b/creusot/tests/should_succeed/traits/03.mlcfg index fecedca641..0207562222 100644 --- a/creusot/tests/should_succeed/traits/03.mlcfg +++ b/creusot/tests/should_succeed/traits/03.mlcfg @@ -10,7 +10,7 @@ module C03_Impl0_F goto BB0 } BB0 { - [#"../03.rs" 10 8 10 9] _0 <- ([#"../03.rs" 10 8 10 9] [#"../03.rs" 10 8 10 9] (0 : int32)); + [#"../03.rs" 10 8 10 9] _0 <- ([#"../03.rs" 10 8 10 9] (0 : int32)); return _0 } @@ -26,7 +26,7 @@ module C03_Impl1_G goto BB0 } BB0 { - [#"../03.rs" 21 8 21 9] _0 <- ([#"../03.rs" 21 8 21 9] [#"../03.rs" 21 8 21 9] (1 : uint32)); + [#"../03.rs" 21 8 21 9] _0 <- ([#"../03.rs" 21 8 21 9] (1 : uint32)); return _0 } @@ -58,7 +58,7 @@ module C03_Impl2_H goto BB0 } BB0 { - [#"../03.rs" 31 8 31 9] _0 <- ([#"../03.rs" 31 8 31 9] y); + [#"../03.rs" 31 8 31 9] _0 <- y; assert { [@expl:type invariant] inv0 y }; assume { resolve0 y }; return _0 
@@ -89,7 +89,7 @@ module C03_Impl0 axiom inv0 : forall x : int32 . inv0 x = true use prelude.Int use prelude.Borrow - goal f_refn : [#"../03.rs" 9 4 9 23] forall self : int32 . inv0 self -> (forall result : int32 . inv1 result) + goal f_refn : [#"../03.rs" 9 4 9 23] forall self : int32 . inv0 self -> (forall result : int32 . inv1 result) end module C03_Impl1 use prelude.UInt32 @@ -115,7 +115,8 @@ module C03_Impl1 axiom inv0 : forall x : uint32 . inv0 x = true use prelude.Int use prelude.Borrow - goal g_refn : [#"../03.rs" 20 4 20 23] forall self : uint32 . inv0 self -> (forall result : uint32 . inv1 result /\ result = result) + goal g_refn : [#"../03.rs" 20 4 20 23] forall self : uint32 . inv0 self + -> (forall result : uint32 . inv1 result /\ result = result) end module C03_Impl2 type g @@ -129,5 +130,6 @@ module C03_Impl2 axiom inv0 : forall x : g . inv0 x = true use prelude.Borrow - goal h_refn : [#"../03.rs" 30 4 30 24] forall x : g . inv0 x -> inv0 x /\ (forall result : g . inv0 result -> inv0 result) + goal h_refn : [#"../03.rs" 30 4 30 24] forall x : g . inv0 x + -> inv0 x /\ (forall result : g . inv0 result -> inv0 result) end diff --git a/creusot/tests/should_succeed/traits/04.mlcfg b/creusot/tests/should_succeed/traits/04.mlcfg index 0bf0c30aef..f29b5ed62e 100644 --- a/creusot/tests/should_succeed/traits/04.mlcfg +++ b/creusot/tests/should_succeed/traits/04.mlcfg @@ -42,7 +42,7 @@ module C04_User goto BB0 } BB0 { - [#"../04.rs" 13 4 13 14] _4 <- ([#"../04.rs" 13 4 13 14] func10 ([#"../04.rs" 13 4 13 5] a) ([#"../04.rs" 13 12 13 13] b)); + [#"../04.rs" 13 4 13 14] _4 <- ([#"../04.rs" 13 4 13 14] func10 a b); goto BB1 } BB1 { @@ -52,7 +52,7 @@ module C04_User end } BB2 { - [#"../04.rs" 13 18 13 28] _7 <- ([#"../04.rs" 13 18 13 28] func20 ([#"../04.rs" 13 18 13 19] b) ([#"../04.rs" 13 26 13 27] a)); + [#"../04.rs" 13 18 13 28] _7 <- ([#"../04.rs" 13 18 13 28] func20 b a); goto BB3 } BB3 { 
@@ -66,7 +66,7 @@ module C04_User assume { resolve0 a }; assert { [@expl:type invariant] inv0 b }; assume { resolve0 b }; - [#"../04.rs" 13 32 13 42] _0 <- ([#"../04.rs" 13 32 13 42] func30 ([#"../04.rs" 13 32 13 33] a) ([#"../04.rs" 13 40 13 41] b)); + [#"../04.rs" 13 32 13 42] _0 <- ([#"../04.rs" 13 32 13 42] func30 a b); goto BB8 } BB5 { @@ -84,7 +84,7 @@ module C04_User goto BB7 } BB7 { - [#"../04.rs" 13 4 13 42] _0 <- ([#"../04.rs" 13 4 13 42] [#"../04.rs" 13 4 13 42] false); + [#"../04.rs" 13 4 13 42] _0 <- ([#"../04.rs" 13 4 13 42] false); goto BB9 } BB8 { diff --git a/creusot/tests/should_succeed/traits/06.mlcfg b/creusot/tests/should_succeed/traits/06.mlcfg index 460eeb1ee1..592474a80b 100644 --- a/creusot/tests/should_succeed/traits/06.mlcfg +++ b/creusot/tests/should_succeed/traits/06.mlcfg @@ -44,7 +44,7 @@ module C06_Test BB0 { assert { [@expl:type invariant] inv0 a }; assume { resolve0 a }; - [#"../06.rs" 13 4 13 11] _0 <- ([#"../06.rs" 13 4 13 11] ix0 ([#"../06.rs" 13 4 13 5] a) ([#"../06.rs" 13 9 13 10] [#"../06.rs" 13 9 13 10] (0 : usize))); + [#"../06.rs" 13 4 13 11] _0 <- ([#"../06.rs" 13 4 13 11] ix0 a ([#"../06.rs" 13 9 13 10] (0 : usize))); goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/traits/07.mlcfg b/creusot/tests/should_succeed/traits/07.mlcfg index 1fbeef35ac..5f9d9cf45b 100644 --- a/creusot/tests/should_succeed/traits/07.mlcfg +++ b/creusot/tests/should_succeed/traits/07.mlcfg @@ -10,7 +10,7 @@ module C07_Impl0_Ix goto BB0 } BB0 { - [#"../07.rs" 12 8 12 10] _0 <- ([#"../07.rs" 12 8 12 10] ()); + [#"../07.rs" 12 8 12 10] _0 <- (); return _0 } @@ -29,7 +29,7 @@ module C07_Test goto BB0 } BB0 { - [#"../07.rs" 17 4 17 8] _0 <- ([#"../07.rs" 17 4 17 8] [#"../07.rs" 17 4 17 8] true); + [#"../07.rs" 17 4 17 8] _0 <- ([#"../07.rs" 17 4 17 8] true); return _0 } 
@@ -47,7 +47,7 @@ module C07_Test2 goto BB0 } BB0 { - [#"../07.rs" 21 4 21 10] _0 <- ([#"../07.rs" 21 4 21 10] ix0 ([#"../07.rs" 21 4 21 5] a)); + [#"../07.rs" 21 4 21 10] _0 <- ([#"../07.rs" 21 4 21 10] ix0 a); goto BB1 } BB1 { @@ -79,5 +79,5 @@ module C07_Impl0 axiom inv0 : forall x : int32 . inv0 x = true use prelude.Int use prelude.Borrow - goal ix_refn : [#"../07.rs" 11 4 11 36] forall self : int32 . inv0 self -> (forall result : () . inv1 result) + goal ix_refn : [#"../07.rs" 11 4 11 36] forall self : int32 . inv0 self -> (forall result : () . inv1 result) end diff --git a/creusot/tests/should_succeed/traits/08.rs b/creusot/tests/should_succeed/traits/08.rs index 850aa34efb..4d3040d412 100644 --- a/creusot/tests/should_succeed/traits/08.rs +++ b/creusot/tests/should_succeed/traits/08.rs @@ -5,7 +5,7 @@ use creusot_contracts::{logic::Int, *}; // Ensure that different kinds of functions are translated to the // correct abstract symbol in Rust pub trait Tr { - #[ghost] + #[logic] fn logical(&self) -> Int; #[predicate] fn predicate(&self) -> bool; diff --git a/creusot/tests/should_succeed/traits/09.mlcfg b/creusot/tests/should_succeed/traits/09.mlcfg index e808e87016..b60d9fe059 100644 --- a/creusot/tests/should_succeed/traits/09.mlcfg +++ b/creusot/tests/should_succeed/traits/09.mlcfg @@ -11,7 +11,7 @@ module C09_Test goto BB0 } BB0 { - [#"../09.rs" 8 4 8 9] _0 <- ([#"../09.rs" 8 4 8 9] ([#"../09.rs" 8 4 8 5] t) + ([#"../09.rs" 8 8 8 9] [#"../09.rs" 8 8 8 9] (0 : uint32))); + [#"../09.rs" 8 4 8 9] _0 <- t + ([#"../09.rs" 8 8 8 9] (0 : uint32)); return _0 } @@ -40,8 +40,8 @@ module C09_Test2 goto BB0 } BB0 { - [#"../09.rs" 12 4 12 5] _0 <- ([#"../09.rs" 12 4 12 5] t); - [#"../09.rs" 12 4 12 5] t <- any x0; + [#"../09.rs" 12 4 12 5] _0 <- t; + t <- any x0; goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/traits/11.rs b/creusot/tests/should_succeed/traits/11.rs index 0a8a8ef20f..faf81bba58 100644 --- a/creusot/tests/should_succeed/traits/11.rs 
+++ b/creusot/tests/should_succeed/traits/11.rs @@ -3,7 +3,7 @@ extern crate creusot_contracts; use creusot_contracts::*; #[open] -#[ghost] +#[logic] pub fn id(x: T) -> T { x } diff --git a/creusot/tests/should_succeed/traits/12_default_method.mlcfg b/creusot/tests/should_succeed/traits/12_default_method.mlcfg index 255d6e4713..d57d1dff80 100644 --- a/creusot/tests/should_succeed/traits/12_default_method.mlcfg +++ b/creusot/tests/should_succeed/traits/12_default_method.mlcfg @@ -27,7 +27,7 @@ module C12DefaultMethod_T_Default goto BB0 } BB0 { - [#"../12_default_method.rs" 7 8 7 9] _0 <- ([#"../12_default_method.rs" 7 8 7 9] [#"../12_default_method.rs" 7 8 7 9] (0 : uint32)); + [#"../12_default_method.rs" 7 8 7 9] _0 <- ([#"../12_default_method.rs" 7 8 7 9] (0 : uint32)); assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; return _0 @@ -67,7 +67,7 @@ module C12DefaultMethod_ShouldUseImpl goto BB0 } BB0 { - [#"../12_default_method.rs" 21 4 21 15] _3 <- ([#"../12_default_method.rs" 21 4 21 15] default0 ([#"../12_default_method.rs" 21 4 21 5] x)); + [#"../12_default_method.rs" 21 4 21 15] _3 <- ([#"../12_default_method.rs" 21 4 21 15] default0 x); goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/traits/12_default_method.rs b/creusot/tests/should_succeed/traits/12_default_method.rs index fd408f3743..963d97a8d2 100644 --- a/creusot/tests/should_succeed/traits/12_default_method.rs +++ b/creusot/tests/should_succeed/traits/12_default_method.rs @@ -8,7 +8,7 @@ pub trait T { } #[open] - #[ghost] + #[logic] fn logic_default(self) -> bool { true } diff --git a/creusot/tests/should_succeed/traits/13_assoc_types.mlcfg b/creusot/tests/should_succeed/traits/13_assoc_types.mlcfg index 6d7855ec6e..cf4ce49501 100644 --- a/creusot/tests/should_succeed/traits/13_assoc_types.mlcfg +++ b/creusot/tests/should_succeed/traits/13_assoc_types.mlcfg 
@@ -38,7 +38,7 @@ module C13AssocTypes_Impl0_Model BB0 { assert { [@expl:type invariant] inv0 self }; assume { resolve0 self }; - [#"../13_assoc_types.rs" 14 8 14 22] _0 <- ([#"../13_assoc_types.rs" 14 8 14 22] model ([#"../13_assoc_types.rs" 14 8 14 14] self)); + [#"../13_assoc_types.rs" 14 8 14 22] _0 <- ([#"../13_assoc_types.rs" 14 8 14 22] model self); goto BB1 } BB1 { @@ -68,5 +68,6 @@ module C13AssocTypes_Impl0 axiom inv0 : forall x : t . inv0 x = true use prelude.Borrow - goal model_refn : [#"../13_assoc_types.rs" 13 4 13 35] forall self : t . inv0 self -> inv0 self /\ (forall result : model_ty0 . inv1 result -> inv1 result) + goal model_refn : [#"../13_assoc_types.rs" 13 4 13 35] forall self : t . inv0 self + -> inv0 self /\ (forall result : model_ty0 . inv1 result -> inv1 result) end diff --git a/creusot/tests/should_succeed/traits/14_assoc_in_logic.rs b/creusot/tests/should_succeed/traits/14_assoc_in_logic.rs index 7c51cac64c..021306e5fa 100644 --- a/creusot/tests/should_succeed/traits/14_assoc_in_logic.rs +++ b/creusot/tests/should_succeed/traits/14_assoc_in_logic.rs @@ -6,13 +6,13 @@ pub trait Assoc { type Ty; } -#[ghost] +#[logic] #[trusted] fn from_ty(_x: T::Ty) -> T { absurd } -#[ghost] +#[logic] #[trusted] fn to_ty(_x: T) -> T::Ty { absurd diff --git a/creusot/tests/should_succeed/traits/15_impl_interfaces.rs b/creusot/tests/should_succeed/traits/15_impl_interfaces.rs index a2bf356bc0..e02030aff1 100644 --- a/creusot/tests/should_succeed/traits/15_impl_interfaces.rs +++ b/creusot/tests/should_succeed/traits/15_impl_interfaces.rs @@ -14,7 +14,7 @@ impl Tr for () { } #[trusted] -#[ghost] +#[logic] fn x(_x: T) -> T::A { absurd } diff --git a/creusot/tests/should_succeed/traits/16_impl_cloning.mlcfg b/creusot/tests/should_succeed/traits/16_impl_cloning.mlcfg index d01383217a..1b9ff9d2ad 100644 --- a/creusot/tests/should_succeed/traits/16_impl_cloning.mlcfg +++ b/creusot/tests/should_succeed/traits/16_impl_cloning.mlcfg 
@@ -17,12 +17,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type diff --git a/creusot/tests/should_succeed/traits/16_impl_cloning.rs b/creusot/tests/should_succeed/traits/16_impl_cloning.rs index 9fbe4d93aa..7161813951 100644 --- a/creusot/tests/should_succeed/traits/16_impl_cloning.rs +++ b/creusot/tests/should_succeed/traits/16_impl_cloning.rs @@ -2,11 +2,11 @@ extern crate creusot_contracts; use creusot_contracts::{logic::Seq, *}; -pub struct Vec(std::vec::Vec); +pub struct Vec(pub std::vec::Vec); impl ShallowModel for Vec { type ShallowModelTy = Seq; #[open] - #[ghost] + #[logic] #[trusted] fn shallow_model(self) -> Self::ShallowModelTy { absurd diff --git a/creusot/tests/should_succeed/traits/16_impl_cloning/why3shapes.gz b/creusot/tests/should_succeed/traits/16_impl_cloning/why3shapes.gz index ad207a1324..8f16dcd348 100644 Binary files a/creusot/tests/should_succeed/traits/16_impl_cloning/why3shapes.gz and b/creusot/tests/should_succeed/traits/16_impl_cloning/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/traits/18_trait_laws.mlcfg b/creusot/tests/should_succeed/traits/18_trait_laws.mlcfg index 101e578eff..34e8b7e21e 100644 --- a/creusot/tests/should_succeed/traits/18_trait_laws.mlcfg +++ b/creusot/tests/should_succeed/traits/18_trait_laws.mlcfg 
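Review bot: In the `16_impl_cloning.rs` hunk the newtype's inner field becomes `pub` (`pub struct Vec(pub std::vec::Vec);`), so code outside this module can now construct the wrapper directly or reach the wrapped `std::vec::Vec`, which weakens whatever encapsulation the newtype was providing, and the hunk gives no reason for the change. If this was done to silence an unused-field warning in a test fixture, a `#[allow(dead_code)]` on the field keeps it private; if external construction is actually wanted, a one-line comment such as `// field is public so other test code can build the wrapper directly` would record the intent. The `impl ShallowModel for Vec` block continues outside the hunk.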
@@ -15,19 +15,19 @@ module C18TraitLaws_UsesOp_Impl requires {[#"../18_trait_laws.rs" 10 26 10 27] inv0 b} ensures { result = reflexive0 a b } - axiom reflexive0_spec : forall a : t, b : t . ([#"../18_trait_laws.rs" 10 17 10 18] inv0 a) -> ([#"../18_trait_laws.rs" 10 26 10 27] inv0 b) -> ([#"../18_trait_laws.rs" 9 14 9 32] op0 a b = op0 b a) + axiom reflexive0_spec : forall a : t, b : t . ([#"../18_trait_laws.rs" 10 17 10 18] inv0 a) + -> ([#"../18_trait_laws.rs" 10 26 10 27] inv0 b) -> ([#"../18_trait_laws.rs" 9 14 9 32] op0 a b = op0 b a) predicate invariant0 (self : t) val invariant0 (self : t) : bool ensures { result = invariant0 self } axiom inv0 : forall x : t . inv0 x = true - let rec ghost function uses_op [#"../18_trait_laws.rs" 16 0 16 48] (x : t) (y : t) : bool - requires {[#"../18_trait_laws.rs" 16 29 16 30] inv0 x} - requires {[#"../18_trait_laws.rs" 16 35 16 36] inv0 y} - ensures { [#"../18_trait_laws.rs" 15 10 15 24] result = true } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../18_trait_laws.rs" 17 16 17 34] let x1 = op0 y x in let x0 = op0 x y in pure {x0 = x1} + constant x : t + constant y : t + function uses_op [#"../18_trait_laws.rs" 16 0 16 48] (x : t) (y : t) : bool + goal vc_uses_op : ([#"../18_trait_laws.rs" 16 35 16 36] inv0 y) + -> ([#"../18_trait_laws.rs" 16 29 16 30] inv0 x) + -> ([#"../18_trait_laws.rs" 15 10 15 24] (op0 x y = op0 y x) = true) end module C18TraitLaws_Impl0_Reflexive_Impl function op0 [#"../18_trait_laws.rs" 23 4 23 32] (self : ()) (_2 : ()) : () = 
@@ -35,11 +35,10 @@ module C18TraitLaws_Impl0_Reflexive_Impl val op0 [#"../18_trait_laws.rs" 23 4 23 32] (self : ()) (_2 : ()) : () ensures { result = op0 self _2 } - let rec ghost function reflexive [#"../18_trait_laws.rs" 30 4 30 34] (a : ()) (b : ()) : () - ensures { [#"../18_trait_laws.rs" 29 14 29 32] op0 a b = op0 b a } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../18_trait_laws.rs" 27 4 27 10] () + constant a : () + constant b : () + function reflexive [#"../18_trait_laws.rs" 30 4 30 34] (a : ()) (b : ()) : () + goal vc_reflexive : [#"../18_trait_laws.rs" 29 14 29 32] op0 a b = op0 b a end module C18TraitLaws_ImplLaws_Impl function op0 [#"../18_trait_laws.rs" 23 4 23 32] (self : ()) (_2 : ()) : () = @@ -53,11 +52,9 @@ module C18TraitLaws_ImplLaws_Impl ensures { result = reflexive0 a b } axiom reflexive0_spec : forall a : (), b : () . [#"../18_trait_laws.rs" 29 14 29 32] op0 a b = op0 b a - let rec ghost function impl_laws [#"../18_trait_laws.rs" 36 0 36 26] (_1 : ()) : bool - ensures { [#"../18_trait_laws.rs" 35 10 35 24] result = true } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../18_trait_laws.rs" 37 16 37 38] let x1 = op0 () () in let x0 = op0 () () in pure {x0 = x1} + constant _1 : () + function impl_laws [#"../18_trait_laws.rs" 36 0 36 26] (_1 : ()) : bool + goal vc_impl_laws : [#"../18_trait_laws.rs" 35 10 35 24] (op0 () () = op0 () ()) = true end module C18TraitLaws_Impl0 predicate invariant0 (self : ()) = @@ -75,5 +72,6 @@ module C18TraitLaws_Impl0 val op0 [#"../18_trait_laws.rs" 23 4 23 32] (self : ()) (_2 : ()) : () ensures { result = op0 self _2 } - goal reflexive_refn : [#"../18_trait_laws.rs" 30 4 30 34] forall a : () . forall b : () . inv0 b /\ inv0 a -> (forall result : () . op0 a b = op0 b a -> op0 a b = op0 b a) + goal reflexive_refn : [#"../18_trait_laws.rs" 30 4 30 34] forall a : () . forall b : () . inv0 b /\ inv0 a + -> (forall result : () . op0 a b = op0 b a -> op0 a b = op0 b a) end 
diff --git a/creusot/tests/should_succeed/traits/18_trait_laws.rs b/creusot/tests/should_succeed/traits/18_trait_laws.rs index c03d1b3103..b63d2eca86 100644 --- a/creusot/tests/should_succeed/traits/18_trait_laws.rs +++ b/creusot/tests/should_succeed/traits/18_trait_laws.rs @@ -2,7 +2,7 @@ extern crate creusot_contracts; use creusot_contracts::*; pub trait Symmetric { - #[ghost] + #[logic] fn op(self, _: Self) -> Self; #[law] @@ -11,7 +11,7 @@ pub trait Symmetric { } #[open] -#[ghost] +#[logic] #[ensures(result == true)] pub fn uses_op(x: T, y: T) -> bool { pearlite! { x.op(y) == y.op(x) } @@ -19,7 +19,7 @@ pub fn uses_op(x: T, y: T) -> bool { impl Symmetric for () { #[open] - #[ghost] + #[logic] fn op(self, _: Self) -> Self { () } @@ -31,7 +31,7 @@ impl Symmetric for () { } #[open] -#[ghost] +#[logic] #[ensures(result == true)] pub fn impl_laws() -> bool { pearlite! { ().op(()) == ().op(()) } diff --git a/creusot/tests/should_succeed/traits/18_trait_laws/why3session.xml b/creusot/tests/should_succeed/traits/18_trait_laws/why3session.xml index bfd0c24fa6..72a1d23385 100644 --- a/creusot/tests/should_succeed/traits/18_trait_laws/why3session.xml +++ b/creusot/tests/should_succeed/traits/18_trait_laws/why3session.xml @@ -1,23 +1,23 @@ +"https://www.why3.org/why3session.dtd"> - + - + - + diff --git a/creusot/tests/should_succeed/traits/18_trait_laws/why3shapes.gz b/creusot/tests/should_succeed/traits/18_trait_laws/why3shapes.gz index e9f474f20d..a4bdc70ea5 100644 Binary files a/creusot/tests/should_succeed/traits/18_trait_laws/why3shapes.gz and b/creusot/tests/should_succeed/traits/18_trait_laws/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/two_modules.mlcfg b/creusot/tests/should_succeed/two_modules.mlcfg index c461c70677..05014b6a89 100644 --- a/creusot/tests/should_succeed/two_modules.mlcfg +++ b/creusot/tests/should_succeed/two_modules.mlcfg 
@@ -16,7 +16,7 @@ module TwoModules_Mod2_X goto BB0 } BB0 { - [#"../two_modules.rs" 16 8 16 12] _0 <- ([#"../two_modules.rs" 16 8 16 12] [#"../two_modules.rs" 16 8 16 12] true); + [#"../two_modules.rs" 16 8 16 12] _0 <- ([#"../two_modules.rs" 16 8 16 12] true); return _0 } @@ -28,11 +28,14 @@ module TwoModules_F = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var _1 : bool; + var _2 : TwoModules_Mod1_T_Type.t_t; { goto BB0 } BB0 { - [#"../two_modules.rs" 23 4 23 14] _1 <- ([#"../two_modules.rs" 23 4 23 14] x0 ([#"../two_modules.rs" 23 12 23 13] TwoModules_Mod1_T_Type.C_B)); + [#"../two_modules.rs" 23 12 23 13] _2 <- TwoModules_Mod1_T_Type.C_B; + [#"../two_modules.rs" 23 4 23 14] _1 <- ([#"../two_modules.rs" 23 4 23 14] x0 _2); + _2 <- any TwoModules_Mod1_T_Type.t_t; goto BB1 } BB1 { diff --git a/creusot/tests/should_succeed/type_constructors.mlcfg b/creusot/tests/should_succeed/type_constructors.mlcfg index ac9d580983..3c4e89ee68 100644 --- a/creusot/tests/should_succeed/type_constructors.mlcfg +++ b/creusot/tests/should_succeed/type_constructors.mlcfg @@ -1,12 +1,22 @@ +module TypeConstructors_B_X_Type + type t_x = + | C_A + | C_B + | C_C + +end module TypeConstructors_F + use TypeConstructors_B_X_Type as TypeConstructors_B_X_Type let rec cfg f [#"../type_constructors.rs" 16 0 16 10] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); + var _3 : TypeConstructors_B_X_Type.t_x; { goto BB0 } BB0 { + [#"../type_constructors.rs" 18 17 18 24] _3 <- TypeConstructors_B_X_Type.C_B; [#"../type_constructors.rs" 16 11 19 1] _0 <- ([#"../type_constructors.rs" 16 11 19 1] ()); return _0 } diff --git a/creusot/tests/should_succeed/type_invariants/borrows.mlcfg b/creusot/tests/should_succeed/type_invariants/borrows.mlcfg index b1c72fc907..0781b4f646 100644 --- a/creusot/tests/should_succeed/type_invariants/borrows.mlcfg +++ b/creusot/tests/should_succeed/type_invariants/borrows.mlcfg 
@@ -39,7 +39,7 @@ module Borrows_Impl1_New goto BB0 } BB0 { - [#"../borrows.rs" 18 8 18 15] _0 <- ([#"../borrows.rs" 18 8 18 15] Borrows_NonZero_Type.C_NonZero ([#"../borrows.rs" 18 13 18 14] n)); + [#"../borrows.rs" 18 8 18 15] _0 <- Borrows_NonZero_Type.C_NonZero n; return _0 } @@ -139,7 +139,7 @@ module Borrows_Inc goto BB0 } BB0 { - [#"../borrows.rs" 102 4 102 11] x <- { x with current = ([#"../borrows.rs" 102 4 102 11] * x + ([#"../borrows.rs" 102 10 102 11] [#"../borrows.rs" 102 10 102 11] (1 : int32))) ; }; + [#"../borrows.rs" 102 4 102 11] x <- { x with current = ( * x + ([#"../borrows.rs" 102 10 102 11] (1 : int32))) ; }; assume { resolve0 x }; [#"../borrows.rs" 101 24 103 1] _0 <- ([#"../borrows.rs" 101 24 103 1] ()); return _0 @@ -407,7 +407,7 @@ module Borrows_Tuple goto BB0 } BB0 { - [#"../borrows.rs" 46 4 46 14] x <- (let (x0, x1) = x in ((let Borrows_NonZero_Type.C_NonZero x0 = let (a, _) = x in a in Borrows_NonZero_Type.C_NonZero ([#"../borrows.rs" 46 4 46 14] [#"../borrows.rs" 46 13 46 14] (0 : int32))), x1)); + [#"../borrows.rs" 46 4 46 14] x <- (let (x0, x1) = x in ((let Borrows_NonZero_Type.C_NonZero x0 = let (a, _) = x in a in Borrows_NonZero_Type.C_NonZero ([#"../borrows.rs" 46 13 46 14] (0 : int32))), x1)); [#"../borrows.rs" 47 8 47 19] _6 <- Borrow.borrow_final (Borrows_NonZero_Type.nonzero_0 ( * (let (_, a) = x in a))) (Borrow.inherit_id (Borrow.get_id (let (_, a) = x in a)) 1); [#"../borrows.rs" 47 8 47 19] x <- (let (x0, x1) = x in (x0, { (let (_, a) = x in a) with current = (let Borrows_NonZero_Type.C_NonZero x0 = * (let (_, a) = x in a) in Borrows_NonZero_Type.C_NonZero ( ^ _6)) ; })); [#"../borrows.rs" 47 8 47 19] _5 <- Borrow.borrow_final ( * _6) (Borrow.get_id _6); 
@@ -511,8 +511,8 @@ module Borrows_PartialMove goto BB0 } BB0 { - [#"../borrows.rs" 54 16 54 19] a <- ([#"../borrows.rs" 54 16 54 19] let (a, _) = x in a); - [#"../borrows.rs" 54 16 54 19] x <- (let (x0, x1) = x in (any Borrows_NonZero_Type.t_nonzero, x1)); + [#"../borrows.rs" 54 16 54 19] a <- (let (a, _) = x in a); + x <- (let (x0, x1) = x in (any Borrows_NonZero_Type.t_nonzero, x1)); [#"../borrows.rs" 55 8 55 19] _7 <- Borrow.borrow_final (Borrows_NonZero_Type.nonzero_0 ( * (let (_, a) = x in a))) (Borrow.inherit_id (Borrow.get_id (let (_, a) = x in a)) 1); [#"../borrows.rs" 55 8 55 19] x <- (let (x0, x1) = x in (x0, { (let (_, a) = x in a) with current = (let Borrows_NonZero_Type.C_NonZero x0 = * (let (_, a) = x in a) in Borrows_NonZero_Type.C_NonZero ( ^ _7)) ; })); [#"../borrows.rs" 55 8 55 19] _6 <- Borrow.borrow_final ( * _7) (Borrow.get_id _7); @@ -525,7 +525,7 @@ module Borrows_PartialMove assume { resolve0 _7 }; assert { [@expl:type invariant] inv0 x }; assume { resolve1 x }; - [#"../borrows.rs" 56 4 56 11] a <- (let Borrows_NonZero_Type.C_NonZero x0 = a in Borrows_NonZero_Type.C_NonZero ([#"../borrows.rs" 56 4 56 11] [#"../borrows.rs" 56 10 56 11] (0 : int32))); + [#"../borrows.rs" 56 4 56 11] a <- (let Borrows_NonZero_Type.C_NonZero x0 = a in Borrows_NonZero_Type.C_NonZero ([#"../borrows.rs" 56 10 56 11] (0 : int32))); [#"../borrows.rs" 53 48 57 1] _0 <- ([#"../borrows.rs" 53 48 57 1] ()); return _0 } 
@@ -618,13 +618,13 @@ module Borrows_Destruct goto BB0 } BB0 { - [#"../borrows.rs" 62 9 62 14] a <- ([#"../borrows.rs" 62 9 62 14] let (a, _) = x in a); - [#"../borrows.rs" 62 9 62 14] x <- (let (x0, x1) = x in (any Borrows_NonZero_Type.t_nonzero, x1)); - [#"../borrows.rs" 62 16 62 17] b <- ([#"../borrows.rs" 62 16 62 17] let (_, a) = x in a); - [#"../borrows.rs" 62 16 62 17] x <- (let (x0, x1) = x in (x0, any borrowed (Borrows_NonZero_Type.t_nonzero))); + [#"../borrows.rs" 62 9 62 14] a <- (let (a, _) = x in a); + x <- (let (x0, x1) = x in (any Borrows_NonZero_Type.t_nonzero, x1)); + [#"../borrows.rs" 62 16 62 17] b <- (let (_, a) = x in a); + x <- (let (x0, x1) = x in (x0, any borrowed (Borrows_NonZero_Type.t_nonzero))); assert { [@expl:type invariant] inv0 x }; assume { resolve0 x }; - [#"../borrows.rs" 63 4 63 11] a <- (let Borrows_NonZero_Type.C_NonZero x0 = a in Borrows_NonZero_Type.C_NonZero ([#"../borrows.rs" 63 4 63 11] [#"../borrows.rs" 63 10 63 11] (0 : int32))); + [#"../borrows.rs" 63 4 63 11] a <- (let Borrows_NonZero_Type.C_NonZero x0 = a in Borrows_NonZero_Type.C_NonZero ([#"../borrows.rs" 63 10 63 11] (0 : int32))); [#"../borrows.rs" 64 8 64 16] _8 <- Borrow.borrow_final (Borrows_NonZero_Type.nonzero_0 ( * b)) (Borrow.inherit_id (Borrow.get_id b) 1); [#"../borrows.rs" 64 8 64 16] b <- { b with current = (let Borrows_NonZero_Type.C_NonZero x0 = * b in Borrows_NonZero_Type.C_NonZero ( ^ _8)) ; }; [#"../borrows.rs" 64 8 64 16] _7 <- Borrow.borrow_final ( * _8) (Borrow.get_id _8); 
@@ -717,8 +717,8 @@ module Borrows_FrozenDead assume { inv0 ( ^ _6) }; assert { [@expl:type invariant] inv1 x }; assume { resolve0 x }; - [#"../borrows.rs" 73 4 74 9] x <- ([#"../borrows.rs" 73 4 74 9] _6); - [#"../borrows.rs" 73 4 74 9] _6 <- any borrowed (Borrows_NonZero_Type.t_nonzero); + [#"../borrows.rs" 73 4 74 9] x <- _6; + _6 <- any borrowed (Borrows_NonZero_Type.t_nonzero); assert { [@expl:type invariant] inv1 x }; assume { resolve0 x }; [#"../borrows.rs" 75 8 75 10] _8 <- Borrow.borrow_final ( * _a) (Borrow.get_id _a); @@ -780,7 +780,7 @@ module Borrows_Dec goto BB0 } BB0 { - [#"../borrows.rs" 108 4 108 11] x <- { x with current = ([#"../borrows.rs" 108 4 108 11] * x - ([#"../borrows.rs" 108 10 108 11] [#"../borrows.rs" 108 10 108 11] (1 : int32))) ; }; + [#"../borrows.rs" 108 4 108 11] x <- { x with current = ( * x - ([#"../borrows.rs" 108 10 108 11] (1 : int32))) ; }; assume { resolve0 x }; [#"../borrows.rs" 107 24 109 1] _0 <- ([#"../borrows.rs" 107 24 109 1] ()); return _0 diff --git a/creusot/tests/should_succeed/type_invariants/non_zero.mlcfg b/creusot/tests/should_succeed/type_invariants/non_zero.mlcfg index b2658f8554..28344900de 100644 --- a/creusot/tests/should_succeed/type_invariants/non_zero.mlcfg +++ b/creusot/tests/should_succeed/type_invariants/non_zero.mlcfg @@ -38,7 +38,7 @@ module NonZero_Impl1_New goto BB0 } BB0 { - [#"../non_zero.rs" 17 8 17 15] _0 <- ([#"../non_zero.rs" 17 8 17 15] NonZero_NonZeroU32_Type.C_NonZeroU32 ([#"../non_zero.rs" 17 13 17 14] n)); + [#"../non_zero.rs" 17 8 17 15] _0 <- NonZero_NonZeroU32_Type.C_NonZeroU32 n; return _0 } 
@@ -72,11 +72,14 @@ module NonZero_Impl1_Add var _0 : NonZero_NonZeroU32_Type.t_nonzerou32; var self : NonZero_NonZeroU32_Type.t_nonzerou32 = self; var rhs : NonZero_NonZeroU32_Type.t_nonzerou32 = rhs; + var _4 : uint32; { goto BB0 } BB0 { - [#"../non_zero.rs" 22 8 22 28] _0 <- ([#"../non_zero.rs" 22 8 22 28] NonZero_NonZeroU32_Type.C_NonZeroU32 ([#"../non_zero.rs" 22 13 22 27] ([#"../non_zero.rs" 22 13 22 19] NonZero_NonZeroU32_Type.nonzerou32_0 self) + ([#"../non_zero.rs" 22 22 22 27] NonZero_NonZeroU32_Type.nonzerou32_0 rhs))); + [#"../non_zero.rs" 22 13 22 27] _4 <- NonZero_NonZeroU32_Type.nonzerou32_0 self + NonZero_NonZeroU32_Type.nonzerou32_0 rhs; + [#"../non_zero.rs" 22 8 22 28] _0 <- NonZero_NonZeroU32_Type.C_NonZeroU32 _4; + _4 <- any uint32; return _0 } 
@@ -104,16 +107,16 @@ module NonZero_Impl1_SubPreTrans_Impl val sub_pre0 [#"../non_zero.rs" 27 4 27 43] (self : NonZero_NonZeroU32_Type.t_nonzerou32) (rhs : NonZero_NonZeroU32_Type.t_nonzerou32) : bool ensures { result = sub_pre0 self rhs } - let rec ghost function sub_pre_trans [#"../non_zero.rs" 36 4 36 51] (a : NonZero_NonZeroU32_Type.t_nonzerou32) (b : NonZero_NonZeroU32_Type.t_nonzerou32) (c : NonZero_NonZeroU32_Type.t_nonzerou32) : () - requires {[#"../non_zero.rs" 33 15 33 27] sub_pre0 a b} - requires {[#"../non_zero.rs" 34 15 34 27] sub_pre0 b c} - requires {[#"../non_zero.rs" 36 25 36 26] inv0 a} - requires {[#"../non_zero.rs" 36 34 36 35] inv0 b} - requires {[#"../non_zero.rs" 36 43 36 44] inv0 c} - ensures { [#"../non_zero.rs" 35 14 35 26] sub_pre0 a c } + constant a : NonZero_NonZeroU32_Type.t_nonzerou32 + constant b : NonZero_NonZeroU32_Type.t_nonzerou32 + constant c : NonZero_NonZeroU32_Type.t_nonzerou32 + function sub_pre_trans [#"../non_zero.rs" 36 4 36 51] (a : NonZero_NonZeroU32_Type.t_nonzerou32) (b : NonZero_NonZeroU32_Type.t_nonzerou32) (c : NonZero_NonZeroU32_Type.t_nonzerou32) : () - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../non_zero.rs" 31 4 31 10] () + goal vc_sub_pre_trans : ([#"../non_zero.rs" 36 43 36 44] inv0 c) + -> ([#"../non_zero.rs" 36 34 36 35] inv0 b) + -> ([#"../non_zero.rs" 36 25 36 26] inv0 a) + -> ([#"../non_zero.rs" 34 15 34 27] sub_pre0 b c) + -> ([#"../non_zero.rs" 33 15 33 27] sub_pre0 a b) -> ([#"../non_zero.rs" 35 14 35 26] sub_pre0 a c) end module NonZero_Impl1_Sub use prelude.Int 
@@ -149,11 +152,14 @@ module NonZero_Impl1_Sub var _0 : NonZero_NonZeroU32_Type.t_nonzerou32; var self : NonZero_NonZeroU32_Type.t_nonzerou32 = self; var rhs : NonZero_NonZeroU32_Type.t_nonzerou32 = rhs; + var _4 : uint32; { goto BB0 } BB0 { - [#"../non_zero.rs" 41 8 41 28] _0 <- ([#"../non_zero.rs" 41 8 41 28] NonZero_NonZeroU32_Type.C_NonZeroU32 ([#"../non_zero.rs" 41 13 41 27] ([#"../non_zero.rs" 41 13 41 19] NonZero_NonZeroU32_Type.nonzerou32_0 self) - ([#"../non_zero.rs" 41 22 41 27] NonZero_NonZeroU32_Type.nonzerou32_0 rhs))); + [#"../non_zero.rs" 41 13 41 27] _4 <- NonZero_NonZeroU32_Type.nonzerou32_0 self - NonZero_NonZeroU32_Type.nonzerou32_0 rhs; + [#"../non_zero.rs" 41 8 41 28] _0 <- NonZero_NonZeroU32_Type.C_NonZeroU32 _4; + _4 <- any uint32; return _0 } diff --git a/creusot/tests/should_succeed/type_invariants/non_zero/why3session.xml b/creusot/tests/should_succeed/type_invariants/non_zero/why3session.xml index d303e5e495..cce66003e4 100644 --- a/creusot/tests/should_succeed/type_invariants/non_zero/why3session.xml +++ b/creusot/tests/should_succeed/type_invariants/non_zero/why3session.xml @@ -17,13 +17,13 @@ - - + + - + diff --git a/creusot/tests/should_succeed/type_invariants/non_zero/why3shapes.gz b/creusot/tests/should_succeed/type_invariants/non_zero/why3shapes.gz index 4b83edb208..06f4f61679 100644 Binary files a/creusot/tests/should_succeed/type_invariants/non_zero/why3shapes.gz and b/creusot/tests/should_succeed/type_invariants/non_zero/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/type_invariants/quant.mlcfg b/creusot/tests/should_succeed/type_invariants/quant.mlcfg index 573a17ad37..6ca7198898 100644 --- a/creusot/tests/should_succeed/type_invariants/quant.mlcfg +++ b/creusot/tests/should_succeed/type_invariants/quant.mlcfg 
@@ -18,11 +18,10 @@ module Quant_Forall_Impl axiom inv0 : forall x : Quant_WithInvariant_Type.t_withinvariant . inv0 x = (invariant0 x /\ match x with | Quant_WithInvariant_Type.C_WithInvariant -> true end) - let rec ghost function forall' [#"../quant.rs" 17 0 17 15] (_1 : ()) : () - ensures { [#"../quant.rs" 16 0 16 50] forall x : Quant_WithInvariant_Type.t_withinvariant . inv0 x -> invariant0 x } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../quant.rs" 14 0 14 6] () + constant _1 : () + function forall' [#"../quant.rs" 17 0 17 15] (_1 : ()) : () + goal vc_forall' : [#"../quant.rs" 16 0 16 50] forall x : Quant_WithInvariant_Type.t_withinvariant . inv0 x + -> invariant0 x end module Quant_Exists_Impl use Quant_WithInvariant_Type as Quant_WithInvariant_Type @@ -38,11 +37,9 @@ module Quant_Exists_Impl axiom inv0 : forall x : Quant_WithInvariant_Type.t_withinvariant . inv0 x = (invariant0 x /\ match x with | Quant_WithInvariant_Type.C_WithInvariant -> true end) - let rec ghost function exists' [#"../quant.rs" 22 0 22 15] (_1 : ()) : () - ensures { [#"../quant.rs" 21 0 21 42] exists _x : Quant_WithInvariant_Type.t_withinvariant . inv0 _x } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../quant.rs" 19 0 19 6] () + constant _1 : () + function exists' [#"../quant.rs" 22 0 22 15] (_1 : ()) : () + goal vc_exists' : [#"../quant.rs" 21 0 21 42] exists _x : Quant_WithInvariant_Type.t_withinvariant . inv0 _x end module Quant_Impl0 diff --git a/creusot/tests/should_succeed/type_invariants/quant/why3session.xml b/creusot/tests/should_succeed/type_invariants/quant/why3session.xml index da7f747618..9a4cbfb0ea 100644 --- a/creusot/tests/should_succeed/type_invariants/quant/why3session.xml +++ b/creusot/tests/should_succeed/type_invariants/quant/why3session.xml @@ -1,18 +1,18 @@ +"https://www.why3.org/why3session.dtd"> - + - + 
diff --git a/creusot/tests/should_succeed/type_invariants/quant/why3shapes.gz b/creusot/tests/should_succeed/type_invariants/quant/why3shapes.gz index f9e79a1ce9..a106b9f87d 100644 Binary files a/creusot/tests/should_succeed/type_invariants/quant/why3shapes.gz and b/creusot/tests/should_succeed/type_invariants/quant/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/type_invariants/type_invariants.mlcfg b/creusot/tests/should_succeed/type_invariants/type_invariants.mlcfg index c9c565eed0..d24fa5afcd 100644 --- a/creusot/tests/should_succeed/type_invariants/type_invariants.mlcfg +++ b/creusot/tests/should_succeed/type_invariants/type_invariants.mlcfg @@ -29,8 +29,8 @@ module TypeInvariants_Id goto BB0 } BB0 { - [#"../type_invariants.rs" 15 4 15 5] _0 <- ([#"../type_invariants.rs" 15 4 15 5] x); - [#"../type_invariants.rs" 15 4 15 5] x <- any TypeInvariants_WithInvariant_Type.t_withinvariant; + [#"../type_invariants.rs" 15 4 15 5] _0 <- x; + x <- any TypeInvariants_WithInvariant_Type.t_withinvariant; return _0 } diff --git a/creusot/tests/should_succeed/type_invariants/vec_inv.mlcfg b/creusot/tests/should_succeed/type_invariants/vec_inv.mlcfg index 26f925c66f..b596eb99df 100644 --- a/creusot/tests/should_succeed/type_invariants/vec_inv.mlcfg +++ b/creusot/tests/should_succeed/type_invariants/vec_inv.mlcfg @@ -32,12 +32,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
@@ -108,7 +114,8 @@ module VecInv_Vec requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : slice (borrowed (VecInv_SumTo10_Type.t_sumto10)) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv1 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model3 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : slice (borrowed (VecInv_SumTo10_Type.t_sumto10)) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv1 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model3 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) function index_logic2 [@inline:trivial] (self : slice (borrowed (VecInv_SumTo10_Type.t_sumto10))) (ix : int) : borrowed (VecInv_SumTo10_Type.t_sumto10) = 
@@ -122,7 +129,8 @@ module VecInv_Vec ensures { result = slice_len0 x } use prelude.UInt64 - axiom inv3 : forall x : slice (borrowed (VecInv_SumTo10_Type.t_sumto10)) . inv3 x = (forall i : uint64 . 0 <= i -> i < slice_len0 x -> inv4 (index_logic2 x i)) + axiom inv3 : forall x : slice (borrowed (VecInv_SumTo10_Type.t_sumto10)) . inv3 x = (forall i : uint64 . 0 <= i + -> i < slice_len0 x -> inv4 (index_logic2 x i)) use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Alloc_RawVec_RawVec_Type as Alloc_RawVec_RawVec_Type predicate invariant2 (self : Alloc_RawVec_RawVec_Type.t_rawvec (borrowed (VecInv_SumTo10_Type.t_sumto10)) (Alloc_Alloc_Global_Type.t_global)) @@ -138,7 +146,8 @@ module VecInv_Vec ensures { result = inv2 _x } axiom inv2 : forall x : Alloc_RawVec_RawVec_Type.t_rawvec (borrowed (VecInv_SumTo10_Type.t_sumto10)) (Alloc_Alloc_Global_Type.t_global) . inv2 x = true - axiom inv1 : forall x : Seq.seq (borrowed (VecInv_SumTo10_Type.t_sumto10)) . inv1 x = (forall i : int . 0 <= i -> i < Seq.length x -> inv4 (Seq.get x i)) + axiom inv1 : forall x : Seq.seq (borrowed (VecInv_SumTo10_Type.t_sumto10)) . inv1 x = (forall i : int . 0 <= i + -> i < Seq.length x -> inv4 (Seq.get x i)) use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type predicate inv0 (_x : Alloc_Vec_Vec_Type.t_vec (borrowed (VecInv_SumTo10_Type.t_sumto10)) (Alloc_Alloc_Global_Type.t_global)) 
@@ -151,7 +160,8 @@ module VecInv_Vec requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (borrowed (VecInv_SumTo10_Type.t_sumto10)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (borrowed (VecInv_SumTo10_Type.t_sumto10)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv1 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec (borrowed (VecInv_SumTo10_Type.t_sumto10)) (Alloc_Alloc_Global_Type.t_global)) = @@ -177,7 +187,8 @@ module VecInv_Vec predicate resolve0 (self : Alloc_Vec_Vec_Type.t_vec (borrowed (VecInv_SumTo10_Type.t_sumto10)) (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) -> resolve1 (index_logic0 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 self) + -> resolve1 (index_logic0 self i) val resolve0 (self : Alloc_Vec_Vec_Type.t_vec (borrowed (VecInv_SumTo10_Type.t_sumto10)) (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve0 self } 
diff --git a/creusot/tests/should_succeed/type_invariants/vec_inv/why3shapes.gz b/creusot/tests/should_succeed/type_invariants/vec_inv/why3shapes.gz index 6238e0697c..98e5159798 100644 Binary files a/creusot/tests/should_succeed/type_invariants/vec_inv/why3shapes.gz and b/creusot/tests/should_succeed/type_invariants/vec_inv/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/unused_in_loop.mlcfg b/creusot/tests/should_succeed/unused_in_loop.mlcfg index 83cb0a9cd5..3e27964fce 100644 --- a/creusot/tests/should_succeed/unused_in_loop.mlcfg +++ b/creusot/tests/should_succeed/unused_in_loop.mlcfg @@ -13,7 +13,7 @@ module UnusedInLoop_UnusedInLoop goto BB0 } BB0 { - [#"../unused_in_loop.rs" 6 12 6 14] x <- ([#"../unused_in_loop.rs" 6 12 6 14] [#"../unused_in_loop.rs" 6 12 6 14] (10 : uint32)); + [#"../unused_in_loop.rs" 6 12 6 14] x <- ([#"../unused_in_loop.rs" 6 12 6 14] (10 : uint32)); goto BB1 } BB1 { @@ -21,13 +21,13 @@ module UnusedInLoop_UnusedInLoop goto BB2 } BB2 { - switch ([#"../unused_in_loop.rs" 9 11 9 12] b) + switch (b) | False -> goto BB4 | True -> goto BB3 end } BB3 { - [#"../unused_in_loop.rs" 13 4 13 5] _0 <- ([#"../unused_in_loop.rs" 13 4 13 5] x); + [#"../unused_in_loop.rs" 13 4 13 5] _0 <- x; return _0 } BB4 { diff --git a/creusot/tests/should_succeed/vecdeque.mlcfg b/creusot/tests/should_succeed/vecdeque.mlcfg index 5a8c3e6ce9..2daf1be858 100644 --- a/creusot/tests/should_succeed/vecdeque.mlcfg +++ b/creusot/tests/should_succeed/vecdeque.mlcfg 
@@ -17,12 +17,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Collections_VecDeque_VecDeque_Type @@ -140,7 +146,8 @@ module Vecdeque_TestDeque requires {[#"../../../../creusot-contracts/src/std/deque.rs" 12 21 12 25] inv5 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Collections_VecDeque_VecDeque_Type.t_vecdeque uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/deque.rs" 12 21 12 25] inv5 self) -> ([#"../../../../creusot-contracts/src/std/deque.rs" 12 4 12 36] inv6 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/deque.rs" 11 14 11 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Collections_VecDeque_VecDeque_Type.t_vecdeque uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../creusot-contracts/src/std/deque.rs" 12 21 12 25] inv5 self) + -> ([#"../../../../creusot-contracts/src/std/deque.rs" 12 4 12 36] inv6 (shallow_model0 self)) && ([#"../../../../creusot-contracts/src/std/deque.rs" 11 14 11 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) val clear0 (self : borrowed (Alloc_Collections_VecDeque_VecDeque_Type.t_vecdeque uint32 (Alloc_Alloc_Global_Type.t_global))) : () requires {inv1 self} ensures { [#"../../../../creusot-contracts/src/std/deque.rs" 71 26 71 45] Seq.length (shallow_model0 ( ^ self)) = 0 } 
@@ -231,24 +238,26 @@ module Vecdeque_TestDeque let constant promoted0 [#"../vecdeque.rs" 5 0 5 19] : Core_Option_Option_Type.t_option uint32 = [@vc:do_not_keep_trace] [@vc:sp] - let _1 = [#"../vecdeque.rs" 24 32 24 39] Core_Option_Option_Type.C_Some ([#"../vecdeque.rs" 24 37 24 38] [#"../vecdeque.rs" 24 37 24 38] (3 : uint32)) in let _0 = [#"../vecdeque.rs" 24 32 24 39] _1 in _0 + let _1 = Core_Option_Option_Type.C_Some ([#"../vecdeque.rs" 24 37 24 38] (3 : uint32)) in let _0 = _1 in _0 let constant promoted1 [#"../vecdeque.rs" 5 0 5 19] : Core_Option_Option_Type.t_option uint32 = [@vc:do_not_keep_trace] [@vc:sp] - let _1 = [#"../vecdeque.rs" 23 33 23 40] Core_Option_Option_Type.C_Some ([#"../vecdeque.rs" 23 38 23 39] [#"../vecdeque.rs" 23 38 23 39] (2 : uint32)) in let _0 = [#"../vecdeque.rs" 23 33 23 40] _1 in _0 + let _1 = Core_Option_Option_Type.C_Some ([#"../vecdeque.rs" 23 38 23 39] (2 : uint32)) in let _0 = _1 in _0 let constant promoted2 [#"../vecdeque.rs" 5 0 5 19] : Core_Option_Option_Type.t_option uint32 = [@vc:do_not_keep_trace] [@vc:sp] - let _1 = [#"../vecdeque.rs" 17 32 17 36] Core_Option_Option_Type.C_None in let _0 = [#"../vecdeque.rs" 17 32 17 36] _1 in _0 + let _1 = Core_Option_Option_Type.C_None in let _0 = _1 in _0 let constant promoted3 [#"../vecdeque.rs" 5 0 5 19] : Core_Option_Option_Type.t_option uint32 = [@vc:do_not_keep_trace] [@vc:sp] - let _1 = [#"../vecdeque.rs" 16 33 16 37] Core_Option_Option_Type.C_None in let _0 = [#"../vecdeque.rs" 16 33 16 37] _1 in _0 + let _1 = Core_Option_Option_Type.C_None in let _0 = _1 in _0 let rec cfg test_deque [#"../vecdeque.rs" 5 0 5 19] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : ()) : () = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var deque : Alloc_Collections_VecDeque_VecDeque_Type.t_vecdeque uint32 (Alloc_Alloc_Global_Type.t_global); var _3 : bool; + var _7 : bool; var _8 : usize; var deque1 : Alloc_Collections_VecDeque_VecDeque_Type.t_vecdeque uint32 (Alloc_Alloc_Global_Type.t_global); var 
_13 : bool; + var _17 : bool; var _18 : usize; var _22 : bool; var _24 : Core_Option_Option_Type.t_option uint32; @@ -279,11 +288,11 @@ module Vecdeque_TestDeque goto BB0 } BB0 { - [#"../vecdeque.rs" 6 31 6 57] deque <- ([#"../vecdeque.rs" 6 31 6 57] with_capacity0 ([#"../vecdeque.rs" 6 55 6 56] [#"../vecdeque.rs" 6 55 6 56] (5 : usize))); + [#"../vecdeque.rs" 6 31 6 57] deque <- ([#"../vecdeque.rs" 6 31 6 57] with_capacity0 ([#"../vecdeque.rs" 6 55 6 56] (5 : usize))); goto BB1 } BB1 { - [#"../vecdeque.rs" 8 12 8 28] _3 <- ([#"../vecdeque.rs" 8 12 8 28] is_empty0 ([#"../vecdeque.rs" 8 12 8 17] deque)); + [#"../vecdeque.rs" 8 12 8 28] _3 <- ([#"../vecdeque.rs" 8 12 8 28] is_empty0 deque); goto BB2 } BB2 { @@ -293,7 +302,7 @@ module Vecdeque_TestDeque end } BB3 { - [#"../vecdeque.rs" 9 12 9 23] _8 <- ([#"../vecdeque.rs" 9 12 9 23] len0 ([#"../vecdeque.rs" 9 12 9 17] deque)); + [#"../vecdeque.rs" 9 12 9 23] _8 <- ([#"../vecdeque.rs" 9 12 9 23] len0 deque); goto BB5 } BB4 { @@ -301,13 +310,15 @@ module Vecdeque_TestDeque absurd } BB5 { - switch ([#"../vecdeque.rs" 9 12 9 28] _8 = ([#"../vecdeque.rs" 9 27 9 28] [#"../vecdeque.rs" 9 27 9 28] (0 : usize))) + [#"../vecdeque.rs" 9 12 9 28] _7 <- _8 = ([#"../vecdeque.rs" 9 27 9 28] (0 : usize)); + _8 <- any usize; + switch (_7) | False -> goto BB7 | True -> goto BB6 end } BB6 { - [#"../vecdeque.rs" 11 35 11 50] deque1 <- ([#"../vecdeque.rs" 11 35 11 50] new0 ()); + [#"../vecdeque.rs" 11 35 11 50] deque1 <- ([#"../vecdeque.rs" 11 35 11 50] new0 ([#"../vecdeque.rs" 11 35 11 50] ())); goto BB8 } BB7 { @@ -315,7 +326,7 @@ module Vecdeque_TestDeque absurd } BB8 { - [#"../vecdeque.rs" 13 12 13 28] _13 <- ([#"../vecdeque.rs" 13 12 13 28] is_empty0 ([#"../vecdeque.rs" 13 12 13 17] deque1)); + [#"../vecdeque.rs" 13 12 13 28] _13 <- ([#"../vecdeque.rs" 13 12 13 28] is_empty0 deque1); goto BB9 } BB9 { 
@@ -325,7 +336,7 @@ module Vecdeque_TestDeque end } BB10 { - [#"../vecdeque.rs" 14 12 14 23] _18 <- ([#"../vecdeque.rs" 14 12 14 23] len0 ([#"../vecdeque.rs" 14 12 14 17] deque1)); + [#"../vecdeque.rs" 14 12 14 23] _18 <- ([#"../vecdeque.rs" 14 12 14 23] len0 deque1); goto BB12 } BB11 { @@ -333,7 +344,9 @@ module Vecdeque_TestDeque absurd } BB12 { - switch ([#"../vecdeque.rs" 14 12 14 28] _18 = ([#"../vecdeque.rs" 14 27 14 28] [#"../vecdeque.rs" 14 27 14 28] (0 : usize))) + [#"../vecdeque.rs" 14 12 14 28] _17 <- _18 = ([#"../vecdeque.rs" 14 27 14 28] (0 : usize)); + _18 <- any usize; + switch (_17) | False -> goto BB14 | True -> goto BB13 end @@ -350,8 +363,8 @@ module Vecdeque_TestDeque absurd } BB15 { - [#"../vecdeque.rs" 16 33 16 37] _68 <- ([#"../vecdeque.rs" 16 33 16 37] [#"../vecdeque.rs" 16 33 16 37] promoted3); - [#"../vecdeque.rs" 16 12 16 37] _22 <- ([#"../vecdeque.rs" 16 12 16 37] eq0 ([#"../vecdeque.rs" 16 12 16 29] _24) ([#"../vecdeque.rs" 16 33 16 37] _68)); + [#"../vecdeque.rs" 16 33 16 37] _68 <- ([#"../vecdeque.rs" 16 33 16 37] promoted3); + [#"../vecdeque.rs" 16 12 16 37] _22 <- ([#"../vecdeque.rs" 16 12 16 37] eq0 _24 _68); goto BB16 } BB16 { @@ -372,8 +385,8 @@ module Vecdeque_TestDeque absurd } BB19 { - [#"../vecdeque.rs" 17 32 17 36] _67 <- ([#"../vecdeque.rs" 17 32 17 36] [#"../vecdeque.rs" 17 32 17 36] promoted2); - [#"../vecdeque.rs" 17 12 17 36] _30 <- ([#"../vecdeque.rs" 17 12 17 36] eq0 ([#"../vecdeque.rs" 17 12 17 28] _32) ([#"../vecdeque.rs" 17 32 17 36] _67)); + [#"../vecdeque.rs" 17 32 17 36] _67 <- ([#"../vecdeque.rs" 17 32 17 36] promoted2); + [#"../vecdeque.rs" 17 12 17 36] _30 <- ([#"../vecdeque.rs" 17 12 17 36] eq0 _32 _67); goto BB20 } BB20 { 
@@ -385,7 +398,7 @@ module Vecdeque_TestDeque BB21 { [#"../vecdeque.rs" 19 4 19 9] _38 <- Borrow.borrow_mut deque1; [#"../vecdeque.rs" 19 4 19 9] deque1 <- ^ _38; - [#"../vecdeque.rs" 19 4 19 23] _37 <- ([#"../vecdeque.rs" 19 4 19 23] push_front0 _38 ([#"../vecdeque.rs" 19 21 19 22] [#"../vecdeque.rs" 19 21 19 22] (1 : uint32))); + [#"../vecdeque.rs" 19 4 19 23] _37 <- ([#"../vecdeque.rs" 19 4 19 23] push_front0 _38 ([#"../vecdeque.rs" 19 21 19 22] (1 : uint32))); _38 <- any borrowed (Alloc_Collections_VecDeque_VecDeque_Type.t_vecdeque uint32 (Alloc_Alloc_Global_Type.t_global)); goto BB23 } @@ -396,14 +409,14 @@ module Vecdeque_TestDeque BB23 { [#"../vecdeque.rs" 20 4 20 9] _40 <- Borrow.borrow_mut deque1; [#"../vecdeque.rs" 20 4 20 9] deque1 <- ^ _40; - [#"../vecdeque.rs" 20 4 20 23] _39 <- ([#"../vecdeque.rs" 20 4 20 23] push_front0 _40 ([#"../vecdeque.rs" 20 21 20 22] [#"../vecdeque.rs" 20 21 20 22] (2 : uint32))); + [#"../vecdeque.rs" 20 4 20 23] _39 <- ([#"../vecdeque.rs" 20 4 20 23] push_front0 _40 ([#"../vecdeque.rs" 20 21 20 22] (2 : uint32))); _40 <- any borrowed (Alloc_Collections_VecDeque_VecDeque_Type.t_vecdeque uint32 (Alloc_Alloc_Global_Type.t_global)); goto BB24 } BB24 { [#"../vecdeque.rs" 21 4 21 9] _42 <- Borrow.borrow_mut deque1; [#"../vecdeque.rs" 21 4 21 9] deque1 <- ^ _42; - [#"../vecdeque.rs" 21 4 21 22] _41 <- ([#"../vecdeque.rs" 21 4 21 22] push_back0 _42 ([#"../vecdeque.rs" 21 20 21 21] [#"../vecdeque.rs" 21 20 21 21] (3 : uint32))); + [#"../vecdeque.rs" 21 4 21 22] _41 <- ([#"../vecdeque.rs" 21 4 21 22] push_back0 _42 ([#"../vecdeque.rs" 21 20 21 21] (3 : uint32))); _42 <- any borrowed (Alloc_Collections_VecDeque_VecDeque_Type.t_vecdeque uint32 (Alloc_Alloc_Global_Type.t_global)); goto BB25 } 
@@ -415,8 +428,8 @@ module Vecdeque_TestDeque goto BB26 } BB26 { - [#"../vecdeque.rs" 23 33 23 40] _66 <- ([#"../vecdeque.rs" 23 33 23 40] [#"../vecdeque.rs" 23 33 23 40] promoted1); - [#"../vecdeque.rs" 23 12 23 40] _44 <- ([#"../vecdeque.rs" 23 12 23 40] eq0 ([#"../vecdeque.rs" 23 12 23 29] _46) ([#"../vecdeque.rs" 23 33 23 40] _66)); + [#"../vecdeque.rs" 23 33 23 40] _66 <- ([#"../vecdeque.rs" 23 33 23 40] promoted1); + [#"../vecdeque.rs" 23 12 23 40] _44 <- ([#"../vecdeque.rs" 23 12 23 40] eq0 _46 _66); goto BB27 } BB27 { @@ -437,8 +450,8 @@ module Vecdeque_TestDeque absurd } BB30 { - [#"../vecdeque.rs" 24 32 24 39] _65 <- ([#"../vecdeque.rs" 24 32 24 39] [#"../vecdeque.rs" 24 32 24 39] promoted0); - [#"../vecdeque.rs" 24 12 24 39] _52 <- ([#"../vecdeque.rs" 24 12 24 39] eq0 ([#"../vecdeque.rs" 24 12 24 28] _54) ([#"../vecdeque.rs" 24 32 24 39] _65)); + [#"../vecdeque.rs" 24 32 24 39] _65 <- ([#"../vecdeque.rs" 24 32 24 39] promoted0); + [#"../vecdeque.rs" 24 12 24 39] _52 <- ([#"../vecdeque.rs" 24 12 24 39] eq0 _54 _65); goto BB31 } BB31 { @@ -459,7 +472,7 @@ module Vecdeque_TestDeque absurd } BB34 { - [#"../vecdeque.rs" 26 12 26 28] _62 <- ([#"../vecdeque.rs" 26 12 26 28] is_empty0 ([#"../vecdeque.rs" 26 12 26 17] deque1)); + [#"../vecdeque.rs" 26 12 26 28] _62 <- ([#"../vecdeque.rs" 26 12 26 28] is_empty0 deque1); goto BB35 } BB35 { diff --git a/creusot/tests/should_succeed/vecdeque/why3session.xml b/creusot/tests/should_succeed/vecdeque/why3session.xml index dc0909ad90..b14bbbe157 100644 --- a/creusot/tests/should_succeed/vecdeque/why3session.xml +++ b/creusot/tests/should_succeed/vecdeque/why3session.xml @@ -21,119 +21,119 @@ - - + + - - + + - - + + - - + + - - + + - + - - + + - - + + - - + + - + - + - - + + - - + + - - + + - + - + - - + + - - + + - + - + - + - + - + - - + + - - + + - + - + - - + + - - + + - - + + - + - + - + - + - - + + - - + + - + - + 
diff --git a/creusot/tests/should_succeed/vecdeque/why3shapes.gz b/creusot/tests/should_succeed/vecdeque/why3shapes.gz index 45d982724d..f3332fdeaf 100644 Binary files a/creusot/tests/should_succeed/vecdeque/why3shapes.gz and b/creusot/tests/should_succeed/vecdeque/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/vector/01.mlcfg b/creusot/tests/should_succeed/vector/01.mlcfg index fc675e6d18..2cbeba8fc1 100644 --- a/creusot/tests/should_succeed/vector/01.mlcfg +++ b/creusot/tests/should_succeed/vector/01.mlcfg @@ -30,12 +30,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
@@ -102,7 +108,8 @@ module C01_AllZero requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant7 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv8 (shallow_model2 self) val invariant7 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -188,7 +195,9 @@ module C01_AllZero predicate produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces0 self visited o } 
@@ -204,35 +213,44 @@ module C01_AllZero requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv9 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv9 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv9 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv9 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : Core_Ops_Range_Range_Type.t_range usize) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant0 (self : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = invariant0 self } axiom inv0 : forall x : Core_Ops_Range_Range_Type.t_range usize . 
inv0 x = true - use prelude.Ghost + use prelude.Snapshot predicate resolve2 (self : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve2 self } predicate resolve1 (self : borrowed uint32) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed uint32) : bool ensures { result = resolve1 self } use prelude.Slice use seq.Seq predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq uint32) (fin : Seq.seq uint32) = - [#"../../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq uint32) (fin : Seq.seq uint32) : bool ensures { result = resolve_elswhere0 self old' fin } @@ -249,7 +267,7 @@ module C01_AllZero function shallow_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global))) : Seq.seq uint32 = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model2 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model2 ( * self) val shallow_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global))) : Seq.seq uint32 ensures { result = shallow_model0 self } 
@@ -265,7 +283,7 @@ module C01_AllZero use seq.Seq predicate resolve0 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) : bool ensures { result = resolve0 self } 
@@ -289,26 +307,26 @@ module C01_AllZero val index_logic0 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) (ix : int) : uint32 ensures { result = index_logic0 self ix } - use prelude.Ghost + use prelude.Snapshot function shallow_model5 (self : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global))) : Seq.seq uint32 = - [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model0 self + [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model0 self val shallow_model5 (self : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global))) : Seq.seq uint32 ensures { result = shallow_model5 self } - use prelude.Ghost - function shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq uint32 + use prelude.Snapshot + function shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq uint32 = - [#"../../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model5 (Ghost.inner self) - val shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq uint32 + [#"../../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model5 (Snapshot.inner self) + val shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq uint32 ensures { result = shallow_model1 self } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_Range_Type.t_range usize) (res : Core_Ops_Range_Range_Type.t_range usize) = 
@@ -328,7 +346,7 @@ module C01_AllZero ensures { inv0 result } function shallow_model4 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : Seq.seq uint32 = - [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model2 self + [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model2 self val shallow_model4 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : Seq.seq uint32 ensures { result = shallow_model4 self } 
@@ -336,24 +354,26 @@ module C01_AllZero requires {inv1 self} ensures { [#"../../../../../creusot-contracts/src/std/vec.rs" 75 26 75 48] UIntSize.to_int result = Seq.length (shallow_model4 self) } - use prelude.Ghost + use prelude.Snapshot let rec cfg all_zero [#"../01.rs" 7 0 7 33] [@cfg:stackify] [@cfg:subregion_analysis] (v : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global))) : () - ensures { [#"../01.rs" 5 0 5 73] forall i : int . 0 <= i /\ i < Seq.length (shallow_model2 ( ^ v)) -> index_logic0 ( ^ v) i = (0 : uint32) } + ensures { [#"../01.rs" 5 0 5 73] forall i : int . 0 <= i /\ i < Seq.length (shallow_model2 ( ^ v)) + -> index_logic0 ( ^ v) i = (0 : uint32) } ensures { [#"../01.rs" 6 10 6 33] Seq.length (shallow_model0 v) = Seq.length (shallow_model2 ( ^ v)) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var v : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = v; - var old_v : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global))); + var old_v : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global))); var iter : Core_Ops_Range_Range_Type.t_range usize; + var _7 : Core_Ops_Range_Range_Type.t_range usize; var _8 : usize; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range usize); - var produced : Ghost.ghost_ty (Seq.seq usize); + var iter_old : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range usize); + var produced : Snapshot.snap_ty (Seq.seq usize); var _19 : Core_Option_Option_Type.t_option usize; var _20 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var _21 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var __creusot_proc_iter_elem : usize; - var _24 : Ghost.ghost_ty (Seq.seq usize); + var _24 : Snapshot.snap_ty (Seq.seq usize); var i : usize; var _27 : borrowed uint32; var _28 : borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)); 
@@ -361,24 +381,26 @@ module C01_AllZero goto BB0 } BB0 { - [#"../01.rs" 8 16 8 25] old_v <- ([#"../01.rs" 8 16 8 25] Ghost.new v); + [#"../01.rs" 8 16 8 31] old_v <- ([#"../01.rs" 8 16 8 31] Snapshot.new v); goto BB1 } BB1 { - [#"../01.rs" 11 16 11 23] _8 <- ([#"../01.rs" 11 16 11 23] len0 ([#"../01.rs" 11 16 11 17] * v)); + [#"../01.rs" 11 16 11 23] _8 <- ([#"../01.rs" 11 16 11 23] len0 ( * v)); goto BB2 } BB2 { - [#"../01.rs" 9 4 9 42] iter <- ([#"../01.rs" 9 4 9 42] into_iter0 ([#"../01.rs" 11 13 11 23] Core_Ops_Range_Range_Type.C_Range ([#"../01.rs" 11 13 11 14] [#"../01.rs" 11 13 11 14] (0 : usize)) _8)); + [#"../01.rs" 11 13 11 23] _7 <- Core_Ops_Range_Range_Type.C_Range ([#"../01.rs" 11 13 11 14] (0 : usize)) _8; _8 <- any usize; + [#"../01.rs" 9 4 9 42] iter <- ([#"../01.rs" 9 4 9 42] into_iter0 _7); + _7 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB3 } BB3 { - [#"../01.rs" 9 4 9 42] iter_old <- ([#"../01.rs" 9 4 9 42] Ghost.new iter); + [#"../01.rs" 9 4 9 42] iter_old <- ([#"../01.rs" 9 4 9 42] Snapshot.new iter); goto BB4 } BB4 { - [#"../01.rs" 9 4 9 42] produced <- ([#"../01.rs" 9 4 9 42] Ghost.new (Seq.empty )); + [#"../01.rs" 9 4 9 42] produced <- ([#"../01.rs" 9 4 9 42] Snapshot.new (Seq.empty )); goto BB5 } BB5 { @@ -386,9 +408,10 @@ module C01_AllZero } BB6 { invariant { [#"../01.rs" 9 4 9 42] inv0 iter }; - invariant { [#"../01.rs" 9 4 9 42] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; + invariant { [#"../01.rs" 9 4 9 42] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; invariant { [#"../01.rs" 9 16 9 40] Seq.length (shallow_model0 v) = Seq.length (shallow_model1 old_v) }; - invariant { [#"../01.rs" 9 4 9 42] forall j : int . 0 <= j /\ j < Seq.length (Ghost.inner produced) -> index_logic0 ( * v) j = (0 : uint32) }; + invariant { [#"../01.rs" 9 4 9 42] forall j : int . 0 <= j /\ j < Seq.length (Snapshot.inner produced) + -> index_logic0 ( * v) j = (0 : uint32) }; goto BB7 } BB7 { 
@@ -421,22 +444,22 @@ module C01_AllZero absurd } BB12 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _19); - [#"../01.rs" 9 4 9 42] _24 <- ([#"../01.rs" 9 4 9 42] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _19; + [#"../01.rs" 9 4 9 42] _24 <- ([#"../01.rs" 9 4 9 42] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB13 } BB13 { - [#"../01.rs" 9 4 9 42] produced <- ([#"../01.rs" 9 4 9 42] _24); - [#"../01.rs" 9 4 9 42] _24 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] i <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem); + [#"../01.rs" 9 4 9 42] produced <- _24; + _24 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] i <- __creusot_proc_iter_elem; [#"../01.rs" 12 8 12 9] _28 <- Borrow.borrow_mut ( * v); [#"../01.rs" 12 8 12 9] v <- { v with current = ( ^ _28) ; }; - [#"../01.rs" 12 9 12 12] _27 <- ([#"../01.rs" 12 9 12 12] index_mut0 _28 ([#"../01.rs" 12 10 12 11] i)); + [#"../01.rs" 12 9 12 12] _27 <- ([#"../01.rs" 12 9 12 12] index_mut0 _28 i); _28 <- any borrowed (Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)); goto BB14 } BB14 { - [#"../01.rs" 12 8 12 16] _27 <- { _27 with current = ([#"../01.rs" 12 8 12 16] [#"../01.rs" 12 15 12 16] (0 : uint32)) ; }; + [#"../01.rs" 12 8 12 16] _27 <- { _27 with current = ([#"../01.rs" 12 15 12 16] (0 : uint32)) ; }; assume { resolve1 _27 }; goto BB6 } 
diff --git a/creusot/tests/should_succeed/vector/01.rs b/creusot/tests/should_succeed/vector/01.rs index 2e01e398f1..89966fb772 100644 --- a/creusot/tests/should_succeed/vector/01.rs +++ b/creusot/tests/should_succeed/vector/01.rs @@ -5,7 +5,7 @@ use creusot_contracts::{logic::Int, *}; #[ensures(forall 0 <= i && i < (^v)@.len() ==> (^v)[i] == 0u32)] #[ensures(v@.len() == (^v)@.len())] pub fn all_zero(v: &mut Vec) { - let old_v = gh! { v }; + let old_v = snapshot! { v }; #[invariant(v@.len() == old_v@.len())] #[invariant(forall 0 <= j && j < produced.len() ==> v[j] == 0u32)] for i in 0..v.len() { diff --git a/creusot/tests/should_succeed/vector/01/why3session.xml b/creusot/tests/should_succeed/vector/01/why3session.xml index 6f49181aae..0acb99500e 100644 --- a/creusot/tests/should_succeed/vector/01/why3session.xml +++ b/creusot/tests/should_succeed/vector/01/why3session.xml @@ -7,7 +7,7 @@ - + diff --git a/creusot/tests/should_succeed/vector/01/why3shapes.gz b/creusot/tests/should_succeed/vector/01/why3shapes.gz index 5dd4c5002d..4c7526bba1 100644 Binary files a/creusot/tests/should_succeed/vector/01/why3shapes.gz and b/creusot/tests/should_succeed/vector/01/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/vector/02_gnome.mlcfg b/creusot/tests/should_succeed/vector/02_gnome.mlcfg index bf2192d118..f027569599 100644 --- a/creusot/tests/should_succeed/vector/02_gnome.mlcfg +++ b/creusot/tests/should_succeed/vector/02_gnome.mlcfg 
@@ -24,12 +24,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type @@ -109,7 +115,9 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv10 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv10 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv10 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -117,7 +125,10 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv10 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv10 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv10 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -125,7 +136,10 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv10 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv10 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv10 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -136,13 +150,19 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv10 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv10 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv10 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv10 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv10 z) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv10 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -153,7 +173,9 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv10 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv10 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv10 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -164,7 +186,9 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv10 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv10 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv10 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -175,7 +199,9 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv10 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv10 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv10 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -186,7 +212,9 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv10 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv10 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv10 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use prelude.Slice use prelude.Borrow predicate invariant5 (self : borrowed (slice t)) 
@@ -221,7 +249,8 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv9 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv9 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv9 (shallow_model3 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -246,20 +275,21 @@ module C02Gnome_GnomeSort ensures { result = inv1 _x } axiom inv1 : forall x : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) . inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + val invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + val inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true use seq.Seq predicate sorted_range0 [#"../02_gnome.rs" 9 0 9 63] (s : Seq.seq deep_model_ty0) (l : int) (u : int) = - [#"../02_gnome.rs" 10 4 12 5] forall j : int . forall i : int . l <= i /\ i < j /\ j < u -> le_log0 (Seq.get s i) (Seq.get s j) + [#"../02_gnome.rs" 10 4 12 5] forall j : int . forall i : int . 
l <= i /\ i < j /\ j < u + -> le_log0 (Seq.get s i) (Seq.get s j) val sorted_range0 [#"../02_gnome.rs" 9 0 9 63] (s : Seq.seq deep_model_ty0) (l : int) (u : int) : bool ensures { result = sorted_range0 s l u } @@ -286,7 +316,9 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv3 self} ensures { result = deep_model1 self } - axiom deep_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv8 (deep_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) -> Seq.get (deep_model1 self) i = deep_model3 (index_logic1 self i)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model3 self) = Seq.length (deep_model1 self)) + axiom deep_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv8 (deep_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) + -> Seq.get (deep_model1 self) i = deep_model3 (index_logic1 self i)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model3 self) = Seq.length (deep_model1 self)) predicate resolve3 (self : borrowed (slice t)) = [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self val resolve3 (self : borrowed (slice t)) : bool 
@@ -299,7 +331,8 @@ module C02Gnome_GnomeSort requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model7 self } - axiom shallow_model7_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv9 (shallow_model7 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model7 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) + axiom shallow_model7_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv9 (shallow_model7 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model7 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) function shallow_model6 (self : borrowed (slice t)) : Seq.seq t = [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model7 ( * self) val shallow_model6 (self : borrowed (slice t)) : Seq.seq t 
@@ -380,12 +413,12 @@ module C02Gnome_GnomeSort val shallow_model4 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model4 self } - use prelude.Ghost - function shallow_model2 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + use prelude.Snapshot + function shallow_model2 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t = - [#"../../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model4 (Ghost.inner self) - val shallow_model2 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + [#"../../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model4 (Snapshot.inner self) + val shallow_model2 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t ensures { result = shallow_model2 self } function deep_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq deep_model_ty0 
@@ -395,11 +428,12 @@ module C02Gnome_GnomeSort val deep_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq deep_model_ty0 ensures { result = deep_model0 self } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + + val resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg gnome_sort [#"../02_gnome.rs" 22 0 24 29] [@cfg:stackify] [@cfg:subregion_analysis] (v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : () requires {[#"../02_gnome.rs" 22 38 22 39] inv1 v} ensures { [#"../02_gnome.rs" 20 10 20 35] sorted0 (deep_model1 ( ^ v)) } 
@@ -408,29 +442,33 @@ module C02Gnome_GnomeSort = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = v; - var old_v : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); + var old_v : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); var i : usize; var _9 : (); + var _10 : bool; var _12 : usize; + var _14 : bool; var _16 : bool; var _18 : t; + var _20 : usize; var _23 : t; var _24 : t; var _27 : (); var _28 : borrowed (slice t); var _29 : borrowed (slice t); var _30 : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); + var _31 : usize; { goto BB0 } BB0 { - [#"../02_gnome.rs" 26 16 26 25] old_v <- ([#"../02_gnome.rs" 26 16 26 25] Ghost.new v); + [#"../02_gnome.rs" 26 16 26 31] old_v <- ([#"../02_gnome.rs" 26 16 26 31] Snapshot.new v); goto BB1 } BB1 { assert { [@expl:type invariant] inv0 old_v }; assume { resolve0 old_v }; - [#"../02_gnome.rs" 27 16 27 17] i <- ([#"../02_gnome.rs" 27 16 27 17] [#"../02_gnome.rs" 27 16 27 17] (0 : usize)); + [#"../02_gnome.rs" 27 16 27 17] i <- ([#"../02_gnome.rs" 27 16 27 17] (0 : usize)); goto BB2 } BB2 { 
@@ -439,17 +477,20 @@ module C02Gnome_GnomeSort goto BB3 } BB3 { - [#"../02_gnome.rs" 30 14 30 21] _12 <- ([#"../02_gnome.rs" 30 14 30 21] len0 ([#"../02_gnome.rs" 30 14 30 15] * v)); + [#"../02_gnome.rs" 30 14 30 21] _12 <- ([#"../02_gnome.rs" 30 14 30 21] len0 ( * v)); goto BB4 } BB4 { - switch ([#"../02_gnome.rs" 30 10 30 21] ([#"../02_gnome.rs" 30 10 30 11] i) < _12) + [#"../02_gnome.rs" 30 10 30 21] _10 <- i < _12; + _12 <- any usize; + switch (_10) | False -> goto BB16 | True -> goto BB5 end } BB5 { - switch ([#"../02_gnome.rs" 31 11 31 17] ([#"../02_gnome.rs" 31 11 31 12] i) = ([#"../02_gnome.rs" 31 16 31 17] [#"../02_gnome.rs" 31 16 31 17] (0 : usize))) + [#"../02_gnome.rs" 31 11 31 17] _14 <- i = ([#"../02_gnome.rs" 31 16 31 17] (0 : usize)); + switch (_14) | False -> goto BB7 | True -> goto BB6 end 
@@ -458,22 +499,24 @@ module C02Gnome_GnomeSort goto BB11 } BB7 { - [#"../02_gnome.rs" 31 22 31 29] _18 <- ([#"../02_gnome.rs" 31 22 31 29] index0 ([#"../02_gnome.rs" 31 21 31 22] * v) ([#"../02_gnome.rs" 31 23 31 28] ([#"../02_gnome.rs" 31 23 31 24] i) - ([#"../02_gnome.rs" 31 27 31 28] [#"../02_gnome.rs" 31 27 31 28] (1 : usize)))); + [#"../02_gnome.rs" 31 23 31 28] _20 <- i - ([#"../02_gnome.rs" 31 27 31 28] (1 : usize)); + [#"../02_gnome.rs" 31 22 31 29] _18 <- ([#"../02_gnome.rs" 31 22 31 29] index0 ( * v) _20); + _20 <- any usize; goto BB8 } BB8 { assert { [@expl:type invariant] inv2 _18 }; assume { resolve2 _18 }; - [#"../02_gnome.rs" 31 35 31 38] _24 <- ([#"../02_gnome.rs" 31 35 31 38] index0 ([#"../02_gnome.rs" 31 34 31 35] * v) ([#"../02_gnome.rs" 31 36 31 37] i)); + [#"../02_gnome.rs" 31 35 31 38] _24 <- ([#"../02_gnome.rs" 31 35 31 38] index0 ( * v) i); goto BB9 } BB9 { - [#"../02_gnome.rs" 31 33 31 38] _23 <- ([#"../02_gnome.rs" 31 33 31 38] _24); + [#"../02_gnome.rs" 31 33 31 38] _23 <- _24; assert { [@expl:type invariant] inv2 _24 }; assume { resolve2 _24 }; assert { [@expl:type invariant] inv2 _23 }; assume { resolve2 _23 }; - [#"../02_gnome.rs" 31 21 31 39] _16 <- ([#"../02_gnome.rs" 31 21 31 39] le0 ([#"../02_gnome.rs" 31 21 31 29] _18) ([#"../02_gnome.rs" 31 33 31 38] _23)); + [#"../02_gnome.rs" 31 21 31 39] _16 <- ([#"../02_gnome.rs" 31 21 31 39] le0 _18 _23); goto BB10 } BB10 { @@ -483,7 +526,7 @@ module C02Gnome_GnomeSort end } BB11 { - [#"../02_gnome.rs" 32 12 32 18] i <- ([#"../02_gnome.rs" 32 12 32 18] i + ([#"../02_gnome.rs" 32 17 32 18] [#"../02_gnome.rs" 32 17 32 18] (1 : usize))); + [#"../02_gnome.rs" 32 12 32 18] i <- i + ([#"../02_gnome.rs" 32 17 32 18] (1 : usize)); [#"../02_gnome.rs" 31 40 33 9] _9 <- ([#"../02_gnome.rs" 31 40 33 9] ()); goto BB15 } 
@@ -499,14 +542,16 @@ module C02Gnome_GnomeSort [#"../02_gnome.rs" 34 12 34 13] _28 <- Borrow.borrow_final ( * _29) (Borrow.get_id _29); [#"../02_gnome.rs" 34 12 34 13] _29 <- { _29 with current = ( ^ _28) ; }; assume { inv4 ( ^ _28) }; - [#"../02_gnome.rs" 34 12 34 28] _27 <- ([#"../02_gnome.rs" 34 12 34 28] swap0 _28 ([#"../02_gnome.rs" 34 19 34 24] ([#"../02_gnome.rs" 34 19 34 20] i) - ([#"../02_gnome.rs" 34 23 34 24] [#"../02_gnome.rs" 34 23 34 24] (1 : usize))) ([#"../02_gnome.rs" 34 26 34 27] i)); + [#"../02_gnome.rs" 34 19 34 24] _31 <- i - ([#"../02_gnome.rs" 34 23 34 24] (1 : usize)); + [#"../02_gnome.rs" 34 12 34 28] _27 <- ([#"../02_gnome.rs" 34 12 34 28] swap0 _28 _31 i); _28 <- any borrowed (slice t); + _31 <- any usize; goto BB14 } BB14 { assert { [@expl:type invariant] inv5 _29 }; assume { resolve3 _29 }; - [#"../02_gnome.rs" 35 12 35 18] i <- ([#"../02_gnome.rs" 35 12 35 18] i - ([#"../02_gnome.rs" 35 17 35 18] [#"../02_gnome.rs" 35 17 35 18] (1 : usize))); + [#"../02_gnome.rs" 35 12 35 18] i <- i - ([#"../02_gnome.rs" 35 17 35 18] (1 : usize)); [#"../02_gnome.rs" 33 15 36 9] _9 <- ([#"../02_gnome.rs" 33 15 36 9] ()); goto BB15 } diff --git a/creusot/tests/should_succeed/vector/02_gnome.rs b/creusot/tests/should_succeed/vector/02_gnome.rs index 208058d019..02171fbeff 100644 --- a/creusot/tests/should_succeed/vector/02_gnome.rs +++ b/creusot/tests/should_succeed/vector/02_gnome.rs @@ -23,7 +23,7 @@ pub fn gnome_sort(v: &mut Vec) where T::DeepModelTy: OrdLogic, { - let old_v = gh! { v }; + let old_v = snapshot! { v }; let mut i = 0; #[invariant(sorted_range(v.deep_model(), 0, i@))] #[invariant(v@.permutation_of(old_v@))] diff --git a/creusot/tests/should_succeed/vector/02_gnome/why3session.xml b/creusot/tests/should_succeed/vector/02_gnome/why3session.xml index ecaea744fe..326a99d456 100644 --- a/creusot/tests/should_succeed/vector/02_gnome/why3session.xml +++ b/creusot/tests/should_succeed/vector/02_gnome/why3session.xml 
@@ -23,87 +23,87 @@ - - + + - - + + - - + + - - + + - - + + - + - + - - + + - - + + - - + + - + - - + + - - + + - - + + - + - + - - + + - - + + - - + + - - + + - - + + - - + + - + - + - + - + diff --git a/creusot/tests/should_succeed/vector/02_gnome/why3shapes.gz b/creusot/tests/should_succeed/vector/02_gnome/why3shapes.gz index 1767762b70..f9c9c00c41 100644 Binary files a/creusot/tests/should_succeed/vector/02_gnome/why3shapes.gz and b/creusot/tests/should_succeed/vector/02_gnome/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/vector/03_knuth_shuffle.mlcfg b/creusot/tests/should_succeed/vector/03_knuth_shuffle.mlcfg index 0c4834b7e6..36cd1196d5 100644 --- a/creusot/tests/should_succeed/vector/03_knuth_shuffle.mlcfg +++ b/creusot/tests/should_succeed/vector/03_knuth_shuffle.mlcfg @@ -41,12 +41,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
@@ -161,7 +167,8 @@ module C03KnuthShuffle_KnuthShuffle requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv9 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv2 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv9 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant2 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv9 (shallow_model2 self) val invariant2 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -184,7 +191,9 @@ module C03KnuthShuffle_KnuthShuffle predicate produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces0 self visited o } 
@@ -200,38 +209,46 @@ module C03KnuthShuffle_KnuthShuffle requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv1 a) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv10 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv1 b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv10 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv1 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv10 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv1 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv10 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant1 (self : Core_Ops_Range_Range_Type.t_range usize) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant1 (self : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = invariant1 self } axiom inv1 : forall x : Core_Ops_Range_Range_Type.t_range usize . 
inv1 x = true - use prelude.Ghost - predicate invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + use prelude.Snapshot + predicate invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val invariant0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + val invariant0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = invariant0 self } - predicate inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val inv0 (_x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + val inv0 (_x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = inv0 _x } - axiom inv0 : forall x : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . inv0 x = true + axiom inv0 : forall x : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) . 
inv0 x = true predicate resolve3 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve3 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve3 self } predicate resolve2 (self : borrowed (slice t)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed (slice t)) : bool ensures { result = resolve2 self } 
@@ -242,9 +259,10 @@ module C03KnuthShuffle_KnuthShuffle requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model7 self } - axiom shallow_model7_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv9 (shallow_model7 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model7 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) + axiom shallow_model7_spec : forall self : slice t . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv9 (shallow_model7 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model7 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model7 self) <= UIntSize.to_int max0) function shallow_model6 (self : borrowed (slice t)) : Seq.seq t = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model7 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model7 ( * self) val shallow_model6 (self : borrowed (slice t)) : Seq.seq t ensures { result = shallow_model6 self } @@ -256,7 +274,7 @@ module C03KnuthShuffle_KnuthShuffle function shallow_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model2 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model2 ( * self) val shallow_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model0 self } 
@@ -272,7 +290,7 @@ module C03KnuthShuffle_KnuthShuffle use seq.Seq predicate resolve1 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) : bool ensures { result = resolve1 self } 
@@ -297,22 +315,22 @@ module C03KnuthShuffle_KnuthShuffle function shallow_model5 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t = - [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model0 self + [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model0 self val shallow_model5 (self : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : Seq.seq t ensures { result = shallow_model5 self } - use prelude.Ghost - function shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + use prelude.Snapshot + function shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t = - [#"../../../../../creusot-contracts/src/ghost.rs" 27 20 27 48] shallow_model5 (Ghost.inner self) - val shallow_model1 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t + [#"../../../../../creusot-contracts/src/snapshot.rs" 27 20 27 48] shallow_model5 (Snapshot.inner self) + val shallow_model1 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : Seq.seq t ensures { result = shallow_model1 self } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_Range_Type.t_range usize) (res : Core_Ops_Range_Range_Type.t_range usize) = 
@@ -332,7 +350,7 @@ module C03KnuthShuffle_KnuthShuffle ensures { inv1 result } function shallow_model4 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : Seq.seq t = - [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model2 self + [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model2 self val shallow_model4 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : Seq.seq t ensures { result = shallow_model4 self } @@ -340,11 +358,12 @@ module C03KnuthShuffle_KnuthShuffle requires {inv6 self} ensures { [#"../../../../../creusot-contracts/src/std/vec.rs" 75 26 75 48] UIntSize.to_int result = Seq.length (shallow_model4 self) } - predicate resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) - val resolve0 (self : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool + predicate resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) + + val resolve0 (self : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)))) : bool ensures { result = resolve0 self } - use prelude.Ghost + use prelude.Snapshot let rec cfg knuth_shuffle [#"../03_knuth_shuffle.rs" 13 0 13 39] [@cfg:stackify] [@cfg:subregion_analysis] (v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : () requires {[#"../03_knuth_shuffle.rs" 13 24 13 25] inv5 v} ensures { [#"../03_knuth_shuffle.rs" 12 0 12 36] permutation_of0 (shallow_model2 ( ^ v)) (shallow_model0 v) } 
@@ -352,16 +371,17 @@ module C03KnuthShuffle_KnuthShuffle = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); var v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = v; - var old_v : Ghost.ghost_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); + var old_v : Snapshot.snap_ty (borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))); var iter : Core_Ops_Range_Range_Type.t_range usize; + var _6 : Core_Ops_Range_Range_Type.t_range usize; var _7 : usize; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range usize); - var produced : Ghost.ghost_ty (Seq.seq usize); + var iter_old : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range usize); + var produced : Snapshot.snap_ty (Seq.seq usize); var _17 : Core_Option_Option_Type.t_option usize; var _18 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var _19 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var __creusot_proc_iter_elem : usize; - var _22 : Ghost.ghost_ty (Seq.seq usize); + var _22 : Snapshot.snap_ty (Seq.seq usize); var n : usize; var upper : usize; var _26 : usize; 
@@ -370,30 +390,33 @@ module C03KnuthShuffle_KnuthShuffle var _32 : borrowed (slice t); var _33 : borrowed (slice t); var _34 : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); + var _36 : usize; { goto BB0 } BB0 { - [#"../03_knuth_shuffle.rs" 14 16 14 25] old_v <- ([#"../03_knuth_shuffle.rs" 14 16 14 25] Ghost.new v); + [#"../03_knuth_shuffle.rs" 14 16 14 31] old_v <- ([#"../03_knuth_shuffle.rs" 14 16 14 31] Snapshot.new v); goto BB1 } BB1 { assert { [@expl:type invariant] inv0 old_v }; assume { resolve0 old_v }; - [#"../03_knuth_shuffle.rs" 17 16 17 23] _7 <- ([#"../03_knuth_shuffle.rs" 17 16 17 23] len0 ([#"../03_knuth_shuffle.rs" 17 16 17 17] * v)); + [#"../03_knuth_shuffle.rs" 17 16 17 23] _7 <- ([#"../03_knuth_shuffle.rs" 17 16 17 23] len0 ( * v)); goto BB2 } BB2 { - [#"../03_knuth_shuffle.rs" 16 4 16 43] iter <- ([#"../03_knuth_shuffle.rs" 16 4 16 43] into_iter0 ([#"../03_knuth_shuffle.rs" 17 13 17 23] Core_Ops_Range_Range_Type.C_Range ([#"../03_knuth_shuffle.rs" 17 13 17 14] [#"../03_knuth_shuffle.rs" 17 13 17 14] (0 : usize)) _7)); + [#"../03_knuth_shuffle.rs" 17 13 17 23] _6 <- Core_Ops_Range_Range_Type.C_Range ([#"../03_knuth_shuffle.rs" 17 13 17 14] (0 : usize)) _7; _7 <- any usize; + [#"../03_knuth_shuffle.rs" 16 4 16 43] iter <- ([#"../03_knuth_shuffle.rs" 16 4 16 43] into_iter0 _6); + _6 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB3 } BB3 { - [#"../03_knuth_shuffle.rs" 16 4 16 43] iter_old <- ([#"../03_knuth_shuffle.rs" 16 4 16 43] Ghost.new iter); + [#"../03_knuth_shuffle.rs" 16 4 16 43] iter_old <- ([#"../03_knuth_shuffle.rs" 16 4 16 43] Snapshot.new iter); goto BB4 } BB4 { - [#"../03_knuth_shuffle.rs" 16 4 16 43] produced <- ([#"../03_knuth_shuffle.rs" 16 4 16 43] Ghost.new (Seq.empty )); + [#"../03_knuth_shuffle.rs" 16 4 16 43] produced <- ([#"../03_knuth_shuffle.rs" 16 4 16 43] Snapshot.new (Seq.empty )); goto BB5 } BB5 { 
@@ -401,7 +424,7 @@ module C03KnuthShuffle_KnuthShuffle } BB6 { invariant { [#"../03_knuth_shuffle.rs" 16 4 16 43] inv1 iter }; - invariant { [#"../03_knuth_shuffle.rs" 16 4 16 43] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; + invariant { [#"../03_knuth_shuffle.rs" 16 4 16 43] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; invariant { [#"../03_knuth_shuffle.rs" 16 4 16 43] permutation_of0 (shallow_model0 v) (shallow_model1 old_v) }; goto BB7 } 
@@ -437,21 +460,21 @@ module C03KnuthShuffle_KnuthShuffle absurd } BB12 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _17); - [#"../03_knuth_shuffle.rs" 16 4 16 43] _22 <- ([#"../03_knuth_shuffle.rs" 16 4 16 43] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _17; + [#"../03_knuth_shuffle.rs" 16 4 16 43] _22 <- ([#"../03_knuth_shuffle.rs" 16 4 16 43] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB13 } BB13 { - [#"../03_knuth_shuffle.rs" 16 4 16 43] produced <- ([#"../03_knuth_shuffle.rs" 16 4 16 43] _22); - [#"../03_knuth_shuffle.rs" 16 4 16 43] _22 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] n <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem); - [#"../03_knuth_shuffle.rs" 20 20 20 27] _26 <- ([#"../03_knuth_shuffle.rs" 20 20 20 27] len0 ([#"../03_knuth_shuffle.rs" 20 20 20 21] * v)); + [#"../03_knuth_shuffle.rs" 16 4 16 43] produced <- _22; + _22 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] n <- __creusot_proc_iter_elem; + [#"../03_knuth_shuffle.rs" 20 20 20 27] _26 <- ([#"../03_knuth_shuffle.rs" 20 20 20 27] len0 ( * v)); goto BB14 } BB14 { - [#"../03_knuth_shuffle.rs" 20 20 20 31] upper <- ([#"../03_knuth_shuffle.rs" 20 20 20 31] _26 - ([#"../03_knuth_shuffle.rs" 20 30 20 31] n)); + [#"../03_knuth_shuffle.rs" 20 20 20 31] upper <- _26 - n; _26 <- any usize; - [#"../03_knuth_shuffle.rs" 21 16 21 39] i <- ([#"../03_knuth_shuffle.rs" 21 16 21 39] rand_in_range0 ([#"../03_knuth_shuffle.rs" 21 30 21 31] [#"../03_knuth_shuffle.rs" 
21 30 21 31] (0 : usize)) ([#"../03_knuth_shuffle.rs" 21 33 21 38] upper)); + [#"../03_knuth_shuffle.rs" 21 16 21 39] i <- ([#"../03_knuth_shuffle.rs" 21 16 21 39] rand_in_range0 ([#"../03_knuth_shuffle.rs" 21 30 21 31] (0 : usize)) upper); goto BB15 } BB15 { @@ -466,8 +489,10 @@ module C03KnuthShuffle_KnuthShuffle [#"../03_knuth_shuffle.rs" 22 8 22 9] _32 <- Borrow.borrow_final ( * _33) (Borrow.get_id _33); [#"../03_knuth_shuffle.rs" 22 8 22 9] _33 <- { _33 with current = ( ^ _32) ; }; assume { inv3 ( ^ _32) }; - [#"../03_knuth_shuffle.rs" 22 8 22 28] _31 <- ([#"../03_knuth_shuffle.rs" 22 8 22 28] swap0 _32 ([#"../03_knuth_shuffle.rs" 22 15 22 16] i) ([#"../03_knuth_shuffle.rs" 22 18 22 27] ([#"../03_knuth_shuffle.rs" 22 18 22 23] upper) - ([#"../03_knuth_shuffle.rs" 22 26 22 27] [#"../03_knuth_shuffle.rs" 22 26 22 27] (1 : usize)))); + [#"../03_knuth_shuffle.rs" 22 18 22 27] _36 <- upper - ([#"../03_knuth_shuffle.rs" 22 26 22 27] (1 : usize)); + [#"../03_knuth_shuffle.rs" 22 8 22 28] _31 <- ([#"../03_knuth_shuffle.rs" 22 8 22 28] swap0 _32 i _36); _32 <- any borrowed (slice t); + _36 <- any usize; goto BB17 } BB17 { diff --git a/creusot/tests/should_succeed/vector/03_knuth_shuffle.rs b/creusot/tests/should_succeed/vector/03_knuth_shuffle.rs index ae6d15918c..c93b1e2313 100644 --- a/creusot/tests/should_succeed/vector/03_knuth_shuffle.rs +++ b/creusot/tests/should_succeed/vector/03_knuth_shuffle.rs @@ -11,7 +11,7 @@ fn rand_in_range(l: usize, u: usize) -> usize { #[ensures((^v)@.permutation_of(v@))] pub fn knuth_shuffle(v: &mut Vec) { - let old_v = gh! { v }; + let old_v = snapshot! { v }; #[invariant(v@.permutation_of(old_v@))] for n in 0..v.len() { diff --git a/creusot/tests/should_succeed/vector/03_knuth_shuffle/why3session.xml b/creusot/tests/should_succeed/vector/03_knuth_shuffle/why3session.xml index 2052bd043d..791be6bbf7 100644 --- a/creusot/tests/should_succeed/vector/03_knuth_shuffle/why3session.xml 
+++ b/creusot/tests/should_succeed/vector/03_knuth_shuffle/why3session.xml @@ -7,7 +7,7 @@ - + diff --git a/creusot/tests/should_succeed/vector/03_knuth_shuffle/why3shapes.gz b/creusot/tests/should_succeed/vector/03_knuth_shuffle/why3shapes.gz index ac07e7a229..57292663de 100644 Binary files a/creusot/tests/should_succeed/vector/03_knuth_shuffle/why3shapes.gz and b/creusot/tests/should_succeed/vector/03_knuth_shuffle/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/vector/04_binary_search.mlcfg b/creusot/tests/should_succeed/vector/04_binary_search.mlcfg index e5db108728..ef236d6abb 100644 --- a/creusot/tests/should_succeed/vector/04_binary_search.mlcfg +++ b/creusot/tests/should_succeed/vector/04_binary_search.mlcfg @@ -17,12 +17,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
@@ -74,7 +80,8 @@ module C04BinarySearch_BinarySearch requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant3 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv4 (shallow_model2 self) val invariant3 (self : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) : bool @@ -113,7 +120,8 @@ module C04BinarySearch_BinarySearch axiom inv0 : forall x : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) . inv0 x = true use seq.Seq predicate sorted_range0 [#"../04_binary_search.rs" 8 0 8 52] (s : Seq.seq uint32) (l : int) (u : int) = - [#"../04_binary_search.rs" 9 4 11 5] forall j : int . forall i : int . l <= i /\ i < j /\ j < u -> Seq.get s i <= Seq.get s j + [#"../04_binary_search.rs" 9 4 11 5] forall j : int . forall i : int . l <= i /\ i < j /\ j < u + -> Seq.get s i <= Seq.get s j val sorted_range0 [#"../04_binary_search.rs" 8 0 8 52] (s : Seq.seq uint32) (l : int) (u : int) : bool ensures { result = sorted_range0 s l u } 
@@ -161,119 +169,139 @@ module C04BinarySearch_BinarySearch let rec cfg binary_search [#"../04_binary_search.rs" 26 0 26 71] [@cfg:stackify] [@cfg:subregion_analysis] (arr : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global)) (elem : uint32) : Core_Result_Result_Type.t_result usize usize requires {[#"../04_binary_search.rs" 19 11 19 36] Seq.length (shallow_model1 arr) <= UIntSize.to_int max0} requires {[#"../04_binary_search.rs" 20 11 20 23] sorted0 (shallow_model1 arr)} - ensures { [#"../04_binary_search.rs" 21 0 21 63] forall x : usize . result = Core_Result_Result_Type.C_Ok x -> index_logic0 arr (UIntSize.to_int x) = elem } - ensures { [#"../04_binary_search.rs" 22 0 23 48] forall x : usize . result = Core_Result_Result_Type.C_Err x -> (forall i : usize . i < x -> index_logic0 arr (UIntSize.to_int i) <= elem) } - ensures { [#"../04_binary_search.rs" 24 0 25 65] forall x : usize . result = Core_Result_Result_Type.C_Err x -> (forall i : usize . x < i /\ UIntSize.to_int i < Seq.length (shallow_model1 arr) -> elem < index_logic0 arr (UIntSize.to_int i)) } + ensures { [#"../04_binary_search.rs" 21 0 21 63] forall x : usize . result = Core_Result_Result_Type.C_Ok x + -> index_logic0 arr (UIntSize.to_int x) = elem } + ensures { [#"../04_binary_search.rs" 22 0 23 48] forall x : usize . result = Core_Result_Result_Type.C_Err x + -> (forall i : usize . i < x -> index_logic0 arr (UIntSize.to_int i) <= elem) } + ensures { [#"../04_binary_search.rs" 24 0 25 65] forall x : usize . result = Core_Result_Result_Type.C_Err x + -> (forall i : usize . 
x < i /\ UIntSize.to_int i < Seq.length (shallow_model1 arr) + -> elem < index_logic0 arr (UIntSize.to_int i)) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : Core_Result_Result_Type.t_result usize usize; var arr : Alloc_Vec_Vec_Type.t_vec uint32 (Alloc_Alloc_Global_Type.t_global) = arr; var elem : uint32 = elem; + var _9 : bool; var _10 : usize; var size : usize; var base : usize; + var _21 : bool; var half : usize; var _25 : bool; var mid : usize; var _29 : usize; + var _30 : bool; var _32 : uint32; var cmp : uint32; var _41 : uint32; + var _44 : bool; + var _48 : bool; + var _51 : usize; { goto BB0 } BB0 { - [#"../04_binary_search.rs" 27 7 27 16] _10 <- ([#"../04_binary_search.rs" 27 7 27 16] len0 ([#"../04_binary_search.rs" 27 7 27 10] arr)); + [#"../04_binary_search.rs" 27 7 27 16] _10 <- ([#"../04_binary_search.rs" 27 7 27 16] len0 arr); goto BB1 } BB1 { - switch ([#"../04_binary_search.rs" 27 7 27 21] _10 = ([#"../04_binary_search.rs" 27 20 27 21] [#"../04_binary_search.rs" 27 20 27 21] (0 : usize))) + [#"../04_binary_search.rs" 27 7 27 21] _9 <- _10 = ([#"../04_binary_search.rs" 27 20 27 21] (0 : usize)); + _10 <- any usize; + switch (_9) | False -> goto BB3 | True -> goto BB2 end } BB2 { - [#"../04_binary_search.rs" 28 15 28 21] _0 <- ([#"../04_binary_search.rs" 28 15 28 21] Core_Result_Result_Type.C_Err ([#"../04_binary_search.rs" 28 19 28 20] [#"../04_binary_search.rs" 28 19 28 20] (0 : usize))); + [#"../04_binary_search.rs" 28 15 28 21] _0 <- Core_Result_Result_Type.C_Err ([#"../04_binary_search.rs" 28 19 28 20] (0 : usize)); goto BB21 } BB3 { - [#"../04_binary_search.rs" 30 19 30 28] size <- ([#"../04_binary_search.rs" 30 19 30 28] len0 ([#"../04_binary_search.rs" 30 19 30 22] arr)); + [#"../04_binary_search.rs" 30 19 30 28] size <- ([#"../04_binary_search.rs" 30 19 30 28] len0 arr); goto BB4 } BB4 { - [#"../04_binary_search.rs" 31 19 31 20] base <- ([#"../04_binary_search.rs" 31 19 31 20] [#"../04_binary_search.rs" 31 19 31 20] (0 : usize)); + 
[#"../04_binary_search.rs" 31 19 31 20] base <- ([#"../04_binary_search.rs" 31 19 31 20] (0 : usize)); goto BB5 } BB5 { invariant { [#"../04_binary_search.rs" 33 16 33 56] 0 < UIntSize.to_int size /\ UIntSize.to_int size + UIntSize.to_int base <= Seq.length (shallow_model1 arr) }; - invariant { [#"../04_binary_search.rs" 33 4 33 58] forall i : usize . i < base -> index_logic0 arr (UIntSize.to_int i) <= elem }; - invariant { [#"../04_binary_search.rs" 33 4 33 58] forall i : usize . UIntSize.to_int base + UIntSize.to_int size < UIntSize.to_int i /\ UIntSize.to_int i < Seq.length (shallow_model1 arr) -> elem < index_logic0 arr (UIntSize.to_int i) }; + invariant { [#"../04_binary_search.rs" 33 4 33 58] forall i : usize . i < base + -> index_logic0 arr (UIntSize.to_int i) <= elem }; + invariant { [#"../04_binary_search.rs" 33 4 33 58] forall i : usize . UIntSize.to_int base + UIntSize.to_int size < UIntSize.to_int i /\ UIntSize.to_int i < Seq.length (shallow_model1 arr) + -> elem < index_logic0 arr (UIntSize.to_int i) }; goto BB6 } BB6 { - switch ([#"../04_binary_search.rs" 36 10 36 18] ([#"../04_binary_search.rs" 36 10 36 14] size) > ([#"../04_binary_search.rs" 36 17 36 18] [#"../04_binary_search.rs" 36 17 36 18] (1 : usize))) + [#"../04_binary_search.rs" 36 10 36 18] _21 <- size > ([#"../04_binary_search.rs" 36 17 36 18] (1 : usize)); + switch (_21) | False -> goto BB13 | True -> goto BB7 end } BB7 { - [#"../04_binary_search.rs" 37 19 37 27] _25 <- ([#"../04_binary_search.rs" 37 19 37 27] ([#"../04_binary_search.rs" 37 26 37 27] [#"../04_binary_search.rs" 37 26 37 27] (2 : usize)) = ([#"../04_binary_search.rs" 37 19 37 27] [#"../04_binary_search.rs" 37 19 37 27] (0 : usize))); + [#"../04_binary_search.rs" 37 19 37 27] _25 <- ([#"../04_binary_search.rs" 37 26 37 27] (2 : usize)) = ([#"../04_binary_search.rs" 37 19 37 27] (0 : usize)); assert { [@expl:division by zero] [#"../04_binary_search.rs" 37 19 37 27] not _25 }; goto BB8 } BB8 { - [#"../04_binary_search.rs" 37 19 
37 27] half <- ([#"../04_binary_search.rs" 37 19 37 27] ([#"../04_binary_search.rs" 37 19 37 23] size) / ([#"../04_binary_search.rs" 37 26 37 27] [#"../04_binary_search.rs" 37 26 37 27] (2 : usize))); - [#"../04_binary_search.rs" 38 18 38 29] mid <- ([#"../04_binary_search.rs" 38 18 38 29] ([#"../04_binary_search.rs" 38 18 38 22] base) + ([#"../04_binary_search.rs" 38 25 38 29] half)); - [#"../04_binary_search.rs" 40 21 40 26] _32 <- ([#"../04_binary_search.rs" 40 21 40 26] index0 ([#"../04_binary_search.rs" 40 18 40 21] arr) ([#"../04_binary_search.rs" 40 22 40 25] mid)); + [#"../04_binary_search.rs" 37 19 37 27] half <- size / ([#"../04_binary_search.rs" 37 26 37 27] (2 : usize)); + [#"../04_binary_search.rs" 38 18 38 29] mid <- base + half; + [#"../04_binary_search.rs" 40 21 40 26] _32 <- ([#"../04_binary_search.rs" 40 21 40 26] index0 arr mid); goto BB9 } BB9 { - switch ([#"../04_binary_search.rs" 40 18 40 33] ([#"../04_binary_search.rs" 40 18 40 26] _32) > ([#"../04_binary_search.rs" 40 29 40 33] elem)) + [#"../04_binary_search.rs" 40 18 40 33] _30 <- _32 > elem; + switch (_30) | False -> goto BB11 | True -> goto BB10 end } BB10 { - [#"../04_binary_search.rs" 40 36 40 40] _29 <- ([#"../04_binary_search.rs" 40 36 40 40] base); + [#"../04_binary_search.rs" 40 36 40 40] _29 <- base; goto BB12 } BB11 { - [#"../04_binary_search.rs" 40 50 40 53] _29 <- ([#"../04_binary_search.rs" 40 50 40 53] mid); + [#"../04_binary_search.rs" 40 50 40 53] _29 <- mid; goto BB12 } BB12 { - [#"../04_binary_search.rs" 40 8 40 55] base <- ([#"../04_binary_search.rs" 40 8 40 55] _29); - [#"../04_binary_search.rs" 40 8 40 55] _29 <- any usize; - [#"../04_binary_search.rs" 41 8 41 20] size <- ([#"../04_binary_search.rs" 41 8 41 20] size - ([#"../04_binary_search.rs" 41 16 41 20] half)); + [#"../04_binary_search.rs" 40 8 40 55] base <- _29; + _29 <- any usize; + [#"../04_binary_search.rs" 41 8 41 20] size <- size - half; goto BB5 } BB13 { - [#"../04_binary_search.rs" 44 17 44 23] _41 <- 
([#"../04_binary_search.rs" 44 17 44 23] index0 ([#"../04_binary_search.rs" 44 14 44 17] arr) ([#"../04_binary_search.rs" 44 18 44 22] base)); + [#"../04_binary_search.rs" 44 17 44 23] _41 <- ([#"../04_binary_search.rs" 44 17 44 23] index0 arr base); goto BB14 } BB14 { - [#"../04_binary_search.rs" 44 14 44 23] cmp <- ([#"../04_binary_search.rs" 44 14 44 23] _41); - switch ([#"../04_binary_search.rs" 45 7 45 18] ([#"../04_binary_search.rs" 45 7 45 10] cmp) = ([#"../04_binary_search.rs" 45 14 45 18] elem)) + [#"../04_binary_search.rs" 44 14 44 23] cmp <- _41; + [#"../04_binary_search.rs" 45 7 45 18] _44 <- cmp = elem; + switch (_44) | False -> goto BB16 | True -> goto BB15 end } BB15 { - [#"../04_binary_search.rs" 46 8 46 16] _0 <- ([#"../04_binary_search.rs" 46 8 46 16] Core_Result_Result_Type.C_Ok ([#"../04_binary_search.rs" 46 11 46 15] base)); + [#"../04_binary_search.rs" 46 8 46 16] _0 <- Core_Result_Result_Type.C_Ok base; goto BB20 } BB16 { - switch ([#"../04_binary_search.rs" 47 14 47 24] ([#"../04_binary_search.rs" 47 14 47 17] cmp) < ([#"../04_binary_search.rs" 47 20 47 24] elem)) + [#"../04_binary_search.rs" 47 14 47 24] _48 <- cmp < elem; + switch (_48) | False -> goto BB18 | True -> goto BB17 end } BB17 { - [#"../04_binary_search.rs" 48 8 48 21] _0 <- ([#"../04_binary_search.rs" 48 8 48 21] Core_Result_Result_Type.C_Err ([#"../04_binary_search.rs" 48 12 48 20] ([#"../04_binary_search.rs" 48 12 48 16] base) + ([#"../04_binary_search.rs" 48 19 48 20] [#"../04_binary_search.rs" 48 19 48 20] (1 : usize)))); + [#"../04_binary_search.rs" 48 12 48 20] _51 <- base + ([#"../04_binary_search.rs" 48 19 48 20] (1 : usize)); + [#"../04_binary_search.rs" 48 8 48 21] _0 <- Core_Result_Result_Type.C_Err _51; + _51 <- any usize; goto BB19 } BB18 { - [#"../04_binary_search.rs" 50 8 50 17] _0 <- ([#"../04_binary_search.rs" 50 8 50 17] Core_Result_Result_Type.C_Err ([#"../04_binary_search.rs" 50 12 50 16] base)); + [#"../04_binary_search.rs" 50 8 50 17] _0 <- 
Core_Result_Result_Type.C_Err base; goto BB19 } BB19 { diff --git a/creusot/tests/should_succeed/vector/04_binary_search/why3session.xml b/creusot/tests/should_succeed/vector/04_binary_search/why3session.xml index 32032521f5..e36126bd30 100644 --- a/creusot/tests/should_succeed/vector/04_binary_search/why3session.xml +++ b/creusot/tests/should_succeed/vector/04_binary_search/why3session.xml @@ -7,7 +7,7 @@ - + diff --git a/creusot/tests/should_succeed/vector/04_binary_search/why3shapes.gz b/creusot/tests/should_succeed/vector/04_binary_search/why3shapes.gz index a9085a3afd..2ed60b930f 100644 Binary files a/creusot/tests/should_succeed/vector/04_binary_search/why3shapes.gz and b/creusot/tests/should_succeed/vector/04_binary_search/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/vector/05_binary_search_generic.mlcfg b/creusot/tests/should_succeed/vector/05_binary_search_generic.mlcfg index 286b5a6f5c..8cb86801aa 100644 --- a/creusot/tests/should_succeed/vector/05_binary_search_generic.mlcfg +++ b/creusot/tests/should_succeed/vector/05_binary_search_generic.mlcfg @@ -30,12 +30,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
@@ -99,7 +105,8 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant4 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv5 (shallow_model2 self) val invariant4 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -154,7 +161,9 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv7 y} ensures { result = eq_cmp0 x y } - axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv7 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv7 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) + axiom eq_cmp0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 70 14 70 15] inv7 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 70 23 70 24] inv7 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 69 14 69 59] (x = y) = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Equal)) function antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym20 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater} 
@@ -162,7 +171,10 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv7 y} ensures { result = antisym20 x y } - axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv7 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv7 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) + axiom antisym20_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 64 15 64 48] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 66 16 66 17] inv7 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 66 25 66 26] inv7 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 65 14 65 44] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Less) function antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () val antisym10 (x : deep_model_ty0) (y : deep_model_ty0) : () requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less} 
@@ -170,7 +182,10 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv7 y} ensures { result = antisym10 x y } - axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv7 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv7 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) + axiom antisym10_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 59 15 59 45] cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 61 16 61 17] inv7 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 61 25 61 26] inv7 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 60 14 60 47] cmp_log0 y x = Core_Cmp_Ordering_Type.C_Greater) function trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () val trans0 (x : deep_model_ty0) (y : deep_model_ty0) (z : deep_model_ty0) (o : Core_Cmp_Ordering_Type.t_ordering) : () 
@@ -181,13 +196,19 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv7 z} ensures { result = trans0 x y z o } - axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv7 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv7 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv7 z) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) + axiom trans0_spec : forall x : deep_model_ty0, y : deep_model_ty0, z : deep_model_ty0, o : Core_Cmp_Ordering_Type.t_ordering . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 53 15 53 32] cmp_log0 x y = o) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 54 15 54 32] cmp_log0 y z = o) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 13 56 14] inv7 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 22 56 23] inv7 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 56 31 56 32] inv7 z) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 55 14 55 31] cmp_log0 x z = o) function refl0 (x : deep_model_ty0) : () val refl0 (x : deep_model_ty0) : () requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv7 x} ensures { result = refl0 x } - axiom refl0_spec : forall x : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv7 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) + axiom refl0_spec : forall x : deep_model_ty0 . 
([#"../../../../../creusot-contracts/src/logic/ord.rs" 50 12 50 13] inv7 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 49 14 49 45] cmp_log0 x x = Core_Cmp_Ordering_Type.C_Equal) function gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val gt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = gt_log0 self o } @@ -198,7 +219,9 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv7 y} ensures { result = cmp_gt_log0 x y } - axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv7 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv7 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_gt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 46 18 46 19] inv7 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 46 27 46 28] inv7 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 45 14 45 64] gt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Greater)) function ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val ge_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = ge_log0 self o } 
@@ -209,7 +232,9 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv7 y} ensures { result = cmp_ge_log0 x y } - axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv7 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv7 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_ge_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 36 18 36 19] inv7 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 36 27 36 28] inv7 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 35 14 35 61] ge_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Less)) function lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val lt_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = lt_log0 self o } 
@@ -220,7 +245,9 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv7 y} ensures { result = cmp_lt_log0 x y } - axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv7 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv7 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) + axiom cmp_lt_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 26 18 26 19] inv7 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 26 27 26 28] inv7 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 25 14 25 61] lt_log0 x y = (cmp_log0 x y = Core_Cmp_Ordering_Type.C_Less)) function le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool val le_log0 (self : deep_model_ty0) (o : deep_model_ty0) : bool ensures { result = le_log0 self o } 
@@ -231,11 +258,14 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv7 y} ensures { result = cmp_le_log0 x y } - axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv7 x) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv7 y) -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) + axiom cmp_le_log0_spec : forall x : deep_model_ty0, y : deep_model_ty0 . ([#"../../../../../creusot-contracts/src/logic/ord.rs" 16 18 16 19] inv7 x) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 16 27 16 28] inv7 y) + -> ([#"../../../../../creusot-contracts/src/logic/ord.rs" 15 14 15 64] le_log0 x y = (cmp_log0 x y <> Core_Cmp_Ordering_Type.C_Greater)) use seq.Seq predicate sorted_range0 [#"../05_binary_search_generic.rs" 9 0 9 63] (s : Seq.seq deep_model_ty0) (l : int) (u : int) = - [#"../05_binary_search_generic.rs" 10 4 12 5] forall j : int . forall i : int . l <= i /\ i <= j /\ j < u -> le_log0 (Seq.get s i) (Seq.get s j) + [#"../05_binary_search_generic.rs" 10 4 12 5] forall j : int . forall i : int . l <= i /\ i <= j /\ j < u + -> le_log0 (Seq.get s i) (Seq.get s j) val sorted_range0 [#"../05_binary_search_generic.rs" 9 0 9 63] (s : Seq.seq deep_model_ty0) (l : int) (u : int) : bool ensures { result = sorted_range0 s l u } 
@@ -314,7 +344,9 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv4 self} ensures { result = deep_model2 self } - axiom deep_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv6 (deep_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model2 self) -> Seq.get (deep_model2 self) i = deep_model1 (index_logic1 self i)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model2 self) = Seq.length (deep_model2 self)) + axiom deep_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 33 18 33 22] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 33 4 33 44] inv6 (deep_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 31 4 32 53] forall i : int . 0 <= i /\ i < Seq.length (shallow_model2 self) + -> Seq.get (deep_model2 self) i = deep_model1 (index_logic1 self i)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 30 14 30 56] Seq.length (shallow_model2 self) = Seq.length (deep_model2 self)) function deep_model0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : Seq.seq deep_model_ty0 = [#"../../../../../creusot-contracts/src/model.rs" 70 8 70 28] deep_model2 self val deep_model0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : Seq.seq deep_model_ty0 
@@ -329,17 +361,23 @@ module C05BinarySearchGeneric_BinarySearch requires {[#"../05_binary_search_generic.rs" 21 11 21 35] sorted0 (deep_model0 arr)} requires {[#"../05_binary_search_generic.rs" 27 41 27 44] inv0 arr} requires {[#"../05_binary_search_generic.rs" 27 55 27 59] inv2 elem} - ensures { [#"../05_binary_search_generic.rs" 22 0 22 89] forall x : usize . result = Core_Result_Result_Type.C_Ok x -> Seq.get (deep_model0 arr) (UIntSize.to_int x) = deep_model1 elem } - ensures { [#"../05_binary_search_generic.rs" 23 0 24 74] forall x : usize . result = Core_Result_Result_Type.C_Err x -> (forall i : usize . i < x -> le_log0 (Seq.get (deep_model0 arr) (UIntSize.to_int i)) (deep_model1 elem)) } - ensures { [#"../05_binary_search_generic.rs" 25 0 26 92] forall x : usize . result = Core_Result_Result_Type.C_Err x -> (forall i : usize . x <= i /\ UIntSize.to_int i < Seq.length (shallow_model1 arr) -> lt_log0 (deep_model1 elem) (Seq.get (deep_model0 arr) (UIntSize.to_int i))) } + ensures { [#"../05_binary_search_generic.rs" 22 0 22 89] forall x : usize . result = Core_Result_Result_Type.C_Ok x + -> Seq.get (deep_model0 arr) (UIntSize.to_int x) = deep_model1 elem } + ensures { [#"../05_binary_search_generic.rs" 23 0 24 74] forall x : usize . result = Core_Result_Result_Type.C_Err x + -> (forall i : usize . i < x -> le_log0 (Seq.get (deep_model0 arr) (UIntSize.to_int i)) (deep_model1 elem)) } + ensures { [#"../05_binary_search_generic.rs" 25 0 26 92] forall x : usize . result = Core_Result_Result_Type.C_Err x + -> (forall i : usize . 
x <= i /\ UIntSize.to_int i < Seq.length (shallow_model1 arr) + -> lt_log0 (deep_model1 elem) (Seq.get (deep_model0 arr) (UIntSize.to_int i))) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : Core_Result_Result_Type.t_result usize usize; var arr : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) = arr; var elem : t = elem; + var _9 : bool; var _10 : usize; var size : usize; var base : usize; + var _21 : bool; var half : usize; var _25 : bool; var mid : usize; @@ -350,6 +388,7 @@ module C05BinarySearchGeneric_BinarySearch var _41 : t; var _44 : Core_Cmp_Ordering_Type.t_ordering; var _47 : t; + var _50 : usize; { goto BB0 } @@ -363,12 +402,14 @@ module C05BinarySearchGeneric_BinarySearch goto BB3 } BB3 { - [#"../05_binary_search_generic.rs" 31 7 31 16] _10 <- ([#"../05_binary_search_generic.rs" 31 7 31 16] len0 ([#"../05_binary_search_generic.rs" 31 7 31 10] arr)); + [#"../05_binary_search_generic.rs" 31 7 31 16] _10 <- ([#"../05_binary_search_generic.rs" 31 7 31 16] len0 arr); goto BB4 } BB4 { - switch ([#"../05_binary_search_generic.rs" 31 7 31 21] _10 = ([#"../05_binary_search_generic.rs" 31 20 31 21] [#"../05_binary_search_generic.rs" 31 20 31 21] (0 : usize))) - | False -> goto BB7 + [#"../05_binary_search_generic.rs" 31 7 31 21] _9 <- _10 = ([#"../05_binary_search_generic.rs" 31 20 31 21] (0 : usize)); + _10 <- any usize; + switch (_9) + | False -> goto BB6 | True -> goto BB5 end } 
@@ -377,119 +418,124 @@ module C05BinarySearchGeneric_BinarySearch assume { resolve2 elem }; assert { [@expl:type invariant] inv0 arr }; assume { resolve0 arr }; - [#"../05_binary_search_generic.rs" 32 15 32 21] _0 <- ([#"../05_binary_search_generic.rs" 32 15 32 21] Core_Result_Result_Type.C_Err ([#"../05_binary_search_generic.rs" 32 19 32 20] [#"../05_binary_search_generic.rs" 32 19 32 20] (0 : usize))); + [#"../05_binary_search_generic.rs" 32 15 32 21] _0 <- Core_Result_Result_Type.C_Err ([#"../05_binary_search_generic.rs" 32 19 32 20] (0 : usize)); goto BB29 } BB6 { - assert { [#"../05_binary_search_generic.rs" 31 22 33 5] false }; - absurd + [#"../05_binary_search_generic.rs" 34 26 34 35] size <- ([#"../05_binary_search_generic.rs" 34 26 34 35] len0 arr); + goto BB7 } BB7 { - [#"../05_binary_search_generic.rs" 34 26 34 35] size <- ([#"../05_binary_search_generic.rs" 34 26 34 35] len0 ([#"../05_binary_search_generic.rs" 34 26 34 29] arr)); + [#"../05_binary_search_generic.rs" 35 26 35 27] base <- ([#"../05_binary_search_generic.rs" 35 26 35 27] (0 : usize)); goto BB8 } BB8 { - [#"../05_binary_search_generic.rs" 35 26 35 27] base <- ([#"../05_binary_search_generic.rs" 35 26 35 27] [#"../05_binary_search_generic.rs" 35 26 35 27] (0 : usize)); goto BB9 } BB9 { goto BB10 } BB10 { + invariant { [#"../05_binary_search_generic.rs" 37 16 37 56] 0 < UIntSize.to_int size /\ UIntSize.to_int size + UIntSize.to_int base <= Seq.length (shallow_model1 arr) }; + invariant { [#"../05_binary_search_generic.rs" 37 4 37 58] forall i : usize . i < base + -> le_log0 (Seq.get (deep_model0 arr) (UIntSize.to_int i)) (deep_model1 elem) }; + invariant { [#"../05_binary_search_generic.rs" 37 4 37 58] forall i : usize . 
UIntSize.to_int base + UIntSize.to_int size <= UIntSize.to_int i /\ UIntSize.to_int i < Seq.length (shallow_model1 arr) + -> lt_log0 (deep_model1 elem) (Seq.get (deep_model0 arr) (UIntSize.to_int i)) }; goto BB11 } BB11 { - invariant { [#"../05_binary_search_generic.rs" 37 16 37 56] 0 < UIntSize.to_int size /\ UIntSize.to_int size + UIntSize.to_int base <= Seq.length (shallow_model1 arr) }; - invariant { [#"../05_binary_search_generic.rs" 37 4 37 58] forall i : usize . i < base -> le_log0 (Seq.get (deep_model0 arr) (UIntSize.to_int i)) (deep_model1 elem) }; - invariant { [#"../05_binary_search_generic.rs" 37 4 37 58] forall i : usize . UIntSize.to_int base + UIntSize.to_int size <= UIntSize.to_int i /\ UIntSize.to_int i < Seq.length (shallow_model1 arr) -> lt_log0 (deep_model1 elem) (Seq.get (deep_model0 arr) (UIntSize.to_int i)) }; - goto BB12 + [#"../05_binary_search_generic.rs" 40 10 40 18] _21 <- size > ([#"../05_binary_search_generic.rs" 40 17 40 18] (1 : usize)); + switch (_21) + | False -> goto BB19 + | True -> goto BB12 + end } BB12 { - switch ([#"../05_binary_search_generic.rs" 40 10 40 18] ([#"../05_binary_search_generic.rs" 40 10 40 14] size) > ([#"../05_binary_search_generic.rs" 40 17 40 18] [#"../05_binary_search_generic.rs" 40 17 40 18] (1 : usize))) - | False -> goto BB20 - | True -> goto BB13 - end + [#"../05_binary_search_generic.rs" 41 19 41 27] _25 <- ([#"../05_binary_search_generic.rs" 41 26 41 27] (2 : usize)) = ([#"../05_binary_search_generic.rs" 41 19 41 27] (0 : usize)); + assert { [@expl:division by zero] [#"../05_binary_search_generic.rs" 41 19 41 27] not _25 }; + goto BB13 } BB13 { - [#"../05_binary_search_generic.rs" 41 19 41 27] _25 <- ([#"../05_binary_search_generic.rs" 41 19 41 27] ([#"../05_binary_search_generic.rs" 41 26 41 27] [#"../05_binary_search_generic.rs" 41 26 41 27] (2 : usize)) = ([#"../05_binary_search_generic.rs" 41 19 41 27] [#"../05_binary_search_generic.rs" 41 19 41 27] (0 : usize))); - assert { [@expl:division by 
zero] [#"../05_binary_search_generic.rs" 41 19 41 27] not _25 }; + [#"../05_binary_search_generic.rs" 41 19 41 27] half <- size / ([#"../05_binary_search_generic.rs" 41 26 41 27] (2 : usize)); + [#"../05_binary_search_generic.rs" 42 18 42 29] mid <- base + half; + [#"../05_binary_search_generic.rs" 44 21 44 26] _32 <- ([#"../05_binary_search_generic.rs" 44 21 44 26] index0 arr mid); goto BB14 } BB14 { - [#"../05_binary_search_generic.rs" 41 19 41 27] half <- ([#"../05_binary_search_generic.rs" 41 19 41 27] ([#"../05_binary_search_generic.rs" 41 19 41 23] size) / ([#"../05_binary_search_generic.rs" 41 26 41 27] [#"../05_binary_search_generic.rs" 41 26 41 27] (2 : usize))); - [#"../05_binary_search_generic.rs" 42 18 42 29] mid <- ([#"../05_binary_search_generic.rs" 42 18 42 29] ([#"../05_binary_search_generic.rs" 42 18 42 22] base) + ([#"../05_binary_search_generic.rs" 42 25 42 29] half)); - [#"../05_binary_search_generic.rs" 44 21 44 26] _32 <- ([#"../05_binary_search_generic.rs" 44 21 44 26] index0 ([#"../05_binary_search_generic.rs" 44 18 44 21] arr) ([#"../05_binary_search_generic.rs" 44 22 44 25] mid)); - goto BB15 - } - BB15 { assert { [@expl:type invariant] inv1 _32 }; assume { resolve1 _32 }; - [#"../05_binary_search_generic.rs" 44 18 44 33] _30 <- ([#"../05_binary_search_generic.rs" 44 18 44 33] gt0 ([#"../05_binary_search_generic.rs" 44 18 44 26] _32) ([#"../05_binary_search_generic.rs" 44 29 44 33] elem)); - goto BB16 + [#"../05_binary_search_generic.rs" 44 18 44 33] _30 <- ([#"../05_binary_search_generic.rs" 44 18 44 33] gt0 _32 elem); + goto BB15 } - BB16 { + BB15 { switch (_30) - | False -> goto BB18 - | True -> goto BB17 + | False -> goto BB17 + | True -> goto BB16 end } + BB16 { + [#"../05_binary_search_generic.rs" 44 36 44 40] _29 <- base; + goto BB18 + } BB17 { - [#"../05_binary_search_generic.rs" 44 36 44 40] _29 <- ([#"../05_binary_search_generic.rs" 44 36 44 40] base); - goto BB19 + [#"../05_binary_search_generic.rs" 44 50 44 53] _29 <- mid; + 
goto BB18 } BB18 { - [#"../05_binary_search_generic.rs" 44 50 44 53] _29 <- ([#"../05_binary_search_generic.rs" 44 50 44 53] mid); - goto BB19 + [#"../05_binary_search_generic.rs" 44 8 44 55] base <- _29; + _29 <- any usize; + [#"../05_binary_search_generic.rs" 46 8 46 20] size <- size - half; + goto BB10 } BB19 { - [#"../05_binary_search_generic.rs" 44 8 44 55] base <- ([#"../05_binary_search_generic.rs" 44 8 44 55] _29); - [#"../05_binary_search_generic.rs" 44 8 44 55] _29 <- any usize; - [#"../05_binary_search_generic.rs" 46 8 46 20] size <- ([#"../05_binary_search_generic.rs" 46 8 46 20] size - ([#"../05_binary_search_generic.rs" 46 16 46 20] half)); - goto BB11 - } - BB20 { assert { [@expl:type invariant] inv0 arr }; assume { resolve0 arr }; - [#"../05_binary_search_generic.rs" 49 18 49 24] _41 <- ([#"../05_binary_search_generic.rs" 49 18 49 24] index0 ([#"../05_binary_search_generic.rs" 49 15 49 18] arr) ([#"../05_binary_search_generic.rs" 49 19 49 23] base)); - goto BB21 + [#"../05_binary_search_generic.rs" 49 18 49 24] _41 <- ([#"../05_binary_search_generic.rs" 49 18 49 24] index0 arr base); + goto BB20 } - BB21 { - [#"../05_binary_search_generic.rs" 49 14 49 24] cmp <- ([#"../05_binary_search_generic.rs" 49 14 49 24] _41); + BB20 { + [#"../05_binary_search_generic.rs" 49 14 49 24] cmp <- _41; assert { [@expl:type invariant] inv1 _41 }; assume { resolve1 _41 }; assert { [@expl:type invariant] inv1 cmp }; assume { resolve1 cmp }; - [#"../05_binary_search_generic.rs" 51 18 51 23] _47 <- ([#"../05_binary_search_generic.rs" 51 18 51 23] elem); + [#"../05_binary_search_generic.rs" 51 18 51 23] _47 <- elem; assert { [@expl:type invariant] inv1 _47 }; assume { resolve1 _47 }; - [#"../05_binary_search_generic.rs" 51 10 51 24] _44 <- ([#"../05_binary_search_generic.rs" 51 10 51 24] cmp0 ([#"../05_binary_search_generic.rs" 51 10 51 13] cmp) ([#"../05_binary_search_generic.rs" 51 18 51 23] _47)); - goto BB22 + [#"../05_binary_search_generic.rs" 51 10 51 24] _44 <- 
([#"../05_binary_search_generic.rs" 51 10 51 24] cmp0 cmp _47); + goto BB21 } - BB22 { + BB21 { assert { [@expl:type invariant] inv2 elem }; assume { resolve2 elem }; switch (_44) - | Core_Cmp_Ordering_Type.C_Less -> goto BB23 - | Core_Cmp_Ordering_Type.C_Equal -> goto BB24 - | Core_Cmp_Ordering_Type.C_Greater -> goto BB25 + | Core_Cmp_Ordering_Type.C_Less -> goto BB22 + | Core_Cmp_Ordering_Type.C_Equal -> goto BB23 + | Core_Cmp_Ordering_Type.C_Greater -> goto BB24 end } - BB23 { + BB22 { goto BB27 } - BB24 { + BB23 { goto BB26 } - BB25 { - [#"../05_binary_search_generic.rs" 54 29 54 38] _0 <- ([#"../05_binary_search_generic.rs" 54 29 54 38] Core_Result_Result_Type.C_Err ([#"../05_binary_search_generic.rs" 54 33 54 37] base)); + BB24 { + [#"../05_binary_search_generic.rs" 54 29 54 38] _0 <- Core_Result_Result_Type.C_Err base; goto BB28 } + BB25 { + assert { [#"../05_binary_search_generic.rs" 51 10 51 24] false }; + absurd + } BB26 { - [#"../05_binary_search_generic.rs" 52 27 52 35] _0 <- ([#"../05_binary_search_generic.rs" 52 27 52 35] Core_Result_Result_Type.C_Ok ([#"../05_binary_search_generic.rs" 52 30 52 34] base)); + [#"../05_binary_search_generic.rs" 52 27 52 35] _0 <- Core_Result_Result_Type.C_Ok base; goto BB28 } BB27 { - [#"../05_binary_search_generic.rs" 53 26 53 39] _0 <- ([#"../05_binary_search_generic.rs" 53 26 53 39] Core_Result_Result_Type.C_Err ([#"../05_binary_search_generic.rs" 53 30 53 38] ([#"../05_binary_search_generic.rs" 53 30 53 34] base) + ([#"../05_binary_search_generic.rs" 53 37 53 38] [#"../05_binary_search_generic.rs" 53 37 53 38] (1 : usize)))); + [#"../05_binary_search_generic.rs" 53 30 53 38] _50 <- base + ([#"../05_binary_search_generic.rs" 53 37 53 38] (1 : usize)); + [#"../05_binary_search_generic.rs" 53 26 53 39] _0 <- Core_Result_Result_Type.C_Err _50; + _50 <- any usize; goto BB28 } BB28 { @@ -498,5 +544,11 @@ module C05BinarySearchGeneric_BinarySearch BB29 { return _0 } + BB32 { + goto BB22 + } + BB33 { + goto BB24 + } end 
diff --git a/creusot/tests/should_succeed/vector/05_binary_search_generic/why3session.xml b/creusot/tests/should_succeed/vector/05_binary_search_generic/why3session.xml index a08f3afa12..920b26633f 100644 --- a/creusot/tests/should_succeed/vector/05_binary_search_generic/why3session.xml +++ b/creusot/tests/should_succeed/vector/05_binary_search_generic/why3session.xml @@ -13,107 +13,107 @@ - - + + - - + + - - + + - + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - + - + - + - - + + - - + + - - + + - - + + - - + + - + - - + + - - + + - + - + - + - - + + - - + + - - + + - + - - + + - - + + - + - + diff --git a/creusot/tests/should_succeed/vector/05_binary_search_generic/why3shapes.gz b/creusot/tests/should_succeed/vector/05_binary_search_generic/why3shapes.gz index d3fe3766c3..18d18835cf 100644 Binary files a/creusot/tests/should_succeed/vector/05_binary_search_generic/why3shapes.gz and b/creusot/tests/should_succeed/vector/05_binary_search_generic/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/vector/06_knights_tour.mlcfg b/creusot/tests/should_succeed/vector/06_knights_tour.mlcfg index e458b1f9d8..d5220031f2 100644 --- a/creusot/tests/should_succeed/vector/06_knights_tour.mlcfg +++ b/creusot/tests/should_succeed/vector/06_knights_tour.mlcfg 
@@ -36,17 +36,17 @@ module C06KnightsTour_Impl3_Clone goto BB0 } BB0 { - [#"../06_knights_tour.rs" 6 4 6 12] _5 <- ([#"../06_knights_tour.rs" 6 4 6 12] C06KnightsTour_Point_Type.point_x self); - [#"../06_knights_tour.rs" 6 4 6 12] _3 <- ([#"../06_knights_tour.rs" 6 4 6 12] clone0 ([#"../06_knights_tour.rs" 6 4 6 12] _5)); + [#"../06_knights_tour.rs" 6 4 6 12] _5 <- C06KnightsTour_Point_Type.point_x self; + [#"../06_knights_tour.rs" 6 4 6 12] _3 <- ([#"../06_knights_tour.rs" 6 4 6 12] clone0 _5); goto BB1 } BB1 { - [#"../06_knights_tour.rs" 7 4 7 12] _8 <- ([#"../06_knights_tour.rs" 7 4 7 12] C06KnightsTour_Point_Type.point_y self); - [#"../06_knights_tour.rs" 7 4 7 12] _6 <- ([#"../06_knights_tour.rs" 7 4 7 12] clone0 ([#"../06_knights_tour.rs" 7 4 7 12] _8)); + [#"../06_knights_tour.rs" 7 4 7 12] _8 <- C06KnightsTour_Point_Type.point_y self; + [#"../06_knights_tour.rs" 7 4 7 12] _6 <- ([#"../06_knights_tour.rs" 7 4 7 12] clone0 _8); goto BB2 } BB2 { - [#"../06_knights_tour.rs" 4 15 4 20] _0 <- ([#"../06_knights_tour.rs" 4 15 4 20] C06KnightsTour_Point_Type.C_Point _3 _6); + [#"../06_knights_tour.rs" 4 15 4 20] _0 <- C06KnightsTour_Point_Type.C_Point _3 _6; _3 <- any isize; _6 <- any isize; return _0 
@@ -71,11 +71,17 @@ module C06KnightsTour_Impl0_Mov var _0 : C06KnightsTour_Point_Type.t_point; var self : C06KnightsTour_Point_Type.t_point = self; var p : (isize, isize) = p; + var _9 : isize; + var _12 : isize; { goto BB0 } BB0 { - [#"../06_knights_tour.rs" 19 8 19 53] _0 <- ([#"../06_knights_tour.rs" 19 8 19 53] C06KnightsTour_Point_Type.C_Point ([#"../06_knights_tour.rs" 19 18 19 32] ([#"../06_knights_tour.rs" 19 19 19 25] C06KnightsTour_Point_Type.point_x self) + ([#"../06_knights_tour.rs" 19 28 19 31] let (a, _) = p in a)) ([#"../06_knights_tour.rs" 19 37 19 51] ([#"../06_knights_tour.rs" 19 38 19 44] C06KnightsTour_Point_Type.point_y self) + ([#"../06_knights_tour.rs" 19 47 19 50] let (_, a) = p in a))); + [#"../06_knights_tour.rs" 19 18 19 32] _9 <- C06KnightsTour_Point_Type.point_x self + (let (a, _) = p in a); + [#"../06_knights_tour.rs" 19 37 19 51] _12 <- C06KnightsTour_Point_Type.point_y self + (let (_, a) = p in a); + [#"../06_knights_tour.rs" 19 8 19 53] _0 <- C06KnightsTour_Point_Type.C_Point _9 _12; + _9 <- any isize; + _12 <- any isize; return _0 } @@ -98,12 +104,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
@@ -138,26 +150,6 @@ module C06KnightsTour_Board_Type | C_Board _ a -> a end end -module CreusotContracts_Std1_Iter_MapInv_MapInv_Type - use seq.Seq - use prelude.Ghost - type t_mapinv 'i 'b 'f = - | C_MapInv 'i 'f (Ghost.ghost_ty (Seq.seq 'b)) - - let function mapinv_iter (self : t_mapinv 'i 'b 'f) : 'i = [@vc:do_not_keep_trace] [@vc:sp] - match self with - | C_MapInv a _ _ -> a - end - let function mapinv_func (self : t_mapinv 'i 'b 'f) : 'f = [@vc:do_not_keep_trace] [@vc:sp] - match self with - | C_MapInv _ a _ -> a - end - let function mapinv_produced (self : t_mapinv 'i 'b 'f) : Ghost.ghost_ty (Seq.seq 'b) - = [@vc:do_not_keep_trace] [@vc:sp] - match self with - | C_MapInv _ _ a -> a - end -end module Core_Ops_Range_Range_Type type t_range 'idx = | C_Range 'idx 'idx @@ -176,7 +168,7 @@ module C06KnightsTour_Impl1_New_Closure3_Type use prelude.UIntSize use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type use seq.Seq - use prelude.Ghost + use prelude.Snapshot use prelude.Int16 use prelude.Int use prelude.Borrow 
@@ -213,7 +205,8 @@ module C06KnightsTour_Impl1_New_Closure3 requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv2 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv2 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant1 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv2 (shallow_model0 self) val invariant1 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool @@ -231,7 +224,7 @@ module C06KnightsTour_Impl1_New_Closure3 axiom inv0 : forall x : usize . inv0 x = true use prelude.Int16 - use prelude.Ghost + use prelude.Snapshot use prelude.Borrow use C06KnightsTour_Impl1_New_Closure3_Type as C06KnightsTour_Impl1_New_Closure3 function field_00 [#"../06_knights_tour.rs" 43 16 43 50] (self : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) : usize 
@@ -256,15 +249,16 @@ module C06KnightsTour_Impl1_New_Closure3 val from_elem0 (elem : usize) (n : usize) : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) requires {inv0 elem} ensures { [#"../../../../../creusot-contracts/src/std/vec.rs" 157 22 157 41] Seq.length (shallow_model0 result) = UIntSize.to_int n } - ensures { [#"../../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n -> index_logic0 result i = elem } + ensures { [#"../../../../../creusot-contracts/src/std/vec.rs" 158 12 158 78] forall i : int . 0 <= i /\ i < UIntSize.to_int n + -> index_logic0 result i = elem } ensures { inv1 result } predicate resolve0 (self : borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) : bool ensures { result = resolve0 self } - let rec cfg c06KnightsTour_Impl1_New_Closure3 [#"../06_knights_tour.rs" 43 16 43 50] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (_2 : usize) (_3 : Ghost.ghost_ty (Seq.seq usize)) : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) + let rec cfg c06KnightsTour_Impl1_New_Closure3 [#"../06_knights_tour.rs" 43 16 43 50] [@cfg:stackify] [@cfg:subregion_analysis] (_1 : borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (_2 : usize) (_3 : Snapshot.snap_ty (Seq.seq usize)) : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) ensures { [#"../06_knights_tour.rs" 43 26 43 48] Seq.length (shallow_model0 result) = UIntSize.to_int (field_00 ( ^ _1)) } ensures { unnest0 ( * _1) ( ^ _1) } 
@@ -277,15 +271,15 @@ module C06KnightsTour_Impl1_New_Closure3 } BB0 { assume { resolve0 _1 }; - [#"../../../../../creusot-contracts/src/lib.rs" 196 8 196 40] res <- ([#"../06_knights_tour.rs" 44 23 44 36] from_elem0 ([#"../06_knights_tour.rs" 44 28 44 29] [#"../06_knights_tour.rs" 44 28 44 29] (0 : usize)) ([#"../06_knights_tour.rs" 44 31 44 35] field_00 ( * _1))); + [#"../06_knights_tour.rs" 44 23 44 36] res <- ([#"../06_knights_tour.rs" 44 23 44 36] from_elem0 ([#"../06_knights_tour.rs" 44 28 44 29] (0 : usize)) (field_00 ( * _1))); goto BB1 } BB1 { goto BB2 } BB2 { - [#"../06_knights_tour.rs" 43 16 43 50] _0 <- ([#"../06_knights_tour.rs" 43 16 43 50] res); - [#"../06_knights_tour.rs" 43 16 43 50] res <- any Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); + [#"../06_knights_tour.rs" 43 16 43 50] _0 <- res; + res <- any Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); goto BB3 } BB3 { 
@@ -293,20 +287,40 @@ module C06KnightsTour_Impl1_New_Closure3 } end +module CreusotContracts_Std1_Iter_MapInv_MapInv_Type + use seq.Seq + use prelude.Snapshot + type t_mapinv 'i 'b 'f = + | C_MapInv 'i 'f (Snapshot.snap_ty (Seq.seq 'b)) + + let function mapinv_iter (self : t_mapinv 'i 'b 'f) : 'i = [@vc:do_not_keep_trace] [@vc:sp] + match self with + | C_MapInv a _ _ -> a + end + let function mapinv_func (self : t_mapinv 'i 'b 'f) : 'f = [@vc:do_not_keep_trace] [@vc:sp] + match self with + | C_MapInv _ a _ -> a + end + let function mapinv_produced (self : t_mapinv 'i 'b 'f) : Snapshot.snap_ty (Seq.seq 'b) + = [@vc:do_not_keep_trace] [@vc:sp] + match self with + | C_MapInv _ _ a -> a + end +end module C06KnightsTour_Impl1_New use prelude.UIntSize use seq.Seq - use prelude.Ghost - predicate invariant12 (self : Ghost.ghost_ty (Seq.seq usize)) = + use prelude.Snapshot + predicate invariant12 (self : Snapshot.snap_ty (Seq.seq usize)) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true - val invariant12 (self : Ghost.ghost_ty (Seq.seq usize)) : bool + val invariant12 (self : Snapshot.snap_ty (Seq.seq usize)) : bool ensures { result = invariant12 self } - predicate inv12 (_x : Ghost.ghost_ty (Seq.seq usize)) - val inv12 (_x : Ghost.ghost_ty (Seq.seq usize)) : bool + predicate inv12 (_x : Snapshot.snap_ty (Seq.seq usize)) + val inv12 (_x : Snapshot.snap_ty (Seq.seq usize)) : bool ensures { result = inv12 _x } - axiom inv12 : forall x : Ghost.ghost_ty (Seq.seq usize) . inv12 x = true + axiom inv12 : forall x : Snapshot.snap_ty (Seq.seq usize) . inv12 x = true use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type use prelude.Int16 
@@ -351,7 +365,8 @@ module C06KnightsTour_Impl1_New requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv7 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv7 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant9 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv7 (shallow_model2 self) val invariant9 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -391,7 +406,8 @@ module C06KnightsTour_Impl1_New requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant6 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -418,23 +434,23 @@ module C06KnightsTour_Impl1_New = field_00 _2 = field_00 self - predicate postcondition_mut0 [#"../06_knights_tour.rs" 43 16 43 50] (self : borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (args : (usize, Ghost.ghost_ty (Seq.seq usize))) (result : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) + predicate postcondition_mut0 [#"../06_knights_tour.rs" 43 16 43 50] (self : borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (args : (usize, Snapshot.snap_ty (Seq.seq usize))) (result : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = (let (_2, _3) = args in Seq.length (shallow_model2 result) = UIntSize.to_int (field_00 ( ^ self))) /\ unnest0 ( * self) ( ^ self) use seq.Seq - predicate precondition0 [#"../06_knights_tour.rs" 43 16 43 50] (self : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (args : (usize, Ghost.ghost_ty (Seq.seq usize))) + predicate precondition0 [#"../06_knights_tour.rs" 43 16 43 50] (self : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (args : (usize, Snapshot.snap_ty (Seq.seq usize))) = let (_2, _3) = args in true - use prelude.Ghost + use prelude.Snapshot use seq_ext.SeqExt use seq.Seq use seq.Seq use seq.Seq use seq.Seq - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot use prelude.Int function deep_model0 (self : usize) : int = [#"../../../../../creusot-contracts/src/std/num.rs" 22 16 22 35] UIntSize.to_int self 
@@ -444,18 +460,22 @@ module C06KnightsTour_Impl1_New predicate produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces0 self visited o } predicate produces1 [@inline:trivial] (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (visited : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) (succ : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9] unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ) /\ (exists s : Seq.seq usize . inv7 s /\ Seq.length s = Seq.length visited /\ produces0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter self) s (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter succ) /\ Ghost.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced succ) = Seq.(++) (Ghost.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) s /\ (exists fs : Seq.seq (borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) . inv11 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 37 8 49 9] unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ) /\ (exists s : Seq.seq usize . 
inv7 s /\ Seq.length s = Seq.length visited /\ produces0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter self) s (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter succ) /\ Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced succ) = Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) s /\ (exists fs : Seq.seq (borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) . inv11 fs /\ Seq.length fs = Seq.length visited /\ (forall i : int . 1 <= i /\ i < Seq.length fs + -> ^ Seq.get fs (i - 1) = * Seq.get fs i) /\ (if Seq.length visited = 0 then CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ else * Seq.get fs 0 = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self /\ ^ Seq.get fs (Seq.length visited - 1) = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func succ - ) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Ghost.new (Seq.(++) (Ghost.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) + ) /\ (forall i : int . 
0 <= i /\ i < Seq.length visited + -> unnest0 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) ( * Seq.get fs i) /\ precondition0 ( * Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) /\ postcondition_mut0 (Seq.get fs i) (Seq.get s i, Snapshot.new (Seq.(++) (Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced self)) (SeqExt.subsequence s 0 i))) (Seq.get visited i)))) val produces1 [@inline:trivial] (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (visited : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) (succ : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) : bool ensures { result = produces1 self visited succ } 
@@ -471,7 +491,14 @@ module C06KnightsTour_Impl1_New requires {[#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 82 31 83] inv3 c} ensures { result = produces_trans2 a ab b bc c } - axiom produces_trans2_spec : forall a : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3, ab : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)), b : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3, bc : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)), c : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3 . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32] produces1 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32] produces1 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 22 31 23] inv3 a) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 31 31 33] inv4 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 52 31 53] inv3 b) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 61 31 63] inv4 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 82 31 83] inv3 c) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans2_spec : forall a : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3, ab : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)), b : 
CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3, bc : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)), c : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3 . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 28 15 28 32] produces1 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 29 15 29 32] produces1 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 22 31 23] inv3 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 31 31 33] inv4 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 52 31 53] inv3 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 61 31 63] inv4 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 31 82 31 83] inv3 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 30 14 30 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl2 (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) : () 
@@ -479,7 +506,8 @@ module C06KnightsTour_Impl1_New requires {[#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 24 21 24 25] inv3 self} ensures { result = produces_refl2 self } - axiom produces_refl2_spec : forall self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3 . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 24 21 24 25] inv3 self) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45] produces1 self (Seq.empty ) self) + axiom produces_refl2_spec : forall self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3 . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 24 21 24 25] inv3 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 23 14 23 45] produces1 self (Seq.empty ) self) predicate invariant5 (self : borrowed (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3)) = 
@@ -511,7 +539,8 @@ module C06KnightsTour_Impl1_New predicate next_precondition0 (iter : Core_Ops_Range_Range_Type.t_range usize) (func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (produced : Seq.seq usize) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 112 8 116 9] forall i : Core_Ops_Range_Range_Type.t_range usize . forall e : usize . inv0 i -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Ghost.new produced) + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 112 8 116 9] forall i : Core_Ops_Range_Range_Type.t_range usize . forall e : usize . inv0 i + -> inv1 e -> produces0 iter (Seq.singleton e) i -> precondition0 func (e, Snapshot.new produced) val next_precondition0 (iter : Core_Ops_Range_Range_Type.t_range usize) (func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) (produced : Seq.seq usize) : bool ensures { result = next_precondition0 iter func produced } 
@@ -519,7 +548,16 @@ module C06KnightsTour_Impl1_New predicate preservation0 (iter : Core_Ops_Range_Range_Type.t_range usize) (func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 135 8 142 9] forall i : Core_Ops_Range_Range_Type.t_range usize . forall b : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . forall f : borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3 . forall e2 : usize . forall e1 : usize . forall s : Seq.seq usize . inv0 i -> inv9 b -> inv10 f -> inv1 e2 -> inv1 e1 -> inv7 s -> unnest0 func ( * f) -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i -> precondition0 ( * f) (e1, Ghost.new s) -> postcondition_mut0 f (e1, Ghost.new s) b -> precondition0 ( ^ f) (e2, Ghost.new (Seq.snoc s e1)) + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 135 8 142 9] forall i : Core_Ops_Range_Range_Type.t_range usize . forall b : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . forall f : borrowed C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3 . forall e2 : usize . forall e1 : usize . forall s : Seq.seq usize . inv0 i + -> inv9 b + -> inv10 f + -> inv1 e2 + -> inv1 e1 + -> inv7 s + -> unnest0 func ( * f) + -> produces0 iter (Seq.snoc (Seq.snoc s e1) e2) i + -> precondition0 ( * f) (e1, Snapshot.new s) + -> postcondition_mut0 f (e1, Snapshot.new s) b -> precondition0 ( ^ f) (e2, Snapshot.new (Seq.snoc s e1)) val preservation0 (iter : Core_Ops_Range_Range_Type.t_range usize) (func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) : bool ensures { result = preservation0 iter func } 
@@ -536,9 +574,13 @@ module C06KnightsTour_Impl1_New requires {[#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 42 121 50] inv7 produced} ensures { result = preservation_inv0 iter func produced } - axiom preservation_inv0_spec : forall iter : Core_Ops_Range_Range_Type.t_range usize, func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3, produced : Seq.seq usize . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 24 121 28] inv0 iter) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 33 121 37] inv2 func) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 42 121 50] inv7 produced) -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 120 4 120 83] produced = Seq.empty -> preservation_inv0 iter func produced = preservation0 iter func) + axiom preservation_inv0_spec : forall iter : Core_Ops_Range_Range_Type.t_range usize, func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3, produced : Seq.seq usize . ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 24 121 28] inv0 iter) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 33 121 37] inv2 func) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 121 42 121 50] inv7 produced) + -> ([#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 120 4 120 83] produced = Seq.empty + -> preservation_inv0 iter func produced = preservation0 iter func) predicate resolve3 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve3 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) : bool ensures { result = resolve3 self } 
@@ -548,7 +590,8 @@ module C06KnightsTour_Impl1_New ensures { result = completed1 self } predicate reinitialize0 (_1 : ()) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 148 8 153 9] forall func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3 . forall iter : borrowed (Core_Ops_Range_Range_Type.t_range usize) . inv2 func -> inv8 iter -> completed1 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 148 8 153 9] forall func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3 . forall iter : borrowed (Core_Ops_Range_Range_Type.t_range usize) . inv2 func + -> inv8 iter -> completed1 iter -> next_precondition0 ( ^ iter) func (Seq.empty ) /\ preservation0 ( ^ iter) func val reinitialize0 (_1 : ()) : bool ensures { result = reinitialize0 _1 } 
@@ -578,13 +621,21 @@ module C06KnightsTour_Impl1_New requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv7 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv7 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv7 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv7 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) function produces_refl1 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl1 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant1 (self : usize) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant1 (self : usize) : bool 
@@ -609,13 +660,21 @@ module C06KnightsTour_Impl1_New requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv7 ab) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv7 bc) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../../creusot-contracts/src/std/iter.rs" 38 15 38 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 39 15 39 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 22 41 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 31 41 33] inv7 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 52 41 53] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 61 41 63] inv7 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 41 82 41 83] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 40 14 40 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter.rs" 35 21 35 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter.rs" 34 14 34 45] produces0 self (Seq.empty ) self) function index_logic0 [@inline:trivial] (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) (ix : int) : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) = 
@@ -625,7 +684,8 @@ module C06KnightsTour_Impl1_New use C06KnightsTour_Board_Type as C06KnightsTour_Board_Type predicate wf0 [#"../06_knights_tour.rs" 30 4 30 23] (self : C06KnightsTour_Board_Type.t_board) = - [#"../06_knights_tour.rs" 31 8 35 9] UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) <= 1000 /\ Seq.length (shallow_model1 (C06KnightsTour_Board_Type.board_field self)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) -> Seq.length (shallow_model2 (index_logic0 (C06KnightsTour_Board_Type.board_field self) i)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self)) + [#"../06_knights_tour.rs" 31 8 35 9] UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) <= 1000 /\ Seq.length (shallow_model1 (C06KnightsTour_Board_Type.board_field self)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) + -> Seq.length (shallow_model2 (index_logic0 (C06KnightsTour_Board_Type.board_field self) i)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self)) val wf0 [#"../06_knights_tour.rs" 30 4 30 23] (self : C06KnightsTour_Board_Type.t_board) : bool ensures { result = wf0 self } 
@@ -639,7 +699,7 @@ module C06KnightsTour_Impl1_New predicate completed0 (self : borrowed (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3)) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 15 8 18 9] Ghost.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced ( ^ self)) = Seq.empty /\ completed1 (Borrow.borrow_logic (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter ( * self)) (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func ( * self) = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func ( ^ self) + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 15 8 18 9] Snapshot.inner (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_produced ( ^ self)) = Seq.empty /\ completed1 (Borrow.borrow_logic (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter ( * self)) (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter ( ^ self)) (Borrow.inherit_id (Borrow.get_id self) 1)) /\ CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func ( * self) = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func ( ^ self) val completed0 (self : borrowed (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3)) : bool ensures { result = completed0 self } 
@@ -648,14 +708,14 @@ module C06KnightsTour_Impl1_New = true predicate resolve1 (self : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true + [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve1 (self : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = resolve1 self } predicate resolve0 (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) = - [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 56 4 56 16] resolve1 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter self) /\ resolve2 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) + [#"../../../../../creusot-contracts/src/std/iter/map_inv.rs" 56 4 56 27] resolve1 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_iter self) /\ resolve2 (CreusotContracts_Std1_Iter_MapInv_MapInv_Type.mapinv_func self) val resolve0 (self : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) : bool ensures { result = resolve0 self } 
@@ -665,13 +725,14 @@ module C06KnightsTour_Impl1_New ensures { inv6 result } val map_inv0 (self : Core_Ops_Range_Range_Type.t_range usize) (func : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3) : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3 - requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 43 4 43 138] forall i2 : Core_Ops_Range_Range_Type.t_range usize . forall e : usize . inv0 i2 -> inv1 e -> produces0 self (Seq.singleton e) i2 -> precondition0 func (e, Ghost.new (Seq.empty ))} + requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 43 4 43 141] forall i2 : Core_Ops_Range_Range_Type.t_range usize . forall e : usize . inv0 i2 + -> inv1 e -> produces0 self (Seq.singleton e) i2 -> precondition0 func (e, Snapshot.new (Seq.empty ))} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 44 15 44 51] reinitialize0 ()} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 45 15 45 70] preservation0 self func} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 47 21 47 25] inv0 self} requires {[#"../../../../../creusot-contracts/src/std/iter.rs" 47 27 47 31] inv2 func} - ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 46 14 46 85] result = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.C_MapInv self func (Ghost.new (Seq.empty )) } - ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 47 4 50 58] inv3 result } + ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 46 14 46 88] result = CreusotContracts_Std1_Iter_MapInv_MapInv_Type.C_MapInv self func (Snapshot.new (Seq.empty )) } + ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 47 4 50 61] inv3 result } let rec cfg new [#"../06_knights_tour.rs" 40 4 40 31] [@cfg:stackify] [@cfg:subregion_analysis] (size : usize) : C06KnightsTour_Board_Type.t_board requires 
{[#"../06_knights_tour.rs" 37 15 37 28] UIntSize.to_int size <= 1000} @@ -683,11 +744,17 @@ module C06KnightsTour_Impl1_New var size : usize = size; var rows : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global); var _6 : CreusotContracts_Std1_Iter_MapInv_MapInv_Type.t_mapinv (Core_Ops_Range_Range_Type.t_range usize) usize C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3; + var _7 : Core_Ops_Range_Range_Type.t_range usize; + var _9 : C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3; { goto BB0 } BB0 { - [#"../06_knights_tour.rs" 41 19 45 13] _6 <- ([#"../06_knights_tour.rs" 41 19 45 13] map_inv0 ([#"../06_knights_tour.rs" 41 19 41 28] Core_Ops_Range_Range_Type.C_Range ([#"../06_knights_tour.rs" 41 20 41 21] [#"../06_knights_tour.rs" 41 20 41 21] (0 : usize)) ([#"../06_knights_tour.rs" 41 23 41 27] size)) ([#"../06_knights_tour.rs" 43 16 43 50] C06KnightsTour_Impl1_New_Closure3.C06KnightsTour_Impl1_New_Closure3 ([#"../06_knights_tour.rs" 43 16 43 50] size))); + [#"../06_knights_tour.rs" 41 19 41 28] _7 <- Core_Ops_Range_Range_Type.C_Range ([#"../06_knights_tour.rs" 41 20 41 21] (0 : usize)) size; + [#"../06_knights_tour.rs" 43 16 43 50] _9 <- C06KnightsTour_Impl1_New_Closure3.C06KnightsTour_Impl1_New_Closure3 size; + [#"../06_knights_tour.rs" 41 19 45 13] _6 <- ([#"../06_knights_tour.rs" 41 19 45 13] map_inv0 _7 _9); + _7 <- any Core_Ops_Range_Range_Type.t_range usize; + _9 <- any C06KnightsTour_Impl1_New_Closure3.c06knightstour_impl1_new_closure3; goto BB1 } BB1 { 
@@ -696,8 +763,8 @@ module C06KnightsTour_Impl1_New goto BB2 } BB2 { - [#"../06_knights_tour.rs" 47 8 47 34] _0 <- ([#"../06_knights_tour.rs" 47 8 47 34] C06KnightsTour_Board_Type.C_Board ([#"../06_knights_tour.rs" 47 15 47 19] size) ([#"../06_knights_tour.rs" 47 28 47 32] rows)); - [#"../06_knights_tour.rs" 47 28 47 32] rows <- any Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global); + [#"../06_knights_tour.rs" 47 8 47 34] _0 <- C06KnightsTour_Board_Type.C_Board size rows; + rows <- any Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global); goto BB3 } BB3 { 
@@ -737,7 +804,8 @@ module C06KnightsTour_Impl1_Available requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv7 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv7 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) predicate invariant6 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv7 (shallow_model4 self) val invariant6 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -766,7 +834,8 @@ module C06KnightsTour_Impl1_Available requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant4 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -837,7 +906,8 @@ module C06KnightsTour_Impl1_Available ensures { result = index_logic0 self ix } predicate wf0 [#"../06_knights_tour.rs" 30 4 30 23] (self : C06KnightsTour_Board_Type.t_board) = - [#"../06_knights_tour.rs" 31 8 35 9] UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) <= 1000 /\ Seq.length (shallow_model3 (C06KnightsTour_Board_Type.board_field self)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) -> Seq.length (shallow_model4 (index_logic0 (C06KnightsTour_Board_Type.board_field self) i)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self)) + [#"../06_knights_tour.rs" 31 8 35 9] UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) <= 1000 /\ Seq.length (shallow_model3 (C06KnightsTour_Board_Type.board_field self)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) + -> Seq.length (shallow_model4 (index_logic0 (C06KnightsTour_Board_Type.board_field self) i)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self)) val wf0 [#"../06_knights_tour.rs" 30 4 30 23] (self : C06KnightsTour_Board_Type.t_board) : bool ensures { result = wf0 self } @@ -855,7 +925,7 @@ module C06KnightsTour_Impl1_Available ensures { result = in_bounds2 self seq } function shallow_model1 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : Seq.seq usize = - [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model4 self + [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model4 self val shallow_model1 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : Seq.seq usize ensures { result = shallow_model1 self } 
@@ -883,7 +953,7 @@ module C06KnightsTour_Impl1_Available function shallow_model0 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model3 self + [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model3 self val shallow_model0 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) ensures { result = shallow_model0 self } 
@@ -897,43 +967,61 @@ module C06KnightsTour_Impl1_Available use prelude.IntSize let rec cfg available [#"../06_knights_tour.rs" 52 4 52 41] [@cfg:stackify] [@cfg:subregion_analysis] (self : C06KnightsTour_Board_Type.t_board) (p : C06KnightsTour_Point_Type.t_point) : bool requires {[#"../06_knights_tour.rs" 50 15 50 24] wf0 self} - ensures { [#"../06_knights_tour.rs" 51 4 51 44] result -> in_bounds0 self p } + ensures { [#"../06_knights_tour.rs" 51 4 51 44] result -> in_bounds0 self p } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : bool; var self : C06KnightsTour_Board_Type.t_board = self; var p : C06KnightsTour_Point_Type.t_point = p; + var _5 : bool; + var _7 : bool; + var _8 : usize; + var _11 : bool; + var _13 : bool; + var _14 : usize; var _18 : usize; var _20 : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global); + var _22 : usize; + var _24 : usize; { goto BB0 } BB0 { - switch ([#"../06_knights_tour.rs" 53 8 53 16] ([#"../06_knights_tour.rs" 53 8 53 9] [#"../06_knights_tour.rs" 53 8 53 9] (0 : isize)) <= ([#"../06_knights_tour.rs" 53 13 53 16] C06KnightsTour_Point_Type.point_x p)) + [#"../06_knights_tour.rs" 53 8 53 16] _5 <- ([#"../06_knights_tour.rs" 53 8 53 9] (0 : isize)) <= C06KnightsTour_Point_Type.point_x p; + switch (_5) | False -> goto BB8 | True -> goto BB1 end } BB1 { - switch ([#"../06_knights_tour.rs" 54 15 54 41] ([#"../06_knights_tour.rs" 54 15 54 29] UIntSize.of_int (IntSize.to_int ([#"../06_knights_tour.rs" 54 16 54 19] C06KnightsTour_Point_Type.point_x p))) < ([#"../06_knights_tour.rs" 54 32 54 41] C06KnightsTour_Board_Type.board_size self)) + [#"../06_knights_tour.rs" 54 15 54 29] _8 <- UIntSize.of_int (IntSize.to_int (C06KnightsTour_Point_Type.point_x p)); + [#"../06_knights_tour.rs" 54 15 54 41] _7 <- _8 < C06KnightsTour_Board_Type.board_size self; + _8 <- any usize; + switch (_7) | False -> goto BB7 | True -> goto BB2 end } BB2 { - switch ([#"../06_knights_tour.rs" 55 15 55 23] ([#"../06_knights_tour.rs" 55 15 55 16] 
[#"../06_knights_tour.rs" 55 15 55 16] (0 : isize)) <= ([#"../06_knights_tour.rs" 55 20 55 23] C06KnightsTour_Point_Type.point_y p)) + [#"../06_knights_tour.rs" 55 15 55 23] _11 <- ([#"../06_knights_tour.rs" 55 15 55 16] (0 : isize)) <= C06KnightsTour_Point_Type.point_y p; + switch (_11) | False -> goto BB6 | True -> goto BB3 end } BB3 { - switch ([#"../06_knights_tour.rs" 56 15 56 41] ([#"../06_knights_tour.rs" 56 15 56 29] UIntSize.of_int (IntSize.to_int ([#"../06_knights_tour.rs" 56 16 56 19] C06KnightsTour_Point_Type.point_y p))) < ([#"../06_knights_tour.rs" 56 32 56 41] C06KnightsTour_Board_Type.board_size self)) + [#"../06_knights_tour.rs" 56 15 56 29] _14 <- UIntSize.of_int (IntSize.to_int (C06KnightsTour_Point_Type.point_y p)); + [#"../06_knights_tour.rs" 56 15 56 41] _13 <- _14 < C06KnightsTour_Board_Type.board_size self; + _14 <- any usize; + switch (_13) | False -> goto BB5 | True -> goto BB4 end } BB4 { - [#"../06_knights_tour.rs" 57 25 57 39] _20 <- ([#"../06_knights_tour.rs" 57 25 57 39] index0 ([#"../06_knights_tour.rs" 57 15 57 25] C06KnightsTour_Board_Type.board_field self) ([#"../06_knights_tour.rs" 57 26 57 38] UIntSize.of_int (IntSize.to_int ([#"../06_knights_tour.rs" 57 26 57 29] C06KnightsTour_Point_Type.point_x p)))); + [#"../06_knights_tour.rs" 57 26 57 38] _22 <- UIntSize.of_int (IntSize.to_int (C06KnightsTour_Point_Type.point_x p)); + [#"../06_knights_tour.rs" 57 25 57 39] _20 <- ([#"../06_knights_tour.rs" 57 25 57 39] index0 (C06KnightsTour_Board_Type.board_field self) _22); + _22 <- any usize; goto BB10 } BB5 { 
@@ -949,15 +1037,17 @@ module C06KnightsTour_Impl1_Available goto BB9 } BB9 { - [#"../06_knights_tour.rs" 53 8 57 58] _0 <- ([#"../06_knights_tour.rs" 53 8 57 58] [#"../06_knights_tour.rs" 53 8 57 58] false); + [#"../06_knights_tour.rs" 53 8 57 58] _0 <- ([#"../06_knights_tour.rs" 53 8 57 58] false); goto BB12 } BB10 { - [#"../06_knights_tour.rs" 57 39 57 53] _18 <- ([#"../06_knights_tour.rs" 57 39 57 53] index1 ([#"../06_knights_tour.rs" 57 15 57 39] _20) ([#"../06_knights_tour.rs" 57 40 57 52] UIntSize.of_int (IntSize.to_int ([#"../06_knights_tour.rs" 57 40 57 43] C06KnightsTour_Point_Type.point_y p)))); + [#"../06_knights_tour.rs" 57 40 57 52] _24 <- UIntSize.of_int (IntSize.to_int (C06KnightsTour_Point_Type.point_y p)); + [#"../06_knights_tour.rs" 57 39 57 53] _18 <- ([#"../06_knights_tour.rs" 57 39 57 53] index1 _20 _24); + _24 <- any usize; goto BB11 } BB11 { - [#"../06_knights_tour.rs" 57 15 57 58] _0 <- ([#"../06_knights_tour.rs" 57 15 57 58] ([#"../06_knights_tour.rs" 57 15 57 53] _18) = ([#"../06_knights_tour.rs" 57 57 57 58] [#"../06_knights_tour.rs" 57 57 57 58] (0 : usize))); + [#"../06_knights_tour.rs" 57 15 57 58] _0 <- _18 = ([#"../06_knights_tour.rs" 57 57 57 58] (0 : usize)); goto BB12 } BB12 { @@ -978,7 +1068,7 @@ module Alloc_Vec_IntoIter_IntoIter_Type use Core_Marker_PhantomData_Type as Core_Marker_PhantomData_Type use Core_Ptr_NonNull_NonNull_Type as Core_Ptr_NonNull_NonNull_Type type t_intoiter 't 'a = - | C_IntoIter (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) usize (Core_Mem_ManuallyDrop_ManuallyDrop_Type.t_manuallydrop 'a) opaque_ptr opaque_ptr + | C_IntoIter (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) usize (Core_Mem_ManuallyDrop_ManuallyDrop_Type.t_manuallydrop 'a) (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) opaque_ptr end module Core_Option_Option_Type 
@@ -1021,7 +1111,8 @@ module C06KnightsTour_Impl1_CountDegree requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self} ensures { result = shallow_model5 self } - axiom shallow_model5_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model5 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max0) + axiom shallow_model5_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv8 (shallow_model5 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max0) predicate invariant7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv8 (shallow_model5 self) val invariant7 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1050,7 +1141,8 @@ module C06KnightsTour_Impl1_CountDegree requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self} ensures { result = shallow_model4 self } - axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) + axiom shallow_model4_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model4 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model4 self) <= UIntSize.to_int max0) predicate invariant5 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -1107,7 +1199,8 @@ module C06KnightsTour_Impl1_CountDegree requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv4 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant1 (self : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv4 (shallow_model1 self) val invariant1 (self : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1145,7 +1238,14 @@ module C06KnightsTour_Impl1_CountDegree requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global), ab : Seq.seq (isize, isize), b : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global), bc : Seq.seq (isize, isize), c : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 248 15 248 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 249 15 249 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 22 251 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 31 251 33] inv4 ab) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 43 251 44] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 52 251 54] inv4 bc) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 250 14 250 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global), ab : Seq.seq (isize, isize), b : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global), bc : Seq.seq (isize, isize), c : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global) . 
([#"../../../../../creusot-contracts/src/std/vec.rs" 248 15 248 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 249 15 249 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 22 251 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 31 251 33] inv4 ab) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 43 251 44] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 52 251 54] inv4 bc) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 250 14 250 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)) : () @@ -1155,7 +1255,8 @@ module C06KnightsTour_Impl1_CountDegree requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 243 14 243 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 243 14 243 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -1183,18 +1284,19 @@ module C06KnightsTour_Impl1_CountDegree ensures { result = index_logic2 self ix } predicate wf0 [#"../06_knights_tour.rs" 30 4 30 23] (self : C06KnightsTour_Board_Type.t_board) = - [#"../06_knights_tour.rs" 31 8 35 9] UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) <= 1000 /\ Seq.length (shallow_model4 (C06KnightsTour_Board_Type.board_field self)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) -> Seq.length (shallow_model5 (index_logic2 (C06KnightsTour_Board_Type.board_field self) i)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self)) + [#"../06_knights_tour.rs" 31 8 35 9] UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) <= 1000 /\ Seq.length (shallow_model4 (C06KnightsTour_Board_Type.board_field self)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) + -> Seq.length (shallow_model5 (index_logic2 (C06KnightsTour_Board_Type.board_field self) i)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self)) val wf0 [#"../06_knights_tour.rs" 30 4 30 23] (self : C06KnightsTour_Board_Type.t_board) : bool ensures { result = wf0 self } - use prelude.Ghost + use prelude.Snapshot predicate resolve3 (self : isize) = - [#"../../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true + [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve3 (self : isize) : bool ensures { result = resolve3 self } predicate resolve1 (self : (isize, isize)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 18 8 18 60] resolve3 (let (a, _) = self in a) /\ resolve3 (let (_, a) = self in a) + [#"../../../../../creusot-contracts/src/resolve.rs" 16 8 16 60] resolve3 (let (a, _) = self in a) /\ resolve3 (let (_, a) = self in a) val resolve1 (self : (isize, isize)) : bool ensures { result = 
resolve1 self } @@ -1202,13 +1304,14 @@ module C06KnightsTour_Impl1_CountDegree predicate resolve2 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 222 8 222 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) -> resolve1 (Seq.get (shallow_model3 self) i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 222 8 222 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model3 self) + -> resolve1 (Seq.get (shallow_model3 self) i) val resolve2 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve2 self } val available0 [#"../06_knights_tour.rs" 52 4 52 41] (self : C06KnightsTour_Board_Type.t_board) (p : C06KnightsTour_Point_Type.t_point) : bool requires {[#"../06_knights_tour.rs" 50 15 50 24] wf0 self} - ensures { [#"../06_knights_tour.rs" 51 4 51 44] result -> in_bounds0 self p } + ensures { [#"../06_knights_tour.rs" 51 4 51 44] result -> in_bounds0 self p } val mov0 [#"../06_knights_tour.rs" 18 4 18 45] (self : C06KnightsTour_Point_Type.t_point) (p : (isize, isize)) : C06KnightsTour_Point_Type.t_point requires {[#"../06_knights_tour.rs" 12 15 12 52] - 10000 <= IntSize.to_int (C06KnightsTour_Point_Type.point_x self) /\ IntSize.to_int (C06KnightsTour_Point_Type.point_x self) <= 10000} 
@@ -1222,14 +1325,14 @@ module C06KnightsTour_Impl1_CountDegree predicate resolve0 (self : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve0 self } function shallow_model6 (self : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global))) : Seq.seq (isize, isize) = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model3 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model3 ( * self) val shallow_model6 (self : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global))) : Seq.seq (isize, isize) ensures { result = shallow_model6 self } @@ -1248,11 +1351,11 @@ module C06KnightsTour_Impl1_CountDegree end } ensures { inv3 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global)) (res : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -1280,7 +1383,8 @@ module C06KnightsTour_Impl1_CountDegree val moves0 [#"../06_knights_tour.rs" 95 0 95 33] (_1 : ()) : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global) ensures { [#"../06_knights_tour.rs" 93 10 93 28] Seq.length (shallow_model1 result) = 8 } - ensures { [#"../06_knights_tour.rs" 94 0 94 130] forall i : int . 0 <= i /\ i < 8 -> - 2 <= IntSize.to_int (let (a, _) = index_logic0 result i in a) /\ IntSize.to_int (let (a, _) = index_logic0 result i in a) <= 2 /\ - 2 <= IntSize.to_int (let (_, a) = index_logic0 result i in a) /\ IntSize.to_int (let (_, a) = index_logic0 result i in a) <= 2 } + ensures { [#"../06_knights_tour.rs" 94 0 94 130] forall i : int . 0 <= i /\ i < 8 + -> - 2 <= IntSize.to_int (let (a, _) = index_logic0 result i in a) /\ IntSize.to_int (let (a, _) = index_logic0 result i in a) <= 2 /\ - 2 <= IntSize.to_int (let (_, a) = index_logic0 result i in a) /\ IntSize.to_int (let (_, a) = index_logic0 result i in a) <= 2 } let rec cfg count_degree [#"../06_knights_tour.rs" 70 4 70 45] [@cfg:stackify] [@cfg:subregion_analysis] (self : C06KnightsTour_Board_Type.t_board) (p : C06KnightsTour_Point_Type.t_point) : usize requires {[#"../06_knights_tour.rs" 68 15 68 24] wf0 self} 
@@ -1293,14 +1397,14 @@ module C06KnightsTour_Impl1_CountDegree var count : usize; var iter : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global); var _8 : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global); - var iter_old : Ghost.ghost_ty (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)); - var produced : Ghost.ghost_ty (Seq.seq (isize, isize)); + var iter_old : Snapshot.snap_ty (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)); + var produced : Snapshot.snap_ty (Seq.seq (isize, isize)); var _16 : (); var _17 : Core_Option_Option_Type.t_option (isize, isize); var _18 : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)); var _19 : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)); var __creusot_proc_iter_elem : (isize, isize); - var _22 : Ghost.ghost_ty (Seq.seq (isize, isize)); + var _22 : Snapshot.snap_ty (Seq.seq (isize, isize)); var m : (isize, isize); var next : C06KnightsTour_Point_Type.t_point; var _28 : (isize, isize); @@ -1309,8 +1413,8 @@ module C06KnightsTour_Impl1_CountDegree goto BB0 } BB0 { - [#"../06_knights_tour.rs" 71 24 71 25] count <- ([#"../06_knights_tour.rs" 71 24 71 25] [#"../06_knights_tour.rs" 71 24 71 25] (0 : usize)); - [#"../06_knights_tour.rs" 74 17 74 24] _8 <- ([#"../06_knights_tour.rs" 74 17 74 24] moves0 ()); + [#"../06_knights_tour.rs" 71 24 71 25] count <- ([#"../06_knights_tour.rs" 71 24 71 25] (0 : usize)); + [#"../06_knights_tour.rs" 74 17 74 24] _8 <- ([#"../06_knights_tour.rs" 74 17 74 24] moves0 ([#"../06_knights_tour.rs" 74 17 74 24] ())); goto BB1 } BB1 { 
@@ -1319,11 +1423,11 @@ module C06KnightsTour_Impl1_CountDegree goto BB2 } BB2 { - [#"../06_knights_tour.rs" 73 8 73 46] iter_old <- ([#"../06_knights_tour.rs" 73 8 73 46] Ghost.new iter); + [#"../06_knights_tour.rs" 73 8 73 46] iter_old <- ([#"../06_knights_tour.rs" 73 8 73 46] Snapshot.new iter); goto BB3 } BB3 { - [#"../06_knights_tour.rs" 73 8 73 46] produced <- ([#"../06_knights_tour.rs" 73 8 73 46] Ghost.new (Seq.empty )); + [#"../06_knights_tour.rs" 73 8 73 46] produced <- ([#"../06_knights_tour.rs" 73 8 73 46] Snapshot.new (Seq.empty )); goto BB4 } BB4 { @@ -1337,8 +1441,8 @@ module C06KnightsTour_Impl1_CountDegree } BB7 { invariant { [#"../06_knights_tour.rs" 73 8 73 46] inv0 iter }; - invariant { [#"../06_knights_tour.rs" 73 8 73 46] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../06_knights_tour.rs" 73 20 73 44] UIntSize.to_int count <= Seq.length (Ghost.inner produced) }; + invariant { [#"../06_knights_tour.rs" 73 8 73 46] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../06_knights_tour.rs" 73 20 73 44] UIntSize.to_int count <= Seq.length (Snapshot.inner produced) }; goto BB8 } BB8 { 
@@ -1370,22 +1474,22 @@ module C06KnightsTour_Impl1_CountDegree absurd } BB13 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _17); - [#"../06_knights_tour.rs" 73 8 73 46] _22 <- ([#"../06_knights_tour.rs" 73 8 73 46] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _17; + [#"../06_knights_tour.rs" 73 8 73 46] _22 <- ([#"../06_knights_tour.rs" 73 8 73 46] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB14 } BB14 { - [#"../06_knights_tour.rs" 73 8 73 46] produced <- ([#"../06_knights_tour.rs" 73 8 73 46] _22); - [#"../06_knights_tour.rs" 73 8 73 46] _22 <- any Ghost.ghost_ty (Seq.seq (isize, isize)); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] m <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem); + [#"../06_knights_tour.rs" 73 8 73 46] produced <- _22; + _22 <- any Snapshot.snap_ty (Seq.seq (isize, isize)); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] m <- __creusot_proc_iter_elem; assume { resolve1 __creusot_proc_iter_elem }; - [#"../06_knights_tour.rs" 75 29 75 31] _28 <- ([#"../06_knights_tour.rs" 75 29 75 31] m); - [#"../06_knights_tour.rs" 75 23 75 32] next <- ([#"../06_knights_tour.rs" 75 23 75 32] mov0 ([#"../06_knights_tour.rs" 75 23 75 24] p) ([#"../06_knights_tour.rs" 75 29 75 31] _28)); + [#"../06_knights_tour.rs" 75 29 75 31] _28 <- m; + [#"../06_knights_tour.rs" 75 23 75 32] next <- ([#"../06_knights_tour.rs" 75 23 75 32] mov0 p _28); goto BB15 } BB15 { assume { resolve1 m }; - [#"../06_knights_tour.rs" 76 15 76 35] _29 <- ([#"../06_knights_tour.rs" 76 15 76 35] available0 ([#"../06_knights_tour.rs" 
76 15 76 19] self) ([#"../06_knights_tour.rs" 76 30 76 34] next)); + [#"../06_knights_tour.rs" 76 15 76 35] _29 <- ([#"../06_knights_tour.rs" 76 15 76 35] available0 self next); goto BB16 } BB16 { @@ -1395,7 +1499,7 @@ module C06KnightsTour_Impl1_CountDegree end } BB17 { - [#"../06_knights_tour.rs" 77 16 77 26] count <- ([#"../06_knights_tour.rs" 77 16 77 26] count + ([#"../06_knights_tour.rs" 77 25 77 26] [#"../06_knights_tour.rs" 77 25 77 26] (1 : usize))); + [#"../06_knights_tour.rs" 77 16 77 26] count <- count + ([#"../06_knights_tour.rs" 77 25 77 26] (1 : usize)); [#"../06_knights_tour.rs" 76 36 78 13] _16 <- ([#"../06_knights_tour.rs" 76 36 78 13] ()); goto BB19 } @@ -1407,7 +1511,7 @@ module C06KnightsTour_Impl1_CountDegree goto BB7 } BB20 { - [#"../06_knights_tour.rs" 80 8 80 13] _0 <- ([#"../06_knights_tour.rs" 80 8 80 13] count); + [#"../06_knights_tour.rs" 80 8 80 13] _0 <- count; return _0 } 
@@ -1441,7 +1545,8 @@ module C06KnightsTour_Impl1_Set requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv7 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv6 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv7 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant6 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv7 (shallow_model3 self) val invariant6 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -1470,7 +1575,8 @@ module C06KnightsTour_Impl1_Set requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model1 self } - axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) + axiom shallow_model1_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv5 (shallow_model1 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model1 self) <= UIntSize.to_int max0) predicate invariant4 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -1542,29 +1648,31 @@ module C06KnightsTour_Impl1_Set ensures { result = index_logic0 self ix } predicate wf0 [#"../06_knights_tour.rs" 30 4 30 23] (self : C06KnightsTour_Board_Type.t_board) = - [#"../06_knights_tour.rs" 31 8 35 9] UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) <= 1000 /\ Seq.length (shallow_model1 (C06KnightsTour_Board_Type.board_field self)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) -> Seq.length (shallow_model3 (index_logic0 (C06KnightsTour_Board_Type.board_field self) i)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self)) + [#"../06_knights_tour.rs" 31 8 35 9] UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) <= 1000 /\ Seq.length (shallow_model1 (C06KnightsTour_Board_Type.board_field self)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) + -> Seq.length (shallow_model3 (index_logic0 (C06KnightsTour_Board_Type.board_field self) i)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self)) val wf0 [#"../06_knights_tour.rs" 30 4 30 23] (self : C06KnightsTour_Board_Type.t_board) : bool ensures { result = wf0 self } predicate resolve2 (self : borrowed (C06KnightsTour_Board_Type.t_board)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve2 (self : borrowed (C06KnightsTour_Board_Type.t_board)) : bool ensures { result = resolve2 self } predicate resolve1 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize 
(Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve1 self } predicate resolve0 (self : borrowed usize) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed usize) : bool ensures { result = resolve0 self } use prelude.Slice use seq.Seq predicate resolve_elswhere1 [@inline:trivial] (self : usize) (old' : Seq.seq usize) (fin : Seq.seq usize) = - [#"../../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere1 [@inline:trivial] (self : usize) (old' : Seq.seq usize) (fin : Seq.seq usize) : bool ensures { result = resolve_elswhere1 self old' fin } @@ -1581,7 +1689,7 @@ module C06KnightsTour_Impl1_Set function shallow_model2 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : Seq.seq usize = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model3 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model3 ( * self) val shallow_model2 (self : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : Seq.seq usize ensures { result = shallow_model2 self } 
@@ -1598,7 +1706,8 @@ module C06KnightsTour_Impl1_Set predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) (fin : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) (fin : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve_elswhere0 self old' fin } @@ -1619,7 +1728,7 @@ module C06KnightsTour_Impl1_Set function shallow_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global))) : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model1 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model1 ( * self) val shallow_model0 (self : borrowed (Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global))) : Seq.seq (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) ensures { result = shallow_model0 self } 
@@ -1649,25 +1758,31 @@ module C06KnightsTour_Impl1_Set var _10 : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)); var _11 : borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)); var _12 : borrowed (Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)); + var _13 : usize; + var _15 : usize; { goto BB0 } BB0 { [#"../06_knights_tour.rs" 88 8 88 18] _12 <- Borrow.borrow_final (C06KnightsTour_Board_Type.board_field ( * self)) (Borrow.inherit_id (Borrow.get_id self) 2); [#"../06_knights_tour.rs" 88 8 88 18] self <- { self with current = (let C06KnightsTour_Board_Type.C_Board x0 x1 = * self in C06KnightsTour_Board_Type.C_Board x0 ( ^ _12)) ; }; - [#"../06_knights_tour.rs" 88 18 88 32] _11 <- ([#"../06_knights_tour.rs" 88 18 88 32] index_mut0 _12 ([#"../06_knights_tour.rs" 88 19 88 31] UIntSize.of_int (IntSize.to_int ([#"../06_knights_tour.rs" 88 19 88 22] C06KnightsTour_Point_Type.point_x p)))); + [#"../06_knights_tour.rs" 88 19 88 31] _13 <- UIntSize.of_int (IntSize.to_int (C06KnightsTour_Point_Type.point_x p)); + [#"../06_knights_tour.rs" 88 18 88 32] _11 <- ([#"../06_knights_tour.rs" 88 18 88 32] index_mut0 _12 _13); _12 <- any borrowed (Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)); + _13 <- any usize; goto BB1 } BB1 { [#"../06_knights_tour.rs" 88 8 88 32] _10 <- Borrow.borrow_final ( * _11) (Borrow.get_id _11); [#"../06_knights_tour.rs" 88 8 88 32] _11 <- { _11 with current = ( ^ _10) ; }; - [#"../06_knights_tour.rs" 88 32 88 46] _9 <- ([#"../06_knights_tour.rs" 88 32 88 46] index_mut1 _10 ([#"../06_knights_tour.rs" 88 33 88 45] UIntSize.of_int (IntSize.to_int ([#"../06_knights_tour.rs" 88 33 88 36] C06KnightsTour_Point_Type.point_y p)))); + [#"../06_knights_tour.rs" 88 33 88 45] _15 <- UIntSize.of_int (IntSize.to_int (C06KnightsTour_Point_Type.point_y p)); + 
[#"../06_knights_tour.rs" 88 32 88 46] _9 <- ([#"../06_knights_tour.rs" 88 32 88 46] index_mut1 _10 _15); _10 <- any borrowed (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)); + _15 <- any usize; goto BB2 } BB2 { - [#"../06_knights_tour.rs" 88 8 88 50] _9 <- { _9 with current = ([#"../06_knights_tour.rs" 88 49 88 50] v) ; }; + [#"../06_knights_tour.rs" 88 8 88 50] _9 <- { _9 with current = v ; }; assume { resolve0 _9 }; [#"../06_knights_tour.rs" 88 8 88 50] _0 <- ([#"../06_knights_tour.rs" 88 8 88 50] ()); assume { resolve1 _11 }; @@ -1728,7 +1843,8 @@ module C06KnightsTour_Min requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant5 (self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -1792,7 +1908,8 @@ module C06KnightsTour_Min requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv7 self} ensures { result = shallow_model6 self } - axiom shallow_model6_spec : forall self : slice (usize, C06KnightsTour_Point_Type.t_point) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv7 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv6 (shallow_model6 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) + axiom shallow_model6_spec : forall self : slice (usize, C06KnightsTour_Point_Type.t_point) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 21 19 25] inv7 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 19 4 19 50] inv6 (shallow_model6 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 18 14 18 42] shallow_model6 self = Slice.id self) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 17 14 17 41] Seq.length (shallow_model6 self) <= UIntSize.to_int max0) function index_logic3 [@inline:trivial] (self : slice (usize, C06KnightsTour_Point_Type.t_point)) (ix : int) : (usize, C06KnightsTour_Point_Type.t_point) = @@ -1804,7 +1921,7 @@ module C06KnightsTour_Min function shallow_model3 (self : slice (usize, C06KnightsTour_Point_Type.t_point)) : Seq.seq (usize, C06KnightsTour_Point_Type.t_point) = - [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model6 self + [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model6 self val shallow_model3 (self : slice (usize, C06KnightsTour_Point_Type.t_point)) : Seq.seq (usize, C06KnightsTour_Point_Type.t_point) ensures { result = shallow_model3 self } 
@@ -1815,7 +1932,9 @@ module C06KnightsTour_Min requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv4 self} ensures { result = to_ref_seq0 self } - axiom to_ref_seq0_spec : forall self : slice (usize, C06KnightsTour_Point_Type.t_point) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv3 (to_ref_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) -> Seq.get (to_ref_seq0 self) i = index_logic3 self i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model3 self)) + axiom to_ref_seq0_spec : forall self : slice (usize, C06KnightsTour_Point_Type.t_point) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 19 91 23] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 91 4 91 35] inv3 (to_ref_seq0 self)) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 90 4 90 82] forall i : int . 0 <= i /\ i < Seq.length (to_ref_seq0 self) + -> Seq.get (to_ref_seq0 self) i = index_logic3 self i) && ([#"../../../../../creusot-contracts/src/std/slice.rs" 89 14 89 41] Seq.length (to_ref_seq0 self) = Seq.length (shallow_model3 self)) function shallow_model1 (self : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point)) : slice (usize, C06KnightsTour_Point_Type.t_point) val shallow_model1 (self : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point)) : slice (usize, C06KnightsTour_Point_Type.t_point) 
@@ -1839,7 +1958,11 @@ module C06KnightsTour_Min requires {[#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv3 bc} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point), ab : Seq.seq (usize, C06KnightsTour_Point_Type.t_point), b : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point), bc : Seq.seq (usize, C06KnightsTour_Point_Type.t_point), c : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point) . ([#"../../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv3 ab) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv3 bc) -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point), ab : Seq.seq (usize, C06KnightsTour_Point_Type.t_point), b : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point), bc : Seq.seq (usize, C06KnightsTour_Point_Type.t_point), c : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point) . 
([#"../../../../../creusot-contracts/src/std/slice.rs" 397 15 397 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 398 15 398 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 31 400 33] inv3 ab) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 400 61 400 63] inv3 bc) + -> ([#"../../../../../creusot-contracts/src/std/slice.rs" 399 14 399 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point)) : () = [#"../../../../../creusot-contracts/src/std/slice.rs" 390 4 390 10] () @@ -1857,10 +1980,10 @@ module C06KnightsTour_Min ensures { result = inv0 _x } axiom inv0 : forall x : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point) . inv0 x = true - use prelude.Ghost + use prelude.Snapshot use seq.Seq predicate resolve0 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point))) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point))) : bool ensures { result = resolve0 self } @@ -1868,7 +1991,7 @@ module C06KnightsTour_Min function shallow_model5 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point))) : slice (usize, C06KnightsTour_Point_Type.t_point) = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model1 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model1 ( * self) val shallow_model5 (self : borrowed (Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point))) : slice (usize, C06KnightsTour_Point_Type.t_point) ensures { result = shallow_model5 self } 
@@ -1894,14 +2017,14 @@ module C06KnightsTour_Min function shallow_model0 (self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (usize, C06KnightsTour_Point_Type.t_point) = - [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model2 self + [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model2 self val shallow_model0 (self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (usize, C06KnightsTour_Point_Type.t_point) ensures { result = shallow_model0 self } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)) (res : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point)) = 
@@ -1922,37 +2045,41 @@ module C06KnightsTour_Min ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 89 0 166 1] into_iter_post0 self result } let rec cfg min [#"../06_knights_tour.rs" 111 0 111 58] [@cfg:stackify] [@cfg:subregion_analysis] (v : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)) : Core_Option_Option_Type.t_option (usize, C06KnightsTour_Point_Type.t_point) - ensures { [#"../06_knights_tour.rs" 109 0 110 62] forall r : (usize, C06KnightsTour_Point_Type.t_point) . result = Core_Option_Option_Type.C_Some r -> (exists i : int . 0 <= i /\ i < Seq.length (shallow_model0 v) /\ index_logic0 v i = r) } + ensures { [#"../06_knights_tour.rs" 109 0 110 62] forall r : (usize, C06KnightsTour_Point_Type.t_point) . result = Core_Option_Option_Type.C_Some r + -> (exists i : int . 0 <= i /\ i < Seq.length (shallow_model0 v) /\ index_logic0 v i = r) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : Core_Option_Option_Type.t_option (usize, C06KnightsTour_Point_Type.t_point); var v : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global) = v; var min : Core_Option_Option_Type.t_option (usize, C06KnightsTour_Point_Type.t_point); var iter : Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point); - var iter_old : Ghost.ghost_ty (Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point)); - var produced : Ghost.ghost_ty (Seq.seq (usize, C06KnightsTour_Point_Type.t_point)); + var iter_old : Snapshot.snap_ty (Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point)); + var produced : Snapshot.snap_ty (Seq.seq (usize, C06KnightsTour_Point_Type.t_point)); var _15 : Core_Option_Option_Type.t_option (usize, C06KnightsTour_Point_Type.t_point); var _16 : borrowed (Core_Slice_Iter_Iter_Type.t_iter (usize, C06KnightsTour_Point_Type.t_point)); var _17 : borrowed (Core_Slice_Iter_Iter_Type.t_iter (usize, 
C06KnightsTour_Point_Type.t_point)); var __creusot_proc_iter_elem : (usize, C06KnightsTour_Point_Type.t_point); - var _20 : Ghost.ghost_ty (Seq.seq (usize, C06KnightsTour_Point_Type.t_point)); + var _20 : Snapshot.snap_ty (Seq.seq (usize, C06KnightsTour_Point_Type.t_point)); var x : (usize, C06KnightsTour_Point_Type.t_point); var _23 : (); + var _25 : Core_Option_Option_Type.t_option (usize, C06KnightsTour_Point_Type.t_point); var m : (usize, C06KnightsTour_Point_Type.t_point); + var _28 : bool; + var _31 : Core_Option_Option_Type.t_option (usize, C06KnightsTour_Point_Type.t_point); { goto BB0 } BB0 { - [#"../06_knights_tour.rs" 112 18 112 22] min <- ([#"../06_knights_tour.rs" 112 18 112 22] Core_Option_Option_Type.C_None); - [#"../06_knights_tour.rs" 113 4 114 74] iter <- ([#"../06_knights_tour.rs" 113 4 114 74] into_iter0 ([#"../06_knights_tour.rs" 115 13 115 14] v)); + [#"../06_knights_tour.rs" 112 18 112 22] min <- Core_Option_Option_Type.C_None; + [#"../06_knights_tour.rs" 113 4 114 74] iter <- ([#"../06_knights_tour.rs" 113 4 114 74] into_iter0 v); goto BB1 } BB1 { - [#"../06_knights_tour.rs" 113 4 114 74] iter_old <- ([#"../06_knights_tour.rs" 113 4 114 74] Ghost.new iter); + [#"../06_knights_tour.rs" 113 4 114 74] iter_old <- ([#"../06_knights_tour.rs" 113 4 114 74] Snapshot.new iter); goto BB2 } BB2 { - [#"../06_knights_tour.rs" 113 4 114 74] produced <- ([#"../06_knights_tour.rs" 113 4 114 74] Ghost.new (Seq.empty )); + [#"../06_knights_tour.rs" 113 4 114 74] produced <- ([#"../06_knights_tour.rs" 113 4 114 74] Snapshot.new (Seq.empty )); goto BB3 } BB3 { 
@@ -1960,8 +2087,9 @@ module C06KnightsTour_Min } BB4 { invariant { [#"../06_knights_tour.rs" 113 4 114 74] inv0 iter }; - invariant { [#"../06_knights_tour.rs" 113 4 114 74] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../06_knights_tour.rs" 113 4 114 74] forall r : (usize, C06KnightsTour_Point_Type.t_point) . min = Core_Option_Option_Type.C_Some r -> (exists i : int . 0 <= i /\ i < Seq.length (shallow_model0 v) /\ index_logic0 v i = r) }; + invariant { [#"../06_knights_tour.rs" 113 4 114 74] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../06_knights_tour.rs" 113 4 114 74] forall r : (usize, C06KnightsTour_Point_Type.t_point) . min = Core_Option_Option_Type.C_Some r + -> (exists i : int . 0 <= i /\ i < Seq.length (shallow_model0 v) /\ index_logic0 v i = r) }; goto BB5 } BB5 { @@ -1981,7 +2109,7 @@ module C06KnightsTour_Min end } BB7 { - [#"../06_knights_tour.rs" 125 4 125 7] _0 <- ([#"../06_knights_tour.rs" 125 4 125 7] min); + [#"../06_knights_tour.rs" 125 4 125 7] _0 <- min; return _0 } BB8 { 
@@ -1992,54 +2120,57 @@ module C06KnightsTour_Min absurd } BB10 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _15); - [#"../06_knights_tour.rs" 113 4 114 74] _20 <- ([#"../06_knights_tour.rs" 113 4 114 74] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _15; + [#"../06_knights_tour.rs" 113 4 114 74] _20 <- ([#"../06_knights_tour.rs" 113 4 114 74] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB11 } BB11 { - [#"../06_knights_tour.rs" 113 4 114 74] produced <- ([#"../06_knights_tour.rs" 113 4 114 74] _20); - [#"../06_knights_tour.rs" 113 4 114 74] _20 <- any Ghost.ghost_ty (Seq.seq (usize, C06KnightsTour_Point_Type.t_point)); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] x <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem); + [#"../06_knights_tour.rs" 113 4 114 74] produced <- _20; + _20 <- any Snapshot.snap_ty (Seq.seq (usize, C06KnightsTour_Point_Type.t_point)); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] x <- __creusot_proc_iter_elem; switch (min) | Core_Option_Option_Type.C_None -> goto BB12 | Core_Option_Option_Type.C_Some _ -> goto BB13 end } BB12 { - goto BB14 + goto BB15 } BB13 { - [#"../06_knights_tour.rs" 118 17 118 18] m <- ([#"../06_knights_tour.rs" 118 17 118 18] Core_Option_Option_Type.some_0 min); - switch ([#"../06_knights_tour.rs" 119 19 119 28] ([#"../06_knights_tour.rs" 119 19 119 22] let (a, _) = x in a) < ([#"../06_knights_tour.rs" 119 25 119 28] let (a, _) = m in a)) - | False -> goto BB16 - | True -> goto BB15 + [#"../06_knights_tour.rs" 118 17 118 18] m <- Core_Option_Option_Type.some_0 
min; + [#"../06_knights_tour.rs" 119 19 119 28] _28 <- (let (a, _) = x in a) < (let (a, _) = m in a); + switch (_28) + | False -> goto BB17 + | True -> goto BB16 end } BB14 { - [#"../06_knights_tour.rs" 117 20 117 33] min <- ([#"../06_knights_tour.rs" 117 26 117 33] Core_Option_Option_Type.C_Some ([#"../06_knights_tour.rs" 117 31 117 32] x)); - [#"../06_knights_tour.rs" 117 20 117 33] _23 <- ([#"../06_knights_tour.rs" 117 20 117 33] ()); - goto BB18 + assert { [#"../06_knights_tour.rs" 116 14 116 17] false }; + absurd } BB15 { - [#"../06_knights_tour.rs" 120 20 120 33] min <- ([#"../06_knights_tour.rs" 120 26 120 33] Core_Option_Option_Type.C_Some ([#"../06_knights_tour.rs" 120 31 120 32] x)); - [#"../06_knights_tour.rs" 120 20 120 33] _23 <- ([#"../06_knights_tour.rs" 120 20 120 33] ()); - goto BB17 + [#"../06_knights_tour.rs" 117 26 117 33] _25 <- Core_Option_Option_Type.C_Some x; + [#"../06_knights_tour.rs" 117 20 117 33] min <- _25; + _25 <- any Core_Option_Option_Type.t_option (usize, C06KnightsTour_Point_Type.t_point); + [#"../06_knights_tour.rs" 117 20 117 33] _23 <- ([#"../06_knights_tour.rs" 117 20 117 33] ()); + goto BB19 } BB16 { - [#"../06_knights_tour.rs" 121 17 121 17] _23 <- ([#"../06_knights_tour.rs" 121 17 121 17] ()); - goto BB17 + [#"../06_knights_tour.rs" 120 26 120 33] _31 <- Core_Option_Option_Type.C_Some x; + [#"../06_knights_tour.rs" 120 20 120 33] min <- _31; + _31 <- any Core_Option_Option_Type.t_option (usize, C06KnightsTour_Point_Type.t_point); + [#"../06_knights_tour.rs" 120 20 120 33] _23 <- ([#"../06_knights_tour.rs" 120 20 120 33] ()); + goto BB18 } BB17 { + [#"../06_knights_tour.rs" 121 17 121 17] _23 <- ([#"../06_knights_tour.rs" 121 17 121 17] ()); goto BB18 } BB18 { - goto BB4 - } - BB20 { - goto BB9 + goto BB19 } - BB21 { - goto BB9 + BB19 { + goto BB4 } end 
@@ -2047,12 +2178,10 @@ module C06KnightsTour_DumbNonlinearArith_Impl use prelude.UIntSize use prelude.Int use prelude.UIntSize - let rec ghost function dumb_nonlinear_arith [#"../06_knights_tour.rs" 131 0 131 33] (a : usize) : () - requires {[#"../06_knights_tour.rs" 129 11 129 22] UIntSize.to_int a <= 1000} - ensures { [#"../06_knights_tour.rs" 130 10 130 30] UIntSize.to_int a * UIntSize.to_int a <= 1000000 } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../06_knights_tour.rs" 128 0 128 8] () + constant a : usize + function dumb_nonlinear_arith [#"../06_knights_tour.rs" 131 0 131 33] (a : usize) : () + goal vc_dumb_nonlinear_arith : ([#"../06_knights_tour.rs" 129 11 129 22] UIntSize.to_int a <= 1000) + -> ([#"../06_knights_tour.rs" 130 10 130 30] UIntSize.to_int a * UIntSize.to_int a <= 1000000) end module C06KnightsTour_KnightsTour use prelude.IntSize 
@@ -2088,7 +2217,8 @@ module C06KnightsTour_KnightsTour requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv14 self} ensures { result = shallow_model3 self } - axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv14 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv11 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) + axiom shallow_model3_spec : forall self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv14 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv11 (shallow_model3 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model3 self) <= UIntSize.to_int max0) predicate invariant14 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv11 (shallow_model3 self) val invariant14 (self : Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -2117,7 +2247,8 @@ module C06KnightsTour_KnightsTour requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv12 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv12 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv13 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv12 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv13 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant12 (self : Alloc_Vec_Vec_Type.t_vec (Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global)) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -2203,7 +2334,8 @@ module C06KnightsTour_KnightsTour requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self} ensures { result = shallow_model5 self } - axiom shallow_model5_spec : forall self : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv15 (shallow_model5 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max0) + axiom shallow_model5_spec : forall self : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv5 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv15 (shallow_model5 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model5 self) <= UIntSize.to_int max0) predicate invariant5 (self : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv15 (shallow_model5 self) val invariant5 (self : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -2222,7 +2354,8 @@ module C06KnightsTour_KnightsTour requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv4 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv6 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant4 (self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -2283,7 +2416,14 @@ module C06KnightsTour_KnightsTour requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv1 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global), ab : Seq.seq (isize, isize), b : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global), bc : Seq.seq (isize, isize), c : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 248 15 248 32] produces1 a ab b) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 249 15 249 32] produces1 b bc c) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 22 251 23] inv1 a) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 31 251 33] inv15 ab) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 43 251 44] inv1 b) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 52 251 54] inv15 bc) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv1 c) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 250 14 250 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global), ab : Seq.seq (isize, isize), b : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global), bc : Seq.seq (isize, isize), c : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global) . 
([#"../../../../../creusot-contracts/src/std/vec.rs" 248 15 248 32] produces1 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 249 15 249 32] produces1 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 22 251 23] inv1 a) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 31 251 33] inv15 ab) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 43 251 44] inv1 b) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 52 251 54] inv15 bc) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 251 64 251 65] inv1 c) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 250 14 250 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)) : () @@ -2293,7 +2433,8 @@ module C06KnightsTour_KnightsTour requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv1 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 243 14 243 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 244 21 244 25] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 243 14 243 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)) = 
@@ -2317,7 +2458,9 @@ module C06KnightsTour_KnightsTour predicate produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces0 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces0 self visited o } 
@@ -2333,34 +2476,42 @@ module C06KnightsTour_KnightsTour requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv11 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv11 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv11 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv11 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces0 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl0 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : Core_Ops_Range_Range_Type.t_range usize) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant0 (self : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = invariant0 self } axiom inv0 : forall x : Core_Ops_Range_Range_Type.t_range usize . 
inv0 x = true - use prelude.Ghost + use prelude.Snapshot use C06KnightsTour_Board_Type as C06KnightsTour_Board_Type predicate resolve8 (self : C06KnightsTour_Point_Type.t_point) = - [#"../../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true + [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve8 (self : C06KnightsTour_Point_Type.t_point) : bool ensures { result = resolve8 self } predicate resolve7 (self : usize) = - [#"../../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true + [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve7 (self : usize) : bool ensures { result = resolve7 self } predicate resolve6 (self : (usize, C06KnightsTour_Point_Type.t_point)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 18 8 18 60] resolve7 (let (a, _) = self in a) /\ resolve8 (let (_, a) = self in a) + [#"../../../../../creusot-contracts/src/resolve.rs" 16 8 16 60] resolve7 (let (a, _) = self in a) /\ resolve8 (let (_, a) = self in a) val resolve6 (self : (usize, C06KnightsTour_Point_Type.t_point)) : bool ensures { result = resolve6 self } 
@@ -2375,27 +2526,29 @@ module C06KnightsTour_KnightsTour predicate resolve4 (self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) -> resolve6 (index_logic0 self i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 51 8 51 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 self) + -> resolve6 (index_logic0 self i) val resolve4 (self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve4 self } function shallow_model8 (self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (usize, C06KnightsTour_Point_Type.t_point) = - [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model0 self + [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model0 self val shallow_model8 (self : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)) : Seq.seq (usize, C06KnightsTour_Point_Type.t_point) ensures { result = shallow_model8 self } val min0 [#"../06_knights_tour.rs" 111 0 111 58] (v : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)) : Core_Option_Option_Type.t_option (usize, C06KnightsTour_Point_Type.t_point) - ensures { [#"../06_knights_tour.rs" 109 0 110 62] forall r : (usize, C06KnightsTour_Point_Type.t_point) . result = Core_Option_Option_Type.C_Some r -> (exists i : int . 0 <= i /\ i < Seq.length (shallow_model8 v) /\ index_logic0 v i = r) } + ensures { [#"../06_knights_tour.rs" 109 0 110 62] forall r : (usize, C06KnightsTour_Point_Type.t_point) . result = Core_Option_Option_Type.C_Some r + -> (exists i : int . 
0 <= i /\ i < Seq.length (shallow_model8 v) /\ index_logic0 v i = r) } predicate resolve5 (self : isize) = - [#"../../../../../creusot-contracts/src/resolve.rs" 47 8 47 12] true + [#"../../../../../creusot-contracts/src/resolve.rs" 45 8 45 12] true val resolve5 (self : isize) : bool ensures { result = resolve5 self } predicate resolve2 (self : (isize, isize)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 18 8 18 60] resolve5 (let (a, _) = self in a) /\ resolve5 (let (_, a) = self in a) + [#"../../../../../creusot-contracts/src/resolve.rs" 16 8 16 60] resolve5 (let (a, _) = self in a) /\ resolve5 (let (_, a) = self in a) val resolve2 (self : (isize, isize)) : bool ensures { result = resolve2 self } @@ -2403,7 +2556,8 @@ module C06KnightsTour_KnightsTour predicate resolve3 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)) = - [#"../../../../../creusot-contracts/src/std/vec.rs" 222 8 222 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model6 self) -> resolve2 (Seq.get (shallow_model6 self) i) + [#"../../../../../creusot-contracts/src/std/vec.rs" 222 8 222 85] forall i : int . 0 <= i /\ i < Seq.length (shallow_model6 self) + -> resolve2 (Seq.get (shallow_model6 self) i) val resolve3 (self : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)) : bool ensures { result = resolve3 self } 
@@ -2411,7 +2565,7 @@ module C06KnightsTour_KnightsTour function shallow_model7 (self : borrowed (Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global))) : Seq.seq (usize, C06KnightsTour_Point_Type.t_point) = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model0 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model0 ( * self) val shallow_model7 (self : borrowed (Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global))) : Seq.seq (usize, C06KnightsTour_Point_Type.t_point) ensures { result = shallow_model7 self } @@ -2437,7 +2591,8 @@ module C06KnightsTour_KnightsTour ensures { result = index_logic2 self ix } predicate wf0 [#"../06_knights_tour.rs" 30 4 30 23] (self : C06KnightsTour_Board_Type.t_board) = - [#"../06_knights_tour.rs" 31 8 35 9] UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) <= 1000 /\ Seq.length (shallow_model2 (C06KnightsTour_Board_Type.board_field self)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) -> Seq.length (shallow_model3 (index_logic2 (C06KnightsTour_Board_Type.board_field self) i)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self)) + [#"../06_knights_tour.rs" 31 8 35 9] UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) <= 1000 /\ Seq.length (shallow_model2 (C06KnightsTour_Board_Type.board_field self)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int (C06KnightsTour_Board_Type.board_size self) + -> Seq.length (shallow_model3 (index_logic2 (C06KnightsTour_Board_Type.board_field self) i)) = UIntSize.to_int (C06KnightsTour_Board_Type.board_size self)) val wf0 [#"../06_knights_tour.rs" 30 4 30 23] (self : C06KnightsTour_Board_Type.t_board) : bool ensures { result = wf0 self } 
@@ -2447,7 +2602,7 @@ module C06KnightsTour_KnightsTour val available0 [#"../06_knights_tour.rs" 52 4 52 41] (self : C06KnightsTour_Board_Type.t_board) (p : C06KnightsTour_Point_Type.t_point) : bool requires {[#"../06_knights_tour.rs" 50 15 50 24] wf0 self} - ensures { [#"../06_knights_tour.rs" 51 4 51 44] result -> in_bounds0 self p } + ensures { [#"../06_knights_tour.rs" 51 4 51 44] result -> in_bounds0 self p } val mov0 [#"../06_knights_tour.rs" 18 4 18 45] (self : C06KnightsTour_Point_Type.t_point) (p : (isize, isize)) : C06KnightsTour_Point_Type.t_point requires {[#"../06_knights_tour.rs" 12 15 12 52] - 10000 <= IntSize.to_int (C06KnightsTour_Point_Type.point_x self) /\ IntSize.to_int (C06KnightsTour_Point_Type.point_x self) <= 10000} @@ -2461,14 +2616,14 @@ module C06KnightsTour_KnightsTour predicate resolve1 (self : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global))) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global))) : bool ensures { result = resolve1 self } function shallow_model9 (self : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global))) : Seq.seq (isize, isize) = - [#"../../../../../creusot-contracts/src/model.rs" 97 8 97 31] shallow_model6 ( * self) + [#"../../../../../creusot-contracts/src/model.rs" 101 8 101 31] shallow_model6 ( * self) val shallow_model9 (self : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global))) : Seq.seq (isize, isize) ensures { result = shallow_model9 self } 
@@ -2487,10 +2642,10 @@ module C06KnightsTour_KnightsTour end } ensures { inv8 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post1 (self : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global)) (res : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)) = @@ -2518,7 +2673,8 @@ module C06KnightsTour_KnightsTour val moves0 [#"../06_knights_tour.rs" 95 0 95 33] (_1 : ()) : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global) ensures { [#"../06_knights_tour.rs" 93 10 93 28] Seq.length (shallow_model5 result) = 8 } - ensures { [#"../06_knights_tour.rs" 94 0 94 130] forall i : int . 0 <= i /\ i < 8 -> - 2 <= IntSize.to_int (let (a, _) = index_logic3 result i in a) /\ IntSize.to_int (let (a, _) = index_logic3 result i in a) <= 2 /\ - 2 <= IntSize.to_int (let (_, a) = index_logic3 result i in a) /\ IntSize.to_int (let (_, a) = index_logic3 result i in a) <= 2 } + ensures { [#"../06_knights_tour.rs" 94 0 94 130] forall i : int . 0 <= i /\ i < 8 + -> - 2 <= IntSize.to_int (let (a, _) = index_logic3 result i in a) /\ IntSize.to_int (let (a, _) = index_logic3 result i in a) <= 2 /\ - 2 <= IntSize.to_int (let (_, a) = index_logic3 result i in a) /\ IntSize.to_int (let (_, a) = index_logic3 result i in a) <= 2 } val new4 (_1 : ()) : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global) ensures { [#"../../../../../creusot-contracts/src/std/vec.rs" 68 26 68 44] Seq.length (shallow_model0 result) = 0 } 
@@ -2526,7 +2682,7 @@ module C06KnightsTour_KnightsTour use seq.Seq predicate resolve0 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) : bool ensures { result = resolve0 self } @@ -2543,10 +2699,10 @@ module C06KnightsTour_KnightsTour end } ensures { inv3 result } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_Range_Type.t_range usize) (res : Core_Ops_Range_Range_Type.t_range usize) = 
@@ -2565,14 +2721,15 @@ module C06KnightsTour_KnightsTour ensures { [#"../../../../../creusot-contracts/src/std/iter.rs" 89 0 166 1] into_iter_post0 self result } ensures { inv0 result } - use prelude.Ghost + use prelude.Snapshot function dumb_nonlinear_arith0 [#"../06_knights_tour.rs" 131 0 131 33] (a : usize) : () = [#"../06_knights_tour.rs" 128 0 128 8] () val dumb_nonlinear_arith0 [#"../06_knights_tour.rs" 131 0 131 33] (a : usize) : () requires {[#"../06_knights_tour.rs" 129 11 129 22] UIntSize.to_int a <= 1000} ensures { result = dumb_nonlinear_arith0 a } - axiom dumb_nonlinear_arith0_spec : forall a : usize . ([#"../06_knights_tour.rs" 129 11 129 22] UIntSize.to_int a <= 1000) -> ([#"../06_knights_tour.rs" 130 10 130 30] UIntSize.to_int a * UIntSize.to_int a <= 1000000) + axiom dumb_nonlinear_arith0_spec : forall a : usize . ([#"../06_knights_tour.rs" 129 11 129 22] UIntSize.to_int a <= 1000) + -> ([#"../06_knights_tour.rs" 130 10 130 30] UIntSize.to_int a * UIntSize.to_int a <= 1000000) val set0 [#"../06_knights_tour.rs" 87 4 87 41] (self : borrowed (C06KnightsTour_Board_Type.t_board)) (p : C06KnightsTour_Point_Type.t_point) (v : usize) : () requires {[#"../06_knights_tour.rs" 83 15 83 24] wf0 ( * self)} requires {[#"../06_knights_tour.rs" 84 15 84 32] in_bounds0 ( * self) p} 
@@ -2596,29 +2753,33 @@ module C06KnightsTour_KnightsTour var y : usize = y; var board : C06KnightsTour_Board_Type.t_board; var p : C06KnightsTour_Point_Type.t_point; + var _10 : isize; + var _12 : isize; var _14 : (); var _15 : borrowed (C06KnightsTour_Board_Type.t_board); - var _17 : Ghost.ghost_ty (); + var _17 : Snapshot.snap_ty (); var iter : Core_Ops_Range_Range_Type.t_range usize; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range usize); - var produced : Ghost.ghost_ty (Seq.seq usize); + var _21 : Core_Ops_Range_Range_Type.t_range usize; + var _22 : usize; + var iter_old : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range usize); + var produced : Snapshot.snap_ty (Seq.seq usize); var _34 : (); var _35 : Core_Option_Option_Type.t_option usize; var _36 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var _37 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var __creusot_proc_iter_elem : usize; - var _40 : Ghost.ghost_ty (Seq.seq usize); + var _40 : Snapshot.snap_ty (Seq.seq usize); var step : usize; var candidates : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global); var iter1 : Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global); var _46 : Alloc_Vec_Vec_Type.t_vec (isize, isize) (Alloc_Alloc_Global_Type.t_global); - var iter_old1 : Ghost.ghost_ty (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)); - var produced1 : Ghost.ghost_ty (Seq.seq (isize, isize)); + var iter_old1 : Snapshot.snap_ty (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)); + var produced1 : Snapshot.snap_ty (Seq.seq (isize, isize)); var _54 : Core_Option_Option_Type.t_option (isize, isize); var _55 : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) (Alloc_Alloc_Global_Type.t_global)); var _56 : borrowed (Alloc_Vec_IntoIter_IntoIter_Type.t_intoiter (isize, isize) 
(Alloc_Alloc_Global_Type.t_global)); var __creusot_proc_iter_elem1 : (isize, isize); - var _59 : Ghost.ghost_ty (Seq.seq (isize, isize)); + var _59 : Snapshot.snap_ty (Seq.seq (isize, isize)); var m : (isize, isize); var adj : C06KnightsTour_Point_Type.t_point; var _65 : (isize, isize); @@ -2626,6 +2787,7 @@ module C06KnightsTour_KnightsTour var degree : usize; var _72 : (); var _73 : borrowed (Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)); + var _74 : (usize, C06KnightsTour_Point_Type.t_point); var _79 : Core_Option_Option_Type.t_option (usize, C06KnightsTour_Point_Type.t_point); var _81 : Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global); var adj1 : C06KnightsTour_Point_Type.t_point; 
@@ -2635,31 +2797,39 @@ module C06KnightsTour_KnightsTour goto BB0 } BB0 { - [#"../06_knights_tour.rs" 137 20 137 36] board <- ([#"../06_knights_tour.rs" 137 20 137 36] new0 ([#"../06_knights_tour.rs" 137 31 137 35] size)); + [#"../06_knights_tour.rs" 137 20 137 36] board <- ([#"../06_knights_tour.rs" 137 20 137 36] new0 size); goto BB1 } BB1 { - [#"../06_knights_tour.rs" 138 16 138 54] p <- ([#"../06_knights_tour.rs" 138 16 138 54] C06KnightsTour_Point_Type.C_Point ([#"../06_knights_tour.rs" 138 27 138 37] IntSize.of_int (UIntSize.to_int ([#"../06_knights_tour.rs" 138 27 138 28] x))) ([#"../06_knights_tour.rs" 138 42 138 52] IntSize.of_int (UIntSize.to_int ([#"../06_knights_tour.rs" 138 42 138 43] y)))); + [#"../06_knights_tour.rs" 138 27 138 37] _10 <- IntSize.of_int (UIntSize.to_int x); + [#"../06_knights_tour.rs" 138 42 138 52] _12 <- IntSize.of_int (UIntSize.to_int y); + [#"../06_knights_tour.rs" 138 16 138 54] p <- C06KnightsTour_Point_Type.C_Point _10 _12; + _10 <- any isize; + _12 <- any isize; [#"../06_knights_tour.rs" 139 4 139 9] _15 <- Borrow.borrow_mut board; [#"../06_knights_tour.rs" 139 4 139 9] board <- ^ _15; - [#"../06_knights_tour.rs" 139 4 139 19] _14 <- ([#"../06_knights_tour.rs" 139 4 139 19] set0 _15 ([#"../06_knights_tour.rs" 139 14 139 15] p) ([#"../06_knights_tour.rs" 139 17 139 18] [#"../06_knights_tour.rs" 139 17 139 18] (1 : usize))); + [#"../06_knights_tour.rs" 139 4 139 19] _14 <- ([#"../06_knights_tour.rs" 139 4 139 19] set0 _15 p ([#"../06_knights_tour.rs" 139 17 139 18] (1 : usize))); _15 <- any borrowed (C06KnightsTour_Board_Type.t_board); goto BB2 } BB2 { - [#"../06_knights_tour.rs" 141 4 141 38] _17 <- ([#"../06_knights_tour.rs" 141 4 141 38] Ghost.new (dumb_nonlinear_arith0 size)); + [#"../06_knights_tour.rs" 141 4 141 44] _17 <- ([#"../06_knights_tour.rs" 141 4 141 44] Snapshot.new (dumb_nonlinear_arith0 size)); goto BB3 } BB3 { - [#"../06_knights_tour.rs" 142 4 142 36] iter <- ([#"../06_knights_tour.rs" 142 4 142 36] 
into_iter0 ([#"../06_knights_tour.rs" 145 16 145 32] Core_Ops_Range_Range_Type.C_Range ([#"../06_knights_tour.rs" 145 16 145 17] [#"../06_knights_tour.rs" 145 16 145 17] (2 : usize)) ([#"../06_knights_tour.rs" 145 19 145 32] ([#"../06_knights_tour.rs" 145 20 145 24] size) * ([#"../06_knights_tour.rs" 145 27 145 31] size)))); + [#"../06_knights_tour.rs" 145 19 145 32] _22 <- size * size; + [#"../06_knights_tour.rs" 145 16 145 32] _21 <- Core_Ops_Range_Range_Type.C_Range ([#"../06_knights_tour.rs" 145 16 145 17] (2 : usize)) _22; + _22 <- any usize; + [#"../06_knights_tour.rs" 142 4 142 36] iter <- ([#"../06_knights_tour.rs" 142 4 142 36] into_iter0 _21); + _21 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB4 } BB4 { - [#"../06_knights_tour.rs" 142 4 142 36] iter_old <- ([#"../06_knights_tour.rs" 142 4 142 36] Ghost.new iter); + [#"../06_knights_tour.rs" 142 4 142 36] iter_old <- ([#"../06_knights_tour.rs" 142 4 142 36] Snapshot.new iter); goto BB5 } BB5 { - [#"../06_knights_tour.rs" 142 4 142 36] produced <- ([#"../06_knights_tour.rs" 142 4 142 36] Ghost.new (Seq.empty )); + [#"../06_knights_tour.rs" 142 4 142 36] produced <- ([#"../06_knights_tour.rs" 142 4 142 36] Snapshot.new (Seq.empty )); goto BB6 } BB6 { @@ -2673,7 +2843,7 @@ module C06KnightsTour_KnightsTour } BB9 { invariant { [#"../06_knights_tour.rs" 142 4 142 36] inv0 iter }; - invariant { [#"../06_knights_tour.rs" 142 4 142 36] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; + invariant { [#"../06_knights_tour.rs" 142 4 142 36] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; invariant { [#"../06_knights_tour.rs" 142 16 142 34] C06KnightsTour_Board_Type.board_size board = size }; invariant { [#"../06_knights_tour.rs" 143 16 143 26] wf0 board }; invariant { [#"../06_knights_tour.rs" 144 16 144 34] in_bounds0 board p }; 
@@ -2696,9 +2866,9 @@ module C06KnightsTour_KnightsTour end } BB12 { - [#"../06_knights_tour.rs" 163 4 163 15] _0 <- ([#"../06_knights_tour.rs" 163 4 163 15] Core_Option_Option_Type.C_Some ([#"../06_knights_tour.rs" 163 9 163 14] board)); - [#"../06_knights_tour.rs" 163 9 163 14] board <- any C06KnightsTour_Board_Type.t_board; - goto BB46 + [#"../06_knights_tour.rs" 163 4 163 15] _0 <- Core_Option_Option_Type.C_Some board; + board <- any C06KnightsTour_Board_Type.t_board; + goto BB48 } BB13 { goto BB15 
@@ -2708,19 +2878,19 @@ module C06KnightsTour_KnightsTour absurd } BB15 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _35); - [#"../06_knights_tour.rs" 142 4 142 36] _40 <- ([#"../06_knights_tour.rs" 142 4 142 36] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _35; + [#"../06_knights_tour.rs" 142 4 142 36] _40 <- ([#"../06_knights_tour.rs" 142 4 142 36] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB16 } BB16 { - [#"../06_knights_tour.rs" 142 4 142 36] produced <- ([#"../06_knights_tour.rs" 142 4 142 36] _40); - [#"../06_knights_tour.rs" 142 4 142 36] _40 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] step <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem); - [#"../06_knights_tour.rs" 147 50 147 60] candidates <- ([#"../06_knights_tour.rs" 147 50 147 60] new4 ()); + [#"../06_knights_tour.rs" 142 4 142 36] produced <- _40; + _40 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] step <- __creusot_proc_iter_elem; + [#"../06_knights_tour.rs" 147 50 147 60] candidates <- ([#"../06_knights_tour.rs" 147 50 147 60] new4 ([#"../06_knights_tour.rs" 147 50 147 60] ())); goto BB17 } BB17 { - [#"../06_knights_tour.rs" 150 17 150 24] _46 <- ([#"../06_knights_tour.rs" 150 17 150 24] moves0 ()); + [#"../06_knights_tour.rs" 150 17 150 24] _46 <- ([#"../06_knights_tour.rs" 150 17 150 24] moves0 ([#"../06_knights_tour.rs" 150 17 150 24] ())); goto BB18 } BB18 { 
@@ -2729,11 +2899,11 @@ module C06KnightsTour_KnightsTour goto BB19 } BB19 { - [#"../06_knights_tour.rs" 148 8 149 54] iter_old1 <- ([#"../06_knights_tour.rs" 148 8 149 54] Ghost.new iter1); + [#"../06_knights_tour.rs" 148 8 149 54] iter_old1 <- ([#"../06_knights_tour.rs" 148 8 149 54] Snapshot.new iter1); goto BB20 } BB20 { - [#"../06_knights_tour.rs" 148 8 149 54] produced1 <- ([#"../06_knights_tour.rs" 148 8 149 54] Ghost.new (Seq.empty )); + [#"../06_knights_tour.rs" 148 8 149 54] produced1 <- ([#"../06_knights_tour.rs" 148 8 149 54] Snapshot.new (Seq.empty )); goto BB21 } BB21 { @@ -2750,8 +2920,9 @@ module C06KnightsTour_KnightsTour } BB25 { invariant { [#"../06_knights_tour.rs" 148 8 149 54] inv1 iter1 }; - invariant { [#"../06_knights_tour.rs" 148 8 149 54] produces1 (Ghost.inner iter_old1) (Ghost.inner produced1) iter1 }; - invariant { [#"../06_knights_tour.rs" 148 8 149 54] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 candidates) -> in_bounds0 board (let (_, a) = index_logic0 candidates i in a) }; + invariant { [#"../06_knights_tour.rs" 148 8 149 54] produces1 (Snapshot.inner iter_old1) (Snapshot.inner produced1) iter1 }; + invariant { [#"../06_knights_tour.rs" 148 8 149 54] forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 candidates) + -> in_bounds0 board (let (_, a) = index_logic0 candidates i in a) }; goto BB26 } BB26 { 
@@ -2772,120 +2943,121 @@ module C06KnightsTour_KnightsTour } BB28 { assume { resolve3 iter1 }; - goto BB39 + goto BB40 } BB29 { - goto BB30 + goto BB31 } BB30 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem1 <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _54); - [#"../06_knights_tour.rs" 148 8 149 54] _59 <- ([#"../06_knights_tour.rs" 148 8 149 54] Ghost.new (Seq.(++) (Ghost.inner produced1) (Seq.singleton __creusot_proc_iter_elem1))); - goto BB31 + assume { resolve3 iter1 }; + assume { resolve4 candidates }; + assert { [#"../06_knights_tour.rs" 148 8 149 54] false }; + absurd } BB31 { - [#"../06_knights_tour.rs" 148 8 149 54] produced1 <- ([#"../06_knights_tour.rs" 148 8 149 54] _59); - [#"../06_knights_tour.rs" 148 8 149 54] _59 <- any Ghost.ghost_ty (Seq.seq (isize, isize)); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] m <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem1); - assume { resolve2 __creusot_proc_iter_elem1 }; - [#"../06_knights_tour.rs" 151 28 151 30] _65 <- ([#"../06_knights_tour.rs" 151 28 151 30] m); - [#"../06_knights_tour.rs" 151 22 151 31] adj <- ([#"../06_knights_tour.rs" 151 22 151 31] mov0 ([#"../06_knights_tour.rs" 151 22 151 23] p) ([#"../06_knights_tour.rs" 151 28 151 30] _65)); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem1 <- Core_Option_Option_Type.some_0 _54; + [#"../06_knights_tour.rs" 148 8 149 54] _59 <- ([#"../06_knights_tour.rs" 148 8 149 54] Snapshot.new (Seq.(++) (Snapshot.inner produced1) (Seq.singleton __creusot_proc_iter_elem1))); goto BB32 } BB32 { - assume { resolve2 m }; - [#"../06_knights_tour.rs" 152 15 152 35] _66 <- ([#"../06_knights_tour.rs" 152 15 152 35] available0 ([#"../06_knights_tour.rs" 152 15 152 20] board) ([#"../06_knights_tour.rs" 152 31 152 34] adj)); + [#"../06_knights_tour.rs" 148 8 
149 54] produced1 <- _59; + _59 <- any Snapshot.snap_ty (Seq.seq (isize, isize)); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] m <- __creusot_proc_iter_elem1; + assume { resolve2 __creusot_proc_iter_elem1 }; + [#"../06_knights_tour.rs" 151 28 151 30] _65 <- m; + [#"../06_knights_tour.rs" 151 22 151 31] adj <- ([#"../06_knights_tour.rs" 151 22 151 31] mov0 p _65); goto BB33 } BB33 { - switch (_66) - | False -> goto BB37 - | True -> goto BB34 - end + assume { resolve2 m }; + [#"../06_knights_tour.rs" 152 15 152 35] _66 <- ([#"../06_knights_tour.rs" 152 15 152 35] available0 board adj); + goto BB34 } BB34 { - [#"../06_knights_tour.rs" 153 29 153 52] degree <- ([#"../06_knights_tour.rs" 153 29 153 52] count_degree0 ([#"../06_knights_tour.rs" 153 29 153 34] board) ([#"../06_knights_tour.rs" 153 48 153 51] adj)); - goto BB35 + switch (_66) + | False -> goto BB38 + | True -> goto BB35 + end } BB35 { - [#"../06_knights_tour.rs" 154 16 154 26] _73 <- Borrow.borrow_mut candidates; - [#"../06_knights_tour.rs" 154 16 154 26] candidates <- ^ _73; - [#"../06_knights_tour.rs" 154 16 154 46] _72 <- ([#"../06_knights_tour.rs" 154 16 154 46] push0 _73 ([#"../06_knights_tour.rs" 154 32 154 45] (([#"../06_knights_tour.rs" 154 33 154 39] degree), ([#"../06_knights_tour.rs" 154 41 154 44] adj)))); - _73 <- any borrowed (Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)); + [#"../06_knights_tour.rs" 153 29 153 52] degree <- ([#"../06_knights_tour.rs" 153 29 153 52] count_degree0 board adj); goto BB36 } BB36 { - [#"../06_knights_tour.rs" 152 36 155 13] _34 <- ([#"../06_knights_tour.rs" 152 36 155 13] ()); - goto BB38 + [#"../06_knights_tour.rs" 154 16 154 26] _73 <- Borrow.borrow_mut candidates; + [#"../06_knights_tour.rs" 154 16 154 26] candidates <- ^ _73; + [#"../06_knights_tour.rs" 154 32 154 45] _74 <- (degree, adj); + [#"../06_knights_tour.rs" 154 16 154 46] _72 <- ([#"../06_knights_tour.rs" 154 16 154 46] 
push0 _73 _74); + _73 <- any borrowed (Alloc_Vec_Vec_Type.t_vec (usize, C06KnightsTour_Point_Type.t_point) (Alloc_Alloc_Global_Type.t_global)); + _74 <- any (usize, C06KnightsTour_Point_Type.t_point); + goto BB37 } BB37 { - [#"../06_knights_tour.rs" 155 13 155 13] _34 <- ([#"../06_knights_tour.rs" 155 13 155 13] ()); - goto BB38 + [#"../06_knights_tour.rs" 152 36 155 13] _34 <- ([#"../06_knights_tour.rs" 152 36 155 13] ()); + goto BB39 } BB38 { - goto BB25 + [#"../06_knights_tour.rs" 155 13 155 13] _34 <- ([#"../06_knights_tour.rs" 155 13 155 13] ()); + goto BB39 } BB39 { - [#"../06_knights_tour.rs" 157 18 157 29] _81 <- ([#"../06_knights_tour.rs" 157 18 157 29] candidates); - [#"../06_knights_tour.rs" 157 14 157 30] _79 <- ([#"../06_knights_tour.rs" 157 14 157 30] min0 ([#"../06_knights_tour.rs" 157 18 157 29] _81)); - goto BB40 + goto BB25 } BB40 { - switch (_79) - | Core_Option_Option_Type.C_None -> goto BB41 - | Core_Option_Option_Type.C_Some _ -> goto BB42 - end + [#"../06_knights_tour.rs" 157 18 157 29] _81 <- candidates; + [#"../06_knights_tour.rs" 157 14 157 30] _79 <- ([#"../06_knights_tour.rs" 157 14 157 30] min0 _81); + goto BB41 } BB41 { - [#"../06_knights_tour.rs" 159 27 159 31] _0 <- ([#"../06_knights_tour.rs" 159 27 159 31] Core_Option_Option_Type.C_None); - assume { resolve4 candidates }; - goto BB48 + switch (_79) + | Core_Option_Option_Type.C_None -> goto BB42 + | Core_Option_Option_Type.C_Some _ -> goto BB43 + end } BB42 { - goto BB43 + [#"../06_knights_tour.rs" 159 27 159 31] _0 <- Core_Option_Option_Type.C_None; + assume { resolve4 candidates }; + goto BB50 } BB43 { - [#"../06_knights_tour.rs" 158 22 158 25] adj1 <- ([#"../06_knights_tour.rs" 158 22 158 25] let (_, a) = Core_Option_Option_Type.some_0 _79 in a); - assume { resolve4 candidates }; - [#"../06_knights_tour.rs" 158 31 158 38] p <- ([#"../06_knights_tour.rs" 158 35 158 38] adj1); - [#"../06_knights_tour.rs" 161 8 161 13] _87 <- Borrow.borrow_mut board; - [#"../06_knights_tour.rs" 161 
8 161 13] board <- ^ _87; - [#"../06_knights_tour.rs" 161 8 161 26] _86 <- ([#"../06_knights_tour.rs" 161 8 161 26] set0 _87 ([#"../06_knights_tour.rs" 161 18 161 19] p) ([#"../06_knights_tour.rs" 161 21 161 25] step)); - _87 <- any borrowed (C06KnightsTour_Board_Type.t_board); - goto BB44 + goto BB45 } BB44 { - [#"../06_knights_tour.rs" 145 33 162 5] _34 <- ([#"../06_knights_tour.rs" 145 33 162 5] ()); - goto BB45 + assume { resolve4 candidates }; + assert { [#"../06_knights_tour.rs" 157 14 157 30] false }; + absurd } BB45 { - goto BB9 + [#"../06_knights_tour.rs" 158 22 158 25] adj1 <- (let (_, a) = Core_Option_Option_Type.some_0 _79 in a); + assume { resolve4 candidates }; + [#"../06_knights_tour.rs" 158 31 158 38] p <- adj1; + [#"../06_knights_tour.rs" 161 8 161 13] _87 <- Borrow.borrow_mut board; + [#"../06_knights_tour.rs" 161 8 161 13] board <- ^ _87; + [#"../06_knights_tour.rs" 161 8 161 26] _86 <- ([#"../06_knights_tour.rs" 161 8 161 26] set0 _87 p step); + _87 <- any borrowed (C06KnightsTour_Board_Type.t_board); + goto BB46 } BB46 { + [#"../06_knights_tour.rs" 145 33 162 5] _34 <- ([#"../06_knights_tour.rs" 145 33 162 5] ()); goto BB47 } BB47 { - goto BB50 + goto BB9 } BB48 { goto BB49 } BB49 { - goto BB50 + goto BB52 } BB50 { - return _0 + goto BB51 } - BB57 { - goto BB14 - } - BB58 { - assume { resolve3 iter1 }; - assume { resolve4 candidates }; - goto BB14 + BB51 { + goto BB52 } - BB59 { - assume { resolve4 candidates }; - goto BB14 + BB52 { + return _0 } end 
@@ -2915,5 +3087,6 @@ module C06KnightsTour_Impl3 axiom inv0 : forall x : C06KnightsTour_Point_Type.t_point . inv0 x = true use prelude.Borrow - goal clone'_refn : [#"../06_knights_tour.rs" 4 15 4 20] forall self : C06KnightsTour_Point_Type.t_point . inv0 self -> (forall result : C06KnightsTour_Point_Type.t_point . result = self -> inv1 result /\ result = self) + goal clone'_refn : [#"../06_knights_tour.rs" 4 15 4 20] forall self : C06KnightsTour_Point_Type.t_point . inv0 self + -> (forall result : C06KnightsTour_Point_Type.t_point . result = self -> inv1 result /\ result = self) end diff --git a/creusot/tests/should_succeed/vector/06_knights_tour.rs b/creusot/tests/should_succeed/vector/06_knights_tour.rs index 84e824fb06..b3f6643fdc 100644 --- a/creusot/tests/should_succeed/vector/06_knights_tour.rs +++ b/creusot/tests/should_succeed/vector/06_knights_tour.rs @@ -125,7 +125,7 @@ fn min(v: &Vec<(usize, Point)>) -> Option<&(usize, Point)> { min } -#[ghost] +#[logic] #[requires(a@ <= 1_000)] #[ensures(a@ * a@ <= 1_000_000)] fn dumb_nonlinear_arith(a: usize) {} @@ -138,7 +138,7 @@ pub fn knights_tour(size: usize, x: usize, y: usize) -> Option { let mut p = Point { x: x as isize, y: y as isize }; board.set(p, 1); - gh! { dumb_nonlinear_arith(size) }; + snapshot! { dumb_nonlinear_arith(size) }; #[invariant(board.size == size)] #[invariant(board.wf())] #[invariant(board.in_bounds(p))] diff --git a/creusot/tests/should_succeed/vector/06_knights_tour/why3session.xml b/creusot/tests/should_succeed/vector/06_knights_tour/why3session.xml index 08fc5c9d89..1484c10f0b 100644 --- a/creusot/tests/should_succeed/vector/06_knights_tour/why3session.xml +++ b/creusot/tests/should_succeed/vector/06_knights_tour/why3session.xml @@ -14,7 +14,7 @@ - + @@ -26,35 +26,35 @@ - + - + - + - + - + - + - + - + - + @@ -95,7 +95,7 @@ - + @@ -110,7 +110,7 @@ - + @@ -133,7 +133,7 @@ - + @@ -148,7 +148,7 @@ - + @@ -164,7 +164,7 @@ - + @@ -172,7 +172,7 @@ - + @@ -188,7 +188,7 @@ - + 
@@ -218,7 +218,7 @@ - + @@ -227,11 +227,7 @@ - - - - - + @@ -244,10 +240,10 @@ - + - + @@ -263,7 +259,7 @@ - + @@ -274,7 +270,7 @@ - + @@ -283,7 +279,7 @@ - + @@ -292,83 +288,83 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -383,7 +379,7 @@ - + @@ -398,7 +394,7 @@ - + @@ -421,7 +417,7 @@ - + @@ -436,7 +432,7 @@ - + @@ -449,28 +445,28 @@ - + - + - + - + - + - + - + - + diff --git a/creusot/tests/should_succeed/vector/06_knights_tour/why3shapes.gz b/creusot/tests/should_succeed/vector/06_knights_tour/why3shapes.gz index b1bd941858..4b844811c1 100644 Binary files a/creusot/tests/should_succeed/vector/06_knights_tour/why3shapes.gz and b/creusot/tests/should_succeed/vector/06_knights_tour/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/vector/07_read_write.mlcfg b/creusot/tests/should_succeed/vector/07_read_write.mlcfg index d118aaa7f0..2542638fc2 100644 --- a/creusot/tests/should_succeed/vector/07_read_write.mlcfg +++ b/creusot/tests/should_succeed/vector/07_read_write.mlcfg @@ -17,12 +17,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
@@ -123,7 +129,8 @@ module C07ReadWrite_ReadWrite requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv7 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv7 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv7 (shallow_model2 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool @@ -194,7 +201,8 @@ module C07ReadWrite_ReadWrite ensures { result = resolve0 self } predicate resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq t) (fin : Seq.seq t) = - [#"../../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' -> Seq.get old' i = Seq.get fin i + [#"../../../../../creusot-contracts/src/std/slice.rs" 129 8 129 96] forall i : int . 0 <= i /\ i <> UIntSize.to_int self /\ i < Seq.length old' + -> Seq.get old' i = Seq.get fin i val resolve_elswhere0 [@inline:trivial] (self : usize) (old' : Seq.seq t) (fin : Seq.seq t) : bool ensures { result = resolve_elswhere0 self old' fin } 
@@ -229,23 +237,23 @@ module C07ReadWrite_ReadWrite [#"../07_read_write.rs" 7 4 7 5] _7 <- Borrow.borrow_final ( * a) (Borrow.get_id a); [#"../07_read_write.rs" 7 4 7 5] a <- { a with current = ( ^ _7) ; }; assume { inv0 ( ^ _7) }; - [#"../07_read_write.rs" 7 5 7 8] _6 <- ([#"../07_read_write.rs" 7 5 7 8] index_mut0 _7 ([#"../07_read_write.rs" 7 6 7 7] i)); + [#"../07_read_write.rs" 7 5 7 8] _6 <- ([#"../07_read_write.rs" 7 5 7 8] index_mut0 _7 i); _7 <- any borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); goto BB1 } BB1 { - [#"../07_read_write.rs" 7 4 7 12] _6 <- { _6 with current = ([#"../07_read_write.rs" 7 11 7 12] x) ; }; + [#"../07_read_write.rs" 7 4 7 12] _6 <- { _6 with current = x ; }; assert { [@expl:type invariant] inv1 ( * _6) }; assume { resolve0 ( * _6) }; assert { [@expl:type invariant] inv2 _6 }; assume { resolve1 _6 }; - [#"../07_read_write.rs" 8 13 8 16] _12 <- ([#"../07_read_write.rs" 8 13 8 16] index0 ([#"../07_read_write.rs" 8 12 8 13] * a) ([#"../07_read_write.rs" 8 14 8 15] i)); + [#"../07_read_write.rs" 8 13 8 16] _12 <- ([#"../07_read_write.rs" 8 13 8 16] index0 ( * a) i); goto BB2 } BB2 { assert { [@expl:type invariant] inv3 _12 }; assume { resolve2 _12 }; - [#"../07_read_write.rs" 8 12 8 21] _10 <- ([#"../07_read_write.rs" 8 12 8 21] eq0 ([#"../07_read_write.rs" 8 12 8 16] _12) ([#"../07_read_write.rs" 8 20 8 21] x)); + [#"../07_read_write.rs" 8 12 8 21] _10 <- ([#"../07_read_write.rs" 8 12 8 21] eq0 _12 x); goto BB3 } BB3 { diff --git a/creusot/tests/should_succeed/vector/07_read_write/why3session.xml b/creusot/tests/should_succeed/vector/07_read_write/why3session.xml index 98a5df018e..2d10346b52 100644 --- a/creusot/tests/should_succeed/vector/07_read_write/why3session.xml +++ b/creusot/tests/should_succeed/vector/07_read_write/why3session.xml @@ -7,7 +7,7 @@ - + 
diff --git a/creusot/tests/should_succeed/vector/07_read_write/why3shapes.gz b/creusot/tests/should_succeed/vector/07_read_write/why3shapes.gz index 8ef050ee62..bfe8b45a8f 100644 Binary files a/creusot/tests/should_succeed/vector/07_read_write/why3shapes.gz and b/creusot/tests/should_succeed/vector/07_read_write/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/vector/08_haystack.mlcfg b/creusot/tests/should_succeed/vector/08_haystack.mlcfg index d59267e937..33779650cd 100644 --- a/creusot/tests/should_succeed/vector/08_haystack.mlcfg +++ b/creusot/tests/should_succeed/vector/08_haystack.mlcfg @@ -17,12 +17,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type 
@@ -104,7 +110,8 @@ module C08Haystack_Search requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self} ensures { result = shallow_model2 self } - axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) + axiom shallow_model2_spec : forall self : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv9 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv10 (shallow_model2 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model2 self) <= UIntSize.to_int max0) predicate invariant9 (self : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv10 (shallow_model2 self) val invariant9 (self : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -201,7 +208,9 @@ module C08Haystack_Search predicate produces1 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) = - [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) + [#"../../../../../creusot-contracts/src/std/iter/range.rs" 21 8 27 9] Core_Ops_Range_Range_Type.range_end self = Core_Ops_Range_Range_Type.range_end o /\ deep_model0 (Core_Ops_Range_Range_Type.range_start self) <= deep_model0 (Core_Ops_Range_Range_Type.range_start o) /\ (Seq.length visited > 0 + -> deep_model0 (Core_Ops_Range_Range_Type.range_start o) <= deep_model0 (Core_Ops_Range_Range_Type.range_end o)) /\ Seq.length visited = deep_model0 (Core_Ops_Range_Range_Type.range_start o) - deep_model0 (Core_Ops_Range_Range_Type.range_start self) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (Core_Ops_Range_Range_Type.range_start self) + i) val produces1 (self : Core_Ops_Range_Range_Type.t_range usize) (visited : Seq.seq usize) (o : Core_Ops_Range_Range_Type.t_range usize) : bool ensures { result = produces1 self visited o } 
@@ -217,14 +226,22 @@ module C08Haystack_Search requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c} ensures { result = produces_trans1 a ab b bc c } - axiom produces_trans1_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces1 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces1 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv1 a) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv8 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv1 b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv8 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces1 a (Seq.(++) ab bc) c) + axiom produces_trans1_spec : forall a : Core_Ops_Range_Range_Type.t_range usize, ab : Seq.seq usize, b : Core_Ops_Range_Range_Type.t_range usize, bc : Seq.seq usize, c : Core_Ops_Range_Range_Type.t_range usize . 
([#"../../../../../creusot-contracts/src/std/iter/range.rs" 37 15 37 32] produces1 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 38 15 38 32] produces1 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 22 40 23] inv1 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 31 40 33] inv8 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 52 40 53] inv1 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 61 40 63] inv8 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 40 82 40 83] inv1 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 39 14 39 42] produces1 a (Seq.(++) ab bc) c) use seq.Seq function produces_refl1 (self : Core_Ops_Range_Range_Type.t_range usize) : () val produces_refl1 (self : Core_Ops_Range_Range_Type.t_range usize) : () requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self} ensures { result = produces_refl1 self } - axiom produces_refl1_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces1 self (Seq.empty ) self) + axiom produces_refl1_spec : forall self : Core_Ops_Range_Range_Type.t_range usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 33 21 33 25] inv1 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 32 14 32 45] produces1 self (Seq.empty ) self) predicate invariant1 (self : Core_Ops_Range_Range_Type.t_range usize) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant1 (self : Core_Ops_Range_Range_Type.t_range usize) : bool 
@@ -249,7 +266,9 @@ module C08Haystack_Search requires {[#"../../../../../creusot-contracts/src/std/ops.rs" 207 20 207 24] inv0 self} ensures { result = is_empty_log0 self } - axiom is_empty_log0_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../../creusot-contracts/src/std/ops.rs" 207 20 207 24] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 206 4 206 88] not is_empty_log0 self -> deep_model0 (start_log0 self) <= deep_model0 (end_log0 self)) + axiom is_empty_log0_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../../creusot-contracts/src/std/ops.rs" 207 20 207 24] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/ops.rs" 206 4 206 88] not is_empty_log0 self + -> deep_model0 (start_log0 self) <= deep_model0 (end_log0 self)) function range_inclusive_len0 (r : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) : int = [#"../../../../../creusot-contracts/src/std/iter/range.rs" 47 4 50 5] if is_empty_log0 r then 0 
@@ -260,11 +279,14 @@ module C08Haystack_Search requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 46 62 46 63] inv0 r} ensures { result = range_inclusive_len0 r } - axiom range_inclusive_len0_spec : forall r : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 46 62 46 63] inv0 r) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43] is_empty_log0 r = (range_inclusive_len0 r = 0)) + axiom range_inclusive_len0_spec : forall r : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 46 62 46 63] inv0 r) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 45 10 45 43] is_empty_log0 r = (range_inclusive_len0 r = 0)) predicate produces0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) (visited : Seq.seq usize) (o : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) = - [#"../../../../../creusot-contracts/src/std/iter/range.rs" 65 8 71 9] Seq.length visited = range_inclusive_len0 self - range_inclusive_len0 o /\ (is_empty_log0 self -> is_empty_log0 o) /\ (is_empty_log0 o \/ end_log0 self = end_log0 o) /\ (forall i : int . 0 <= i /\ i < Seq.length visited -> deep_model0 (Seq.get visited i) = deep_model0 (start_log0 self) + i) + [#"../../../../../creusot-contracts/src/std/iter/range.rs" 65 8 71 9] Seq.length visited = range_inclusive_len0 self - range_inclusive_len0 o /\ (is_empty_log0 self + -> is_empty_log0 o) /\ (is_empty_log0 o \/ end_log0 self = end_log0 o) /\ (forall i : int . 0 <= i /\ i < Seq.length visited + -> deep_model0 (Seq.get visited i) = deep_model0 (start_log0 self) + i) val produces0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) (visited : Seq.seq usize) (o : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) : bool ensures { result = produces0 self visited o } 
@@ -282,21 +304,29 @@ module C08Haystack_Search requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 82 84 83] inv0 c} ensures { result = produces_trans0 a ab b bc c } - axiom produces_trans0_spec : forall a : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize, ab : Seq.seq usize, b : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize, bc : Seq.seq usize, c : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 81 15 81 32] produces0 a ab b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 82 15 82 32] produces0 b bc c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 22 84 23] inv0 a) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 31 84 33] inv8 ab) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 52 84 53] inv0 b) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 61 84 63] inv8 bc) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 82 84 83] inv0 c) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 83 14 83 42] produces0 a (Seq.(++) ab bc) c) + axiom produces_trans0_spec : forall a : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize, ab : Seq.seq usize, b : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize, bc : Seq.seq usize, c : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . 
([#"../../../../../creusot-contracts/src/std/iter/range.rs" 81 15 81 32] produces0 a ab b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 82 15 82 32] produces0 b bc c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 22 84 23] inv0 a) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 31 84 33] inv8 ab) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 52 84 53] inv0 b) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 61 84 63] inv8 bc) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 84 82 84 83] inv0 c) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 83 14 83 42] produces0 a (Seq.(++) ab bc) c) function produces_refl0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) : () = [#"../../../../../creusot-contracts/src/std/iter/range.rs" 74 4 74 10] () val produces_refl0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) : () requires {[#"../../../../../creusot-contracts/src/std/iter/range.rs" 77 21 77 25] inv0 self} ensures { result = produces_refl0 self } - axiom produces_refl0_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 77 21 77 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 76 14 76 45] produces0 self (Seq.empty ) self) + axiom produces_refl0_spec : forall self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . 
([#"../../../../../creusot-contracts/src/std/iter/range.rs" 77 21 77 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/iter/range.rs" 76 14 76 45] produces0 self (Seq.empty ) self) predicate invariant0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) = [#"../../../../../creusot-contracts/src/invariant.rs" 8 8 8 12] true val invariant0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) : bool ensures { result = invariant0 self } axiom inv0 : forall x : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize . inv0 x = true - use prelude.Ghost + use prelude.Snapshot use prelude.Slice use seq.Seq predicate has_value0 [@inline:trivial] (self : usize) (seq : Seq.seq uint8) (out : uint8) = @@ -310,7 +340,7 @@ module C08Haystack_Search ensures { result = in_bounds0 self seq } function shallow_model0 (self : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) : Seq.seq uint8 = - [#"../../../../../creusot-contracts/src/model.rs" 79 8 79 31] shallow_model2 self + [#"../../../../../creusot-contracts/src/model.rs" 83 8 83 31] shallow_model2 self val shallow_model0 (self : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) : Seq.seq uint8 ensures { result = shallow_model0 self } @@ -322,7 +352,7 @@ module C08Haystack_Search ensures { inv7 result } predicate resolve1 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve1 (self : borrowed (Core_Ops_Range_Range_Type.t_range usize)) : bool ensures { result = resolve1 self } @@ -340,8 +370,8 @@ module C08Haystack_Search end } ensures { inv5 result } - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post1 (self : Core_Ops_Range_Range_Type.t_range usize) (res : Core_Ops_Range_Range_Type.t_range usize) = 
@@ -361,7 +391,7 @@ module C08Haystack_Search ensures { inv1 result } predicate resolve0 (self : borrowed (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize)) = - [#"../../../../../creusot-contracts/src/resolve.rs" 27 20 27 34] ^ self = * self + [#"../../../../../creusot-contracts/src/resolve.rs" 25 20 25 34] ^ self = * self val resolve0 (self : borrowed (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize)) : bool ensures { result = resolve0 self } @@ -388,15 +418,16 @@ module C08Haystack_Search predicate match_at0 [#"../08_haystack.rs" 7 0 7 77] (needle : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) (haystack : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) (pos : int) (len : int) = - [#"../08_haystack.rs" 8 4 12 5] len <= Seq.length (shallow_model0 needle) /\ pos <= Seq.length (shallow_model0 haystack) - len /\ (forall i : int . 0 <= i /\ i < len -> index_logic1 needle i = index_logic1 haystack (pos + i)) + [#"../08_haystack.rs" 8 4 12 5] len <= Seq.length (shallow_model0 needle) /\ pos <= Seq.length (shallow_model0 haystack) - len /\ (forall i : int . 0 <= i /\ i < len + -> index_logic1 needle i = index_logic1 haystack (pos + i)) val match_at0 [#"../08_haystack.rs" 7 0 7 77] (needle : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) (haystack : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) (pos : int) (len : int) : bool ensures { result = match_at0 needle haystack pos len } - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost - use prelude.Ghost + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot + use prelude.Snapshot predicate into_iter_post0 (self : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) (res : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize) = 
@@ -420,7 +451,8 @@ module C08Haystack_Search requires {inv3 end'} ensures { [#"../../../../../creusot-contracts/src/std/ops.rs" 220 26 220 53] start_log0 result = start } ensures { [#"../../../../../creusot-contracts/src/std/ops.rs" 221 26 221 49] end_log0 result = end' } - ensures { [#"../../../../../creusot-contracts/src/std/ops.rs" 222 16 222 93] deep_model0 start <= deep_model0 end' -> not is_empty_log0 result } + ensures { [#"../../../../../creusot-contracts/src/std/ops.rs" 222 16 222 93] deep_model0 start <= deep_model0 end' + -> not is_empty_log0 result } ensures { inv0 result } val len0 (self : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) : usize 
@@ -430,8 +462,12 @@ module C08Haystack_Search let rec cfg search [#"../08_haystack.rs" 21 0 21 60] [@cfg:stackify] [@cfg:subregion_analysis] (needle : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) (haystack : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global)) : usize requires {[#"../08_haystack.rs" 15 11 15 65] Seq.length (shallow_model0 needle) >= 1 /\ Seq.length (shallow_model0 needle) <= Seq.length (shallow_model0 haystack)} ensures { [#"../08_haystack.rs" 16 10 16 85] UIntSize.to_int result = Seq.length (shallow_model0 haystack) \/ UIntSize.to_int result < Seq.length (shallow_model0 haystack) - Seq.length (shallow_model0 needle) + 1 } - ensures { [#"../08_haystack.rs" 17 0 19 108] UIntSize.to_int result < Seq.length (shallow_model0 haystack) -> match_at0 needle haystack (UIntSize.to_int result) (Seq.length (shallow_model0 needle)) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int result -> not match_at0 needle haystack i (Seq.length (shallow_model0 needle))) } - ensures { [#"../08_haystack.rs" 20 0 20 139] UIntSize.to_int result = Seq.length (shallow_model0 haystack) -> (forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 haystack) -> not match_at0 needle haystack i (Seq.length (shallow_model0 needle))) } + ensures { [#"../08_haystack.rs" 17 0 19 108] UIntSize.to_int result < Seq.length (shallow_model0 haystack) + -> match_at0 needle haystack (UIntSize.to_int result) (Seq.length (shallow_model0 needle)) /\ (forall i : int . 0 <= i /\ i < UIntSize.to_int result + -> not match_at0 needle haystack i (Seq.length (shallow_model0 needle))) } + ensures { [#"../08_haystack.rs" 20 0 20 139] UIntSize.to_int result = Seq.length (shallow_model0 haystack) + -> (forall i : int . 0 <= i /\ i < Seq.length (shallow_model0 haystack) + -> not match_at0 needle haystack i (Seq.length (shallow_model0 needle))) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : usize; 
@@ -439,43 +475,49 @@ module C08Haystack_Search var haystack : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global) = haystack; var iter : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize; var _10 : Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize; + var _11 : usize; var _12 : usize; var _14 : usize; - var iter_old : Ghost.ghost_ty (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize); - var produced : Ghost.ghost_ty (Seq.seq usize); + var iter_old : Snapshot.snap_ty (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize); + var produced : Snapshot.snap_ty (Seq.seq usize); var _24 : Core_Option_Option_Type.t_option usize; var _25 : borrowed (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize); var _26 : borrowed (Core_Ops_Range_RangeInclusive_Type.t_rangeinclusive usize); var __creusot_proc_iter_elem : usize; - var _29 : Ghost.ghost_ty (Seq.seq usize); + var _29 : Snapshot.snap_ty (Seq.seq usize); var i : usize; var iter1 : Core_Ops_Range_Range_Type.t_range usize; + var _35 : Core_Ops_Range_Range_Type.t_range usize; var _36 : usize; - var iter_old1 : Ghost.ghost_ty (Core_Ops_Range_Range_Type.t_range usize); - var produced1 : Ghost.ghost_ty (Seq.seq usize); + var iter_old1 : Snapshot.snap_ty (Core_Ops_Range_Range_Type.t_range usize); + var produced1 : Snapshot.snap_ty (Seq.seq usize); var _45 : Core_Option_Option_Type.t_option usize; var _46 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var _47 : borrowed (Core_Ops_Range_Range_Type.t_range usize); var __creusot_proc_iter_elem1 : usize; - var _50 : Ghost.ghost_ty (Seq.seq usize); + var _50 : Snapshot.snap_ty (Seq.seq usize); var j : usize; + var _53 : bool; var _55 : uint8; var _59 : uint8; + var _61 : usize; { goto BB0 } BB0 { - [#"../08_haystack.rs" 23 21 23 35] _12 <- ([#"../08_haystack.rs" 23 21 23 35] len0 ([#"../08_haystack.rs" 23 21 23 29] haystack)); + [#"../08_haystack.rs" 23 21 23 35] _12 <- ([#"../08_haystack.rs" 23 21 23 35] len0 haystack); goto BB1 
} BB1 { - [#"../08_haystack.rs" 23 38 23 50] _14 <- ([#"../08_haystack.rs" 23 38 23 50] len0 ([#"../08_haystack.rs" 23 38 23 44] needle)); + [#"../08_haystack.rs" 23 38 23 50] _14 <- ([#"../08_haystack.rs" 23 38 23 50] len0 needle); goto BB2 } BB2 { - [#"../08_haystack.rs" 23 17 23 50] _10 <- ([#"../08_haystack.rs" 23 17 23 50] new0 ([#"../08_haystack.rs" 23 17 23 18] [#"../08_haystack.rs" 23 17 23 18] (0 : usize)) ([#"../08_haystack.rs" 23 21 23 50] _12 - _14)); + [#"../08_haystack.rs" 23 21 23 50] _11 <- _12 - _14; _12 <- any usize; _14 <- any usize; + [#"../08_haystack.rs" 23 17 23 50] _10 <- ([#"../08_haystack.rs" 23 17 23 50] new0 ([#"../08_haystack.rs" 23 17 23 18] (0 : usize)) _11); + _11 <- any usize; goto BB3 } BB3 { @@ -484,11 +526,11 @@ module C08Haystack_Search goto BB4 } BB4 { - [#"../08_haystack.rs" 22 4 22 112] iter_old <- ([#"../08_haystack.rs" 22 4 22 112] Ghost.new iter); + [#"../08_haystack.rs" 22 4 22 112] iter_old <- ([#"../08_haystack.rs" 22 4 22 112] Snapshot.new iter); goto BB5 } BB5 { - [#"../08_haystack.rs" 22 4 22 112] produced <- ([#"../08_haystack.rs" 22 4 22 112] Ghost.new (Seq.empty )); + [#"../08_haystack.rs" 22 4 22 112] produced <- ([#"../08_haystack.rs" 22 4 22 112] Snapshot.new (Seq.empty )); goto BB6 } BB6 { 
@@ -496,8 +538,9 @@ module C08Haystack_Search } BB7 { invariant { [#"../08_haystack.rs" 22 4 22 112] inv0 iter }; - invariant { [#"../08_haystack.rs" 22 4 22 112] produces0 (Ghost.inner iter_old) (Ghost.inner produced) iter }; - invariant { [#"../08_haystack.rs" 22 4 22 112] forall k : int . 0 <= k /\ k < Seq.length (Ghost.inner produced) -> not match_at0 needle haystack k (Seq.length (shallow_model0 needle)) }; + invariant { [#"../08_haystack.rs" 22 4 22 112] produces0 (Snapshot.inner iter_old) (Snapshot.inner produced) iter }; + invariant { [#"../08_haystack.rs" 22 4 22 112] forall k : int . 0 <= k /\ k < Seq.length (Snapshot.inner produced) + -> not match_at0 needle haystack k (Seq.length (shallow_model0 needle)) }; goto BB8 } BB8 { @@ -517,8 +560,8 @@ module C08Haystack_Search end } BB10 { - [#"../08_haystack.rs" 33 11 33 25] _0 <- ([#"../08_haystack.rs" 33 11 33 25] len0 ([#"../08_haystack.rs" 33 11 33 19] haystack)); - goto BB30 + [#"../08_haystack.rs" 33 11 33 25] _0 <- ([#"../08_haystack.rs" 33 11 33 25] len0 haystack); + goto BB31 } BB11 { goto BB13 
@@ -528,28 +571,30 @@ module C08Haystack_Search absurd } BB13 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _24); - [#"../08_haystack.rs" 22 4 22 112] _29 <- ([#"../08_haystack.rs" 22 4 22 112] Ghost.new (Seq.(++) (Ghost.inner produced) (Seq.singleton __creusot_proc_iter_elem))); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem <- Core_Option_Option_Type.some_0 _24; + [#"../08_haystack.rs" 22 4 22 112] _29 <- ([#"../08_haystack.rs" 22 4 22 112] Snapshot.new (Seq.(++) (Snapshot.inner produced) (Seq.singleton __creusot_proc_iter_elem))); goto BB14 } BB14 { - [#"../08_haystack.rs" 22 4 22 112] produced <- ([#"../08_haystack.rs" 22 4 22 112] _29); - [#"../08_haystack.rs" 22 4 22 112] _29 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] i <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem); - [#"../08_haystack.rs" 25 20 25 32] _36 <- ([#"../08_haystack.rs" 25 20 25 32] len0 ([#"../08_haystack.rs" 25 20 25 26] needle)); + [#"../08_haystack.rs" 22 4 22 112] produced <- _29; + _29 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] i <- __creusot_proc_iter_elem; + [#"../08_haystack.rs" 25 20 25 32] _36 <- ([#"../08_haystack.rs" 25 20 25 32] len0 needle); goto BB15 } BB15 { - [#"../08_haystack.rs" 24 8 24 68] iter1 <- ([#"../08_haystack.rs" 24 8 24 68] into_iter1 ([#"../08_haystack.rs" 25 17 25 32] Core_Ops_Range_Range_Type.C_Range ([#"../08_haystack.rs" 25 17 25 18] [#"../08_haystack.rs" 25 17 25 18] (0 : usize)) _36)); + [#"../08_haystack.rs" 25 17 25 32] _35 <- Core_Ops_Range_Range_Type.C_Range ([#"../08_haystack.rs" 25 17 25 18] (0 : usize)) _36; _36 <- any usize; + [#"../08_haystack.rs" 24 8 24 68] iter1 <- 
([#"../08_haystack.rs" 24 8 24 68] into_iter1 _35); + _35 <- any Core_Ops_Range_Range_Type.t_range usize; goto BB16 } BB16 { - [#"../08_haystack.rs" 24 8 24 68] iter_old1 <- ([#"../08_haystack.rs" 24 8 24 68] Ghost.new iter1); + [#"../08_haystack.rs" 24 8 24 68] iter_old1 <- ([#"../08_haystack.rs" 24 8 24 68] Snapshot.new iter1); goto BB17 } BB17 { - [#"../08_haystack.rs" 24 8 24 68] produced1 <- ([#"../08_haystack.rs" 24 8 24 68] Ghost.new (Seq.empty )); + [#"../08_haystack.rs" 24 8 24 68] produced1 <- ([#"../08_haystack.rs" 24 8 24 68] Snapshot.new (Seq.empty )); goto BB18 } BB18 { @@ -557,8 +602,8 @@ module C08Haystack_Search } BB19 { invariant { [#"../08_haystack.rs" 24 8 24 68] inv1 iter1 }; - invariant { [#"../08_haystack.rs" 24 8 24 68] produces1 (Ghost.inner iter_old1) (Ghost.inner produced1) iter1 }; - invariant { [#"../08_haystack.rs" 24 20 24 66] match_at0 needle haystack (UIntSize.to_int i) (Seq.length (Ghost.inner produced1)) }; + invariant { [#"../08_haystack.rs" 24 8 24 68] produces1 (Snapshot.inner iter_old1) (Snapshot.inner produced1) iter1 }; + invariant { [#"../08_haystack.rs" 24 20 24 66] match_at0 needle haystack (UIntSize.to_int i) (Seq.length (Snapshot.inner produced1)) }; goto BB20 } BB20 { 
@@ -578,51 +623,52 @@ module C08Haystack_Search end } BB22 { - [#"../08_haystack.rs" 31 15 31 16] _0 <- ([#"../08_haystack.rs" 31 15 31 16] i); - goto BB31 + [#"../08_haystack.rs" 31 15 31 16] _0 <- i; + goto BB32 } BB23 { - goto BB24 + goto BB25 } BB24 { - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem1 <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] Core_Option_Option_Type.some_0 _45); - [#"../08_haystack.rs" 24 8 24 68] _50 <- ([#"../08_haystack.rs" 24 8 24 68] Ghost.new (Seq.(++) (Ghost.inner produced1) (Seq.singleton __creusot_proc_iter_elem1))); - goto BB25 + assert { [#"../08_haystack.rs" 24 8 24 68] false }; + absurd } BB25 { - [#"../08_haystack.rs" 24 8 24 68] produced1 <- ([#"../08_haystack.rs" 24 8 24 68] _50); - [#"../08_haystack.rs" 24 8 24 68] _50 <- any Ghost.ghost_ty (Seq.seq usize); - [#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] j <- ([#"../../../../../creusot-contracts-proc/src/lib.rs" 674 0 674 51] __creusot_proc_iter_elem1); - [#"../08_haystack.rs" 26 21 26 24] _55 <- ([#"../08_haystack.rs" 26 21 26 24] index0 ([#"../08_haystack.rs" 26 15 26 21] needle) ([#"../08_haystack.rs" 26 22 26 23] j)); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] __creusot_proc_iter_elem1 <- Core_Option_Option_Type.some_0 _45; + [#"../08_haystack.rs" 24 8 24 68] _50 <- ([#"../08_haystack.rs" 24 8 24 68] Snapshot.new (Seq.(++) (Snapshot.inner produced1) (Seq.singleton __creusot_proc_iter_elem1))); goto BB26 } BB26 { - [#"../08_haystack.rs" 26 36 26 43] _59 <- ([#"../08_haystack.rs" 26 36 26 43] index0 ([#"../08_haystack.rs" 26 28 26 36] haystack) ([#"../08_haystack.rs" 26 37 26 42] ([#"../08_haystack.rs" 26 37 26 38] i) + ([#"../08_haystack.rs" 26 41 26 42] j))); + [#"../08_haystack.rs" 24 8 24 68] produced1 <- _50; + _50 <- any Snapshot.snap_ty (Seq.seq usize); + [#"../../../../../creusot-contracts-proc/src/lib.rs" 654 0 654 51] j <- 
__creusot_proc_iter_elem1; + [#"../08_haystack.rs" 26 21 26 24] _55 <- ([#"../08_haystack.rs" 26 21 26 24] index0 needle j); goto BB27 } BB27 { - switch ([#"../08_haystack.rs" 26 15 26 43] ([#"../08_haystack.rs" 26 15 26 24] _55) <> ([#"../08_haystack.rs" 26 28 26 43] _59)) - | False -> goto BB29 - | True -> goto BB28 - end + [#"../08_haystack.rs" 26 37 26 42] _61 <- i + j; + [#"../08_haystack.rs" 26 36 26 43] _59 <- ([#"../08_haystack.rs" 26 36 26 43] index0 haystack _61); + _61 <- any usize; + goto BB28 } BB28 { - goto BB7 + [#"../08_haystack.rs" 26 15 26 43] _53 <- _55 <> _59; + switch (_53) + | False -> goto BB30 + | True -> goto BB29 + end } BB29 { - goto BB19 + goto BB7 } BB30 { - goto BB31 + goto BB19 } BB31 { - return _0 + goto BB32 } - BB33 { - goto BB12 - } - BB34 { - goto BB12 + BB32 { + return _0 } end diff --git a/creusot/tests/should_succeed/vector/08_haystack/why3session.xml b/creusot/tests/should_succeed/vector/08_haystack/why3session.xml index 95fccb047c..437da35f86 100644 --- a/creusot/tests/should_succeed/vector/08_haystack/why3session.xml +++ b/creusot/tests/should_succeed/vector/08_haystack/why3session.xml @@ -15,7 +15,7 @@ - + @@ -27,94 +27,94 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + diff --git a/creusot/tests/should_succeed/vector/08_haystack/why3shapes.gz b/creusot/tests/should_succeed/vector/08_haystack/why3shapes.gz index a6b9967caa..0e0a6e2749 100644 Binary files a/creusot/tests/should_succeed/vector/08_haystack/why3shapes.gz and b/creusot/tests/should_succeed/vector/08_haystack/why3shapes.gz differ diff --git a/creusot/tests/should_succeed/vector/09_capacity.mlcfg b/creusot/tests/should_succeed/vector/09_capacity.mlcfg index a60257f7fd..5f95869967 100644 --- a/creusot/tests/should_succeed/vector/09_capacity.mlcfg +++ b/creusot/tests/should_succeed/vector/09_capacity.mlcfg 
@@ -17,12 +17,18 @@ module Core_Ptr_Unique_Unique_Type | C_Unique (Core_Ptr_NonNull_NonNull_Type.t_nonnull 't) (Core_Marker_PhantomData_Type.t_phantomdata 't) end -module Alloc_RawVec_RawVec_Type +module Alloc_RawVec_Cap_Type use prelude.UIntSize use prelude.Int + type t_cap = + | C_Cap usize + +end +module Alloc_RawVec_RawVec_Type + use Alloc_RawVec_Cap_Type as Alloc_RawVec_Cap_Type use Core_Ptr_Unique_Unique_Type as Core_Ptr_Unique_Unique_Type type t_rawvec 't 'a = - | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) usize 'a + | C_RawVec (Core_Ptr_Unique_Unique_Type.t_unique 't) (Alloc_RawVec_Cap_Type.t_cap) 'a end module Alloc_Vec_Vec_Type @@ -77,7 +83,8 @@ module C09Capacity_ChangeCapacity requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv2 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv2 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv2 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
@@ -122,7 +129,8 @@ module C09Capacity_ChangeCapacity let rec cfg change_capacity [#"../09_capacity.rs" 6 0 6 41] [@cfg:stackify] [@cfg:subregion_analysis] (v : borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global))) : () requires {[#"../09_capacity.rs" 6 26 6 27] inv1 v} ensures { [#"../09_capacity.rs" 4 10 4 33] Seq.length (shallow_model0 ( ^ v)) = Seq.length (shallow_model1 v) } - ensures { [#"../09_capacity.rs" 5 0 5 69] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 v) -> index_logic0 ( ^ v) i = index_logic0 ( * v) i } + ensures { [#"../09_capacity.rs" 5 0 5 69] forall i : int . 0 <= i /\ i < Seq.length (shallow_model1 v) + -> index_logic0 ( ^ v) i = index_logic0 ( * v) i } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); @@ -142,7 +150,7 @@ module C09Capacity_ChangeCapacity [#"../09_capacity.rs" 7 4 7 5] _5 <- Borrow.borrow_mut ( * v); [#"../09_capacity.rs" 7 4 7 5] v <- { v with current = ( ^ _5) ; }; assume { inv0 ( ^ _5) }; - [#"../09_capacity.rs" 7 4 7 18] _4 <- ([#"../09_capacity.rs" 7 4 7 18] reserve0 _5 ([#"../09_capacity.rs" 7 14 7 17] [#"../09_capacity.rs" 7 14 7 17] (100 : usize))); + [#"../09_capacity.rs" 7 4 7 18] _4 <- ([#"../09_capacity.rs" 7 4 7 18] reserve0 _5 ([#"../09_capacity.rs" 7 14 7 17] (100 : usize))); _5 <- any borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); goto BB1 } @@ -150,7 +158,7 @@ module C09Capacity_ChangeCapacity [#"../09_capacity.rs" 8 4 8 5] _7 <- Borrow.borrow_mut ( * v); [#"../09_capacity.rs" 8 4 8 5] v <- { v with current = ( ^ _7) ; }; assume { inv0 ( ^ _7) }; - [#"../09_capacity.rs" 8 4 8 24] _6 <- ([#"../09_capacity.rs" 8 4 8 24] reserve_exact0 _7 ([#"../09_capacity.rs" 8 20 8 23] [#"../09_capacity.rs" 8 20 8 23] (200 : usize))); + [#"../09_capacity.rs" 8 4 8 24] _6 <- ([#"../09_capacity.rs" 8 4 8 24] reserve_exact0 _7 ([#"../09_capacity.rs" 8 20 8 23] (200 : usize))); _7 <- any borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); goto BB2 } 
@@ -166,7 +174,7 @@ module C09Capacity_ChangeCapacity [#"../09_capacity.rs" 10 4 10 5] _11 <- Borrow.borrow_final ( * v) (Borrow.get_id v); [#"../09_capacity.rs" 10 4 10 5] v <- { v with current = ( ^ _11) ; }; assume { inv0 ( ^ _11) }; - [#"../09_capacity.rs" 10 4 10 18] _10 <- ([#"../09_capacity.rs" 10 4 10 18] shrink_to0 _11 ([#"../09_capacity.rs" 10 16 10 17] [#"../09_capacity.rs" 10 16 10 17] (1 : usize))); + [#"../09_capacity.rs" 10 4 10 18] _10 <- ([#"../09_capacity.rs" 10 4 10 18] shrink_to0 _11 ([#"../09_capacity.rs" 10 16 10 17] (1 : usize))); _11 <- any borrowed (Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)); goto BB4 } @@ -217,7 +225,8 @@ module C09Capacity_ClearVec requires {[#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self} ensures { result = shallow_model0 self } - axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv2 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) + axiom shallow_model0_spec : forall self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) . ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 21 19 25] inv0 self) + -> ([#"../../../../../creusot-contracts/src/std/vec.rs" 19 4 19 36] inv2 (shallow_model0 self)) && ([#"../../../../../creusot-contracts/src/std/vec.rs" 18 14 18 41] Seq.length (shallow_model0 self) <= UIntSize.to_int max0) predicate invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = [#"../../../../../creusot-contracts/src/std/vec.rs" 60 20 60 41] inv2 (shallow_model0 self) val invariant0 (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool 
diff --git a/creusot/tests/should_succeed/vector/09_capacity/why3shapes.gz b/creusot/tests/should_succeed/vector/09_capacity/why3shapes.gz index 0714a03fa3..4c0b0560b3 100644 Binary files a/creusot/tests/should_succeed/vector/09_capacity/why3shapes.gz and b/creusot/tests/should_succeed/vector/09_capacity/why3shapes.gz differ diff --git a/creusot/tests/ui.rs b/creusot/tests/ui.rs index 4efc61898a..36b2738fbe 100644 --- a/creusot/tests/ui.rs +++ b/creusot/tests/ui.rs @@ -42,15 +42,15 @@ fn main() { let mut metadata_file = cargo_creusot; metadata_file.current_dir(base_path); - metadata_file - .arg("creusot") - .args(&[ - "--metadata-path".as_ref(), - temp_file.as_os_str(), - "--output-file=/dev/null".as_ref(), - ]) - .args(&["--", "--package", "creusot-contracts"]) - .env("CREUSOT_CONTINUE", "true"); + metadata_file.arg("creusot").args(&[ + "--metadata-path".as_ref(), + temp_file.as_os_str(), + "--output-file=/dev/null".as_ref(), + ]); + if let Some(ref dir) = creusot_dev_config::custom_config_dir() { + metadata_file.arg("--config-dir").arg(&dir); + } + metadata_file.args(&["--", "--package", "creusot-contracts"]).env("CREUSOT_CONTINUE", "true"); if !metadata_file.status().expect("could not dump metadata for `creusot_contracts`").success() { // eprintln!("{}", String::from_utf8_lossy(&metadata_file.output().unwrap().stderr)); @@ -91,6 +91,8 @@ fn run_creusot( base_path.push("target"); base_path.push("debug"); + let config_paths = creusot_dev_config::paths().unwrap(); + let creusot_contract_path = base_path.join("libcreusot_contracts.rlib"); let creusot_contract_path = creusot_contract_path.to_str().expect("invalid utf-8 in contract path"); 
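Review bot: In the new `if let Some(ref dir) = creusot_dev_config::custom_config_dir() { metadata_file.arg("--config-dir").arg(&dir); }` the `ref` binding followed by `&dir` borrows twice, so `arg` receives a double reference that only type-checks through the blanket `AsRef` impl; clippy reports this as `needless_borrow` and the `ref` keyword is redundant under match ergonomics. Prefer `if let Some(dir) = creusot_dev_config::custom_config_dir() { metadata_file.arg("--config-dir").arg(dir); }`, which works for either an owned path or a reference since `Command::arg` takes `impl AsRef<OsStr>`. The exact return type of `custom_config_dir()` is not visible here, so confirm it is an `Option` of a path-like value. The body of `main` continues outside the hunk.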
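Review bot: `let config_paths = creusot_dev_config::paths().unwrap();` turns a missing or malformed developer config into a bare `unwrap` panic with no indication of what was expected, and since this line now runs before every UI test it is the first failure a fresh checkout will hit. Replace it with `let config_paths = creusot_dev_config::paths().expect("could not load the Creusot dev config (why3 path); set up the config directory before running the UI tests");` so the panic message names the missing setup, matching the `.expect("invalid utf-8 in contract path")` style used two lines below. Whether `paths()` returns an `Option` or a `Result` is not visible in this hunk; if it is a `Result`, consider including the error via `unwrap_or_else(|e| panic!(...))`. The enclosing `run_creusot` continues outside the hunk.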
@@ -100,12 +102,16 @@ fn run_creusot( "--stdout", "--export-metadata=false", "--span-mode=relative", - "--check-why3=false", + "--root-path-relative-from-output=.", ]); cmd.args(&[ "--creusot-extern", &format!("creusot_contracts={}", normalize_file_path(contracts)), ]); + cmd.arg("--why3-path").arg(&config_paths.why3); + if let Some(why3_config) = &config_paths.why3_config { + cmd.arg("--why3-config-file").arg(why3_config); + } cmd.args(&["--", "-Zno-codegen", "--crate-type=lib"]); cmd.args(&["--extern", &format!("creusot_contracts={}", creusot_contract_path)]); diff --git a/exercises/04_all_zero.rs b/exercises/04_all_zero.rs index 2395529747..12b2aeef44 100644 --- a/exercises/04_all_zero.rs +++ b/exercises/04_all_zero.rs @@ -5,7 +5,7 @@ use creusot_contracts::*; // Also show that no elements were added or removed pub fn all_zero(v: &mut Vec) { let mut i = 0; - let old_v = gh! { v }; + let old_v = snapshot! { v }; // Until https://gitlab.inria.fr/why3/why3/-/merge_requests/667 is merged // the following invariant is needed to allow Why3 to remember prophecies dont change #[invariant(proph_const, ^v == ^old_v.inner())] diff --git a/guide/src/type_invariants.md b/guide/src/type_invariants.md new file mode 100644 index 0000000000..84fd070cac --- /dev/null +++ b/guide/src/type_invariants.md 
@@ -0,0 +1,92 @@ +# Type Invariants + +## Overview + +Defining a type invariant allows you to constrain a data type's set of valid values with a logical predicate that all values must satisfy. +During verification, Creusot enforces that all type invariants are preserved across functions. +Inside a function, values subject to type invariants may temporarily break their invariants as long as each value's invariant is restored before the value can be observed by another function. + +Type invariants were added to Creusot as part of a Master's thesis available [here](https://mediatum.ub.tum.de/1726472). + +## Defining Type Invariants + +To attach an invariant to a type, you implement the `Invariant` trait provided by Creusot. +Here is an example: + +```rust +struct SumTo10 { + a: i32, + b: i32, +} + +// The type invariant constrains the set of valid `SumTo10`s to +// only allow values where the sum of both fields is equal to 10. +impl Invariant for SumTo10 { + #[predicate] + fn invariant(self) -> bool { + pearlite! { + self.a@ + self.b@ == 10 + } + } +} +``` + +## Enforcement of Type Invariants + +Creusot enforces type invariants on function boundaries by generating additional pre- and postconditions based on the types of a function's arguments and return value. +The type invariants of a function’s arguments are treated as additional preconditions and a type invariant of the return value corresponds to an extra postcondition. +Here is an example: + +```rust +// `inv` generically refers to the invariant of some value +#[requires(inv(x))] // generated by Creusot +#[ensures(inv(result))] // generated by Creusot +fn foo(x: SumTo10) -> SumTo10 { + x +} +``` + +These generated pre- and postconditions require you to prove the invariants of any values used as arguments in function calls or returned values. +Besides the proof obligations at function boundaries, you must also prove the type invariants of mutably borrowed values when the lifetimes of the created references end. 
+When creating a mutable reference `r`, Creusot requires you to prove the type invariant of its current value at the end of `r`'s lifetime, since `r` might have been used to break the invariant of the borrowed value. +This lets Creusot assume the invariant of the final value `^r` holds, simplifying the reasoning about mutable references. +Here is an example: + +```rust +fn swap() { + let mut s = SumTo10 { a: 3, b: 7 } + let r = &mut s; + // Creusot can prophetically assume inv(^r) holds: + proof_assert! { inv(^r) }; + + let tmp = r.a; + *r.a = r.b; + *r.b = tmp; + // The lifetime of r ends: We must prove inv(*r) + + proof_assert! { inv(v) }; // provable since v = ^r = *r +} +``` + +## Structural Invariants + +To determine the invariant of a particular type, Creusot considers both whether the user provided an explicit definition through the `Invariant` trait, as well as any invariants the can be derived automatically based on the type's definition. +We call those automatically derived invariants *structural invariants*. +When neither an explicit definition exists, nor a structural invariant, the type has the *trivial* invariant, which does not impose any constraints on the set of valid values. + +Here are some examples demonstrating structural invariants of various types: + +| Type of `x` | Invariant `inv(x)` | +|-------------|--------------------| +| `bool, u8, i32, ...` | `true` | +| `&mut Foo` | `inv(*x) && inv(^x)` | +| `&Foo` | `inv(*x)` | +| `Box` | `inv(*x)` | +| `*const Foo, *mut Foo` | `true` | +| `(Foo, Bar)` | `inv(x.0) && inv(x.1)` | +| `struct Foo { f: Bar }` | `inv(x.f)` | +| `enum Foo { A(Bar), B(Baz) }` | `match x { A(y) => inv(y), B(z) => inv(z) }` | +| `Vec` | `inv(x[0]) && ... && inv(x[x.len()-1])` | + + + diff --git a/ide b/ide index 2f263cf60a..7c30817483 100755 --- a/ide +++ b/ide 
@@ -1,4 +1,4 @@ #!/usr/bin/env bash SCRIPTPATH=$(dirname "$BASH_SOURCE") -why3 --warn-off=unused_variable --warn-off=clone_not_abstract --warn-off=axiom_abstract ide -L $SCRIPTPATH/prelude $@ +cargo run --bin dev-why3 -- --warn-off=unused_variable --warn-off=clone_not_abstract --warn-off=axiom_abstract ide -L $SCRIPTPATH/prelude $@ diff --git a/prelude/prelude.mlw b/prelude/prelude.mlw index a132033874..44aeeb6fd8 100644 --- a/prelude/prelude.mlw +++ b/prelude/prelude.mlw @@ -214,12 +214,12 @@ module Char axiom chr_code: forall c. chr (code c) = c end -module Ghost - type ghost_ty 't - val function new (ghost x : 't) : ghost_ty 't - val function inner (x : ghost_ty 't) : 't +module Snapshot + type snap_ty 't + val function new (ghost x : 't) : snap_ty 't + val function inner (x : snap_ty 't) : 't axiom new_spec: forall x: 't [new x]. inner (new x) = x - axiom inner_spec: forall x: ghost_ty 't [inner x]. new (inner x) = x + axiom inner_spec: forall x: snap_ty 't [inner x]. new (inner x) = x end module Slice diff --git a/why3/Cargo.toml b/why3/Cargo.toml index 3e73331ff6..5e6646944c 100644 --- a/why3/Cargo.toml +++ b/why3/Cargo.toml @@ -2,7 +2,7 @@ name = "why3" version = "0.2.0" authors = ["Xavier Denis "] -edition = "2018" +edition = "2021" # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html @@ -14,6 +14,11 @@ indexmap = "1.2.0" serde = { version = "1.0", optional = true, features = ["derive"] } num = "*" serde_json = "1.0.107" -[features] +[dev-dependencies] +proptest= "1.4.0" +tempfile="3.10.0" + + +[features] serialize = ["serde"] diff --git a/why3/src/ce_models.rs b/why3/src/ce_models.rs index a6e085ee32..077ff7e9cd 100644 --- a/why3/src/ce_models.rs +++ b/why3/src/ce_models.rs 
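Review bot: `$@` and `$SCRIPTPATH/prelude` are unquoted in the rewritten `cargo run --bin dev-why3 -- … ide -L $SCRIPTPATH/prelude $@` line, so any argument containing spaces or glob characters is re-split or globbed by the shell before it reaches why3, and a checkout directory with a space in its path breaks `-L`. Use `"$@"` and `"$SCRIPTPATH/prelude"`; the old line had the same flaw, but since the whole command is being rewritten this is the moment to fix it. `$(dirname "$BASH_SOURCE")` in the unchanged line above is already quoted correctly, so the fix makes the script self-consistent.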
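Review bot: The new dev-dependency entries `proptest= "1.4.0"` and `tempfile="3.10.0"` use inconsistent spacing around `=` compared with the rest of the manifest (`serde_json = "1.0.107"`, `indexmap = "1.2.0"`); write them `proptest = "1.4.0"` and `tempfile = "3.10.0"`. The two added blank lines before `[features]` are also more than the single blank line the file uses between tables. Adding `proptest` and `tempfile` widens the test-time dependency tree; if a `Cargo.lock` is tracked in this repository, it should be regenerated in the same commit so CI builds are reproducible — it is not visible in this part of the diff.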
@@ -1,17 +1,18 @@ +#[cfg(feature = "serde")] use serde::Deserialize; use serde_json::Value as Json; use std::fmt::{Debug, Formatter}; -#[derive(Deserialize)] -#[serde(untagged)] +#[cfg_attr(feature = "serde", derive(Deserialize))] +#[cfg_attr(feature = "serde", serde(untagged))] pub enum Loc { Span(Why3Span), Other(Json), } #[allow(dead_code)] -#[derive(Deserialize)] -#[serde(rename_all = "kebab-case")] +#[cfg_attr(feature = "serde", derive(Deserialize))] +#[cfg_attr(feature = "serde", serde(rename_all = "kebab-case"))] pub struct Why3Span { pub file_name: String, pub start_line: u32, @@ -31,41 +32,47 @@ impl Debug for Loc { } } -#[derive(Deserialize, Debug)] -#[serde(untagged)] +#[derive(Debug)] +#[cfg_attr(feature = "serde", derive(Deserialize))] +#[cfg_attr(feature = "serde", serde(untagged))] pub enum Fallible { Ok(T), Err(Json), } -#[derive(Deserialize, Debug)] -#[serde(untagged)] +#[derive(Debug)] +#[cfg_attr(feature = "serde", derive(Deserialize))] +#[cfg_attr(feature = "serde", serde(untagged))] pub enum Model { Model { answer: String, model: Vec> }, Unknown(Json), } -#[derive(Deserialize, Debug)] +#[derive(Debug)] +#[cfg_attr(feature = "serde", derive(Deserialize))] pub struct Model2 { pub filename: String, pub model: Vec>, } -#[derive(Deserialize, Debug)] +#[derive(Debug)] +#[cfg_attr(feature = "serde", derive(Deserialize))] pub struct Model3 { pub is_vc_line: bool, pub line: String, pub model_elements: Vec>, } -#[derive(Deserialize, Debug)] +#[derive(Debug)] +#[cfg_attr(feature = "serde", derive(Deserialize))] pub struct LSymbol { pub name: String, pub attrs: Vec, pub loc: Loc, } -#[derive(Deserialize, Debug)] +#[derive(Debug)] +#[cfg_attr(feature = "serde", derive(Deserialize))] pub struct ModelElem { pub attrs: Vec, pub kind: String, 
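Review bot: `use serde_json::Value as Json;` remains unconditional while `use serde::Deserialize;` is now gated behind `feature = "serde"`, so turning the feature off removes the derives but keeps `serde_json` as a hard dependency and leaves `Loc::Other(Json)` and the other `Json` payloads in this file without any constructor. If a serde-free build is the goal, `serde_json` needs to become optional in the manifest and the alias gated the same way; if `serde_json` is meant to stay mandatory, a comment such as `// serde_json stays a hard dependency; only the Deserialize derives are feature-gated` above the import would make that explicit. Note also that the gate tests the implicit optional-dependency feature `serde` rather than the manifest's named `serialize` feature; that is valid Cargo behaviour since `serialize = ["serde"]` enables it, but it is worth stating in the same comment so a reader does not assume the wrong feature name.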
@@ -74,20 +81,21 @@ pub struct ModelElem { pub value: Value, } -#[derive(Deserialize, Debug)] +#[derive(Debug)] +#[cfg_attr(feature = "serde", derive(Deserialize))] pub struct Value { pub value_concrete_term: ConcreteTerm, pub value_term: Term, pub value_type: Type, } -#[derive(Deserialize)] +#[cfg_attr(feature = "serde", derive(Deserialize))] pub enum Type { - #[serde(rename = "Tyvar")] + #[cfg_attr(feature = "serde", serde(rename = "Tyvar"))] Var(String), - #[serde(rename = "Tyapp")] + #[cfg_attr(feature = "serde", serde(rename = "Tyapp"))] App { ty_symbol: String, ty_args: Vec }, - #[serde(untagged)] + #[cfg_attr(feature = "serde", serde(untagged))] Unknown(Json), } 
@@ -107,102 +115,107 @@ impl Debug for Type { } } -#[derive(Deserialize, Debug)] +#[derive(Debug)] +#[cfg_attr(feature = "serde", derive(Deserialize))] pub struct VSymbol { pub vs_name: String, pub vs_type: Type, } -#[derive(Deserialize, Debug)] +#[derive(Debug)] +#[cfg_attr(feature = "serde", derive(Deserialize))] pub enum TBool { - #[serde(rename = "Ttrue")] + #[cfg_attr(feature = "serde", serde(rename = "Ttrue"))] True, - #[serde(rename = "Tfalse")] + #[cfg_attr(feature = "serde", serde(rename = "Tfalse"))] False, } -#[derive(Deserialize, Debug)] +#[derive(Debug)] +#[cfg_attr(feature = "serde", derive(Deserialize))] pub enum Term { - #[serde(rename = "Tvar")] + #[cfg_attr(feature = "serde", serde(rename = "Tvar"))] Var(VSymbol), - #[serde(rename = "Tconst")] + #[cfg_attr(feature = "serde", serde(rename = "Tconst"))] Const { - #[serde(rename = "const_type")] + #[cfg_attr(feature = "serde", serde(rename = "const_type"))] ty: String, - #[serde(rename = "const_value")] + #[cfg_attr(feature = "serde", serde(rename = "const_value"))] val: String, }, - #[serde(rename = "Tapp")] + #[cfg_attr(feature = "serde", serde(rename = "Tapp"))] App { - #[serde(rename = "app_ls")] + #[cfg_attr(feature = "serde", serde(rename = "app_ls"))] ls: String, - #[serde(rename = "app_args")] + #[cfg_attr(feature = "serde", serde(rename = "app_args"))] args: Vec, }, - #[serde(rename = "Tif")] + #[cfg_attr(feature = "serde", serde(rename = "Tif"))] If { - #[serde(rename = "if")] + #[cfg_attr(feature = "serde", serde(rename = "if"))] ift: Box, then: Box, - #[serde(rename = "else")] + #[cfg_attr(feature = "serde", serde(rename = "else"))] elset: Box, }, - #[serde(rename = "Teps")] + #[cfg_attr(feature = "serde", serde(rename = "Teps"))] Eps { - #[serde(rename = "eps_vs")] + #[cfg_attr(feature = "serde", serde(rename = "eps_vs"))] vs: VSymbol, - #[serde(rename = "eps_t")] + #[cfg_attr(feature = "serde", serde(rename = "eps_t"))] t: Box, }, - #[serde(rename = "Tfun")] + #[cfg_attr(feature = 
"serde", serde(rename = "Tfun"))] Fun { - #[serde(rename = "fun_args")] + #[cfg_attr(feature = "serde", serde(rename = "fun_args"))] args: Vec, - #[serde(rename = "fun_body")] + #[cfg_attr(feature = "serde", serde(rename = "fun_body"))] body: Box, }, - #[serde(rename = "Tquant")] + #[cfg_attr(feature = "serde", serde(rename = "Tquant"))] Quant { quant: String, - #[serde(rename = "quant_vs")] + #[cfg_attr(feature = "serde", serde(rename = "quant_vs"))] vs: Vec, - #[serde(rename = "quant_t")] + #[cfg_attr(feature = "serde", serde(rename = "quant_t"))] t: Box, }, - #[serde(rename = "Tbinop")] + #[cfg_attr(feature = "serde", serde(rename = "Tbinop"))] Binop { binop: String, - #[serde(rename = "binop_t1")] + #[cfg_attr(feature = "serde", serde(rename = "binop_t1"))] t1: Box, - #[serde(rename = "binop_t2")] + #[cfg_attr(feature = "serde", serde(rename = "binop_t2"))] t2: Box, }, - #[serde(rename = "Tnot")] + #[cfg_attr(feature = "serde", serde(rename = "Tnot"))] Not(Box), - #[serde(rename = "Tlet")] + #[cfg_attr(feature = "serde", serde(rename = "Tlet"))] Let(String), - #[serde(rename = "Tcase")] + #[cfg_attr(feature = "serde", serde(rename = "Tcase"))] Case(String), - #[serde(untagged)] + #[cfg_attr(feature = "serde", serde(untagged))] Bool(TBool), - #[serde(untagged)] + #[cfg_attr(feature = "serde", serde(untagged))] Unknown(Json), } -#[derive(Deserialize, Debug)] +#[derive(Debug)] +#[cfg_attr(feature = "serde", derive(Deserialize))] pub struct BitVector { pub bv_value_as_decimal: String, pub bv_length: u32, pub bv_verbatim: String, } -#[derive(Deserialize, Debug)] +#[derive(Debug)] +#[cfg_attr(feature = "serde", derive(Deserialize))] pub struct Real { pub real_value: String, pub real_verbatim: String, } -#[derive(Deserialize)] +#[cfg_attr(feature = "serde", derive(Deserialize))] pub struct Integer { pub int_value: String, pub int_verbatim: String, 
@@ -231,28 +244,31 @@ impl Debug for Integer { } } -#[derive(Deserialize, Debug)] +#[derive(Debug)] +#[cfg_attr(feature = "serde", derive(Deserialize))] pub enum Float { Infinity, - #[serde(rename = "Plus_zero")] + #[cfg_attr(feature = "serde", serde(rename = "Plus_zero"))] PlusZero, - #[serde(rename = "Minus_zero")] + #[cfg_attr(feature = "serde", serde(rename = "Minus_zero"))] MinusZero, - #[serde(rename = "Float_value")] + #[cfg_attr(feature = "serde", serde(rename = "Float_value"))] Value { float_hex: String, }, } #[allow(dead_code)] -#[derive(Deserialize, Debug)] +#[derive(Debug)] +#[cfg_attr(feature = "serde", derive(Deserialize))] pub struct FunLitElt { pub indice: ConcreteTerm, pub value: ConcreteTerm, } -#[derive(Deserialize, Debug)] -#[serde(tag = "type", content = "val")] +#[derive(Debug)] +#[cfg_attr(feature = "serde", derive(Deserialize))] +#[cfg_attr(feature = "serde", serde(tag = "type", content = "val"))] pub enum ConcreteTerm { Var(String), Boolean(bool), 
@@ -261,92 +277,95 @@ pub enum ConcreteTerm { Real(Real), BitVector(BitVector), Fraction { - #[serde(rename = "frac_num")] + #[cfg_attr(feature = "serde", serde(rename = "frac_num"))] num: Real, - #[serde(rename = "frac_num")] + #[cfg_attr(feature = "serde", serde(rename = "frac_num"))] denom: Real, - #[serde(rename = "frac_verbatim")] + #[cfg_attr(feature = "serde", serde(rename = "frac_verbatim"))] verbatim: String, }, Float(Float), - #[serde(rename = "Apply")] + #[cfg_attr(feature = "serde", serde(rename = "Apply"))] App { - #[serde(rename = "app_ls")] + #[cfg_attr(feature = "serde", serde(rename = "app_ls"))] ls: String, - #[serde(rename = "app_args")] + #[cfg_attr(feature = "serde", serde(rename = "app_args"))] args: Vec, }, If { - #[serde(rename = "if")] + #[cfg_attr(feature = "serde", serde(rename = "if"))] ift: Box, then: Box, - #[serde(rename = "else")] + #[cfg_attr(feature = "serde", serde(rename = "else"))] elset: Box, }, - #[serde(rename = "Epsilon")] + #[cfg_attr(feature = "serde", serde(rename = "Epsilon"))] Eps { - #[serde(rename = "eps_var")] + #[cfg_attr(feature = "serde", serde(rename = "eps_var"))] var: String, - #[serde(rename = "eps_t")] + #[cfg_attr(feature = "serde", serde(rename = "eps_t"))] t: Box, }, - #[serde(rename = "Function")] + #[cfg_attr(feature = "serde", serde(rename = "Function"))] Fun { - #[serde(rename = "fun_args")] + #[cfg_attr(feature = "serde", serde(rename = "fun_args"))] args: Vec, - #[serde(rename = "fun_body")] + #[cfg_attr(feature = "serde", serde(rename = "fun_body"))] body: Box, }, Quant { quant: String, - #[serde(rename = "quant_vs")] + #[cfg_attr(feature = "serde", serde(rename = "quant_vs"))] vs: Vec, - #[serde(rename = "quant_t")] + #[cfg_attr(feature = "serde", serde(rename = "quant_t"))] t: Box, }, Binop { binop: String, - #[serde(rename = "binop_t1")] + #[cfg_attr(feature = "serde", serde(rename = "binop_t1"))] t1: Box, - #[serde(rename = "binop_t2")] + #[cfg_attr(feature = "serde", serde(rename = 
"binop_t2"))] t2: Box, }, Not(Box), FunctionLiteral { - #[serde(rename = "funliteral_elts")] + #[cfg_attr(feature = "serde", serde(rename = "funliteral_elts"))] elts: Vec, - #[serde(rename = "funliteral_others")] + #[cfg_attr(feature = "serde", serde(rename = "funliteral_others"))] other: Box, }, Proj { - #[serde(rename = "proj_name")] + #[cfg_attr(feature = "serde", serde(rename = "proj_name"))] name: String, - #[serde(rename = "proj_value")] + #[cfg_attr(feature = "serde", serde(rename = "proj_value"))] value: Box, }, - #[serde(untagged)] + #[cfg_attr(feature = "serde", serde(untagged))] Unknown(Json), } -#[derive(Deserialize)] +#[cfg_attr(feature = "serde", derive(Deserialize))] pub struct Goal { pub term: GoalTerm, - #[serde(alias = "prover-result")] + #[cfg_attr(feature = "serde", serde(alias = "prover-result"))] pub prover_result: ProverResult, } -#[derive(Deserialize, Debug)] +#[derive(Debug)] +#[cfg_attr(feature = "serde", derive(Deserialize))] pub struct GoalTerm { pub loc: Loc, - #[serde(alias = "goal-name")] //Why3 doesn't currently use kebab-case but this might change + #[cfg_attr(feature = "serde", serde(alias = "goal-name"))] + //Why3 doesn't currently use kebab-case but this might change pub goal_name: String, pub explanations: Vec, } #[allow(dead_code)] -#[derive(Deserialize, Debug)] +#[derive(Debug)] +#[cfg_attr(feature = "serde", derive(Deserialize))] pub struct ProverResult { pub answer: String, - #[serde(rename = "ce-models")] + #[cfg_attr(feature = "serde", serde(rename = "ce-models"))] pub ce_models: Vec, pub time: f32, pub step: i32, diff --git a/why3/src/coma.rs b/why3/src/coma.rs new file mode 100644 index 0000000000..631bf9408c --- /dev/null +++ b/why3/src/coma.rs 
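Review bot: In the `Fraction` variant both `num` and `denom` are renamed to the same JSON key, `frac_num`; the second attribute was presumably meant to be the denominator key. The new `cfg_attr` lines reproduce the old attributes verbatim, so the duplicate survives this change, and serde's derive does not reject it: the second `"frac_num"` match arm is shadowed by the first, so `denom` is never populated and deserializing any fraction counterexample is likely to fail with a missing-field error. The fix is the one attribute, `#[cfg_attr(feature = "serde", serde(rename = "frac_den"))]` on `denom`, with the exact key confirmed against the JSON that Why3 emits for fractions rather than guessed.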
@@ -0,0 +1,352 @@ +use crate::{declaration::Use, ty::Type, Ident, Print, QName}; +use pretty::docs; + +#[cfg(feature = "serialize")] +use serde::{Deserialize, Serialize}; + +type Term = crate::Exp; + +/// The Coma Intermediate Verification Language +/// +/// This language is developed by Paul Patault, Andrei Paskeivich and Jean-Christophe Filiatre. +/// In this module is a complete, faithful ast and pretty printer for Coma. +/// +/// TODO: Document Coma and its motivation +/// +/// Notable points +/// +/// 1. Higher order functional language that always generates first-order VCs +/// 2. User level control on transparency of functions +/// 3. CPS structure + +#[derive(Clone, Debug)] +#[cfg_attr(feature = "serialize", derive(Serialize, Deserialize))] +pub enum Expr { + /// Variables eg: `x` + Symbol(QName), + /// Generic application for type lambdas, terms, references and continuations + /// e ... t... | e... + App(Box, Box), + /// Functions, used for anonymous closures + /// fun pl -> e + Lambda(Vec, Box), + /// Handler group definitions, binds a set of (mutually recursive) handlers + /// Can be read as a "where" clause in haskell. + // + /// e / rec? h p e and ... + Defn(Box, bool, Vec), + /// Similarly to handlers, the assignment should be read "backwards", the expression happens in a context where + /// the identifiers have been updated + Assign(Box, Vec<(Ident, Term)>), + /// Let binding, introduces a new lexical scope. + Let(Box, Vec), + /// Asserts that the term holds before evaluating the expression + Assert(Box, Box), + /// Syntactic sugar for assuming that a term holds before evaluating the inner expression + Assume(Box, Box), + /// The core operator of coma is the "black box" or *abstraction barrier* operator. + /// This operator distinguishes the responsibility between the caller and callee for + /// verification. 
Everything under an abstraction is opaque to the outside world, whereas from the inside, + /// we can suppose than any surrounding assertions hold. + // + /// TODO: Write a more intuitive explanaitio + // + /// ! e + BlackBox(Box), + /// Good question... + WhiteBox(Box), + /// A non-deterministic value + Any, +} + +#[derive(Clone, Debug)] +#[cfg_attr(feature = "serialize", derive(Serialize, Deserialize))] +pub struct Var(pub Ident, pub Type, pub Term, pub IsRef); + +#[derive(Clone, Debug)] +#[cfg_attr(feature = "serialize", derive(Serialize, Deserialize))] +pub enum IsRef { + Ref, + NotRef, +} + +/// Parameter declarations +#[derive(Clone, Debug)] +#[cfg_attr(feature = "serialize", derive(Serialize, Deserialize))] +pub enum Param { + // Can only be type parameters + Ty(Type), + Term(Ident, Type), + Reference(Ident, Type), + /// Continuations accept a set of handlers and a set of ordinary parameters + Cont(Ident, Vec, Vec), +} + +#[derive(Clone, Debug)] +#[cfg_attr(feature = "serialize", derive(Serialize, Deserialize))] +pub enum Arg { + /// Type application + Ty(Type), + /// Logical terms (and 'program' ones) + Term(Term), + /// Reference + Ref(Ident), + /// Continuation parameter + Cont(Expr), +} + +#[derive(Clone, Debug)] +#[cfg_attr(feature = "serialize", derive(Serialize, Deserialize))] +pub struct Defn { + pub name: Ident, + /// Only relevant if using references + pub writes: Vec, + pub params: Vec, + pub body: Expr, +} + +#[derive(Clone, Debug)] +#[cfg_attr(feature = "serialize", derive(Serialize, Deserialize))] +pub enum Decl { + /// Coma definitions + Defn(Vec), + /// Escape hatch for type declarations, predicates etc... 
+ PureDecl(crate::declaration::Decl), + Use(Use), +} + +#[derive(Clone, Debug)] +pub struct Module(pub Vec); + +impl Expr { + pub fn app(self, args: Vec) -> Self { + args.into_iter().fold(self, |acc, a| Expr::App(Box::new(acc), Box::new(a))) + } + + pub fn assign(mut self, lhs: Ident, rhs: Term) -> Self { + match &mut self { + Expr::Assign(_, asgns) => { + asgns.push((lhs, rhs)); + self + } + _ => Expr::Assign(Box::new(self), vec![(lhs, rhs)]), + } + } +} + +impl Print for Param { + fn pretty<'b, 'a: 'b, A: pretty::DocAllocator<'a>>( + &'a self, + alloc: &'a A, + ) -> pretty::DocBuilder<'a, A> + where + A::Doc: Clone, + { + match self { + Param::Ty(ty) => ty.pretty(alloc), + Param::Term(id, ty) => docs![alloc, id.pretty(alloc), ":", ty.pretty(alloc)].parens(), + Param::Reference(id, ty) => docs![alloc, "&", id.pretty(alloc), ":", ty.pretty(alloc)], + Param::Cont(id, writes, params) => docs![ + alloc, + id.pretty(alloc), + alloc.space(), + brackets(alloc.intersperse(writes.iter().map(|a| a.pretty(alloc)), " ")), + alloc.space(), + alloc.intersperse(params.iter().map(|a| a.pretty(alloc)), " "), + ] + .parens(), + } + } +} +impl Print for Var { + fn pretty<'b, 'a: 'b, A: pretty::DocAllocator<'a>>( + &'a self, + alloc: &'a A, + ) -> pretty::DocBuilder<'a, A> + where + A::Doc: Clone, + { + docs![ + alloc, + if matches!(self.3, IsRef::Ref) { alloc.text("& ") } else { alloc.nil() }, + self.0.pretty(alloc), + " : ", + self.1.pretty(alloc), + " = ", + self.2.pretty(alloc) + ] + } +} + +impl Print for Arg { + fn pretty<'b, 'a: 'b, A: pretty::DocAllocator<'a>>( + &'a self, + alloc: &'a A, + ) -> pretty::DocBuilder<'a, A> + where + A::Doc: Clone, + { + match self { + Arg::Ty(ty) => ty.pretty(alloc).enclose("<", ">"), + Arg::Term(t) => t.pretty(alloc).braces(), + Arg::Ref(r) => alloc.text("& ").append(r.pretty(alloc)), + Arg::Cont(e @ Expr::Lambda(_, _)) => e.pretty(alloc), + Arg::Cont(c) => c.pretty(alloc).parens(), + } + } +} + +impl Print for Expr { + fn pretty<'b, 'a: 'b, 
A: pretty::DocAllocator<'a>>( + &'a self, + alloc: &'a A, + ) -> pretty::DocBuilder<'a, A> + where + A::Doc: Clone, + { + match self { + Expr::Symbol(id) => id.pretty(alloc), + Expr::App(e, arg) => { + let needs_paren = !matches!( + &**e, + Expr::App(_, _) | Expr::Symbol(_) | Expr::Any | Expr::Lambda(_, _) + ); + + let doc = e.pretty(alloc); + + docs![ + alloc, + if needs_paren { doc.parens() } else { doc }, + alloc.softline(), + arg.pretty(alloc) + ] + } + Expr::Lambda(params, body) => { + let header = if params.is_empty() { + alloc.text("-> ") + } else { + docs![ + alloc, + "fun ", + alloc.intersperse(params.iter().map(|p| p.pretty(alloc)), alloc.text(" ")), + alloc.text(" -> ") + ] + }; + + header.append(body.pretty(alloc).nest(2)).parens() + } + Expr::Defn(cont, rec, handlers) => { + let handlers = + handlers.iter().map(|d| print_defn(d, if *rec { "=" } else { "->" }, alloc)); + cont.pretty(alloc).append(alloc.softline()).append(bracket_list( + alloc, + handlers, + alloc.line().append(alloc.text("| ")), + )) + } + Expr::Let(cont, lets) => docs![ + alloc, + cont.pretty(alloc), + bracket_list( + alloc, + lets.iter().map(|l| l.pretty(alloc)), + alloc.line().append(alloc.text("| ")) + ) + ], + Expr::Assign(cont, asgns) => docs![ + alloc, + bracket_list( + alloc, + asgns.iter().map(|(id, t)| docs![ + alloc, + "&", + id.pretty(alloc), + alloc.space(), + "<-", + alloc.space(), + t.pretty(alloc) + ]), + alloc.line().append(alloc.text("| ")) + ), + cont.pretty(alloc) + ], + Expr::Assert(t, e) => { + docs![alloc, t.pretty(alloc).braces(), alloc.space(), e.pretty(alloc)] + } + Expr::Assume(t, e) => { + docs![alloc, t.pretty(alloc).enclose("-{", "}-"), alloc.space(), e.pretty(alloc)] + } + Expr::BlackBox(e) => docs![alloc, "!", alloc.space(), e.pretty(alloc)].parens(), + Expr::WhiteBox(e) => docs![alloc, "?", alloc.space(), e.pretty(alloc)].parens(), + Expr::Any => alloc.text("any"), + } + } +} + +fn brackets<'a, A: pretty::DocAllocator<'a>>( + doc: pretty::DocBuilder<'a, 
A>, +) -> pretty::DocBuilder<'a, A> +where + A::Doc: Clone, +{ + if !matches!(&*doc.1, pretty::Doc::Nil) { + doc.brackets().nest(2) + } else { + doc + } +} + +fn bracket_list<'a, S, A: pretty::DocAllocator<'a>>( + alloc: &'a A, + docs: impl Iterator>, + sep: S, +) -> pretty::DocBuilder<'a, A> +where + S: pretty::Pretty<'a, A> + Clone, +{ + let body = alloc.intersperse(docs, sep).group(); + if matches!(&*body.1, pretty::Doc::Nil) { + return body; + } + + docs![ + alloc, + alloc.line_(), + alloc.space().append(body).append(alloc.space()).brackets().nest(0), + alloc.line_() + ] + .group() +} + +fn print_defn<'a, A: pretty::DocAllocator<'a>>( + defn: &'a Defn, + arrow_kind: &'a str, + alloc: &'a A, +) -> pretty::DocBuilder<'a, A> +where + A::Doc: Clone, +{ + docs![ + alloc, + defn.name.pretty(alloc), + alloc.space(), + bracket_list(alloc, defn.writes.iter().map(|a| a.pretty(alloc)), " "), + if defn.writes.is_empty() { alloc.nil() } else { alloc.space() }, + alloc.intersperse(defn.params.iter().map(|a| a.pretty(alloc)), " "), + arrow_kind, + alloc.space(), + defn.body.pretty(alloc).nest(2), + ] +} + +impl Print for Defn { + fn pretty<'b, 'a: 'b, A: pretty::DocAllocator<'a>>( + &'a self, + alloc: &'a A, + ) -> pretty::DocBuilder<'a, A> + where + A::Doc: Clone, + { + docs![alloc, "let ", print_defn(self, "=", alloc),] + } +} diff --git a/why3/src/declaration.rs b/why3/src/declaration.rs index 3b1b61d676..586e31a41b 100644 --- a/why3/src/declaration.rs +++ b/why3/src/declaration.rs @@ -40,7 +40,7 @@ pub enum Decl { UseDecl(Use), Axiom(Axiom), Goal(Goal), - // ConstantDecl(Constant), + ConstantDecl(Constant), } impl Decl { @@ -337,3 +337,11 @@ pub enum LetKind { Predicate, Constant, } + +#[derive(Debug, Clone)] +#[cfg_attr(feature = "serialize", derive(Serialize, Deserialize))] +pub struct Constant { + pub name: Ident, + pub type_: Type, + pub body: Exp, +} diff --git a/why3/src/exp.rs b/why3/src/exp.rs index 94005d19fd..1194cd1d06 100644 --- a/why3/src/exp.rs 
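Review bot: The `///` block beginning `/// The Coma Intermediate Verification Language` is a line doc comment immediately followed by `#[derive(Clone, Debug)]`, so rustdoc attaches it to `Expr` rather than to the module it describes. If module documentation is intended it should use `//!` and sit above the `use` lines, and `Expr` should get its own one-line summary such as `/// A Coma expression; each variant's doc gives the concrete syntax it prints as.` The `BlackBox` comment also carries the typo `explanaitio`, and `WhiteBox` is documented only as `Good question...`, which tells a reader nothing; if all that is known is that it prints as `? e`, say that explicitly rather than leaving a question in the docs.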
+++ b/why3/src/exp.rs @@ -89,7 +89,7 @@ pub enum UnOp { #[derive(Debug, Clone, Copy, PartialEq, Eq)] #[cfg_attr(feature = "serialize", derive(Serialize, Deserialize))] -pub enum Purity { +pub(crate) enum Purity { Logic, Program, } @@ -123,8 +123,8 @@ pub enum Exp { arg: Box, body: Box, }, - Var(Ident, Purity), - QVar(QName, Purity), + Var(Ident), + QVar(QName), Record { fields: Vec<(String, Exp)>, }, @@ -194,8 +194,8 @@ pub fn super_visit_mut(f: &mut T, exp: &mut Exp) { f.visit_mut(arg); f.visit_mut(body) } - Exp::Var(_, _) => {} - Exp::QVar(_, _) => {} + Exp::Var(_) => {} + Exp::QVar(_) => {} Exp::RecUp { record, updates } => { f.visit_mut(record); updates.iter_mut().for_each(|(_, val)| f.visit_mut(val)); @@ -276,8 +276,8 @@ pub fn super_visit(f: &mut T, exp: &Exp) { f.visit(arg); f.visit(body) } - Exp::Var(_, _) => {} - Exp::QVar(_, _) => {} + Exp::Var(_) => {} + Exp::QVar(_) => {} Exp::RecUp { record, updates } => { f.visit(record); updates.iter().for_each(|(_, val)| f.visit(val)); @@ -340,28 +340,30 @@ pub fn super_visit_trigger(f: &mut T, trigger: &Trigger) { } impl Exp { - pub fn impure_qvar(q: QName) -> Self { - Exp::QVar(q, Purity::Program) + pub fn qvar(q: QName) -> Self { + Exp::QVar(q) } - pub fn impure_var(v: Ident) -> Self { - Exp::Var(v, Purity::Program) - } - - pub fn pure_qvar(q: QName) -> Self { - Exp::QVar(q, Purity::Logic) - } - - pub fn pure_var(v: Ident) -> Self { - Exp::Var(v, Purity::Logic) + pub fn var(v: impl Into) -> Self { + Exp::Var(v.into()) } pub fn lazy_conj(l: Exp, r: Exp) -> Self { l.lazy_and(r) } + pub fn not(self) -> Self { + Exp::UnaryOp(UnOp::Not, Box::new(self)) + } + pub fn eq(self, rhs: Self) -> Self { - Exp::BinaryOp(BinOp::Eq, Box::new(self), Box::new(rhs)) + if self.is_true() { + rhs + } else if rhs.is_true() { + self + } else { + Exp::BinaryOp(BinOp::Eq, Box::new(self), Box::new(rhs)) + } } pub fn neq(self, rhs: Self) -> Self { 
@@ -394,9 +396,9 @@ impl Exp { } pub fn lazy_and(self, other: Self) -> Self { - if let Exp::Const(Constant::Bool(true)) = self { + if self.is_true() { other - } else if let Exp::Const(Constant::Bool(true)) = other { + } else if other.is_true() { self } else { Exp::BinaryOp(BinOp::LazyAnd, Box::new(self), Box::new(other)) @@ -404,15 +406,42 @@ impl Exp { } pub fn log_and(self, other: Self) -> Self { - if let Exp::Const(Constant::Bool(true)) = self { + if self.is_true() { other - } else if let Exp::Const(Constant::Bool(true)) = other { + } else if other.is_true() { self } else { Exp::BinaryOp(BinOp::LogAnd, Box::new(self), Box::new(other)) } } + pub fn log_or(self, other: Self) -> Self { + if self.is_true() { + self + } else if other.is_true() { + other + } else { + Exp::BinaryOp(BinOp::LogOr, Box::new(self), Box::new(other)) + } + } + + pub fn if_(cond: Self, then: Self, else_: Self) -> Self { + if then.is_true() && else_.is_true() { + then + } else if cond.is_true() { + then + } else if cond.is_false() { + else_ + } else { + Exp::IfThenElse(Box::new(cond), Box::new(then), Box::new(else_)) + } + } + + /// Build an implication + /// + /// Performs the following simplifications + /// - True -> A <-> A + /// - A -> True <-> True pub fn implies(self, other: Self) -> Self { if self.is_true() { other @@ -423,10 +452,20 @@ impl Exp { } } + /// Builds a quantifier with explicit trigger + /// + /// Simplfies ∀ x, True into True pub fn forall_trig(bound: Vec<(Ident, Type)>, trigger: Trigger, body: Exp) -> Self { - Exp::Forall(bound, trigger, Box::new(body)) + if body.is_true() { + body + } else { + Exp::Forall(bound, trigger, Box::new(body)) + } } + /// Builds a quantifier + /// + /// Simplfies ∀ x, True into True pub fn forall(bound: Vec<(Ident, Type)>, body: Exp) -> Self { Exp::forall_trig(bound, Trigger::NONE, body) } 
@@ -442,6 +481,18 @@ impl Exp { pub fn is_true(&self) -> bool { if let Exp::Const(Constant::Bool(true)) = self { true + } else if let Exp::Attr(_, e) = self { + e.is_true() + } else { + false + } + } + + pub fn is_false(&self) -> bool { + if let Exp::Const(Constant::Bool(false)) = self { + true + } else if let Exp::Attr(_, e) = self { + e.is_false() } else { false } @@ -455,6 +506,29 @@ impl Exp { Exp::Const(Constant::const_false()) } + pub fn int(i: i128) -> Self { + Exp::Const(Constant::Int(i, None)) + } + + pub fn let_(id: impl Into, arg: Exp, mut body: Exp) -> Exp { + let ident = id.into(); + let occurences = body.occurences(); + + if !occurences.contains_key(&ident) { + body + // Remove this if performance is a concern + } else if occurences[&ident] == 1 { + body.subst(&[(ident, arg)].into_iter().collect()); + body + } else { + Exp::Let { pattern: Pattern::VarP(ident), arg: Box::new(arg), body: Box::new(body) } + } + } + + pub fn ascribe(self, ty: Type) -> Self { + Exp::Ascribe(Box::new(self), ty) + } + pub fn is_pure(&self) -> bool { struct IsPure { pure: bool, @@ -463,8 +537,6 @@ impl Exp { impl ExpVisitor for IsPure { fn visit(&mut self, exp: &Exp) { match exp { - Exp::Var(_, Purity::Program) => self.pure &= false, - Exp::QVar(_, Purity::Program) => self.pure &= false, Exp::Verbatim(_) => self.pure &= false, Exp::Absurd => self.pure &= false, // This is a bit absurd, but you can't put "pure {...}" @@ -619,8 +691,8 @@ impl Exp { Exp::Final(_) => Prefix, Exp::Let { .. } => IfLet, Exp::Abs(_, _) => Abs, - Exp::Var(_, _) => Atom, - Exp::QVar(_, _) => Atom, + Exp::Var(_) => Atom, + Exp::QVar(_) => Atom, Exp::RecUp { .. } => App, Exp::RecField { .. } => Infix4, Exp::Tuple(_) => Atom, 
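Review bot: `Exp::let_` discards `arg` outright when `ident` has no occurrences and, when it has exactly one, inlines `arg` under whatever binders surround that occurrence, without consulting the purity of `arg`. If `let_` is ever used to build program-side expressions (this file keeps `is_pure()`, which still treats `Verbatim` and `Absurd` as impure), dropping an unused binding also drops a call whose precondition should still be checked, and moving an impure term under a `forall` or lambda is not a valid Why3 program. Guarding both rewrites, `if arg.is_pure() && !occurences.contains_key(&ident)` and `else if arg.is_pure() && occurences[&ident] == 1`, keeps the simplification for logic terms only. The `// Remove this if performance is a concern` comment is also placed inside the first arm, which it does not describe; it belongs on the `else if` that performs the inlining.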
@@ -655,50 +727,63 @@ impl Exp { } } - pub fn fvs(&self) -> IndexSet { - struct Fvs { - fvs: IndexSet, + pub fn occurs(&self, id: &Ident) -> bool { + let fvs = self.occurences(); + + fvs.contains_key(id) + } + + pub fn occurences(&self) -> HashMap { + struct Occurs { + occurs: HashMap, } - impl ExpVisitor for Fvs { + impl ExpVisitor for Occurs { fn visit(&mut self, exp: &Exp) { match exp { - Exp::Var(v, _) => { - self.fvs.insert(v.clone()); + Exp::Var(v) => { + *self.occurs.entry(v.clone()).or_insert(0) += 1; } Exp::Let { pattern, arg, body } => { - let fvs = std::mem::take(&mut self.fvs); + let mut occurs = std::mem::take(&mut self.occurs); self.visit(body); - self.fvs = (&self.fvs) - &pattern.binders(); + pattern.binders().iter().for_each(|p| { + self.occurs.remove(p); + }); + self.visit(arg); - self.fvs.extend(fvs); + occurs.drain().for_each(|(k, v)| *self.occurs.entry(k).or_insert(0) += v); } Exp::Forall(bnds, trig, exp) => { - let fvs = std::mem::take(&mut self.fvs); + let mut fvs = std::mem::take(&mut self.occurs); self.visit(exp); self.visit_trigger(trig); bnds.iter().for_each(|(l, _)| { - self.fvs.remove(l); + self.occurs.remove(l); }); - self.fvs.extend(fvs); + fvs.drain().for_each(|(k, v)| *self.occurs.entry(k).or_insert(0) += v); } Exp::Exists(bnds, trig, exp) => { - let fvs = std::mem::take(&mut self.fvs); + let mut fvs = std::mem::take(&mut self.occurs); self.visit(exp); self.visit_trigger(trig); bnds.iter().for_each(|(l, _)| { - self.fvs.remove(l); + self.occurs.remove(l); }); - self.fvs.extend(fvs); + fvs.drain().for_each(|(k, v)| *self.occurs.entry(k).or_insert(0) += v); } _ => super_visit(self, exp), } } } - let mut fvs = Fvs { fvs: IndexSet::new() }; + let mut fvs = Occurs { occurs: Default::default() }; fvs.visit(self); - fvs.fvs + fvs.occurs + } + + pub fn fvs(&self) -> IndexSet { + self.occurences().into_keys().collect() } pub fn qfvs(&self) -> IndexSet { 
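Review bot: `fvs()` is now rebuilt from `self.occurences().into_keys()`, and `Occurs` keeps its counts in a `HashMap`, so the returned `IndexSet` is ordered by std's per-process randomized hash iteration instead of by first occurrence as the old `Fvs` visitor produced. Anything that turns `fvs()` into emitted Why3 text (binder lists, fresh-name generation) will then differ from run to run, which breaks reproducible output and proof-session replay. Since `indexmap` is already a dependency, `struct Occurs { occurs: IndexMap<Ident, usize> }` with a matching return type (and `use indexmap::IndexMap;` next to the existing `IndexSet` import) restores deterministic order at no cost; `let_` in this same change only needs `contains_key` and indexing, which `IndexMap` provides. The public name `occurences` is also misspelled (`occurrences`) and is worth fixing before callers outside the crate depend on it.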
@@ -709,7 +794,7 @@ impl Exp { impl ExpVisitor for QFvs { fn visit(&mut self, exp: &Exp) { match exp { - Exp::QVar(v, _) => { + Exp::QVar(v) => { self.qfvs.insert(v.clone()); } _ => super_visit(self, exp), @@ -728,7 +813,7 @@ impl Exp { impl<'a> ExpMutVisitor for &'a HashMap { fn visit_mut(&mut self, exp: &mut Exp) { match exp { - Exp::Var(v, _) => { + Exp::Var(v) => { if let Some(e) = self.get(v) { *exp = e.clone() } @@ -775,6 +860,20 @@ impl Exp { binders.iter().for_each(|k| { subst.remove(&k.0); }); + let bnds: IndexSet<_> = binders.iter().map(|b| &b.0).cloned().collect(); + let mut extended = HashMap::new(); + for (_, exp) in &mut subst { + for id in &bnds & &exp.fvs() { + extended.insert(id.clone(), Exp::var(format!("{}'", &*id))); + } + } + binders.iter_mut().for_each(|(id, _)| { + if extended.contains_key(id) { + *id = format!("{}'", &**id).into(); + } + }); + subst.extend(extended); + let mut s = &subst; s.visit_mut(exp); s.visit_trigger_mut(trig); @@ -784,6 +883,20 @@ impl Exp { binders.iter().for_each(|k| { subst.remove(&k.0); }); + let bnds: IndexSet<_> = binders.iter().map(|b| &b.0).cloned().collect(); + let mut extended = HashMap::new(); + for (_, exp) in &mut subst { + for id in &bnds & &exp.fvs() { + extended.insert(id.clone(), Exp::var(format!("{}'", &*id))); + } + } + binders.iter_mut().for_each(|(id, _)| { + if extended.contains_key(id) { + *id = format!("{}'", &**id).into(); + } + }); + subst.extend(extended); + let mut s = &subst; s.visit_mut(exp); s.visit_trigger_mut(trig); diff --git a/why3/src/lib.rs b/why3/src/lib.rs index 7e17f3eee3..c0e0223624 100644 --- a/why3/src/lib.rs +++ b/why3/src/lib.rs @@ -1,4 +1,4 @@ -#![feature(box_patterns)] +#![feature(box_patterns, hash_extract_if)] pub mod ce_models; pub mod declaration; pub mod exp; @@ -6,6 +6,9 @@ pub mod mlcfg; pub mod name; pub mod ty; +// Coma IR +pub mod coma; + pub use exp::Exp; pub use mlcfg::printer::Print; pub use name::*; 
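Review bot: The capture-avoiding rename added to both the `Forall` and `Exists` arms of `subst` picks `format!("{}'", id)` as the new binder name without checking that it is fresh, so the renamed binder can itself collide: `forall x x'. P x x'` under `{y ↦ x}` becomes `forall x' x'. …`, and a body that already mentions a free `x'` is captured after the rename. The avoid-set must include the sibling binders, the free variables of the body, and the free variables of every substituted term, and the candidate should be primed until it falls outside that set. The two arms are byte-identical, so the logic belongs in one private helper; a sketch follows (the enclosing `subst` method starts before this hunk, and `exp` below is the quantifier body bound by the arm's pattern).
```rust
/// Rename any binder in `binders` that occurs free in a value of `subst`, choosing a
/// name that is fresh w.r.t. the other binders, the body and every substituted term,
/// and record the renaming in `subst` so the body is rewritten consistently.
fn rename_captured(binders: &mut [(Ident, Type)], body: &Exp, subst: &mut HashMap<Ident, Exp>) {
    let mut avoid: IndexSet<String> = binders.iter().map(|(id, _)| id.to_string()).collect();
    avoid.extend(body.fvs().iter().map(|id| id.to_string()));
    avoid.extend(subst.values().flat_map(|e| e.fvs().into_iter().map(|id| id.to_string())));

    let mut extended = HashMap::new();
    for (id, _) in binders.iter_mut() {
        // Only a binder that is free in some substituted term would capture it.
        if !subst.values().any(|e| e.occurs(id)) {
            continue;
        }
        let mut fresh = format!("{}'", &**id);
        while avoid.contains(&fresh) {
            fresh.push('\'');
        }
        avoid.insert(fresh.clone());
        let fresh: Ident = fresh.into();
        extended.insert(id.clone(), Exp::var(fresh.clone()));
        *id = fresh;
    }
    subst.extend(extended);
}

// … unchanged: start of the Forall / Exists arm, removal of shadowed keys …
rename_captured(binders, exp, &mut subst);
let mut s = &subst;
s.visit_mut(exp);
s.visit_trigger_mut(trig);
```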
diff --git a/why3/src/mlcfg/printer.rs b/why3/src/mlcfg/printer.rs index a0f6099332..29431232fa 100644 --- a/why3/src/mlcfg/printer.rs +++ b/why3/src/mlcfg/printer.rs @@ -2,39 +2,26 @@ use std::{fmt::Display, iter::once}; use super::*; use crate::{ - declaration::*, + declaration::{self, *}, exp::{AssocDir, BinOp, Binder, Constant, Precedence, Trigger, UnOp}, }; use num::{Float, Zero}; use pretty::*; -#[derive(Default)] -pub struct PrintEnv { - pub scopes: Vec, -} - -impl PrintEnv { - pub fn new() -> (BoxAllocator, Self) { - (BoxAllocator, PrintEnv::default()) - } -} - pub struct PrintDisplay<'a, A: Print>(&'a A); impl<'a, A: Print> Display for PrintDisplay<'a, A> { fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { - let (alloc, mut env) = PrintEnv::new(); - self.0.pretty(&alloc, &mut env).1.render_fmt(120, f)?; + let alloc = BoxAllocator; + self.0.pretty(&alloc).1.render_fmt(120, f)?; Ok(()) } } +pub const ALLOC: BoxAllocator = BoxAllocator; + pub trait Print { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone; @@ -48,17 +35,16 @@ pub trait Print { // TODO: replace with functions macro_rules! parens { - ($alloc:ident, $env:ident, $parent:ident, $child:ident) => { - parens($alloc, $env, $parent.precedence(), $child) + ($alloc:ident, $parent:ident, $child:ident) => { + parens($alloc, $parent.precedence(), $child) }; - ($alloc:ident, $env:ident, $par_prec:expr, $child:ident) => { - parens($alloc, $env, $par_prec, $child) + ($alloc:ident, $par_prec:expr, $child:ident) => { + parens($alloc, $par_prec, $child) }; } fn parens<'b, 'a: 'b, A: DocAllocator<'a>>( alloc: &'a A, - env: &mut PrintEnv, prec: Precedence, child: &'a Exp, ) -> DocBuilder<'a, A> 
@@ -67,81 +53,64 @@ where { let child_prec = child.precedence(); if child_prec == Precedence::Atom { - child.pretty(alloc, env) + child.pretty(alloc) } else if child_prec < prec { - child.pretty(alloc, env).parens() + child.pretty(alloc).parens() } else if child_prec == prec && child.associativity() != child.associativity() { - child.pretty(alloc, env).parens() + child.pretty(alloc).parens() } else { - child.pretty(alloc, env) + child.pretty(alloc) } } impl Print for Decl { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { match self { - Decl::CfgDecl(fun) => fun.pretty(alloc, env), - Decl::LogicDefn(log) => log.pretty(alloc, env), - Decl::Module(modl) => modl.pretty(alloc, env), - Decl::Scope(scope) => scope.pretty(alloc, env), - Decl::PredDecl(p) => p.pretty(alloc, env), - Decl::TyDecl(t) => t.pretty(alloc, env), - Decl::Clone(c) => c.pretty(alloc, env), - Decl::ValDecl(v) => v.pretty(alloc, env), - Decl::UseDecl(u) => u.pretty(alloc, env), - Decl::Axiom(a) => a.pretty(alloc, env), - Decl::Goal(g) => g.pretty(alloc, env), - Decl::Let(l) => l.pretty(alloc, env), + Decl::CfgDecl(fun) => fun.pretty(alloc), + Decl::LogicDefn(log) => log.pretty(alloc), + Decl::Module(modl) => modl.pretty(alloc), + Decl::Scope(scope) => scope.pretty(alloc), + Decl::PredDecl(p) => p.pretty(alloc), + Decl::TyDecl(t) => t.pretty(alloc), + Decl::Clone(c) => c.pretty(alloc), + Decl::ValDecl(v) => v.pretty(alloc), + Decl::UseDecl(u) => u.pretty(alloc), + Decl::Axiom(a) => a.pretty(alloc), + Decl::Goal(g) => g.pretty(alloc), + Decl::Let(l) => l.pretty(alloc), + Decl::ConstantDecl(c) => c.pretty(alloc), } } } impl Print for Module { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: 
&'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { - env.scopes.push(self.name.clone()); let doc = alloc .text("module ") .append(&*self.name) .append(alloc.hardline()) .append( alloc - .intersperse( - self.decls.iter().map(|decl| decl.pretty(alloc, env)), - alloc.hardline(), - ) + .intersperse(self.decls.iter().map(|decl| decl.pretty(alloc)), alloc.hardline()) .indent(2), ) .append(alloc.hardline()) .append("end"); - env.scopes.pop(); doc } } impl Print for Scope { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { - env.scopes.push(self.name.clone()); let doc = alloc .text("scope") .append(alloc.space()) 
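Review bot: The context line `} else if child_prec == prec && child.associativity() != child.associativity() {` in `parens` compares the child's associativity with itself, so the branch is dead and an equal-precedence operand sitting on the non-associative side of its parent is printed without parentheses, silently changing the meaning of the emitted Why3 term. This change only dropped the `env` argument from these lines, but `parens` is the one place that still knows the parent's precedence, so it is the natural point to thread the parent's side through as well: `fn parens<'b, 'a: 'b, A: DocAllocator<'a>>(alloc: &'a A, prec: Precedence, side: AssocDir, child: &'a Exp)` with `else if child_prec == prec && child.associativity() != Some(side)`, and the `parens!` macro call sites passing the side the child is on. The exact comparison depends on what `Exp::associativity` returns, which is outside this hunk; `parens` itself begins in the previous hunk.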
@@ -149,59 +118,58 @@ impl Print for Scope { .append(alloc.hardline()) .append( alloc - .intersperse( - self.decls.iter().map(|decl| decl.pretty(alloc, env)), - alloc.hardline(), - ) + .intersperse(self.decls.iter().map(|decl| decl.pretty(alloc)), alloc.hardline()) .indent(2), ) .append(alloc.hardline()) .append("end"); - env.scopes.pop(); doc } } impl Print for Axiom { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { alloc .text("axiom ") - .append(self.name.pretty(alloc, env)) + .append(self.name.pretty(alloc)) .append(if self.rewrite { " [@rewrite] : " } else { " : " }) - .append(self.axiom.pretty(alloc, env)) + .append(self.axiom.pretty(alloc)) } } impl Print for Goal { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { alloc .text("goal ") - .append(self.name.pretty(alloc, env)) + .append(self.name.pretty(alloc)) + .append(" : ") + .append(self.goal.pretty(alloc)) + } +} + +impl Print for declaration::Constant { + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> + where + A::Doc: Clone, + { + alloc + .text("constant ") + .append(self.name.pretty(alloc)) .append(" : ") - .append(self.goal.pretty(alloc, env)) + .append(self.type_.pretty(alloc)) + .append(" = ") + .append(self.body.pretty(alloc)) } } impl Print for LetDecl { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { 
@@ -225,24 +193,20 @@ impl Print for LetDecl { doc = doc .append( self.sig - .pretty(alloc, env) + .pretty(alloc) .append(alloc.line_()) .append(alloc.text(" = [@vc:do_not_keep_trace] [@vc:sp]")), ) .group() .append(alloc.line()) - .append(self.body.pretty(alloc, env).indent(2)); + .append(self.body.pretty(alloc).indent(2)); doc } } impl Print for Attribute { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - _: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { 
@@ -265,91 +229,70 @@ impl Print for Attribute { } impl Print for Signature { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { self.name - .pretty(alloc, env) + .pretty(alloc) .append(alloc.space()) .append(alloc.intersperse( - self.attrs.iter().map(|a| a.pretty(alloc, env)).chain(once(alloc.nil())), + self.attrs.iter().map(|a| a.pretty(alloc)).chain(once(alloc.nil())), alloc.space(), )) - .append(arg_list(alloc, env, &self.args)) + .append(arg_list(alloc, &self.args)) .append( - self.retty.as_ref().map_or_else( - || alloc.nil(), - |t| alloc.text(" : ").append(t.pretty(alloc, env)), - ), + self.retty + .as_ref() + .map_or_else(|| alloc.nil(), |t| alloc.text(" : ").append(t.pretty(alloc))), ) - .append(alloc.line_().append(self.contract.pretty(alloc, env))) + .append(alloc.line_().append(self.contract.pretty(alloc))) .nest(2) .group() // .append(alloc.line()) - // .append(self.contract.pretty(alloc, env).indent(2)) + // .append(self.contract.pretty(alloc).indent(2)) } } impl Print for Predicate { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { alloc .text("predicate ") - .append(self.sig.pretty(alloc, env).append(alloc.line_()).append(alloc.text(" ="))) + .append(self.sig.pretty(alloc).append(alloc.line_()).append(alloc.text(" ="))) .group() .append(alloc.line()) - .append(self.body.pretty(alloc, env).indent(2)) + .append(self.body.pretty(alloc).indent(2)) } } -fn arg_list<'b: 'a, 'a, A: DocAllocator<'a>>( - alloc: &'a A, - env: &mut PrintEnv, - args: &'a [Binder], -) -> DocBuilder<'a, A> +fn arg_list<'b: 'a, 'a, A: DocAllocator<'a>>(alloc: &'a A, args: &'a [Binder]) -> DocBuilder<'a, A> where A::Doc: 
Clone, { { - alloc.intersperse(args.iter().map(|b| b.pretty(alloc, env)), alloc.space()) + alloc.intersperse(args.iter().map(|b| b.pretty(alloc)), alloc.space()) } } impl Print for Logic { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { alloc .text("function ") - .append(self.sig.pretty(alloc, env).append(alloc.line_()).append(alloc.text(" ="))) + .append(self.sig.pretty(alloc).append(alloc.line_()).append(alloc.text(" ="))) .group() .append(alloc.line()) - .append(self.body.pretty(alloc, env).indent(2)) + .append(self.body.pretty(alloc).indent(2)) } } impl Print for DeclClone { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { @@ -362,8 +305,7 @@ impl Print for DeclClone { _ => alloc.nil(), }; - let doc = - alloc.text("clone ").append(kind).append(self.name.pretty(alloc, env)).append(as_doc); + let doc = alloc.text("clone ").append(kind).append(self.name.pretty(alloc)).append(as_doc); if self.subst.is_empty() { doc @@ -371,7 +313,7 @@ impl Print for DeclClone { doc.append(" with").append(alloc.hardline()).append( alloc .intersperse( - self.subst.iter().map(|s| s.pretty(alloc, env)), + self.subst.iter().map(|s| s.pretty(alloc)), alloc.text(",").append(alloc.hardline()), ) .indent(2), 
@@ -381,37 +323,29 @@ impl Print for DeclClone { } impl Print for CloneSubst { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { match self { - CloneSubst::Type(id, ty) => alloc - .text("type ") - .append(id.pretty(alloc, env)) - .append(" = ") - .append(ty.pretty(alloc, env)), - CloneSubst::Val(id, o) => alloc - .text("val ") - .append(id.pretty(alloc, env)) - .append(" = ") - .append(o.pretty(alloc, env)), + CloneSubst::Type(id, ty) => { + alloc.text("type ").append(id.pretty(alloc)).append(" = ").append(ty.pretty(alloc)) + } + CloneSubst::Val(id, o) => { + alloc.text("val ").append(id.pretty(alloc)).append(" = ").append(o.pretty(alloc)) + } CloneSubst::Predicate(id, o) => alloc .text("predicate ") - .append(id.pretty(alloc, env)) + .append(id.pretty(alloc)) .append(" = ") - .append(o.pretty(alloc, env)), + .append(o.pretty(alloc)), CloneSubst::Function(id, o) => alloc .text("function ") - .append(id.pretty(alloc, env)) + .append(id.pretty(alloc)) .append(" = ") - .append(o.pretty(alloc, env)), + .append(o.pretty(alloc)), CloneSubst::Axiom(id) => match id { - Some(id) => alloc.text("axiom ").append(id.pretty(alloc, env)), + Some(id) => alloc.text("axiom ").append(id.pretty(alloc)), None => alloc.text("axiom ."), }, } 
@@ -419,20 +353,16 @@ impl Print for CloneSubst { } impl Print for Use { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { alloc .text("use ") .append(if self.export { alloc.text("export ") } else { alloc.nil() }) - .append(self.name.pretty(alloc, env)) + .append(self.name.pretty(alloc)) .append(if let Some(as_) = &self.as_ { - alloc.text(" as ").append(as_.pretty(alloc, env)) + alloc.text(" as ").append(as_.pretty(alloc)) } else { alloc.nil() }) @@ -440,11 +370,7 @@ impl Print for Use { } impl Print for ValDecl { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { @@ -465,17 +391,13 @@ impl Print for ValDecl { None => {} }; - doc = doc.append(self.sig.pretty(alloc, env)); + doc = doc.append(self.sig.pretty(alloc)); doc } } impl Print for Contract { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { @@ -483,10 +405,7 @@ impl Print for Contract { for req in &self.requires { doc = doc.append( - alloc - .text("requires ") - .append(req.pretty(alloc, env).braces()) - .append(alloc.hardline()), + alloc.text("requires ").append(req.pretty(alloc).braces()).append(alloc.hardline()), ) } 
@@ -494,19 +413,14 @@ impl Print for Contract { doc = doc.append( alloc .text("ensures ") - .append( - alloc.space().append(req.pretty(alloc, env)).append(alloc.space()).braces(), - ) + .append(alloc.space().append(req.pretty(alloc)).append(alloc.space()).braces()) .append(alloc.hardline()), ) } for var in &self.variant { doc = doc.append( - alloc - .text("variant ") - .append(var.pretty(alloc, env).braces()) - .append(alloc.hardline()), + alloc.text("variant ").append(var.pretty(alloc).braces()).append(alloc.hardline()), ) } @@ -515,11 +429,7 @@ impl Print for Contract { } impl Print for CfgFunction { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { @@ -530,7 +440,7 @@ impl Print for CfgFunction { .append(if self.constant { "constant " } else { "" }) .append( self.sig - .pretty(alloc, env) + .pretty(alloc) .append(alloc.line_()) .append(alloc.text(" = [@vc:do_not_keep_trace] [@vc:sp]")), ) @@ -542,9 +452,9 @@ impl Print for CfgFunction { if *ghost { alloc.text("ghost var ") } else { alloc.text("var ") } .append(alloc.as_string(&var.0)) .append(" : ") - .append(ty.pretty(alloc, env)) + .append(ty.pretty(alloc)) .append(if let Some(init) = init { - alloc.text(" = ").append(init.pretty(alloc, env)) + alloc.text(" = ").append(init.pretty(alloc)) } else { alloc.nil() }) @@ -552,11 +462,11 @@ impl Print for CfgFunction { }), alloc.hardline(), )) - .append(self.entry.pretty(alloc, env).append(alloc.hardline())) + .append(self.entry.pretty(alloc).append(alloc.hardline())) .append(sep_end_by( alloc, self.blocks.iter().map(|(id, block)| { - id.pretty(alloc, env).append(alloc.space()).append(block.pretty(alloc, env)) + id.pretty(alloc).append(alloc.space()).append(block.pretty(alloc)) }), alloc.hardline(), )) 
@@ -564,22 +474,18 @@ impl Print for CfgFunction { } impl Print for Type { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { use Type::*; macro_rules! ty_parens { - ($alloc:ident, $env:ident, $e:ident) => { + ($alloc:ident, $e:ident) => { if $e.complex() { - $e.pretty($alloc, $env).parens() + $e.pretty($alloc).parens() } else { - $e.pretty($alloc, $env) + $e.pretty($alloc) } }; } 
@@ -587,145 +493,127 @@ impl Print for Type { Bool => alloc.text("bool"), Char => alloc.text("char"), Integer => alloc.text("int"), - MutableBorrow(box t) => alloc.text("borrowed ").append(ty_parens!(alloc, env, t)), + MutableBorrow(box t) => alloc.text("borrowed ").append(ty_parens!(alloc, t)), TVar(v) => alloc.text(format!("'{}", v.0)), - TConstructor(ty) => ty.pretty(alloc, env), + TConstructor(ty) => ty.pretty(alloc), - TFun(box a, box b) => { - ty_parens!(alloc, env, a).append(" -> ").append(ty_parens!(alloc, env, b)) - } + TFun(box a, box b) => ty_parens!(alloc, a).append(" -> ").append(ty_parens!(alloc, b)), TApp(box tyf, args) => { if args.is_empty() { - tyf.pretty(alloc, env) + tyf.pretty(alloc) } else { - tyf.pretty(alloc, env).append(alloc.space()).append(alloc.intersperse( - args.iter().map(|arg| ty_parens!(alloc, env, arg)), - alloc.space(), - )) + tyf.pretty(alloc).append(alloc.space()).append( + alloc.intersperse( + args.iter().map(|arg| ty_parens!(alloc, arg)), + alloc.space(), + ), + ) } } - Tuple(tys) if tys.len() == 1 => tys[0].pretty(alloc, env), - Tuple(tys) => { - alloc.intersperse(tys.iter().map(|ty| ty.pretty(alloc, env)), ", ").parens() - } + Tuple(tys) if tys.len() == 1 => tys[0].pretty(alloc), + Tuple(tys) => alloc.intersperse(tys.iter().map(|ty| ty.pretty(alloc)), ", ").parens(), } } } impl Print for Trigger { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { match &self.0 { None => alloc.nil(), - Some(exp) => exp.pretty(alloc, env).brackets(), + Some(exp) => exp.pretty(alloc).brackets(), } } } impl Print for Exp { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { match self { 
- Exp::Any(ty) => alloc.text("any ").append(ty.pretty(alloc, env)), - Exp::Current(box e) => alloc.text(" * ").append(parens!(alloc, env, self, e)), - Exp::Final(box e) => alloc.text(" ^ ").append(parens!(alloc, env, self, e)), + Exp::Any(ty) => alloc.text("any ").append(ty.pretty(alloc)), + Exp::Current(box e) => alloc.text(" * ").append(parens!(alloc, self, e)), + Exp::Final(box e) => alloc.text(" ^ ").append(parens!(alloc, self, e)), // TODO parenthesization Exp::Let { pattern, box arg, box body } => alloc .text("let ") - .append(pattern.pretty(alloc, env)) + .append(pattern.pretty(alloc)) .append(" = ") - .append(arg.pretty(alloc, env)) + .append(arg.pretty(alloc)) .append(" in ") - .append(body.pretty(alloc, env)), - Exp::Var(v, _) => v.pretty(alloc, env), - Exp::QVar(v, _) => v.pretty(alloc, env), + .append(body.pretty(alloc)), + Exp::Var(v) => v.pretty(alloc), + Exp::QVar(v) => v.pretty(alloc), Exp::RecUp { box record, updates } => { let mut res = alloc .space() - .append(parens!(alloc, env, self.precedence().next(), record)) + .append(parens!(alloc, self.precedence().next(), record)) .append(" with "); for (label, val) in updates { res = res .append(alloc.text(label)) .append(" = ") - .append(parens!(alloc, env, self, val)) + .append(parens!(alloc, self, val)) .append(" ; "); } res.braces() } - Exp::RecField { box record, label } => { - record.pretty(alloc, env).append(".").append(label) - } + Exp::RecField { box record, label } => record.pretty(alloc).append(".").append(label), Exp::Tuple(args) => alloc - .intersperse(args.iter().map(|a| parens!(alloc, env, Precedence::Cast, a)), ", ") + .intersperse(args.iter().map(|a| parens!(alloc, Precedence::Cast, a)), ", ") .parens(), - Exp::Constructor { ctor, args } => ctor.pretty(alloc, env).append(if args.is_empty() { - alloc.nil() - } else { - alloc.space().append(alloc.intersperse( - args.iter().map(|a| parens!(alloc, env, Precedence::Brackets, a)), - " ", - )) - }), - Exp::Const(c) => c.pretty(alloc, env), - - 
Exp::UnaryOp(UnOp::Not, box op) => { - alloc.text("not ").append(parens!(alloc, env, self, op)) + Exp::Constructor { ctor, args } => { + ctor.pretty(alloc).append(if args.is_empty() { + alloc.nil() + } else { + alloc.space().append(alloc.intersperse( + args.iter().map(|a| parens!(alloc, Precedence::Brackets, a)), + " ", + )) + }) } + Exp::Const(c) => c.pretty(alloc), - Exp::UnaryOp(UnOp::Neg, box op) => { - alloc.text("- ").append(parens!(alloc, env, self, op)) - } + Exp::UnaryOp(UnOp::Not, box op) => alloc.text("not ").append(parens!(alloc, self, op)), + + Exp::UnaryOp(UnOp::Neg, box op) => alloc.text("- ").append(parens!(alloc, self, op)), Exp::UnaryOp(UnOp::FloatNeg, box op) => { - alloc.text(".- ").append(parens!(alloc, env, self, op)) + alloc.text(".- ").append(parens!(alloc, self, op)) } Exp::BinaryOp(op, box l, box r) => match self.associativity() { - Some(AssocDir::Left) => parens!(alloc, env, self, l), - Some(AssocDir::Right) | None => parens!(alloc, env, self.precedence().next(), l), + Some(AssocDir::Left) => parens!(alloc, self, l), + Some(AssocDir::Right) | None => parens!(alloc, self.precedence().next(), l), } .append(alloc.space()) .append(bin_op_to_string(op)) .append(alloc.space()) .append(match self.associativity() { - Some(AssocDir::Right) => parens!(alloc, env, self, r), - Some(AssocDir::Left) | None => parens!(alloc, env, self.precedence().next(), r), + Some(AssocDir::Right) => parens!(alloc, self, r), + Some(AssocDir::Left) | None => parens!(alloc, self.precedence().next(), r), }), Exp::Call(box fun, args) => { - parens!(alloc, env, self, fun).append(alloc.space()).append(alloc.intersperse( - args.iter().map(|a| parens!(alloc, env, Precedence::App.next(), a)), + parens!(alloc, self, fun).append(alloc.space()).append(alloc.intersperse( + args.iter().map(|a| parens!(alloc, Precedence::App.next(), a)), alloc.space(), )) } Exp::Verbatim(verb) => alloc.text(verb), - Exp::Attr(attr, e) => { - attr.pretty(alloc, 
env).append(alloc.space()).append(e.pretty(alloc, env)) - } + Exp::Attr(attr, e) => attr.pretty(alloc).append(alloc.space()).append(e.pretty(alloc)), Exp::Abs(binders, box body) => alloc .text("fun ") - .append( - alloc.intersperse(binders.iter().map(|b| b.pretty(alloc, env)), alloc.space()), - ) + .append(alloc.intersperse(binders.iter().map(|b| b.pretty(alloc)), alloc.space())) .append(" -> ") - .append(body.pretty(alloc, env)), + .append(body.pretty(alloc)), Exp::Match(box scrut, brs) => alloc .text("match ") - .append(scrut.pretty(alloc, env)) + .append(scrut.pretty(alloc)) .append(" with") .append(alloc.hardline()) .append( @@ -734,9 +622,9 @@ impl Print for Exp { brs.iter().map(|(pat, br)| { alloc .text("| ") - .append(pat.pretty(alloc, env)) + .append(pat.pretty(alloc)) .append(" -> ") - .append(br.pretty(alloc, env)) + .append(br.pretty(alloc)) }), alloc.hardline(), ) 
@@ -745,52 +633,60 @@ impl Print for Exp { .append("end"), Exp::IfThenElse(s, i, e) => alloc .text("if ") - .append(s.pretty(alloc, env)) + .append(s.pretty(alloc)) .append(" then") - .append(alloc.line().append(i.pretty(alloc, env)).nest(2).append(alloc.line())) + .append(alloc.line().append(i.pretty(alloc)).nest(2).append(alloc.line())) .append("else") - .append(alloc.line().append(e.pretty(alloc, env)).nest(2).append(alloc.line_())) + .append(alloc.line().append(e.pretty(alloc)).nest(2).append(alloc.line_())) .group(), Exp::Forall(binders, trig, box exp) => alloc .text("forall ") - .append(alloc.intersperse( - binders.iter().map(|(b, t)| { - b.pretty(alloc, env).append(" : ").append(t.pretty(alloc, env)) - }), - ", ", - )) - .append(trig.pretty(alloc, env)) + .append( + alloc.intersperse( + binders + .iter() + .map(|(b, t)| b.pretty(alloc).append(" : ").append(t.pretty(alloc))), + ", ", + ), + ) + .append(trig.pretty(alloc)) .append(" . ") - .append(exp.pretty(alloc, env)), + .append(exp.pretty(alloc)), Exp::Exists(binders, trig, box exp) => alloc .text("exists ") - .append(alloc.intersperse( - binders.iter().map(|(b, t)| { - b.pretty(alloc, env).append(" : ").append(t.pretty(alloc, env)) - }), - ", ", - )) - .append(trig.pretty(alloc, env)) + .append( + alloc.intersperse( + binders + .iter() + .map(|(b, t)| b.pretty(alloc).append(" : ").append(t.pretty(alloc))), + ", ", + ), + ) + .append(trig.pretty(alloc)) .append(" . 
") - .append(exp.pretty(alloc, env)), + .append(exp.pretty(alloc)), Exp::Impl(box hyp, box exp) => { - parens!(alloc, env, self, hyp).append(" -> ").append(parens!(alloc, env, self, exp)) + let hyp = parens!(alloc, self, hyp); + let impl_ = alloc + .line() + .append(alloc.text(" -> ")) + .append(parens!(alloc, self, exp)) + .group(); + + hyp.append(impl_) } Exp::Ascribe(e, t) => { - parens!(alloc, env, self, e).append(" : ").append(t.pretty(alloc, env)).group() - } - Exp::Pure(e) => alloc.text("pure ").append(e.pretty(alloc, env).braces()), - Exp::Ghost(e) => { - alloc.text("ghost ").append(parens!(alloc, env, Precedence::App.next(), e)) + parens!(alloc, self, e).append(" : ").append(t.pretty(alloc)).group() } + Exp::Pure(e) => alloc.text("pure ").append(e.pretty(alloc).braces()), + Exp::Ghost(e) => alloc.text("ghost ").append(parens!(alloc, Precedence::App.next(), e)), Exp::Absurd => alloc.text("absurd"), - Exp::Old(e) => alloc.text("old").append(e.pretty(alloc, env).parens()), + Exp::Old(e) => alloc.text("old").append(e.pretty(alloc).parens()), Exp::Record { fields } => alloc .intersperse( fields.iter().map(|(nm, a)| { alloc.text(nm).append(" = ").append(parens!( alloc, - env, Precedence::Attr.next(), a )) 
@@ -798,36 +694,30 @@ impl Print for Exp { "; ", ) .braces(), - Exp::Chain(fields) => { - alloc.intersperse(fields.iter().map(|f| f.pretty(alloc, env)), "; ") - } - Exp::FnLit(e) => alloc.text("fun _ -> ").append(e.pretty(alloc, env)).parens(), - Exp::Assert(e) => alloc.text("assert ").append(e.pretty(alloc, env).braces()), - Exp::Assume(e) => alloc.text("assume ").append(e.pretty(alloc, env).braces()), + Exp::Chain(fields) => alloc.intersperse(fields.iter().map(|f| f.pretty(alloc)), "; "), + Exp::FnLit(e) => alloc.text("fun _ -> ").append(e.pretty(alloc)).parens(), + Exp::Assert(e) => alloc.text("assert ").append(e.pretty(alloc).braces()), + Exp::Assume(e) => alloc.text("assume ").append(e.pretty(alloc).braces()), } } } impl Print for Binder { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { match self { Binder::Wild => alloc.text("_"), - Binder::UnNamed(ty) => ty.pretty(alloc, env), - Binder::Named(id) => id.pretty(alloc, env), + Binder::UnNamed(ty) => ty.pretty(alloc), + Binder::Named(id) => id.pretty(alloc), Binder::Typed(ghost, ids, ty) => { (if *ghost { alloc.text("ghost ") } else { alloc.nil() }) .append( alloc - .intersperse(ids.iter().map(|id| id.pretty(alloc, env)), alloc.space()) + .intersperse(ids.iter().map(|id| id.pretty(alloc)), alloc.space()) .append(" : ") - .append(ty.pretty(alloc, env)), + .append(ty.pretty(alloc)), ) .parens() } 
@@ -838,52 +728,47 @@ impl Print for Binder { fn pretty_attr<'b, 'a: 'b, A: DocAllocator<'a>>( attr: &'a Option, alloc: &'a A, - env: &mut PrintEnv, ) -> DocBuilder<'a, A> where A::Doc: Clone, { match attr { - Some(attr) => attr.pretty(alloc, env).append(" "), + Some(attr) => attr.pretty(alloc).append(" "), None => alloc.nil(), } } impl Print for Statement { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { match self { - Statement::Assign { attr, lhs, rhs } => pretty_attr(attr, alloc, env) - .append(lhs.pretty(alloc, env)) + Statement::Assign { attr, lhs, rhs } => pretty_attr(attr, alloc) + .append(lhs.pretty(alloc)) .append(" <- ") - .append(parens!(alloc, env, Precedence::Impl, rhs)), + .append(parens!(alloc, Precedence::Impl, rhs)), Statement::Invariant(e) => { - let doc = alloc.text("invariant ").append( - alloc.space().append(e.pretty(alloc, env)).append(alloc.space()).braces(), - ); + let doc = alloc + .text("invariant ") + .append(alloc.space().append(e.pretty(alloc)).append(alloc.space()).braces()); doc } Statement::Variant(e) => { - let doc = alloc.text("variant ").append( - alloc.space().append(e.pretty(alloc, env)).append(alloc.space()).braces(), - ); + let doc = alloc + .text("variant ") + .append(alloc.space().append(e.pretty(alloc)).append(alloc.space()).braces()); doc } Statement::Assume(assump) => { let doc = alloc.text("assume ").append( - alloc.space().append(assump.pretty(alloc, env)).append(alloc.space()).braces(), + alloc.space().append(assump.pretty(alloc)).append(alloc.space()).braces(), ); doc } Statement::Assert(assert) => { let doc = alloc.text("assert ").append( - alloc.space().append(assert.pretty(alloc, env)).append(alloc.space()).braces(), + alloc.space().append(assert.pretty(alloc)).append(alloc.space()).braces(), ); doc } 
@@ -892,22 +777,18 @@ impl Print for Statement { } impl Print for Terminator { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { use Terminator::*; match self { - Goto(tgt) => alloc.text("goto ").append(tgt.pretty(alloc, env)), + Goto(tgt) => alloc.text("goto ").append(tgt.pretty(alloc)), Absurd => alloc.text("absurd"), Return => alloc.text("return _0"), Switch(discr, brs) => alloc .text("switch ") - .append(discr.pretty(alloc, env).parens()) + .append(discr.pretty(alloc).parens()) .append(alloc.hardline()) .append( sep_end_by( @@ -915,9 +796,9 @@ impl Print for Terminator { brs.iter().map(|(pat, tgt)| { alloc .text("| ") - .append(pat.pretty(alloc, env)) + .append(pat.pretty(alloc)) .append(" -> ") - .append(tgt.pretty(alloc, env)) + .append(tgt.pretty(alloc)) }), alloc.hardline(), ) @@ -929,30 +810,26 @@ impl Print for Terminator { } impl Print for Pattern { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { match self { Pattern::Wildcard => alloc.text("_"), - Pattern::VarP(v) => v.pretty(alloc, env), + Pattern::VarP(v) => v.pretty(alloc), Pattern::TupleP(pats) => { - alloc.intersperse(pats.iter().map(|p| p.pretty(alloc, env)), ", ").parens() + alloc.intersperse(pats.iter().map(|p| p.pretty(alloc)), ", ").parens() } Pattern::ConsP(c, pats) => { - let mut doc = c.pretty(alloc, env); + let mut doc = c.pretty(alloc); if !pats.is_empty() { doc = doc.append(alloc.space()).append(alloc.intersperse( pats.iter().map(|p| { if matches!(p, Pattern::ConsP(_, _)) { - p.pretty(alloc, env).parens() + p.pretty(alloc).parens() } else { - p.pretty(alloc, env) + p.pretty(alloc) } }), " ", 
@@ -965,11 +842,7 @@ impl Print for Pattern { } impl Print for BlockId { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - _: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { @@ -996,11 +869,7 @@ where } impl Print for Block { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { @@ -1009,10 +878,10 @@ impl Print for Block { .append( sep_end_by( alloc, - self.statements.iter().map(|stmt| stmt.pretty(alloc, env)), + self.statements.iter().map(|stmt| stmt.pretty(alloc)), alloc.text(";").append(alloc.line()), ) - .append(self.terminator.pretty(alloc, env)), + .append(self.terminator.pretty(alloc)), ) .nest(2) .append(alloc.hardline()) @@ -1051,11 +920,7 @@ fn bin_op_to_string(op: &BinOp) -> &str { } impl Print for Constant { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { @@ -1069,11 +934,11 @@ impl Print for Constant { } } Constant::Int(i, Some(t)) => { - alloc.as_string(i).append(" : ").append(t.pretty(alloc, env)).parens() + alloc.as_string(i).append(" : ").append(t.pretty(alloc)).parens() } Constant::Int(i, None) => alloc.as_string(i), Constant::Uint(i, Some(t)) => { - alloc.as_string(i).append(" : ").append(t.pretty(alloc, env)).parens() + alloc.as_string(i).append(" : ").append(t.pretty(alloc)).parens() } Constant::String(s) => alloc.text(format!("{s:?}")), Constant::Uint(i, None) => alloc.as_string(i), 
@@ -1088,7 +953,7 @@ impl Print for Constant { Constant::Float(f, Some(t)) => { assert!(f.is_finite()); let f_str = print_float(*f); - alloc.text(f_str).append(" : ").append(t.pretty(alloc, env)).parens() + alloc.text(f_str).append(" : ").append(t.pretty(alloc)).parens() } } } @@ -1112,21 +977,17 @@ fn print_float(f: f64) -> String { } impl Print for TyDecl { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { let ty_decl = match self { TyDecl::Opaque { ty_name, ty_params } => { - let mut decl = alloc.text("type ").append(ty_name.pretty(alloc, env)); + let mut decl = alloc.text("type ").append(ty_name.pretty(alloc)); if !ty_params.is_empty() { decl = decl.append(" ").append(alloc.intersperse( - ty_params.iter().map(|p| alloc.text("'").append(p.pretty(alloc, env))), + ty_params.iter().map(|p| alloc.text("'").append(p.pretty(alloc))), alloc.space(), )); } @@ -1134,14 +995,14 @@ impl Print for TyDecl { } TyDecl::Alias { ty_name, ty_params, alias } => alloc .text("type ") - .append(ty_name.pretty(alloc, env)) + .append(ty_name.pretty(alloc)) .append(" ") .append(alloc.intersperse( - ty_params.iter().map(|p| alloc.text("'").append(p.pretty(alloc, env))), + ty_params.iter().map(|p| alloc.text("'").append(p.pretty(alloc))), alloc.space(), )) .append(alloc.text(" =").append(alloc.hardline())) - .append(alias.pretty(alloc, env).indent(2)), + .append(alias.pretty(alloc).indent(2)), TyDecl::Adt { tys } => { use std::iter::*; let header = once("type").chain(repeat("with")); 
@@ -1151,21 +1012,21 @@ impl Print for TyDecl { decl = decl .append(hdr) .append(" ") - .append(ty_decl.ty_name.pretty(alloc, env)) + .append(ty_decl.ty_name.pretty(alloc)) .append(" ") .append( alloc.intersperse( ty_decl .ty_params .iter() - .map(|p| alloc.text("'").append(p.pretty(alloc, env))), + .map(|p| alloc.text("'").append(p.pretty(alloc))), alloc.space(), ), ); let mut inner_doc = alloc.nil(); for cons in &ty_decl.constrs { - let ty_cons = alloc.text("| ").append(cons.pretty(alloc, env)); + let ty_cons = alloc.text("| ").append(cons.pretty(alloc)); inner_doc = inner_doc.append(ty_cons.append(alloc.hardline())) } decl = decl @@ -1177,9 +1038,9 @@ impl Print for TyDecl { }; // let mut ty_decl = - // alloc.text("type ").append(self.ty_name.pretty(alloc, env)).append(" ").append( + // alloc.text("type ").append(self.ty_name.pretty(alloc)).append(" ").append( // alloc.intersperse( - // self.ty_params.iter().map(|p| alloc.text("'").append(p.pretty(alloc, env))), + // self.ty_params.iter().map(|p| alloc.text("'").append(p.pretty(alloc))), // alloc.space(), // ), // ); @@ -1188,24 +1049,20 @@ impl Print for TyDecl { // ty_decl = ty_decl.append(alloc.text(" =").append(alloc.hardline())); // } ty_decl - // ty_decl.append(self.kind.pretty(alloc, env).indent(2)) + // ty_decl.append(self.kind.pretty(alloc).indent(2)) } } impl Print for ConstructorDecl { - fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>( - &'a self, - alloc: &'a A, - env: &mut PrintEnv, - ) -> DocBuilder<'a, A> + fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A> where A::Doc: Clone, { - let mut cons_doc = self.name.pretty(alloc, env); + let mut cons_doc = self.name.pretty(alloc); if !self.fields.is_empty() { cons_doc = cons_doc.append(alloc.space()).append( - alloc.intersperse(self.fields.iter().map(|ty_arg| ty_arg.pretty(alloc, env)), " "), + alloc.intersperse(self.fields.iter().map(|ty_arg| ty_arg.pretty(alloc)), " "), ); } 
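Review bot: The `TyDecl` printer carries roughly ten lines of commented-out code (`// let mut ty_decl = …` through `// ty_decl.append(self.kind.pretty(alloc).indent(2))`), and this commit keeps that dead code in sync with the signature change instead of deleting it. Commented-out code that is maintained like live code is the worst of both worlds: it costs review attention on every refactor and never compiles, so it cannot be trusted as documentation of the older shape. The history is in git; I would drop the block and, if the older single-declaration form is worth remembering, replace it with a one-line comment such as `// Adt printing handles mutually recursive types via the `type … with …` chain; see git history for the old single-type form.`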
@@ -1214,17 +1071,13 @@ impl Print for ConstructorDecl {
 }
 impl Print for Field {
-fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(
-&'a self,
-alloc: &'a A,
-env: &mut PrintEnv,
-) -> DocBuilder<'a, A>
+fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A>
 where
 A::Doc: Clone,
 {
 let parens = self.ghost || self.ty.complex();
 let doc = if self.ghost { alloc.text("ghost ") } else { alloc.nil() }
-.append(self.ty.pretty(alloc, env));
+.append(self.ty.pretty(alloc));
 if parens {
 doc.parens()
@@ -1234,11 +1087,7 @@ impl Print for Field {
 }
 }
 impl Print for Ident {
-fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(
-&'a self,
-alloc: &'a A,
-_env: &mut PrintEnv,
-) -> DocBuilder<'a, A>
+fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A>
 where
 A::Doc: Clone,
 {
@@ -1247,11 +1096,7 @@ impl Print for Ident {
 }
 impl Print for QName {
-fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(
-&'a self,
-alloc: &'a A,
-_: &mut PrintEnv,
-) -> DocBuilder<'a, A>
+fn pretty<'b, 'a: 'b, A: DocAllocator<'a>>(&'a self, alloc: &'a A) -> DocBuilder<'a, A>
 where
 A::Doc: Clone,
 {
diff --git a/why3/src/name.rs b/why3/src/name.rs
index c45db84071..c1edf2e1c8 100644
--- a/why3/src/name.rs
+++ b/why3/src/name.rs
@@ -55,7 +55,7 @@ impl From for Ident {
 impl From for Exp {
 fn from(q: QName) -> Self {
-Exp::impure_qvar(q)
+Exp::qvar(q)
 }
 }
diff --git a/why3tests/Cargo.toml b/why3tests/Cargo.toml
index 8f178c96cb..0dee81ac7f 100644
--- a/why3tests/Cargo.toml
+++ b/why3tests/Cargo.toml
@@ -11,6 +11,7 @@ termcolor = "1.1"
 git2 = "0.14.4"
 clap = { version = "4.2", features = ["env", "derive"]}
 roxmltree = "0.18.0"
+creusot-dev-config = { path = "../creusot-dev-config" }
 [[test]]
 test = false
diff --git a/why3tests/tests/why3.rs b/why3tests/tests/why3.rs
index d2879f6069..08084bba3a 100644
--- a/why3tests/tests/why3.rs
+++ b/why3tests/tests/why3.rs
@@ -5,7 +5,7 @@ use std::{
 fs::File,
 io::{BufRead, BufReader, Write},
 path::PathBuf,
-process::{exit, Command},
+process::exit,
 };
 use termcolor::*;
@@ -37,8 +37,7 @@ struct Args {
 fn main() {
 let args = Args::parse();
-let why3_path = std::env::var("WHY3_PATH").unwrap_or_else(|_| "why3".into());
-let config_path = std::env::var("WHY3_CONFIG");
+
 let mut out = StandardStream::stdout(ColorChoice::Always);
 let orange = Color::Ansi256(214);
@@ -93,9 +92,10 @@ fn main() {
 sessionfile.push("why3session.xml");
 let output;
-let mut command = Command::new(why3_path.clone());
+let mut command = creusot_dev_config::why3_command().unwrap();
 command.arg("--warn-off=unused_variable");
 command.arg("--warn-off=clone_not_abstract");
+command.arg("--warn-off=axiom_abstract");
 if sessionfile.is_file() {
 let proved = BufReader::new(File::open(&sessionfile).unwrap())
@@ -139,10 +139,6 @@ fn main() {
 ReplayLevel::All => {}
 };
-if let Ok(ref config) = config_path {
-command.args(&["-C", config]);
-// command.arg(&format!("--extra-config={config}"));
-}
 command.arg(sessiondir);
 output = command.ok();
 if output.is_ok() {
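Review bot: `creusot_dev_config::why3_command().unwrap()` in the `@@ -93` hunk panics with no explanation when the dev config cannot be resolved, which in a test harness that otherwise prints coloured diagnostics through `out` turns a setup problem into an opaque backtrace; `let mut command = creusot_dev_config::why3_command().expect("could not resolve the why3 binary from the creusot dev config");` states the invariant, or report the error on `out` and call `exit(1)`, which this file already imports. The `@@ -139` hunk removes the `-C <config>` argument without anything in this file taking its place, so the test now presumably relies on `why3_command()` to configure why3 itself; a one-line comment at the call site saying so would save the next reader from looking for the lost flag. The `@@ -37` hunk also appears to add an empty line right after `let args = Args::parse();`, leaving two consecutive blank lines. `fn main` starts before and continues past each of these hunks.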
