src/HOL/Tools/Nitpick/nitpick_kodkod.ML

added support for binary nat/int representation to Nitpick

(*  Title:      HOL/Tools/Nitpick/nitpick_kodkod.ML
    Author:     Jasmin Blanchette, TU Muenchen
    Copyright   2008, 2009

Kodkod problem generator part of Kodkod.
*)

signature NITPICK_KODKOD =
sig
  type extended_context = Nitpick_HOL.extended_context
  type dtype_spec = Nitpick_Scope.dtype_spec
  type kodkod_constrs = Nitpick_Peephole.kodkod_constrs
  type nut = Nitpick_Nut.nut
  type nfa_transition = Kodkod.rel_expr * typ
  type nfa_entry = typ * nfa_transition list
  type nfa_table = nfa_entry list

  structure NameTable : TABLE

  val univ_card :
    int -> int -> int -> Kodkod.bound list -> Kodkod.formula -> int
  val check_bits : int -> Kodkod.formula -> unit
  val check_arity : int -> int -> unit
  val kk_tuple : bool -> int -> int list -> Kodkod.tuple
  val tuple_set_from_atom_schema : (int * int) list -> Kodkod.tuple_set
  val sequential_int_bounds : int -> Kodkod.int_bound list
  val pow_of_two_int_bounds : int -> int -> int -> Kodkod.int_bound list
  val bounds_for_built_in_rels_in_formula :
    bool -> int -> int -> int -> int -> Kodkod.formula -> Kodkod.bound list
  val bound_for_plain_rel : Proof.context -> bool -> nut -> Kodkod.bound
  val bound_for_sel_rel :
    Proof.context -> bool -> dtype_spec list -> nut -> Kodkod.bound
  val merge_bounds : Kodkod.bound list -> Kodkod.bound list
  val declarative_axiom_for_plain_rel : kodkod_constrs -> nut -> Kodkod.formula
  val declarative_axioms_for_datatypes :
    extended_context -> int -> int Typtab.table -> kodkod_constrs
    -> nut NameTable.table -> dtype_spec list -> Kodkod.formula list
  val kodkod_formula_from_nut :
    int -> int Typtab.table -> bool -> kodkod_constrs -> nut -> Kodkod.formula
end;

structure Nitpick_Kodkod : NITPICK_KODKOD =
struct

open Nitpick_Util
open Nitpick_HOL
open Nitpick_Scope
open Nitpick_Peephole
open Nitpick_Rep
open Nitpick_Nut

type nfa_transition = Kodkod.rel_expr * typ
type nfa_entry = typ * nfa_transition list
type nfa_table = nfa_entry list

structure NfaGraph = Graph(type key = typ val ord = TermOrd.typ_ord)

(* int -> Kodkod.int_expr list *)
fun flip_nums n = index_seq 1 n @ [0] |> map Kodkod.Num

(* int -> int -> int -> Kodkod.bound list -> Kodkod.formula -> int *)
fun univ_card nat_card int_card main_j0 bounds formula =
  let
    (* Kodkod.rel_expr -> int -> int *)
    fun rel_expr_func r k =
      Int.max (k, case r of
                    Kodkod.Atom j => j + 1
                  | Kodkod.AtomSeq (k', j0) => j0 + k'
                  | _ => 0)
    (* Kodkod.tuple -> int -> int *)
    fun tuple_func t k =
      case t of
        Kodkod.Tuple js => fold Integer.max (map (Integer.add 1) js) k
      | _ => k
    (* Kodkod.tuple_set -> int -> int *)
    fun tuple_set_func ts k =
      Int.max (k, case ts of Kodkod.TupleAtomSeq (k', j0) => j0 + k' | _ => 0)
    val expr_F = {formula_func = K I, rel_expr_func = rel_expr_func,
                  int_expr_func = K I}
    val tuple_F = {tuple_func = tuple_func, tuple_set_func = tuple_set_func}
    val card = fold (Kodkod.fold_bound expr_F tuple_F) bounds 1
               |> Kodkod.fold_formula expr_F formula
  in Int.max (main_j0 + fold Integer.max [2, nat_card, int_card] 0, card) end

(* int -> Kodkod.formula -> unit *)
fun check_bits bits formula =
  let
    (* Kodkod.int_expr -> unit -> unit *)
    fun int_expr_func (Kodkod.Num k) () =
        if is_twos_complement_representable bits k then
          ()
        else
          raise TOO_SMALL ("Nitpick_Kodkod.check_bits",
                           "\"bits\" value " ^ string_of_int bits ^
                           " too small for problem")
      | int_expr_func _ () = ()
    val expr_F = {formula_func = K I, rel_expr_func = K I,
                  int_expr_func = int_expr_func}
  in Kodkod.fold_formula expr_F formula () end

(* int -> int -> unit *)
fun check_arity univ_card n =
  if n > Kodkod.max_arity univ_card then
    raise TOO_LARGE ("Nitpick_Kodkod.check_arity",
                     "arity " ^ string_of_int n ^ " too large for universe of \
                     \cardinality " ^ string_of_int univ_card)
  else
    ()

(* bool -> int -> int list -> Kodkod.tuple *)
fun kk_tuple debug univ_card js =
  if debug then
    Kodkod.Tuple js
  else
    Kodkod.TupleIndex (length js,
                       fold (fn j => fn accum => accum * univ_card + j) js 0)

(* (int * int) list -> Kodkod.tuple_set *)
val tuple_set_from_atom_schema =
  foldl1 Kodkod.TupleProduct o map Kodkod.TupleAtomSeq
(* rep -> Kodkod.tuple_set *)
val upper_bound_for_rep = tuple_set_from_atom_schema o atom_schema_of_rep

(* int -> Kodkod.tuple_set *)
val single_atom = Kodkod.TupleSet o single o Kodkod.Tuple o single
(* int -> Kodkod.int_bound list *)
fun sequential_int_bounds n = [(NONE, map single_atom (index_seq 0 n))]
(* int -> int -> Kodkod.int_bound list *)
fun pow_of_two_int_bounds bits j0 univ_card =
  let
    (* int -> int -> int -> Kodkod.int_bound list *)
    fun aux 0  _ _ = []
      | aux 1 pow_of_two j =
        if j < univ_card then [(SOME (~ pow_of_two), [single_atom j])] else []
      | aux iter pow_of_two j =
        (SOME pow_of_two, [single_atom j]) ::
        aux (iter - 1) (2 * pow_of_two) (j + 1)
  in aux (bits + 1) 1 j0 end

(* Kodkod.formula -> Kodkod.n_ary_index list *)
fun built_in_rels_in_formula formula =
  let
    (* Kodkod.rel_expr -> Kodkod.n_ary_index list -> Kodkod.n_ary_index list *)
    fun rel_expr_func (r as Kodkod.Rel (x as (n, j))) =
        if x = unsigned_bit_word_sel_rel orelse x = signed_bit_word_sel_rel then
          I
        else
          (case AList.lookup (op =) (#rels initial_pool) n of
             SOME k => j < k ? insert (op =) x
           | NONE => I)
      | rel_expr_func _ = I
    val expr_F = {formula_func = K I, rel_expr_func = rel_expr_func,
                  int_expr_func = K I}
  in Kodkod.fold_formula expr_F formula [] end

val max_table_size = 65536

(* int -> unit *)
fun check_table_size k =
  if k > max_table_size then
    raise TOO_LARGE ("Nitpick_Kodkod.check_table_size",
                     "precomputed table too large (" ^ string_of_int k ^ ")")
  else
    ()

(* bool -> int -> int * int -> (int -> int) -> Kodkod.tuple list *)
fun tabulate_func1 debug univ_card (k, j0) f =
  (check_table_size k;
   map_filter (fn j1 => let val j2 = f j1 in
                          if j2 >= 0 then
                            SOME (kk_tuple debug univ_card [j1 + j0, j2 + j0])
                          else
                            NONE
                        end) (index_seq 0 k))
(* bool -> int -> int * int -> int -> (int * int -> int) -> Kodkod.tuple list *)
fun tabulate_op2 debug univ_card (k, j0) res_j0 f =
  (check_table_size (k * k);
   map_filter (fn j => let
                         val j1 = j div k
                         val j2 = j - j1 * k
                         val j3 = f (j1, j2)
                       in
                         if j3 >= 0 then
                           SOME (kk_tuple debug univ_card
                                          [j1 + j0, j2 + j0, j3 + res_j0])
                         else
                           NONE
                       end) (index_seq 0 (k * k)))
(* bool -> int -> int * int -> int -> (int * int -> int * int)
   -> Kodkod.tuple list *)
fun tabulate_op2_2 debug univ_card (k, j0) res_j0 f =
  (check_table_size (k * k);
   map_filter (fn j => let
                         val j1 = j div k
                         val j2 = j - j1 * k
                         val (j3, j4) = f (j1, j2)
                       in
                         if j3 >= 0 andalso j4 >= 0 then
                           SOME (kk_tuple debug univ_card
                                          [j1 + j0, j2 + j0, j3 + res_j0,
                                           j4 + res_j0])
                         else
                           NONE
                       end) (index_seq 0 (k * k)))
(* bool -> int -> int * int -> (int * int -> int) -> Kodkod.tuple list *)
fun tabulate_nat_op2 debug univ_card (k, j0) f =
  tabulate_op2 debug univ_card (k, j0) j0 (atom_for_nat (k, 0) o f)
fun tabulate_int_op2 debug univ_card (k, j0) f =
  tabulate_op2 debug univ_card (k, j0) j0
               (atom_for_int (k, 0) o f o pairself (int_for_atom (k, 0)))
(* bool -> int -> int * int -> (int * int -> int * int) -> Kodkod.tuple list *)
fun tabulate_int_op2_2 debug univ_card (k, j0) f =
  tabulate_op2_2 debug univ_card (k, j0) j0
                 (pairself (atom_for_int (k, 0)) o f
                  o pairself (int_for_atom (k, 0)))

(* int * int -> int *)
fun isa_div (m, n) = m div n handle General.Div => 0
fun isa_mod (m, n) = m mod n handle General.Div => m
fun isa_gcd (m, 0) = m
  | isa_gcd (m, n) = isa_gcd (n, isa_mod (m, n))
fun isa_lcm (m, n) = isa_div (m * n, isa_gcd (m, n))
val isa_zgcd = isa_gcd o pairself abs
(* int * int -> int * int *)
fun isa_norm_frac (m, n) =
  if n < 0 then isa_norm_frac (~m, ~n)
  else if m = 0 orelse n = 0 then (0, 1)
  else let val p = isa_zgcd (m, n) in (isa_div (m, p), isa_div (n, p)) end

(* bool -> int -> int -> int -> int -> int * int
   -> string * bool * Kodkod.tuple list *)
fun tabulate_built_in_rel debug univ_card nat_card int_card j0 (x as (n, _)) =
  (check_arity univ_card n;
   if x = not3_rel then
     ("not3", tabulate_func1 debug univ_card (2, j0) (curry (op -) 1))
   else if x = suc_rel then
     ("suc", tabulate_func1 debug univ_card (univ_card - j0 - 1, j0)
                            (Integer.add 1))
   else if x = nat_add_rel then
     ("nat_add", tabulate_nat_op2 debug univ_card (nat_card, j0) (op +))
   else if x = int_add_rel then
     ("int_add", tabulate_int_op2 debug univ_card (int_card, j0) (op +))
   else if x = nat_subtract_rel then
     ("nat_subtract",
      tabulate_op2 debug univ_card (nat_card, j0) j0 (uncurry nat_minus))
   else if x = int_subtract_rel then
     ("int_subtract", tabulate_int_op2 debug univ_card (int_card, j0) (op -))
   else if x = nat_multiply_rel then
     ("nat_multiply", tabulate_nat_op2 debug univ_card (nat_card, j0) (op * ))
   else if x = int_multiply_rel then
     ("int_multiply", tabulate_int_op2 debug univ_card (int_card, j0) (op * ))
   else if x = nat_divide_rel then
     ("nat_divide", tabulate_nat_op2 debug univ_card (nat_card, j0) isa_div)
   else if x = int_divide_rel then
     ("int_divide", tabulate_int_op2 debug univ_card (int_card, j0) isa_div)
   else if x = nat_less_rel then
     ("nat_less", tabulate_nat_op2 debug univ_card (nat_card, j0)
                                   (int_for_bool o op <))
   else if x = int_less_rel then
     ("int_less", tabulate_int_op2 debug univ_card (int_card, j0)
                                   (int_for_bool o op <))
   else if x = gcd_rel then
     ("gcd", tabulate_nat_op2 debug univ_card (nat_card, j0) isa_gcd)
   else if x = lcm_rel then
     ("lcm", tabulate_nat_op2 debug univ_card (nat_card, j0) isa_lcm)
   else if x = norm_frac_rel then
     ("norm_frac", tabulate_int_op2_2 debug univ_card (int_card, j0)
                                      isa_norm_frac)
   else
     raise ARG ("Nitpick_Kodkod.tabulate_built_in_rel", "unknown relation"))

(* bool -> int -> int -> int -> int -> int * int -> Kodkod.rel_expr
   -> Kodkod.bound *)
fun bound_for_built_in_rel debug univ_card nat_card int_card j0 x =
  let
    val (nick, ts) = tabulate_built_in_rel debug univ_card nat_card int_card
                                           j0 x
  in ([(x, nick)], [Kodkod.TupleSet ts]) end

(* bool -> int -> int -> int -> int -> Kodkod.formula -> Kodkod.bound list *)
fun bounds_for_built_in_rels_in_formula debug univ_card nat_card int_card j0 =
  map (bound_for_built_in_rel debug univ_card nat_card int_card j0)
  o built_in_rels_in_formula

(* Proof.context -> bool -> string -> typ -> rep -> string *)
fun bound_comment ctxt debug nick T R =
  short_name nick ^
  (if debug then " :: " ^ plain_string_from_yxml (Syntax.string_of_typ ctxt T)
   else "") ^ " : " ^ string_for_rep R

(* Proof.context -> bool -> nut -> Kodkod.bound *)
fun bound_for_plain_rel ctxt debug (u as FreeRel (x, T, R, nick)) =
    ([(x, bound_comment ctxt debug nick T R)],
     if nick = @{const_name bisim_iterator_max} then
       case R of
         Atom (k, j0) => [single_atom (k - 1 + j0)]
       | _ => raise NUT ("Nitpick_Kodkod.bound_for_plain_rel", [u])
     else
       [Kodkod.TupleSet [], upper_bound_for_rep R])
  | bound_for_plain_rel _ _ u =
    raise NUT ("Nitpick_Kodkod.bound_for_plain_rel", [u])

(* Proof.context -> bool -> dtype_spec list -> nut -> Kodkod.bound *)
fun bound_for_sel_rel ctxt debug dtypes
        (FreeRel (x, T as Type ("fun", [T1, T2]), R as Func (Atom (_, j0), R2),
                  nick)) =
    let
      val constr as {delta, epsilon, exclusive, explicit_max, ...} =
        constr_spec dtypes (original_name nick, T1)
    in
      ([(x, bound_comment ctxt debug nick T R)],
       if explicit_max = 0 then
         [Kodkod.TupleSet []]
       else
         let val ts = Kodkod.TupleAtomSeq (epsilon - delta, delta + j0) in
           if R2 = Formula Neut then
             [ts] |> not exclusive ? cons (Kodkod.TupleSet [])
           else
             [Kodkod.TupleSet [],
              Kodkod.TupleProduct (ts, upper_bound_for_rep R2)]
         end)
    end
  | bound_for_sel_rel _ _ _ u =
    raise NUT ("Nitpick_Kodkod.bound_for_sel_rel", [u])

(* Kodkod.bound list -> Kodkod.bound list *)
fun merge_bounds bs =
  let
    (* Kodkod.bound -> int *)
    fun arity (zs, _) = fst (fst (hd zs))
    (* Kodkod.bound list -> Kodkod.bound -> Kodkod.bound list
       -> Kodkod.bound list *)
    fun add_bound ds b [] = List.revAppend (ds, [b])
      | add_bound ds b (c :: cs) =
        if arity b = arity c andalso snd b = snd c then
          List.revAppend (ds, (fst c @ fst b, snd c) :: cs)
        else
          add_bound (c :: ds) b cs
  in fold (add_bound []) bs [] end

(* int -> int -> Kodkod.rel_expr list *)
fun unary_var_seq j0 n = map (curry Kodkod.Var 1) (index_seq j0 n)

(* int list -> Kodkod.rel_expr *)
val singleton_from_combination = foldl1 Kodkod.Product o map Kodkod.Atom
(* rep -> Kodkod.rel_expr list *)
fun all_singletons_for_rep R =
  if is_lone_rep R then
    all_combinations_for_rep R |> map singleton_from_combination
  else
    raise REP ("Nitpick_Kodkod.all_singletons_for_rep", [R])

(* Kodkod.rel_expr -> Kodkod.rel_expr list *)
fun unpack_products (Kodkod.Product (r1, r2)) =
    unpack_products r1 @ unpack_products r2
  | unpack_products r = [r]
fun unpack_joins (Kodkod.Join (r1, r2)) = unpack_joins r1 @ unpack_joins r2
  | unpack_joins r = [r]

(* rep -> Kodkod.rel_expr *)
val empty_rel_for_rep = empty_n_ary_rel o arity_of_rep
fun full_rel_for_rep R =
  case atom_schema_of_rep R of
    [] => raise REP ("Nitpick_Kodkod.full_rel_for_rep", [R])
  | schema => foldl1 Kodkod.Product (map Kodkod.AtomSeq schema)

(* int -> int list -> Kodkod.decl list *)
fun decls_for_atom_schema j0 schema =
  map2 (fn j => fn x => Kodkod.DeclOne ((1, j), Kodkod.AtomSeq x))
       (index_seq j0 (length schema)) schema

(* The type constraint below is a workaround for a Poly/ML bug. *)

(* kodkod_constrs -> rep -> Kodkod.rel_expr -> Kodkod.formula *)
fun d_n_ary_function ({kk_all, kk_join, kk_lone, kk_one, ...} : kodkod_constrs)
                     R r =
  let val body_R = body_rep R in
    if is_lone_rep body_R then
      let
        val binder_schema = atom_schema_of_reps (binder_reps R)
        val body_schema = atom_schema_of_rep body_R
        val one = is_one_rep body_R
        val opt_x = case r of Kodkod.Rel x => SOME x | _ => NONE
      in
        if opt_x <> NONE andalso length binder_schema = 1
           andalso length body_schema = 1 then
          (if one then Kodkod.Function else Kodkod.Functional)
              (the opt_x, Kodkod.AtomSeq (hd binder_schema),
               Kodkod.AtomSeq (hd body_schema))
        else
          let
            val decls = decls_for_atom_schema ~1 binder_schema
            val vars = unary_var_seq ~1 (length binder_schema)
            val kk_xone = if one then kk_one else kk_lone
          in kk_all decls (kk_xone (fold kk_join vars r)) end
      end
    else
      Kodkod.True
  end
fun kk_n_ary_function kk R (r as Kodkod.Rel x) =
    if not (is_opt_rep R) then
      if x = suc_rel then
        Kodkod.False
      else if x = nat_add_rel then
        formula_for_bool (card_of_rep (body_rep R) = 1)
      else if x = nat_multiply_rel then
        formula_for_bool (card_of_rep (body_rep R) <= 2)
      else
        d_n_ary_function kk R r
    else if x = nat_subtract_rel then
      Kodkod.True
    else
      d_n_ary_function kk R r
  | kk_n_ary_function kk R r = d_n_ary_function kk R r

(* kodkod_constrs -> Kodkod.rel_expr list -> Kodkod.formula *)
fun kk_disjoint_sets _ [] = Kodkod.True
  | kk_disjoint_sets (kk as {kk_and, kk_no, kk_intersect, ...} : kodkod_constrs)
                     (r :: rs) =
    fold (kk_and o kk_no o kk_intersect r) rs (kk_disjoint_sets kk rs)

(* int -> kodkod_constrs -> (Kodkod.rel_expr -> Kodkod.rel_expr)
   -> Kodkod.rel_expr -> Kodkod.rel_expr *)
fun basic_rel_rel_let j ({kk_rel_let, ...} : kodkod_constrs) f r =
  if inline_rel_expr r then
    f r
  else
    let val x = (Kodkod.arity_of_rel_expr r, j) in
      kk_rel_let [Kodkod.AssignRelReg (x, r)] (f (Kodkod.RelReg x))
    end
(* kodkod_constrs -> (Kodkod.rel_expr -> Kodkod.rel_expr) -> Kodkod.rel_expr
   -> Kodkod.rel_expr *)
val single_rel_rel_let = basic_rel_rel_let 0
(* kodkod_constrs -> (Kodkod.rel_expr -> Kodkod.rel_expr -> Kodkod.rel_expr)
   -> Kodkod.rel_expr -> Kodkod.rel_expr -> Kodkod.rel_expr *)
fun double_rel_rel_let kk f r1 r2 =
  single_rel_rel_let kk (fn r1 => basic_rel_rel_let 1 kk (f r1) r2) r1
(* kodkod_constrs
   -> (Kodkod.rel_expr -> Kodkod.rel_expr -> Kodkod.rel_expr -> Kodkod.rel_expr)
   -> Kodkod.rel_expr -> Kodkod.rel_expr -> Kodkod.rel_expr
   -> Kodkod.rel_expr *)
fun tripl_rel_rel_let kk f r1 r2 r3 =
  double_rel_rel_let kk
      (fn r1 => fn r2 => basic_rel_rel_let 2 kk (f r1 r2) r3) r1 r2

(* kodkod_constrs -> int -> Kodkod.formula -> Kodkod.rel_expr *)
fun atom_from_formula ({kk_rel_if, ...} : kodkod_constrs) j0 f =
  kk_rel_if f (Kodkod.Atom (j0 + 1)) (Kodkod.Atom j0)
(* kodkod_constrs -> rep -> Kodkod.formula -> Kodkod.rel_expr *)
fun rel_expr_from_formula kk R f =
  case unopt_rep R of
    Atom (2, j0) => atom_from_formula kk j0 f
  | _ => raise REP ("Nitpick_Kodkod.rel_expr_from_formula", [R])

(* kodkod_cotrs -> int -> int -> Kodkod.rel_expr -> Kodkod.rel_expr list *)
fun unpack_vect_in_chunks ({kk_project_seq, ...} : kodkod_constrs) chunk_arity
                          num_chunks r =
  List.tabulate (num_chunks, fn j => kk_project_seq r (j * chunk_arity)
                                                    chunk_arity)

(* kodkod_constrs -> bool -> rep -> rep -> Kodkod.rel_expr -> Kodkod.rel_expr
   -> Kodkod.rel_expr *)
fun kk_n_fold_join
        (kk as {kk_intersect, kk_product, kk_join, kk_project_seq, ...}) one R1
        res_R r1 r2 =
  case arity_of_rep R1 of
    1 => kk_join r1 r2
  | arity1 =>
    let
      val unpacked_rs1 =
        if inline_rel_expr r1 then unpack_vect_in_chunks kk 1 arity1 r1
        else unpack_products r1
    in
      if one andalso length unpacked_rs1 = arity1 then
        fold kk_join unpacked_rs1 r2
      else
        kk_project_seq
            (kk_intersect (kk_product r1 (full_rel_for_rep res_R)) r2)
            arity1 (arity_of_rep res_R)
    end

(* kodkod_constrs -> rep -> rep -> Kodkod.rel_expr -> Kodkod.rel_expr list
   -> Kodkod.rel_expr list -> Kodkod.rel_expr *)
fun kk_case_switch (kk as {kk_union, kk_product, ...}) R1 R2 r rs1 rs2 =
  if rs1 = rs2 then r
  else kk_n_fold_join kk true R1 R2 r (fold1 kk_union (map2 kk_product rs1 rs2))

val lone_rep_fallback_max_card = 4096
val some_j0 = 0

(* kodkod_constrs -> rep -> rep -> Kodkod.rel_expr -> Kodkod.rel_expr *)
fun lone_rep_fallback kk new_R old_R r =
  if old_R = new_R then
    r
  else
    let val card = card_of_rep old_R in
      if is_lone_rep old_R andalso is_lone_rep new_R
         andalso card = card_of_rep new_R then
        if card >= lone_rep_fallback_max_card then
          raise TOO_LARGE ("Nitpick_Kodkod.lone_rep_fallback",
                           "too high cardinality (" ^ string_of_int card ^ ")")
        else
          kk_case_switch kk old_R new_R r (all_singletons_for_rep old_R)
                         (all_singletons_for_rep new_R)
      else
        raise REP ("Nitpick_Kodkod.lone_rep_fallback", [old_R, new_R])
    end
(* kodkod_constrs -> int * int -> rep -> Kodkod.rel_expr -> Kodkod.rel_expr *)
and atom_from_rel_expr kk (x as (k, j0)) old_R r =
  case old_R of
    Func (R1, R2) =>
    let
      val dom_card = card_of_rep R1
      val R2' = case R2 of Atom _ => R2 | _ => Atom (card_of_rep R2, some_j0)
    in
      atom_from_rel_expr kk x (Vect (dom_card, R2'))
                         (vect_from_rel_expr kk dom_card R2' old_R r)
    end
  | Opt _ => raise REP ("Nitpick_Kodkod.atom_from_rel_expr", [old_R])
  | _ => lone_rep_fallback kk (Atom x) old_R r
(* kodkod_constrs -> rep list -> rep -> Kodkod.rel_expr -> Kodkod.rel_expr *)
and struct_from_rel_expr kk Rs old_R r =
  case old_R of
    Atom _ => lone_rep_fallback kk (Struct Rs) old_R r
  | Struct Rs' =>
    let
      val Rs = filter (not_equal Unit) Rs
      val Rs' = filter (not_equal Unit) Rs'
    in
      if Rs' = Rs then
        r
      else if map card_of_rep Rs' = map card_of_rep Rs then
        let
          val old_arities = map arity_of_rep Rs'
          val old_offsets = offset_list old_arities
          val old_rs = map2 (#kk_project_seq kk r) old_offsets old_arities
        in
          fold1 (#kk_product kk)
                (map3 (rel_expr_from_rel_expr kk) Rs Rs' old_rs)
        end
      else
        lone_rep_fallback kk (Struct Rs) old_R r
    end
  | _ => raise REP ("Nitpick_Kodkod.struct_from_rel_expr", [old_R])
(* kodkod_constrs -> int -> rep -> rep -> Kodkod.rel_expr -> Kodkod.rel_expr *)
and vect_from_rel_expr kk k R old_R r =
  case old_R of
    Atom _ => lone_rep_fallback kk (Vect (k, R)) old_R r
  | Vect (k', R') =>
    if k = k' andalso R = R' then r
    else lone_rep_fallback kk (Vect (k, R)) old_R r
  | Func (R1, Formula Neut) =>
    if k = card_of_rep R1 then
      fold1 (#kk_product kk)
            (map (fn arg_r =>
                     rel_expr_from_formula kk R (#kk_subset kk arg_r r))
                 (all_singletons_for_rep R1))
    else
      raise REP ("Nitpick_Kodkod.vect_from_rel_expr", [old_R])
  | Func (Unit, R2) => rel_expr_from_rel_expr kk R R2 r
  | Func (R1, R2) =>
    fold1 (#kk_product kk)
          (map (fn arg_r =>
                   rel_expr_from_rel_expr kk R R2
                                         (kk_n_fold_join kk true R1 R2 arg_r r))
               (all_singletons_for_rep R1))
  | _ => raise REP ("Nitpick_Kodkod.vect_from_rel_expr", [old_R])
(* kodkod_constrs -> rep -> rep -> rep -> Kodkod.rel_expr -> Kodkod.rel_expr *)
and func_from_no_opt_rel_expr kk R1 R2 (Atom x) r =
    let
      val dom_card = card_of_rep R1
      val R2' = case R2 of Atom _ => R2 | _ => Atom (card_of_rep R2, some_j0)
    in
      func_from_no_opt_rel_expr kk R1 R2 (Vect (dom_card, R2'))
                                (vect_from_rel_expr kk dom_card R2' (Atom x) r)
    end
  | func_from_no_opt_rel_expr kk Unit R2 old_R r =
    (case old_R of
       Vect (k, R') => rel_expr_from_rel_expr kk R2 R' r
     | Func (Unit, R2') => rel_expr_from_rel_expr kk R2 R2' r
     | Func (Atom (1, _), Formula Neut) =>
       (case unopt_rep R2 of
          Atom (2, j0) => atom_from_formula kk j0 (#kk_some kk r)
        | _ => raise REP ("Nitpick_Kodkod.func_from_no_opt_rel_expr",
                          [old_R, Func (Unit, R2)]))
     | Func (R1', R2') =>
       rel_expr_from_rel_expr kk R2 R2' (#kk_project_seq kk r (arity_of_rep R1')
                              (arity_of_rep R2'))
     | _ => raise REP ("Nitpick_Kodkod.func_from_no_opt_rel_expr",
                       [old_R, Func (Unit, R2)]))
  | func_from_no_opt_rel_expr kk R1 (Formula Neut) old_R r =
    (case old_R of
       Vect (k, Atom (2, j0)) =>
       let
         val args_rs = all_singletons_for_rep R1
         val vals_rs = unpack_vect_in_chunks kk 1 k r
         (* Kodkod.rel_expr -> Kodkod.rel_expr -> Kodkod.rel_expr *)
         fun empty_or_singleton_set_for arg_r val_r =
           #kk_join kk val_r (#kk_product kk (Kodkod.Atom (j0 + 1)) arg_r)
       in
         fold1 (#kk_union kk) (map2 empty_or_singleton_set_for args_rs vals_rs)
       end
     | Func (R1', Formula Neut) =>
       if R1 = R1' then
         r
       else
         let
           val schema = atom_schema_of_rep R1
           val r1 = fold1 (#kk_product kk) (unary_var_seq ~1 (length schema))
                    |> rel_expr_from_rel_expr kk R1' R1
           val kk_xeq = (if is_one_rep R1' then #kk_subset else #kk_rel_eq) kk
         in
           #kk_comprehension kk (decls_for_atom_schema ~1 schema) (kk_xeq r1 r)
         end
     | Func (Unit, (Atom (2, j0))) =>
       #kk_rel_if kk (#kk_rel_eq kk r (Kodkod.Atom (j0 + 1)))
                  (full_rel_for_rep R1) (empty_rel_for_rep R1)
     | Func (R1', Atom (2, j0)) =>
       func_from_no_opt_rel_expr kk R1 (Formula Neut)
           (Func (R1', Formula Neut)) (#kk_join kk r (Kodkod.Atom (j0 + 1)))
     | _ => raise REP ("Nitpick_Kodkod.func_from_no_opt_rel_expr",
                       [old_R, Func (R1, Formula Neut)]))
  | func_from_no_opt_rel_expr kk R1 R2 old_R r =
    case old_R of
      Vect (k, R) =>
      let
        val args_rs = all_singletons_for_rep R1
        val vals_rs = unpack_vect_in_chunks kk (arity_of_rep R) k r
                      |> map (rel_expr_from_rel_expr kk R2 R)
      in fold1 (#kk_union kk) (map2 (#kk_product kk) args_rs vals_rs) end
    | Func (R1', Formula Neut) =>
      (case R2 of
         Atom (x as (2, j0)) =>
         let val schema = atom_schema_of_rep R1 in
           if length schema = 1 then
             #kk_override kk (#kk_product kk (Kodkod.AtomSeq (hd schema))
                                             (Kodkod.Atom j0))
                             (#kk_product kk r (Kodkod.Atom (j0 + 1)))
           else
             let
               val r1 = fold1 (#kk_product kk) (unary_var_seq ~1 (length schema))
                        |> rel_expr_from_rel_expr kk R1' R1
               val r2 = Kodkod.Var (1, ~(length schema) - 1)
               val r3 = atom_from_formula kk j0 (#kk_subset kk r1 r)
             in
               #kk_comprehension kk (decls_for_atom_schema ~1 (schema @ [x]))
                                 (#kk_subset kk r2 r3)
             end
           end
         | _ => raise REP ("Nitpick_Kodkod.func_from_no_opt_rel_expr",
                           [old_R, Func (R1, R2)]))
    | Func (Unit, R2') =>
      let val j0 = some_j0 in
        func_from_no_opt_rel_expr kk R1 R2 (Func (Atom (1, j0), R2'))
                                  (#kk_product kk (Kodkod.Atom j0) r)
      end
    | Func (R1', R2') =>
      if R1 = R1' andalso R2 = R2' then
        r
      else
        let
          val dom_schema = atom_schema_of_rep R1
          val ran_schema = atom_schema_of_rep R2
          val dom_prod = fold1 (#kk_product kk)
                               (unary_var_seq ~1 (length dom_schema))
                         |> rel_expr_from_rel_expr kk R1' R1
          val ran_prod = fold1 (#kk_product kk)
                               (unary_var_seq (~(length dom_schema) - 1)
                                              (length ran_schema))
                         |> rel_expr_from_rel_expr kk R2' R2
          val app = kk_n_fold_join kk true R1' R2' dom_prod r
          val kk_xeq = (if is_one_rep R2' then #kk_subset else #kk_rel_eq) kk
        in
          #kk_comprehension kk (decls_for_atom_schema ~1
                                                      (dom_schema @ ran_schema))
                               (kk_xeq ran_prod app)
        end
    | _ => raise REP ("Nitpick_Kodkod.func_from_no_opt_rel_expr",
                      [old_R, Func (R1, R2)])
(* kodkod_constrs -> rep -> rep -> Kodkod.rel_expr -> Kodkod.rel_expr *)
and rel_expr_from_rel_expr kk new_R old_R r =
  let
    val unopt_old_R = unopt_rep old_R
    val unopt_new_R = unopt_rep new_R
  in
    if unopt_old_R <> old_R andalso unopt_new_R = new_R then
      raise REP ("Nitpick_Kodkod.rel_expr_from_rel_expr", [old_R, new_R])
    else if unopt_new_R = unopt_old_R then
      r
    else
      (case unopt_new_R of
         Atom x => atom_from_rel_expr kk x
       | Struct Rs => struct_from_rel_expr kk Rs
       | Vect (k, R') => vect_from_rel_expr kk k R'
       | Func (R1, R2) => func_from_no_opt_rel_expr kk R1 R2
       | _ => raise REP ("Nitpick_Kodkod.rel_expr_from_rel_expr",
                         [old_R, new_R]))
          unopt_old_R r
  end
(* kodkod_constrs -> rep -> rep -> rep -> Kodkod.rel_expr -> Kodkod.rel_expr *)
and rel_expr_to_func kk R1 R2 = rel_expr_from_rel_expr kk (Func (R1, R2))

(* kodkod_constrs -> typ -> Kodkod.rel_expr -> Kodkod.rel_expr *)
fun bit_set_from_atom ({kk_join, ...} : kodkod_constrs) T r =
  kk_join r (Kodkod.Rel (if T = @{typ "unsigned_bit word"} then
                           unsigned_bit_word_sel_rel
                         else
                           signed_bit_word_sel_rel))
(* kodkod_constrs -> typ -> Kodkod.rel_expr -> Kodkod.int_expr *)
val int_expr_from_atom = Kodkod.SetSum ooo bit_set_from_atom
(* kodkod_constrs -> typ -> rep -> Kodkod.int_expr -> Kodkod.rel_expr *)
fun atom_from_int_expr (kk as {kk_rel_eq, kk_comprehension, ...}
                        : kodkod_constrs) T R i =
  kk_comprehension (decls_for_atom_schema ~1 (atom_schema_of_rep R))
                   (kk_rel_eq (bit_set_from_atom kk T (Kodkod.Var (1, ~1)))
                              (Kodkod.Bits i))

(* kodkod_constrs -> nut -> Kodkod.formula *)
fun declarative_axiom_for_plain_rel kk (FreeRel (x, _, R as Func _, nick)) =
    kk_n_ary_function kk (R |> nick = @{const_name List.set} ? unopt_rep)
                      (Kodkod.Rel x)
  | declarative_axiom_for_plain_rel ({kk_lone, kk_one, ...} : kodkod_constrs)
                                    (FreeRel (x, _, R, _)) =
    if is_one_rep R then kk_one (Kodkod.Rel x)
    else if is_lone_rep R andalso card_of_rep R > 1 then kk_lone (Kodkod.Rel x)
    else Kodkod.True
  | declarative_axiom_for_plain_rel _ u =
    raise NUT ("Nitpick_Kodkod.declarative_axiom_for_plain_rel", [u])

(* nut NameTable.table -> styp -> Kodkod.rel_expr * rep * int *)
fun const_triple rel_table (x as (s, T)) =
  case the_name rel_table (ConstName (s, T, Any)) of
    FreeRel ((n, j), _, R, _) => (Kodkod.Rel (n, j), R, n)
  | _ => raise TERM ("Nitpick_Kodkod.const_triple", [Const x])

(* nut NameTable.table -> styp -> Kodkod.rel_expr *)
fun discr_rel_expr rel_table = #1 o const_triple rel_table o discr_for_constr

(* extended_context -> kodkod_constrs -> nut NameTable.table -> dtype_spec list
   -> styp -> int -> nfa_transition list *)
fun nfa_transitions_for_sel ext_ctxt ({kk_project, ...} : kodkod_constrs)
                            rel_table (dtypes : dtype_spec list) constr_x n =
  let
    val x as (_, T) = boxed_nth_sel_for_constr ext_ctxt constr_x n
    val (r, R, arity) = const_triple rel_table x
    val type_schema = type_schema_of_rep T R
  in
    map_filter (fn (j, T) =>
                   if forall (not_equal T o #typ) dtypes then NONE
                   else SOME (kk_project r (map Kodkod.Num [0, j]), T))
               (index_seq 1 (arity - 1) ~~ tl type_schema)
  end
(* extended_context -> kodkod_constrs -> nut NameTable.table -> dtype_spec list
   -> styp -> nfa_transition list *)
fun nfa_transitions_for_constr ext_ctxt kk rel_table dtypes (x as (_, T)) =
  maps (nfa_transitions_for_sel ext_ctxt kk rel_table dtypes x)
       (index_seq 0 (num_sels_for_constr_type T))
(* extended_context -> kodkod_constrs -> nut NameTable.table -> dtype_spec list
   -> dtype_spec -> nfa_entry option *)
fun nfa_entry_for_datatype _ _ _ _ ({co = true, ...} : dtype_spec) = NONE
  | nfa_entry_for_datatype _ _ _ _ {shallow = true, ...} = NONE
  | nfa_entry_for_datatype ext_ctxt kk rel_table dtypes {typ, constrs, ...} =
    SOME (typ, maps (nfa_transitions_for_constr ext_ctxt kk rel_table dtypes
                     o #const) constrs)

val empty_rel = Kodkod.Product (Kodkod.None, Kodkod.None)

(* nfa_table -> typ -> typ -> Kodkod.rel_expr list *)
fun direct_path_rel_exprs nfa start final =
  case AList.lookup (op =) nfa final of
    SOME trans => map fst (filter (curry (op =) start o snd) trans)
  | NONE => []
(* kodkod_constrs -> nfa_table -> typ list -> typ -> typ -> Kodkod.rel_expr *)
and any_path_rel_expr ({kk_union, ...} : kodkod_constrs) nfa [] start final =
    fold kk_union (direct_path_rel_exprs nfa start final)
         (if start = final then Kodkod.Iden else empty_rel)
  | any_path_rel_expr (kk as {kk_union, ...}) nfa (q :: qs) start final =
    kk_union (any_path_rel_expr kk nfa qs start final)
             (knot_path_rel_expr kk nfa qs start q final)
(* kodkod_constrs -> nfa_table -> typ list -> typ -> typ -> typ
   -> Kodkod.rel_expr *)
and knot_path_rel_expr (kk as {kk_join, kk_reflexive_closure, ...}) nfa qs start
                       knot final =
  kk_join (kk_join (any_path_rel_expr kk nfa qs knot final)
                   (kk_reflexive_closure (loop_path_rel_expr kk nfa qs knot)))
          (any_path_rel_expr kk nfa qs start knot)
(* kodkod_constrs -> nfa_table -> typ list -> typ -> Kodkod.rel_expr *)
and loop_path_rel_expr ({kk_union, ...} : kodkod_constrs) nfa [] start =
    fold kk_union (direct_path_rel_exprs nfa start start) empty_rel
  | loop_path_rel_expr (kk as {kk_union, kk_closure, ...}) nfa (q :: qs) start =
    if start = q then
      kk_closure (loop_path_rel_expr kk nfa qs start)
    else
      kk_union (loop_path_rel_expr kk nfa qs start)
               (knot_path_rel_expr kk nfa qs start q start)

(* nfa_table -> unit NfaGraph.T *)
fun graph_for_nfa nfa =
  let
    (* typ -> unit NfaGraph.T -> unit NfaGraph.T *)
    fun new_node q = perhaps (try (NfaGraph.new_node (q, ())))
    (* nfa_table -> unit NfaGraph.T -> unit NfaGraph.T *)
    fun add_nfa [] = I
      | add_nfa ((_, []) :: nfa) = add_nfa nfa
      | add_nfa ((q, ((_, q') :: transitions)) :: nfa) =
        add_nfa ((q, transitions) :: nfa) o NfaGraph.add_edge (q, q') o
        new_node q' o new_node q
  in add_nfa nfa NfaGraph.empty end

(* nfa_table -> nfa_table list *)
fun strongly_connected_sub_nfas nfa =
  nfa |> graph_for_nfa |> NfaGraph.strong_conn
      |> map (fn keys => filter (member (op =) keys o fst) nfa)

(* dtype_spec list -> kodkod_constrs -> nfa_table -> typ -> Kodkod.formula *)
fun acyclicity_axiom_for_datatype dtypes kk nfa start =
  #kk_no kk (#kk_intersect kk
                 (loop_path_rel_expr kk nfa (map fst nfa) start) Kodkod.Iden)
(* extended_context -> kodkod_constrs -> nut NameTable.table -> dtype_spec list
   -> Kodkod.formula list *)
fun acyclicity_axioms_for_datatypes ext_ctxt kk rel_table dtypes =
  map_filter (nfa_entry_for_datatype ext_ctxt kk rel_table dtypes) dtypes
  |> strongly_connected_sub_nfas
  |> maps (fn nfa => map (acyclicity_axiom_for_datatype dtypes kk nfa o fst)
                         nfa)

(* extended_context -> int -> kodkod_constrs -> nut NameTable.table
   -> Kodkod.rel_expr -> constr_spec -> int -> Kodkod.formula *)
fun sel_axiom_for_sel ext_ctxt j0
        (kk as {kk_all, kk_implies, kk_formula_if, kk_subset, kk_rel_eq, kk_no,
                kk_join, ...}) rel_table dom_r
        ({const, delta, epsilon, exclusive, explicit_max, ...} : constr_spec)
        n =
  let
    val x as (_, T) = boxed_nth_sel_for_constr ext_ctxt const n
    val (r, R, arity) = const_triple rel_table x
    val R2 = dest_Func R |> snd
    val z = (epsilon - delta, delta + j0)
  in
    if exclusive then
      kk_n_ary_function kk (Func (Atom z, R2)) r
    else
      let val r' = kk_join (Kodkod.Var (1, 0)) r in
        kk_all [Kodkod.DeclOne ((1, 0), Kodkod.AtomSeq z)]
               (kk_formula_if (kk_subset (Kodkod.Var (1, 0)) dom_r)
                              (kk_n_ary_function kk R2 r')
                              (kk_no r'))
      end
  end
(* extended_context -> int -> int -> kodkod_constrs -> nut NameTable.table
   -> constr_spec -> Kodkod.formula list *)
fun sel_axioms_for_constr ext_ctxt bits j0 kk rel_table
        (constr as {const, delta, epsilon, explicit_max, ...}) =
  let
    val honors_explicit_max =
      explicit_max < 0 orelse epsilon - delta <= explicit_max
  in
    if explicit_max = 0 then
      [formula_for_bool honors_explicit_max]
    else
      let
        val ran_r = discr_rel_expr rel_table const
        val max_axiom =
          if honors_explicit_max then
            Kodkod.True
          else if is_twos_complement_representable bits (epsilon - delta) then
            Kodkod.LE (Kodkod.Cardinality ran_r, Kodkod.Num explicit_max)
          else
            raise TOO_SMALL ("Nitpick_Kodkod.sel_axioms_for_constr",
                             "\"bits\" value " ^ string_of_int bits ^
                             " too small for \"max\"")
      in
        max_axiom ::
        map (sel_axiom_for_sel ext_ctxt j0 kk rel_table ran_r constr)
            (index_seq 0 (num_sels_for_constr_type (snd const)))
      end
  end
(* extended_context -> int -> int -> kodkod_constrs -> nut NameTable.table
   -> dtype_spec -> Kodkod.formula list *)
fun sel_axioms_for_datatype ext_ctxt bits j0 kk rel_table
                            ({constrs, ...} : dtype_spec) =
  maps (sel_axioms_for_constr ext_ctxt bits j0 kk rel_table) constrs

(* extended_context -> kodkod_constrs -> nut NameTable.table -> constr_spec
   -> Kodkod.formula list *)
fun uniqueness_axiom_for_constr ext_ctxt
        ({kk_all, kk_implies, kk_and, kk_rel_eq, kk_lone, kk_join, ...}
         : kodkod_constrs) rel_table ({const, ...} : constr_spec) =
  let
    (* Kodkod.rel_expr -> Kodkod.formula *)
    fun conjunct_for_sel r =
      kk_rel_eq (kk_join (Kodkod.Var (1, 0)) r)
                (kk_join (Kodkod.Var (1, 1)) r)
    val num_sels = num_sels_for_constr_type (snd const)
    val triples = map (const_triple rel_table
                       o boxed_nth_sel_for_constr ext_ctxt const)
                      (~1 upto num_sels - 1)
    val j0 = case triples |> hd |> #2 of
               Func (Atom (_, j0), _) => j0
             | R => raise REP ("Nitpick_Kodkod.uniqueness_axiom_for_constr",
                               [R])
    val set_r = triples |> hd |> #1
  in
    if num_sels = 0 then
      kk_lone set_r
    else
      kk_all (map (Kodkod.DeclOne o rpair set_r o pair 1) [0, 1])
             (kk_implies
                  (fold1 kk_and (map (conjunct_for_sel o #1) (tl triples)))
                  (kk_rel_eq (Kodkod.Var (1, 0)) (Kodkod.Var (1, 1))))
  end
(* extended_context -> kodkod_constrs -> nut NameTable.table -> dtype_spec
   -> Kodkod.formula list *)
fun uniqueness_axioms_for_datatype ext_ctxt kk rel_table
                                   ({constrs, ...} : dtype_spec) =
  map (uniqueness_axiom_for_constr ext_ctxt kk rel_table) constrs

(* constr_spec -> int *)
fun effective_constr_max ({delta, epsilon, ...} : constr_spec) = epsilon - delta
(* int -> kodkod_constrs -> nut NameTable.table -> dtype_spec
   -> Kodkod.formula list *)
fun partition_axioms_for_datatype j0 (kk as {kk_rel_eq, kk_union, ...})
                                  rel_table
                                  ({card, constrs, ...} : dtype_spec) =
  if forall #exclusive constrs then
    [Integer.sum (map effective_constr_max constrs) = card |> formula_for_bool]
  else
    let val rs = map (discr_rel_expr rel_table o #const) constrs in
      [kk_rel_eq (fold1 kk_union rs) (Kodkod.AtomSeq (card, j0)),
       kk_disjoint_sets kk rs]
    end

(* extended_context -> int -> int Typtab.table -> kodkod_constrs
   -> nut NameTable.table -> dtype_spec -> Kodkod.formula list *)
fun other_axioms_for_datatype _ _ _ _ _ {shallow = true, ...} = []
  | other_axioms_for_datatype ext_ctxt bits ofs kk rel_table
                              (dtype as {typ, ...}) =
    let val j0 = offset_of_type ofs typ in
      sel_axioms_for_datatype ext_ctxt bits j0 kk rel_table dtype @
      uniqueness_axioms_for_datatype ext_ctxt kk rel_table dtype @
      partition_axioms_for_datatype j0 kk rel_table dtype
    end

(* extended_context -> int -> int Typtab.table -> kodkod_constrs
   -> nut NameTable.table -> dtype_spec list -> Kodkod.formula list *)
fun declarative_axioms_for_datatypes ext_ctxt bits ofs kk rel_table dtypes =
  acyclicity_axioms_for_datatypes ext_ctxt kk rel_table dtypes @
  maps (other_axioms_for_datatype ext_ctxt bits ofs kk rel_table) dtypes

(* int -> int Typtab.table -> bool -> kodkod_constrs -> nut -> Kodkod.formula *)
fun kodkod_formula_from_nut bits ofs liberal
        (kk as {kk_all, kk_exist, kk_formula_let, kk_formula_if, kk_or, kk_not,
                kk_iff, kk_implies, kk_and, kk_subset, kk_rel_eq, kk_no, kk_one,
                kk_some, kk_rel_let, kk_rel_if, kk_union, kk_difference,
                kk_intersect, kk_product, kk_join, kk_closure, kk_comprehension,
                kk_project, kk_project_seq, kk_not3, kk_nat_less, kk_int_less,
                ...}) u =
  let
    val main_j0 = offset_of_type ofs bool_T
    val bool_j0 = main_j0
    val bool_atom_R = Atom (2, main_j0)
    val false_atom = Kodkod.Atom bool_j0
    val true_atom = Kodkod.Atom (bool_j0 + 1)

    (* polarity -> int -> Kodkod.rel_expr -> Kodkod.formula *)
    fun formula_from_opt_atom polar j0 r =
      case polar of
        Neg => kk_not (kk_rel_eq r (Kodkod.Atom j0))
      | _ => kk_rel_eq r (Kodkod.Atom (j0 + 1))
    (* int -> Kodkod.rel_expr -> Kodkod.formula *)
    val formula_from_atom = formula_from_opt_atom Pos

    (* Kodkod.formula -> Kodkod.formula -> Kodkod.formula *)
    fun kk_notimplies f1 f2 = kk_and f1 (kk_not f2)
    (* Kodkod.rel_expr -> Kodkod.rel_expr -> Kodkod.rel_expr *)
    val kk_or3 =
      double_rel_rel_let kk
          (fn r1 => fn r2 =>
              kk_rel_if (kk_subset true_atom (kk_union r1 r2)) true_atom
                        (kk_intersect r1 r2))
    val kk_and3 =
      double_rel_rel_let kk
          (fn r1 => fn r2 =>
              kk_rel_if (kk_subset false_atom (kk_union r1 r2)) false_atom
                        (kk_intersect r1 r2))
    fun kk_notimplies3 r1 r2 = kk_and3 r1 (kk_not3 r2)

    (* int -> Kodkod.rel_expr -> Kodkod.formula list *)
    val unpack_formulas =
      map (formula_from_atom bool_j0) oo unpack_vect_in_chunks kk 1
    (* (Kodkod.formula -> Kodkod.formula -> Kodkod.formula) -> int
       -> Kodkod.rel_expr -> Kodkod.rel_expr -> Kodkod.rel_expr *)
    fun kk_vect_set_op connective k r1 r2 =
      fold1 kk_product (map2 (atom_from_formula kk bool_j0 oo connective)
                             (unpack_formulas k r1) (unpack_formulas k r2))
    (* (Kodkod.formula -> Kodkod.formula -> Kodkod.formula) -> int
       -> Kodkod.rel_expr -> Kodkod.rel_expr -> Kodkod.formula *)
    fun kk_vect_set_bool_op connective k r1 r2 =
      fold1 kk_and (map2 connective (unpack_formulas k r1)
                         (unpack_formulas k r2))

    (* nut -> Kodkod.formula *)
    fun to_f u =
      case rep_of u of
        Formula polar =>
        (case u of
           Cst (False, _, _) => Kodkod.False
         | Cst (True, _, _) => Kodkod.True
         | Op1 (Not, _, _, u1) =>
           kk_not (to_f_with_polarity (flip_polarity polar) u1)
         | Op1 (Finite, _, _, u1) =>
           let val opt1 = is_opt_rep (rep_of u1) in
             case polar of
               Neut => if opt1 then
                         raise NUT ("Nitpick_Kodkod.to_f (Finite)", [u])
                       else
                         Kodkod.True
             | Pos => formula_for_bool (not opt1)
             | Neg => Kodkod.True
           end
         | Op1 (Cast, _, _, u1) => to_f_with_polarity polar u1
         | Op2 (All, _, _, u1, u2) =>
           kk_all (untuple to_decl u1) (to_f_with_polarity polar u2)
         | Op2 (Exist, _, _, u1, u2) =>
           kk_exist (untuple to_decl u1) (to_f_with_polarity polar u2)
         | Op2 (Or, _, _, u1, u2) =>
           kk_or (to_f_with_polarity polar u1) (to_f_with_polarity polar u2)
         | Op2 (And, _, _, u1, u2) =>
           kk_and (to_f_with_polarity polar u1) (to_f_with_polarity polar u2)
         | Op2 (Less, T, Formula polar, u1, u2) =>
           formula_from_opt_atom polar bool_j0
               (to_r (Op2 (Less, T, Opt bool_atom_R, u1, u2)))
         | Op2 (Subset, _, _, u1, u2) =>
           let
             val dom_T = domain_type (type_of u1)
             val R1 = rep_of u1
             val R2 = rep_of u2
             val (dom_R, ran_R) =
               case min_rep R1 R2 of
                 Func (Unit, R') =>
                 (Atom (1, offset_of_type ofs dom_T), R')
               | Func Rp => Rp
               | R => (Atom (card_of_domain_from_rep 2 R,
                             offset_of_type ofs dom_T),
                       if is_opt_rep R then Opt bool_atom_R else Formula Neut)
             val set_R = Func (dom_R, ran_R)
           in
             if not (is_opt_rep ran_R) then
               to_set_bool_op kk_implies kk_subset u1 u2
             else if polar = Neut then
               raise NUT ("Nitpick_Kodkod.to_f (Subset)", [u])
             else
               let
                 (* FIXME: merge with similar code below *)
                 (* bool -> nut -> Kodkod.rel_expr *)
                 fun set_to_r widen u =
                   if widen then
                     kk_difference (full_rel_for_rep dom_R)
                                   (kk_join (to_rep set_R u) false_atom)
                   else
                     kk_join (to_rep set_R u) true_atom
                 val widen1 = (polar = Pos andalso is_opt_rep R1)
                 val widen2 = (polar = Neg andalso is_opt_rep R2)
               in kk_subset (set_to_r widen1 u1) (set_to_r widen2 u2) end
           end
         | Op2 (DefEq, _, _, u1, u2) =>
           (case min_rep (rep_of u1) (rep_of u2) of
              Unit => Kodkod.True
            | Formula polar =>
              kk_iff (to_f_with_polarity polar u1) (to_f_with_polarity polar u2)
            | min_R =>
              let
                (* nut -> nut list *)
                fun args (Op2 (Apply, _, _, u1, u2)) = u2 :: args u1
                  | args (Tuple (_, _, us)) = us
                  | args _ = []
                val opt_arg_us = filter (is_opt_rep o rep_of) (args u1)
              in
                if null opt_arg_us orelse not (is_Opt min_R)
                   orelse is_eval_name u1 then
                  fold (kk_or o (kk_no o to_r)) opt_arg_us
                       (kk_rel_eq (to_rep min_R u1) (to_rep min_R u2))
                else
                  kk_subset (to_rep min_R u1) (to_rep min_R u2)
              end)
         | Op2 (Eq, T, R, u1, u2) =>
           (case min_rep (rep_of u1) (rep_of u2) of
              Unit => Kodkod.True
            | Formula polar =>
              kk_iff (to_f_with_polarity polar u1) (to_f_with_polarity polar u2)
            | min_R =>
              if is_opt_rep min_R then
                if polar = Neut then
                  (* continuation of hackish optimization *)
                  kk_rel_eq (to_rep min_R u1) (to_rep min_R u2)
                else if is_Cst Unrep u1 then
                  to_could_be_unrep (polar = Neg) u2
                else if is_Cst Unrep u2 then
                  to_could_be_unrep (polar = Neg) u1
                else
                  let
                    val r1 = to_rep min_R u1
                    val r2 = to_rep min_R u2
                    val both_opt = forall (is_opt_rep o rep_of) [u1, u2]
                  in
                    (if polar = Pos then
                       if not both_opt then
                         kk_rel_eq r1 r2
                       else if is_lone_rep min_R
                               andalso arity_of_rep min_R = 1 then
                         kk_some (kk_intersect r1 r2)
                       else
                         raise SAME ()
                     else
                       if is_lone_rep min_R then
                         if arity_of_rep min_R = 1 then
                           kk_subset (kk_product r1 r2) Kodkod.Iden
                         else if not both_opt then
                           (r1, r2) |> is_opt_rep (rep_of u2) ? swap
                                    |-> kk_subset
                         else
                           raise SAME ()
                       else
                         raise SAME ())
                    handle SAME () =>
                           formula_from_opt_atom polar bool_j0
                               (to_guard [u1, u2] bool_atom_R
                                         (rel_expr_from_formula kk bool_atom_R
                                                            (kk_rel_eq r1 r2)))
                  end
              else
                let
                  val r1 = to_rep min_R u1
                  val r2 = to_rep min_R u2
                in
                  if is_one_rep min_R then
                    let
                      val rs1 = unpack_products r1
                      val rs2 = unpack_products r2
                    in
                      if length rs1 = length rs2
                         andalso map Kodkod.arity_of_rel_expr rs1
                                 = map Kodkod.arity_of_rel_expr rs2 then
                        fold1 kk_and (map2 kk_subset rs1 rs2)
                      else
                        kk_subset r1 r2
                    end
                  else
                    kk_rel_eq r1 r2
                end)
         | Op2 (The, T, _, u1, u2) =>
           to_f_with_polarity polar
                              (Op2 (The, T, Opt (Atom (2, bool_j0)), u1, u2))
         | Op2 (Eps, T, _, u1, u2) =>
           to_f_with_polarity polar
                              (Op2 (Eps, T, Opt (Atom (2, bool_j0)), u1, u2))
         | Op2 (Apply, T, _, u1, u2) =>
           (case (polar, rep_of u1) of
              (Neg, Func (R, Formula Neut)) => kk_subset (to_opt R u2) (to_r u1)
            | _ =>
              to_f_with_polarity polar
                 (Op2 (Apply, T, Opt (Atom (2, offset_of_type ofs T)), u1, u2)))
         | Op3 (Let, _, _, u1, u2, u3) =>
           kk_formula_let [to_expr_assign u1 u2] (to_f_with_polarity polar u3)
         | Op3 (If, _, _, u1, u2, u3) =>
           kk_formula_if (to_f u1) (to_f_with_polarity polar u2)
                         (to_f_with_polarity polar u3)
         | FormulaReg (j, _, _) => Kodkod.FormulaReg j
         | _ => raise NUT ("Nitpick_Kodkod.to_f", [u]))
      | Atom (2, j0) => formula_from_atom j0 (to_r u)
      | _ => raise NUT ("Nitpick_Kodkod.to_f", [u])
    (* polarity -> nut -> Kodkod.formula *)
    and to_f_with_polarity polar u =
      case rep_of u of
        Formula _ => to_f u
      | Atom (2, j0) => formula_from_atom j0 (to_r u)
      | Opt (Atom (2, j0)) => formula_from_opt_atom polar j0 (to_r u)
      | _ => raise NUT ("Nitpick_Kodkod.to_f_with_polarity", [u])
    (* nut -> Kodkod.rel_expr *)
    and to_r u =
      case u of
        Cst (False, _, Atom _) => false_atom
      | Cst (True, _, Atom _) => true_atom
      | Cst (Iden, T, Func (Struct [R1, R2], Formula Neut)) =>
        if R1 = R2 andalso arity_of_rep R1 = 1 then
          kk_intersect Kodkod.Iden (kk_product (full_rel_for_rep R1)
                                               Kodkod.Univ)
        else
          let
            val schema1 = atom_schema_of_rep R1
            val schema2 = atom_schema_of_rep R2
            val arity1 = length schema1
            val arity2 = length schema2
            val r1 = fold1 kk_product (unary_var_seq 0 arity1)
            val r2 = fold1 kk_product (unary_var_seq arity1 arity2)
            val min_R = min_rep R1 R2
          in
            kk_comprehension
                (decls_for_atom_schema 0 (schema1 @ schema2))
                (kk_rel_eq (rel_expr_from_rel_expr kk min_R R1 r1)
                           (rel_expr_from_rel_expr kk min_R R2 r2))
          end
      | Cst (Iden, T, Func (Atom (1, j0), Formula Neut)) => Kodkod.Atom j0
      | Cst (Iden, T as Type ("fun", [T1, _]), R as Func (R1, _)) =>
        to_rep R (Cst (Iden, T, Func (one_rep ofs T1 R1, Formula Neut)))
      | Cst (Num j, T, R) =>
        if is_word_type T then
          atom_from_int_expr kk T R (Kodkod.Num j)
        else if T = int_T then
          case atom_for_int (card_of_rep R, offset_of_type ofs int_T) j of
            ~1 => if is_opt_rep R then Kodkod.None
                  else raise NUT ("Nitpick_Kodkod.to_r (Num)", [u])
          | j' => Kodkod.Atom j'
        else
          if j < card_of_rep R then Kodkod.Atom (j + offset_of_type ofs T)
          else if is_opt_rep R then Kodkod.None
          else raise NUT ("Nitpick_Kodkod.to_r (Num)", [u])
      | Cst (Unknown, _, R) => empty_rel_for_rep R
      | Cst (Unrep, _, R) => empty_rel_for_rep R
      | Cst (Suc, T, Func (Atom x, _)) =>
        if domain_type T <> nat_T then
          Kodkod.Rel suc_rel
        else
          kk_intersect (Kodkod.Rel suc_rel)
                       (kk_product Kodkod.Univ (Kodkod.AtomSeq x))
      | Cst (Add, Type ("fun", [@{typ nat}, _]), _) => Kodkod.Rel nat_add_rel
      | Cst (Add, Type ("fun", [@{typ int}, _]), _) => Kodkod.Rel int_add_rel
      | Cst (Add, T as Type ("fun", [@{typ "unsigned_bit word"}, _]), R) =>
        to_bit_word_binary_op T R NONE (SOME (curry Kodkod.Add))
      | Cst (Add, T as Type ("fun", [@{typ "signed_bit word"}, _]), R) =>
        to_bit_word_binary_op T R
            (SOME (fn i1 => fn i2 => fn i3 =>
                 kk_implies (Kodkod.LE (Kodkod.Num 0, Kodkod.BitXor (i1, i2)))
                            (Kodkod.LE (Kodkod.Num 0, Kodkod.BitXor (i2, i3)))))
            (SOME (curry Kodkod.Add))
      | Cst (Subtract, Type ("fun", [@{typ nat}, _]), _) =>
        Kodkod.Rel nat_subtract_rel
      | Cst (Subtract, Type ("fun", [@{typ int}, _]), _) =>
        Kodkod.Rel int_subtract_rel
      | Cst (Subtract, T as Type ("fun", [@{typ "unsigned_bit word"}, _]), R) =>
        to_bit_word_binary_op T R NONE
            (SOME (fn i1 => fn i2 =>
                      Kodkod.IntIf (Kodkod.LE (i1, i2), Kodkod.Num 0,
                                    Kodkod.Sub (i1, i2))))
      | Cst (Subtract, T as Type ("fun", [@{typ "signed_bit word"}, _]), R) =>
        to_bit_word_binary_op T R
            (SOME (fn i1 => fn i2 => fn i3 =>
                 kk_implies (Kodkod.LT (Kodkod.BitXor (i1, i2), Kodkod.Num 0))
                            (Kodkod.LT (Kodkod.BitXor (i2, i3), Kodkod.Num 0))))
            (SOME (curry Kodkod.Sub))
      | Cst (Multiply, Type ("fun", [@{typ nat}, _]), _) =>
        Kodkod.Rel nat_multiply_rel
      | Cst (Multiply, Type ("fun", [@{typ int}, _]), _) =>
        Kodkod.Rel int_multiply_rel
      | Cst (Multiply,
             T as Type ("fun", [Type (@{type_name word}, [bit_T]), _]), R) =>
        to_bit_word_binary_op T R
            (SOME (fn i1 => fn i2 => fn i3 =>
                kk_or (Kodkod.IntEq (i2, Kodkod.Num 0))
                      (Kodkod.IntEq (Kodkod.Div (i3, i2), i1)
                       |> bit_T = @{typ signed_bit}
                          ? kk_and (Kodkod.LE (Kodkod.Num 0,
                                          foldl1 Kodkod.BitAnd [i1, i2, i3])))))
            (SOME (curry Kodkod.Mult))
      | Cst (Divide, Type ("fun", [@{typ nat}, _]), _) =>
        Kodkod.Rel nat_divide_rel
      | Cst (Divide, Type ("fun", [@{typ int}, _]), _) =>
        Kodkod.Rel int_divide_rel
      | Cst (Divide, T as Type ("fun", [@{typ "unsigned_bit word"}, _]), R) =>
        to_bit_word_binary_op T R NONE
            (SOME (fn i1 => fn i2 =>
                      Kodkod.IntIf (Kodkod.IntEq (i2, Kodkod.Num 0),
                                    Kodkod.Num 0, Kodkod.Div (i1, i2))))
      | Cst (Divide, T as Type ("fun", [@{typ "signed_bit word"}, _]), R) =>
        to_bit_word_binary_op T R
            (SOME (fn i1 => fn i2 => fn i3 =>
                Kodkod.LE (Kodkod.Num 0, foldl1 Kodkod.BitAnd [i1, i2, i3])))
            (SOME (fn i1 => fn i2 =>
                 Kodkod.IntIf (kk_and (Kodkod.LT (i1, Kodkod.Num 0))
                                      (Kodkod.LT (Kodkod.Num 0, i2)),
                     Kodkod.Sub (Kodkod.Div (Kodkod.Add (i1, Kodkod.Num 1), i2),
                                 Kodkod.Num 1),
                     Kodkod.IntIf (kk_and (Kodkod.LT (Kodkod.Num 0, i1))
                                          (Kodkod.LT (i2, Kodkod.Num 0)),
                         Kodkod.Sub (Kodkod.Div (Kodkod.Sub (i1, Kodkod.Num 1),
                                                 i2), Kodkod.Num 1),
                         Kodkod.IntIf (Kodkod.IntEq (i2, Kodkod.Num 0),
                                       Kodkod.Num 0, Kodkod.Div (i1, i2))))))
      | Cst (Gcd, _, _) => Kodkod.Rel gcd_rel
      | Cst (Lcm, _, _) => Kodkod.Rel lcm_rel
      | Cst (Fracs, _, Func (Atom (1, _), _)) => Kodkod.None
      | Cst (Fracs, _, Func (Struct _, _)) =>
        kk_project_seq (Kodkod.Rel norm_frac_rel) 2 2
      | Cst (NormFrac, _, _) => Kodkod.Rel norm_frac_rel
      | Cst (NatToInt, Type ("fun", [@{typ nat}, _]), Func (Atom _, Atom _)) =>
        Kodkod.Iden
      | Cst (NatToInt, Type ("fun", [@{typ nat}, _]),
             Func (Atom (nat_k, nat_j0), Opt (Atom (int_k, int_j0)))) =>
        if nat_j0 = int_j0 then
          kk_intersect Kodkod.Iden
              (kk_product (Kodkod.AtomSeq (max_int_for_card int_k + 1, nat_j0))
                          Kodkod.Univ)
        else
          raise BAD ("Nitpick_Kodkod.to_r (NatToInt)", "\"nat_j0 <> int_j0\"")
      | Cst (NatToInt, T as Type ("fun", [@{typ "unsigned_bit word"}, _]), R) =>
        to_bit_word_unary_op T R I
      | Cst (IntToNat, Type ("fun", [@{typ int}, _]),
             Func (Atom (int_k, int_j0), nat_R)) =>
        let
          val abs_card = max_int_for_card int_k + 1
          val (nat_k, nat_j0) = the_single (atom_schema_of_rep nat_R)
          val overlap = Int.min (nat_k, abs_card)
        in
          if nat_j0 = int_j0 then
            kk_union (kk_product (Kodkod.AtomSeq (int_k - abs_card,
                                                  int_j0 + abs_card))
                                 (Kodkod.Atom nat_j0))
                     (kk_intersect Kodkod.Iden
                          (kk_product (Kodkod.AtomSeq (overlap, int_j0))
                                      Kodkod.Univ))
          else
            raise BAD ("Nitpick_Kodkod.to_r (IntToNat)", "\"nat_j0 <> int_j0\"")