Desired properties of delete
No cell with value v afterwards
All cells with value v removed
- l.*next' = l.*next - {c | c.val = v}
No cycles introduced
- no c: l.*next | c in c.+next -> no c: l.*next' | c in c.+next'
Running the tool shows that
- Properties 1, 4 and 5 appear to hold
- But not properties 2 and 3
- Property 2 fails because the first list cell cannot be deleted
- Even after a simple fix, the tool shows another error, in which the last two cells share a value equal to v
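
The kind of bounded search the tool performs can be imitated in plain Python. The block below is an added example, not code from the slides or from the tool: `delete_v1` and `delete_v2` are constructed stand-ins for the original procedure and its "simple fix", and all names are hypothetical. It checks the three properties listed above on every list of up to three cells and returns the smallest counterexample.

```python
from itertools import product

class Cell:
    def __init__(self, val, nxt=None):
        self.val, self.next = val, nxt

def build(vals):
    return Cell(vals[0], build(vals[1:])) if vals else None

def reach(l):
    """Return (l.*next in list order, True if the walk re-enters a cell)."""
    seen = []
    while l is not None and l not in seen:
        seen.append(l)
        l = l.next
    return seen, l is not None

def delete_v1(l, v):
    """Constructed buggy delete: unlinks matches after the head, never the head."""
    prev, c = l, (l.next if l else None)
    while c is not None:
        if c.val == v:
            prev.next = c.next
        else:
            prev = c
        c = c.next
    return l

def delete_v2(l, v):
    if l is not None and l.val == v:  # constructed "simple fix": drop a matching head once
        l = l.next
    return delete_v1(l, v)

def violations(delete, vals, v):
    l = build(vals)
    before, _ = reach(l)
    after, cyclic = reach(delete(l, v))
    kept = {c for c in before if c.val != v}
    checks = [("cell with value v remains", any(c.val == v for c in after)),
              ("l.*next' != l.*next - {c|c.val=v}", set(after) != kept),
              ("cycle introduced", cyclic)]
    return [name for name, failed in checks if failed]

def first_counterexample(delete, scope=3, values=(0, 1), v=1):
    """Try every list of up to `scope` cells, smallest first (bounded search)."""
    for n in range(scope + 1):
        for vals in product(values, repeat=n):
            if bad := violations(delete, vals, v):
                return vals, bad
    return None
```

With v = 1, `first_counterexample(delete_v1)` reports the one-cell list `(1,)`, and `first_counterexample(delete_v2)` reports `(1, 1)`, a list whose last two cells both hold v.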