GaloisInc / pate

Patches Assured up to Trace Equivalence

Clean up bound/free variable scoping

danmatichuk opened this issue · comments

Currently the verifier is not carefully handling the free variables introduced to represent the initial program state for symbolic execution. In particular the body of the 'SimSpec' underlying the 'AbstractDomain' is accessed directly rather than being bound via 'bindSpec'. This creates two problems: domains may include free variables which are unbound once interpreted in a subsequent slice, and domains may include free variables which are bound, but should actually be free (i.e. in a loop each iteration requires different formal variables to represent the initial state).
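The scoping problem described in the issue, as an added illustrative example rather than code from pate itself: a tiny term language with a `Spec` binder (a hypothetical stand-in for the `SimSpec`/`bindSpec` pattern, not pate's actual types) shows how reading the body directly leaks the formal initial-state variables as free variables, and how binding the spec with a fresh variable per loop iteration keeps each iteration's initial state distinct. All names and the sample domain are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple, Union

# Minimal symbolic term language (constructed for this example; not pate's own types).
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Lit:
    value: int

@dataclass(frozen=True)
class App:
    op: str
    args: Tuple["Term", ...]

Term = Union[Var, Lit, App]

@dataclass(frozen=True)
class Spec:
    """A domain body abstracted over the formal variables that stand for the
    initial program state. Hypothetical analogue of a SimSpec-style binder."""
    formals: Tuple[str, ...]
    body: Term

def free_vars(t: Term) -> FrozenSet[str]:
    """Variables occurring in a term; with no binder at this level, all are free."""
    if isinstance(t, Var):
        return frozenset({t.name})
    if isinstance(t, Lit):
        return frozenset()
    return frozenset().union(*(free_vars(a) for a in t.args))

def subst(t: Term, env: Dict[str, Term]) -> Term:
    """Capture-free substitution: variables are only ever replaced by fresh ones here."""
    if isinstance(t, Var):
        return env.get(t.name, t)
    if isinstance(t, Lit):
        return t
    return App(t.op, tuple(subst(a, env) for a in t.args))

def bind_spec(spec: Spec, actuals: Dict[str, Term]) -> Term:
    """Instantiate every formal; refuse to hand back a body with an unbound formal."""
    missing = set(spec.formals) - set(actuals)
    if missing:
        raise ValueError(f"unbound formals: {sorted(missing)}")
    return subst(spec.body, {f: actuals[f] for f in spec.formals})

def binding_rejects_missing(spec: Spec, actuals: Dict[str, Term]) -> bool:
    """True when bind_spec correctly refuses a partial instantiation."""
    try:
        bind_spec(spec, actuals)
    except ValueError:
        return True
    return False

class FreshSupply:
    """Generates variables that cannot collide with any previously issued one."""
    def __init__(self) -> None:
        self.n = 0
    def fresh(self, base: str) -> Var:
        self.n += 1
        return Var(f"{base}#{self.n}")

def unsound_use(spec: Spec) -> FrozenSet[str]:
    """The bug pattern: read spec.body directly, so the formals leak as free
    variables that mean nothing once the term is used in another slice."""
    return free_vars(spec.body)

def loop_iterations(spec: Spec, n: int, supply: FreshSupply) -> List[Term]:
    """Each iteration binds the spec against its own fresh initial-state variables,
    so two iterations never share the variables standing for 'the state on entry'."""
    out: List[Term] = []
    for _ in range(n):
        actuals: Dict[str, Term] = {f: supply.fresh(f) for f in spec.formals}
        out.append(bind_spec(spec, actuals))
    return out

# Constructed sample domain over two initial-state formals:
# "r0_init == r1_init and r0_init < 16"
DOMAIN = Spec(
    formals=("r0_init", "r1_init"),
    body=App("and", (
        App("eq", (Var("r0_init"), Var("r1_init"))),
        App("lt", (Var("r0_init"), Lit(16))),
    )),
)

if __name__ == "__main__":
    print("leaked formals:", sorted(unsound_use(DOMAIN)))
    for i, t in enumerate(loop_iterations(DOMAIN, 2, FreshSupply())):
        print(f"iteration {i}: free = {sorted(free_vars(t))}")
```

The check that `bind_spec` refuses a partial instantiation is the part that turns "domains may include free variables which are unbound" from a silent unsoundness into an error; the fresh supply is what keeps successive loop iterations from sharing one set of initial-state variables.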