Library gen_lemmas
Require Import mathlib.
Require Import os_mutex.
Require Import OSMutex_common.
Open Scope code_scope.
(* Verification goal for the blocking tail of OSMboxPend.
   Shape: forall <proof context>,
            {| OSQ_spec, GetHPrio, I, RetPost, Afalse |} |- {{ Pre }} code {{ Afalse }}
   - The binders up to the comma are the hypotheses of the proof state at the
     point where this goal was cut out of the main proof. The names (v´N, HN,
     iN, x3, ...) are the generated context names; proof scripts presumably
     `unfold` and `intros` this definition, so renaming or reordering binders is
     not behavior-preserving.
   - Pre already records the blocking step: the current TCB (v´52, Int.zero) is
     consed onto the mailbox wait set w, its abstract entry in the TCB map is
     `wait (os_stat_mbox (v´27, Int.zero)) i`, its concrete node carries
     V$OS_STAT_MBOX and the timeout i, the ready-table byte v´64 has the bit
     v´62 cleared and the event-table byte v´65 has it set.
   - The code leaves the critical section, yields (OS_Sched), re-enters the
     critical section and tests OSTCBCur->OSTCBMsg; both paths end in RETURN,
     which is why the fall-through postcondition is Afalse.
   NOTE(review): several hypotheses are duplicates (H16/H25, H47/H32, H/H11) or
   trivially decidable residue of earlier branch tests (H10, H2, H18). They are
   kept verbatim because the binder list must match the proof state. *)
Definition gen_mbox_pend_part0 := forall (
(* timeout argument of OSMboxPend; H1 is its Int16u range side condition
   (the timeout local is declared Int16u in the assertions below) *)
i : int32
)(
H1 : Int.unsigned i <= 65535
)(
v´ : val
)(
v´0 : val
)(
v´1 : list vallist
)(
v´2 : list vallist
)(
v´3 : list vallist
)(
v´4 : list EventData
)(
v´5 : list EventCtr
)(
v´6 : vallist
)(
v´7 : val
)(
v´8 : val
)(
v´9 : list vallist
)(
v´10 : vallist
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : val
)(
v´14 : EcbMod.map
)(
v´15 : TcbMod.map
)(
v´16 : int32
)(
v´17 : addrval
)(
v´18 : addrval
)(
v´19 : val
)(
v´20 : list vallist
)(
v´23 : list EventCtr
)(
v´24 : list EventCtr
)(
v´25 : list EventData
)(
v´26 : list EventData
)(
v´28 : vallist
)(
v´29 : val
)(
v´31 : list vallist
)(
v´33 : list vallist
)(
v´36 : EcbMod.map
)(
v´37 : TcbMod.map
)(
v´40 : val
)(
v´44 : val
)(
v´45 : EcbMod.map
)(
v´46 : EcbMod.map
)(
v´47 : EcbMod.map
)(
(* wait set of the mailbox before the current task is added to it *)
w : waitset
)(
v´49 : addrval
)(
(* event list suffix: from v´44 (the mailbox node's successor) to Vnull,
   with abstract map v´46; the prefix up to the mailbox node is H3 *)
H4 : ECBList_P v´44 Vnull v´24 v´26 v´46 v´37
)(
(* abstract ECB map split: v´36 = v´45 (prefix) + v´47, and by H7 below
   v´47 = {mailbox node} + v´46 (suffix) *)
H17 : EcbMod.join v´45 v´47 v´36
)(
H13 : length v´23 = length v´25
)(
H16 : isptr v´44
)(
(* residue of an earlier branch condition (the test is on constants and
   is decidable by computation) *)
H10 : val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull
)(
v´21 : addrval
)(
(* block of the OS_EVENT being pended on; the mailbox address is
   (v´27, Int.zero) throughout *)
v´27 : block
)(
x3 : val
)(
(* slot 2 of the mailbox node (see H0/H6); H23 bounds it to 16 bits *)
i2 : int32
)(
H23 : Int.unsigned i2 <= 65535
)(
H25 : isptr v´44
)(
(* event list prefix: from OSEventList head v´40 up to (excluding) the mailbox node *)
H3 : ECBList_P v´40 (Vptr (v´27, Int.zero)) v´23 v´25 v´45 v´37
)(
H2 : Vptr (v´27, Int.zero) = Vnull \/
(exists p, Vptr (v´27, Int.zero) = Vptr p)
)(
H : val_inj (Some ( Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (Some ( Vint32 Int.zero)) = Vnull
)(
(* v´21 is the address of the OSEventTbl field inside the mailbox node *)
H15 : id_addrval´ (Vptr (v´27, Int.zero)) OSEventTbl OS_EVENT = Some v´21
)(
v´22 : val
)(
v´38 : val
)(
v´41 : TcbMod.map
)(
v´50 : TcbMod.map
)(
v´51 : val
)(
(* block of the current TCB; the current task is (v´52, Int.zero) *)
v´52 : block
)(
(* OSTCBList head v´29 and the current TCB pointer are both non-null *)
H28 : v´29 <> Vnull
)(
(* abstract TCB map split: v´37 = v´41 (tasks before the current one) + v´50 *)
H29 : TcbMod.join v´41 v´50 v´37
)(
H27 : Vptr (v´52, Int.zero) <> Vnull
)(
(* x8, x9, i9, i8, i7, i6 are the slots 3..7 of the current TCB node before
   blocking (see H31); the node in Pre below shows which of them are
   overwritten: slot 2 := mailbox pointer, slot 3 := Vnull, slot 4 := i,
   slot 5 := V$OS_STAT_MBOX. i7 (slot 6) is the task priority (cf. H5, Heqb). *)
x8 : val
)(
x9 : val
)(
H34 : isptr x9
)(
H35 : isptr x8
)(
i9 : int32
)(
H36 : Int.unsigned i9 <= 65535
)(
i8 : int32
)(
H37 : Int.unsigned i8 <= 255
)(
i7 : int32
)(
H38 : Int.unsigned i7 <= 255
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 255
)(
H33 : isptr v´22
)(
H14 : isptr v´51
)(
(* refinement relations between the abstract ECB map, the abstract TCB map
   and the current task, taken at the state before this goal *)
H8 : RH_TCBList_ECBList_P v´36 v´37 (v´52, Int.zero)
)(
H9 : RH_CurTCB (v´52, Int.zero) v´37
)(
H21 : Int.unsigned ($ OS_EVENT_TYPE_MBOX) <= 255
)(
(* the pending task is not the idle task *)
Heqb : false = Int.eq i7 ($ OS_IDLE_PRIO)
)(
H11 : val_inj (Some ( Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (Some ( Vint32 Int.zero)) = Vnull
)(
(* before blocking the task was ready (slot 5 = OS_STAT_RDY) with slot 4 = 0 *)
H48 : Int.eq i8 ($ OS_STAT_RDY) = true
)(
H49 : Int.eq i9 ($ 0) = true
)(
(* abstract view of the current task before blocking: priority i7, status rdy, message x8 *)
H5 : TcbMod.get v´50 (v´52, Int.zero) = Some (i7, rdy, x8)
)(
H50 : isr_is_prop empisr nil
)(
v´30 : option val
)(
(* v´39: ready table (OS_RDY_TBL_SIZE bytes), v´43: its group byte;
   v´54: the mailbox's event wait table (OS_EVENT_TBL_SIZE bytes), v´66: its group byte;
   v´61/v´62/v´63 are the bit-map fields of the current TCB node (slots 8..10);
   v´64/v´65 are the bytes of v´39/v´54 at row v´61 (H55/H57);
   v´58 is the ready group after the update (see AOSRdyTblGrp in Pre) *)
v´39 : vallist
)(
v´43 : int32
)(
v´54 : vallist
)(
v´58 : int32
)(
v´61 : int32
)(
v´62 : int32
)(
v´63 : int32
)(
v´64 : int32
)(
v´65 : int32
)(
v´66 : int32
)(
(* TCB list prefix: from OSTCBList head v´29 up to the current TCB *)
H30 : TCBList_P v´29 v´31 v´39 v´41
)(
H26 : array_type_vallist_match Int8u v´39
)(
H46 : length v´39 = ∘OS_RDY_TBL_SIZE
)(
(* the idle task is always ready, so blocking the current task cannot empty the ready table *)
H45 : prio_in_tbl ($ OS_IDLE_PRIO) v´39
)(
H43 : Int.unsigned v´43 <= 255
)(
H44 : RL_Tbl_Grp_P v´39 (Vint32 v´43)
)(
H55 : nth_val ∘(Int.unsigned v´61) v´39 = Some (Vint32 v´64)
)(
H57 : nth_val ∘(Int.unsigned v´61) v´54 = Some (Vint32 v´65)
)(
H12 : array_type_vallist_match Int8u v´54
)(
H20 : length v´54 = ∘OS_EVENT_TBL_SIZE
)(
H41 : Int.unsigned v´62 <= 255
)(
H40 : Int.unsigned v´61 <= 255
)(
H42 : Int.unsigned v´63 <= 255
)(
(* TCB list suffix: the current TCB node (with its pre-blocking slots) followed by v´33 *)
H31 : TCBList_P (Vptr (v´52, Int.zero))
((v´51
:: v´22
:: x9
:: x8
:: Vint32 i9
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
:: Vint32 v´61
:: Vint32 v´62 :: Vint32 v´63 :: nil)
:: v´33) v´39 v´50
)(
H22 : Int.unsigned v´66 <= 255
)(
H19 : RL_Tbl_Grp_P v´54 (Vint32 v´66)
)(
H24 : isptr Vnull
)(
(* the mailbox is empty (absmbox Vnull) with wait set w; H7 places it in the abstract map *)
H47 : RH_ECB_P (absmbox Vnull, w)
)(
H7 : EcbMod.joinsig (v´27, Int.zero) (absmbox Vnull, w) v´46 v´47
)(
H32 : RH_ECB_P (absmbox Vnull, w)
)(
(* residue of the null test on the (empty) mailbox message that led to the blocking path *)
H18 : val_inj (notint (val_inj (val_eq Vnull Vnull))) = Vint32 Int.zero \/
val_inj (notint (val_inj (val_eq Vnull Vnull))) = Vnull
)(
(* whole event list with the mailbox node spliced between prefix v´23 and suffix v´24 *)
H0 : ECBList_P v´40 Vnull
(v´23 ++
((V$OS_EVENT_TYPE_MBOX
:: Vint32 v´66 :: Vint32 i2 :: Vnull :: x3 :: v´44 :: nil, v´54)
:: nil) ++ v´24) (v´25 ++ (DMbox Vnull :: nil) ++ v´26) v´36 v´37
)(
H6 : R_ECB_ETbl_P (v´27, Int.zero)
(V$OS_EVENT_TYPE_MBOX
:: Vint32 v´66 :: Vint32 i2 :: Vnull :: x3 :: v´44 :: nil, v´54)
v´37)
,
(* function context: OSQ_spec, GetHPrio, invariant I, and the postcondition
   for RETURN v: the four locals exist, interrupts are enabled, no critical
   section is held, and the abstract code has reached END v *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV message @ (Void) ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (message, (Void) ∗) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Pre: remaining abstract code is a schedule step followed by a
   nondeterministic choice (??) between the timeout-error and the
   successful-get abstract operations *)
{{ <||
isched;;
(mbox_pend_timeout_err (|Vptr (v´27, Int.zero) :: Vint32 i :: nil|)
?? mbox_pend_block_get_succ
(|Vptr (v´27, Int.zero) :: Vint32 i :: nil|)) ||> **
(* abstract ECB map: current task consed onto the mailbox wait set *)
HECBList
(EcbMod.set v´36 (v´27, Int.zero)
(absmbox Vnull, (v´52, Int.zero) :: w)) **
(* abstract TCB map: current task now waits on the mailbox with timeout i *)
HTCBList
(TcbMod.set v´37 (v´52, Int.zero)
(i7, wait (os_stat_mbox (v´27, Int.zero)) i, Vnull)) **
HTime v´16 **
HCurTCB (v´52, Int.zero) **
(* Aie false / Acs (true :: nil): the critical section is still held when
   this code starts, matching the leading EXIT_CRITICAL *)
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
(* current TCB node after blocking (compare slots 2..5 with H31) *)
node (Vptr (v´52, Int.zero))
(v´51
:: v´22
:: Vptr (v´27, Int.zero)
:: Vnull
:: Vint32 i
:: V$OS_STAT_MBOX
:: Vint32 i7
:: Vint32 i6
:: Vint32 v´61
:: Vint32 v´62 :: Vint32 v´63 :: nil) OS_TCB **
(* ready table with the task's bit cleared at row v´61, new group byte v´58 *)
AOSRdyTblGrp
(update_nth_val ∘(Int.unsigned v´61) v´39 (Vint32 (v´64&Int.not v´62)))
(Vint32 v´58) **
(* mailbox node with the task's bit set in the wait table and group *)
AEventNode (Vptr (v´27, Int.zero))
(V$OS_EVENT_TYPE_MBOX
:: Vint32 (Int.or v´66 v´63)
:: Vint32 i2 :: Vnull :: x3 :: v´44 :: nil)
(update_nth_val ∘(Int.unsigned v´61) v´54 (Vint32 (Int.or v´65 v´62)))
(DMbox Vnull) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (message, (Void) ∗) :: (legal, Int8u) :: nil) **
LV message @ (Void) ∗ |-> Vnull **
(* doubly linked TCB list: segment after the current node, then the segment before it *)
dllseg v´51 (Vptr (v´52, Int.zero)) v´38 Vnull v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´29 **
dllseg v´29 Vnull v´22 (Vptr (v´52, Int.zero)) v´31 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSEventList @ OS_EVENT ∗ |-> v´40 **
evsllseg v´40 (Vptr (v´27, Int.zero)) v´23 v´25 **
evsllseg v´44 Vnull v´24 v´26 **
AOSTCBPrioTbl v´28 v´39 v´37 v´49 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´1 **
AOSQFreeList v´2 **
AOSQFreeBlk v´3 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´19 v´20 **
AOSTime (Vint32 v´16) **
AGVars **
atoy_inv´ **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´27, Int.zero)}}
(* code under verification: release the critical section, let the scheduler
   run (the task resumes here once woken or timed out), re-enter it and
   report success iff a message was delivered into OSTCBMsg *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
ENTER_CRITICAL;ₛ
message ′ =ₑ OSTCBCur ′ → OSTCBMsg;ₛ
If(message ′ !=ₑ NULL)
{EXIT_CRITICAL;ₛ
RETURN ′MBOX_PEND_SUCC} ;ₛ
EXIT_CRITICAL;ₛ
(* both branches RETURN, so the normal-exit postcondition is never reached *)
RETURN ′MBOX_PEND_TIMEOUT_ERR {{Afalse}}
.
(* Verification goal for the tail of OSMboxPost on the path where the mailbox
   (v´26, Int.zero) has a non-zero wait group: H16 says the group byte i is
   not 0, and H21 ties i to the event wait table v´41 (presumably the case in
   which a waiting task has just been readied).
   x is the posted message: the message local holds Vptr x and the pending
   abstract code is mbox_post [pevent; Vptr x].
   Pre is event_rdy_post1 (defined elsewhere) applied to the C arguments
   (pevent, message, V$OS_STAT_MBOX), the return slot v´21 and the list of
   logical variables it abstracts over (TCB list segments, abstract TCB map
   v´36, the mailbox node, its wait table v´41, DMbox m0, and the abstract
   code), conjoined with the rest of the unchanged state.
   The code leaves the critical section, calls OS_Sched and returns OS_NO_ERR;
   the fall-through postcondition is Afalse because the only path RETURNs.
   Binder names mirror the proof context and are presumably consumed by
   `intros` in the proof scripts: do not rename or reorder. H28/H30 are
   duplicates kept on purpose. *)
Definition gen_mbox_post_part1:= forall (x : addrval)
(v´ : val)
(* residue of the non-null test on the posted message x *)
(H0 : val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vnull)
(v´0 : list vallist)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list EventData)
(v´4 : list EventCtr)
(v´5 : vallist)
(v´6 : val)
(v´7 : val)
(v´8 : list vallist)
(v´9 : vallist)
(v´10 : list vallist)
(v´11 : vallist)
(v´12 : val)
(v´13 : EcbMod.map)
(v´14 : TcbMod.map)
(v´15 : int32)
(v´16 : addrval)
(v´17 : addrval)
(v´18 : val)
(v´19 : list vallist)
(H1 : RH_TCBList_ECBList_P v´13 v´14 v´16)
(H3 : RH_CurTCB v´16 v´14)
(v´22 : list EventCtr)
(v´23 : list EventCtr)
(v´24 : list EventData)
(v´25 : list EventData)
(v´27 : vallist)
(v´28 : val)
(v´29 : val)
(v´30 : list vallist)
(v´31 : vallist)
(v´32 : list vallist)
(v´33 : vallist)
(v´34 : val)
(* v´35 / v´36: abstract ECB and TCB maps of the current state; v´38: current task *)
(v´35 : EcbMod.map)
(v´36 : TcbMod.map)
(v´38 : addrval)
(v´39 : val)
(* event wait table of the mailbox (OS_EVENT_TBL_SIZE bytes, H14/H22) *)
(v´41 : vallist)
(v´43 : val)
(v´44 : EcbMod.map)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(* m0: message currently stored in the mailbox; w: its wait set *)
(m0 : msg)
(w : waitset)
(v´48 : addrval)
(* event list suffix from v´43 (the mailbox node's successor) to Vnull; prefix is H5 *)
(H6 : ECBList_P v´43 Vnull v´23 v´25 v´45 v´36)
(* abstract ECB map split: v´35 = v´44 + v´46, and v´46 = {mailbox} + v´45 (H9) *)
(H19 : EcbMod.join v´44 v´46 v´35)
(H10 : RH_TCBList_ECBList_P v´35 v´36 v´38)
(H11 : RH_CurTCB v´38 v´36)
(H15 : length v´22 = length v´24)
(H18 : isptr v´43)
(* residue of an earlier branch condition on constants *)
(H12 : val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull)
(v´20 : addrval)
(* block of the mailbox OS_EVENT; its address is (v´26, Int.zero) throughout *)
(v´26 : block)
(H14 : array_type_vallist_match Int8u v´41)
(H22 : length v´41 = ∘OS_EVENT_TBL_SIZE)
(x4 : val)
(* i: group byte of the wait table (slot 1 of the node); i1: slot 2, 16-bit by H25 *)
(i : int32)
(H24 : Int.unsigned i <= 255)
(i1 : int32)
(H25 : Int.unsigned i1 <= 65535)
(H21 : RL_Tbl_Grp_P v´41 (Vint32 i))
(H27 : isptr v´43)
(* event list prefix from OSEventList head v´39 up to (excluding) the mailbox node *)
(H5 : ECBList_P v´39 (Vptr (v´26, Int.zero)) v´22 v´24 v´44 v´36)
(H9 : EcbMod.joinsig (v´26, Int.zero) (absmbox m0, w) v´45 v´46)
(H2 : Vptr (v´26, Int.zero) = Vnull \/
exists p, Vptr (v´26, Int.zero) = Vptr p)
(H : val_inj (Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (Some( Vint32 Int.zero)) = Vnull)
(H17 : id_addrval´ (Vptr (v´26, Int.zero)) OSEventTbl OS_EVENT = Some v´20)
(H23 : Int.unsigned ($ OS_EVENT_TYPE_MBOX) <= 255)
(H28 : RH_ECB_P (absmbox m0, w))
(H30 : RH_ECB_P (absmbox m0, w))
(H26 : isptr m0)
(H8 : R_ECB_ETbl_P (v´26, Int.zero)
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) v´36)
(* whole event list with the mailbox node spliced between prefix v´22 and suffix v´23 *)
(H4 : ECBList_P v´39 Vnull
(v´22 ++
((V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) :: nil) ++
v´23) (v´24 ++ (DMbox m0 :: nil) ++ v´25) v´35 v´36)
(* the wait group is non-zero: this is the branch that distinguishes this goal *)
(H16 : Int.eq i ($ 0) = false)
(v´21 : option val)
,
(* function context: spec, priority oracle, invariant I, RETURN postcondition
   (locals exist, interrupts enabled, no critical section, abstract code at END v) *)
{|OSQ_spec , GetHPrio , I,
fun v : option val =>
((((EX v0 : val, LV message @ (Void) ∗ |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Pre: state after the ready-up step, packaged by event_rdy_post1 *)
{{event_rdy_post1
(Vptr (v´26, Int.zero) :: Vptr x :: V$OS_STAT_MBOX :: nil) v´21
(logic_lv v´27
:: logic_lv v´31
:: logic_llv v´30
:: logic_llv v´32
:: logic_lv v´33
:: logic_val v´34
:: logic_abstcb v´36
:: logic_val v´28
:: logic_val v´29
:: logic_val (Vptr v´38)
:: logic_lv
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i
:: Vint32 i1
:: m0 :: x4 :: v´43 :: nil)
:: logic_lv v´41
:: logic_leventd (DMbox m0 :: nil)
:: logic_code
(mbox_post
(Vptr (v´26, Int.zero)
::
Vptr x :: nil)) :: nil) **
(* critical section still held (Aie false, Acs (true :: nil)), matching the EXIT_CRITICAL below *)
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
(* note: the legal local holds V$OS_STAT_MBOX here, the same value passed as
   third argument in the event_rdy_post1 argument list *)
LV legal @ Int8u |-> (V$OS_STAT_MBOX) **
GV OSEventList @ OS_EVENT ∗ |-> v´39 **
evsllseg v´39 (Vptr (v´26, Int.zero)) v´22 v´24 **
evsllseg v´43 Vnull v´23 v´25 **
HECBList v´35 **
HTCBList v´36 **
HCurTCB v´38 **
AOSEventFreeList v´0 **
AOSQFreeList v´1 **
AOSQFreeBlk v´2 **
AOSIntNesting **
AOSTCBFreeList v´18 v´19 **
AOSTime (Vint32 v´15) **
HTime v´15 **
AGVars **
atoy_inv´ **
LV message @ (Void) ∗ |-> Vptr x **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´26, Int.zero) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)}}
(* code under verification: release the critical section, reschedule, return *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}
.
(* Same goal as gen_mbox_post_part1 with event_rdy_post3 in place of
   event_rdy_post1 in the precondition; the hypothesis list, the function
   context and the code are otherwise identical (only the source layout of
   H0, H2 and H differs). See the comments on gen_mbox_post_part1 for the
   meaning of the context. Binder names mirror the proof state and are
   presumably consumed by `intros`: do not rename or reorder. *)
Definition gen_mbox_post_part2 := forall (x : addrval)
(v´ : val)
(H0 : val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vint32 Int.zero \/ val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vnull)
(v´0 : list vallist)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list EventData)
(v´4 : list EventCtr)
(v´5 : vallist)
(v´6 : val)
(v´7 : val)
(v´8 : list vallist)
(v´9 : vallist)
(v´10 : list vallist)
(v´11 : vallist)
(v´12 : val)
(v´13 : EcbMod.map)
(v´14 : TcbMod.map)
(v´15 : int32)
(v´16 : addrval)
(v´17 : addrval)
(v´18 : val)
(v´19 : list vallist)
(H1 : RH_TCBList_ECBList_P v´13 v´14 v´16)
(H3 : RH_CurTCB v´16 v´14)
(v´22 : list EventCtr)
(v´23 : list EventCtr)
(v´24 : list EventData)
(v´25 : list EventData)
(v´27 : vallist)
(v´28 : val)
(v´29 : val)
(v´30 : list vallist)
(v´31 : vallist)
(v´32 : list vallist)
(v´33 : vallist)
(v´34 : val)
(v´35 : EcbMod.map)
(v´36 : TcbMod.map)
(v´38 : addrval)
(v´39 : val)
(v´41 : vallist)
(v´43 : val)
(v´44 : EcbMod.map)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(m0 : msg)
(w : waitset)
(v´48 : addrval)
(H6 : ECBList_P v´43 Vnull v´23 v´25 v´45 v´36)
(H19 : EcbMod.join v´44 v´46 v´35)
(H10 : RH_TCBList_ECBList_P v´35 v´36 v´38)
(H11 : RH_CurTCB v´38 v´36)
(H15 : length v´22 = length v´24)
(H18 : isptr v´43)
(H12 : val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull)
(v´20 : addrval)
(v´26 : block)
(H14 : array_type_vallist_match Int8u v´41)
(H22 : length v´41 = ∘OS_EVENT_TBL_SIZE)
(x4 : val)
(i : int32)
(H24 : Int.unsigned i <= 255)
(i1 : int32)
(H25 : Int.unsigned i1 <= 65535)
(H21 : RL_Tbl_Grp_P v´41 (Vint32 i))
(H27 : isptr v´43)
(H5 : ECBList_P v´39 (Vptr (v´26, Int.zero)) v´22 v´24 v´44 v´36)
(H9 : EcbMod.joinsig (v´26, Int.zero) (absmbox m0, w) v´45 v´46)
(H2 : Vptr (v´26, Int.zero) = Vnull \/
(exists p, Vptr (v´26, Int.zero) = Vptr p))
(H : val_inj (Some (Vint32 Int.zero)) = Vint32 Int.zero \/ val_inj (Some (Vint32 Int.zero)) = Vnull)
(H17 : id_addrval´ (Vptr (v´26, Int.zero)) OSEventTbl OS_EVENT = Some v´20)
(H23 : Int.unsigned ($ OS_EVENT_TYPE_MBOX) <= 255)
(H28 : RH_ECB_P (absmbox m0, w))
(H30 : RH_ECB_P (absmbox m0, w))
(H26 : isptr m0)
(H8 : R_ECB_ETbl_P (v´26, Int.zero)
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) v´36)
(H4 : ECBList_P v´39 Vnull
(v´22 ++
((V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) :: nil) ++
v´23) (v´24 ++ (DMbox m0 :: nil) ++ v´25) v´35 v´36)
(* non-zero wait group of the mailbox (i is tied to the wait table v´41 by H21) *)
(H16 : Int.eq i ($ 0) = false)
(v´21 : option val),
{|OSQ_spec , GetHPrio , I,
fun v : option val =>
((((EX v0 : val, LV message @ (Void) ∗ |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Pre: the ready-up state as packaged by event_rdy_post3 (variant of the
   event_rdy_post1 assertion used in gen_mbox_post_part1) *)
{{event_rdy_post3
(Vptr (v´26, Int.zero) :: Vptr x :: V$OS_STAT_MBOX :: nil) v´21
(logic_lv v´27
:: logic_lv v´31
:: logic_llv v´30
:: logic_llv v´32
:: logic_lv v´33
:: logic_val v´34
:: logic_abstcb v´36
:: logic_val v´28
:: logic_val v´29
:: logic_val (Vptr v´38)
:: logic_lv
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i
:: Vint32 i1
:: m0 :: x4 :: v´43 :: nil)
:: logic_lv v´41
:: logic_leventd (DMbox m0 :: nil)
:: logic_code
(mbox_post
(Vptr (v´26, Int.zero)
::
Vptr x :: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV legal @ Int8u |-> (V$OS_STAT_MBOX) **
GV OSEventList @ OS_EVENT ∗ |-> v´39 **
evsllseg v´39 (Vptr (v´26, Int.zero)) v´22 v´24 **
evsllseg v´43 Vnull v´23 v´25 **
HECBList v´35 **
HTCBList v´36 **
HCurTCB v´38 **
AOSEventFreeList v´0 **
AOSQFreeList v´1 **
AOSQFreeBlk v´2 **
AOSIntNesting **
AOSTCBFreeList v´18 v´19 **
AOSTime (Vint32 v´15) **
HTime v´15 **
AGVars **
atoy_inv´ **
LV message @ (Void) ∗ |-> Vptr x **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´26, Int.zero) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)}}
(* release the critical section, reschedule, return; the only path RETURNs, hence Afalse *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Same goal as gen_mbox_post_part1 with event_rdy_post5 in place of
   event_rdy_post1 in the precondition; hypothesis list, function context and
   code are otherwise identical. See the comments on gen_mbox_post_part1 for
   the meaning of the context. Binder names mirror the proof state and are
   presumably consumed by `intros`: do not rename or reorder. *)
Definition gen_mbox_post_part3:= forall
(x : addrval)
(v´ : val)
( H0 : val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vnull)
(v´0 : list vallist)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list EventData)
(v´4 : list EventCtr)
(v´5 : vallist)
(v´6 : val)
(v´7 : val)
(v´8 : list vallist)
(v´9 : vallist)
(v´10 : list vallist)
(v´11 : vallist)
(v´12 : val)
(v´13 : EcbMod.map)
(v´14 : TcbMod.map)
(v´15 : int32)
(v´16 : addrval)
(v´17 : addrval)
(v´18 : val)
(v´19 : list vallist)
(H1 : RH_TCBList_ECBList_P v´13 v´14 v´16)
(H3 : RH_CurTCB v´16 v´14)
(v´22 : list EventCtr)
(v´23 : list EventCtr)
(v´24 : list EventData)
(v´25 : list EventData)
(v´27 : vallist)
(v´28 : val)
(v´29 : val)
(v´30 : list vallist)
(v´31 : vallist)
(v´32 : list vallist)
(v´33 : vallist)
(v´34 : val)
(v´35 : EcbMod.map)
(v´36 : TcbMod.map)
(v´38 : addrval)
(v´39 : val)
(v´41 : vallist)
(v´43 : val)
(v´44 : EcbMod.map)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(m0 : msg)
(w : waitset)
(v´48 : addrval)
(H6 : ECBList_P v´43 Vnull v´23 v´25 v´45 v´36)
(H19 : EcbMod.join v´44 v´46 v´35)
(H10 : RH_TCBList_ECBList_P v´35 v´36 v´38)
(H11 : RH_CurTCB v´38 v´36)
(H15 : length v´22 = length v´24)
(H18 : isptr v´43)
(H12 : val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull)
(v´20 : addrval)
(v´26 : block)
(H14 : array_type_vallist_match Int8u v´41)
(H22 : length v´41 = ∘OS_EVENT_TBL_SIZE)
(x4 : val)
(i : int32)
(H24 : Int.unsigned i <= 255)
(i1 : int32)
(H25 : Int.unsigned i1 <= 65535)
(H21 : RL_Tbl_Grp_P v´41 (Vint32 i))
(H27 : isptr v´43)
(H5 : ECBList_P v´39 (Vptr (v´26, Int.zero)) v´22 v´24 v´44 v´36)
(H9 : EcbMod.joinsig (v´26, Int.zero) (absmbox m0, w) v´45 v´46)
(H2 : Vptr (v´26, Int.zero) = Vnull \/
(exists p, Vptr (v´26, Int.zero) = Vptr p))
(H : val_inj (Some ( Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (Some ( Vint32 Int.zero)) = Vnull)
(H17 : id_addrval´ (Vptr (v´26, Int.zero)) OSEventTbl OS_EVENT = Some v´20)
(H23 : Int.unsigned ($ OS_EVENT_TYPE_MBOX) <= 255)
(H28 : RH_ECB_P (absmbox m0, w))
(H30 : RH_ECB_P (absmbox m0, w))
(H26 : isptr m0)
(H8 : R_ECB_ETbl_P (v´26, Int.zero)
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) v´36)
(H4 : ECBList_P v´39 Vnull
(v´22 ++
((V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) :: nil) ++
v´23) (v´24 ++ (DMbox m0 :: nil) ++ v´25) v´35 v´36)
(* non-zero wait group of the mailbox (i is tied to the wait table v´41 by H21) *)
(H16 : Int.eq i ($ 0) = false)
(v´21 : option val )
,
{|OSQ_spec , GetHPrio , I,
fun v : option val =>
((((EX v0 : val, LV message @ (Void) ∗ |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Pre: the ready-up state as packaged by event_rdy_post5 *)
{{event_rdy_post5
(Vptr (v´26, Int.zero) :: Vptr x :: V$OS_STAT_MBOX :: nil) v´21
(logic_lv v´27
:: logic_lv v´31
:: logic_llv v´30
:: logic_llv v´32
:: logic_lv v´33
:: logic_val v´34
:: logic_abstcb v´36
:: logic_val v´28
:: logic_val v´29
:: logic_val (Vptr v´38)
:: logic_lv
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i
:: Vint32 i1
:: m0 :: x4 :: v´43 :: nil)
:: logic_lv v´41
:: logic_leventd (DMbox m0 :: nil)
:: logic_code
(mbox_post
(Vptr (v´26, Int.zero)
::
Vptr x :: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV legal @ Int8u |-> (V$OS_STAT_MBOX) **
GV OSEventList @ OS_EVENT ∗ |-> v´39 **
evsllseg v´39 (Vptr (v´26, Int.zero)) v´22 v´24 **
evsllseg v´43 Vnull v´23 v´25 **
HECBList v´35 **
HTCBList v´36 **
HCurTCB v´38 **
AOSEventFreeList v´0 **
AOSQFreeList v´1 **
AOSQFreeBlk v´2 **
AOSIntNesting **
AOSTCBFreeList v´18 v´19 **
AOSTime (Vint32 v´15) **
HTime v´15 **
AGVars **
atoy_inv´ **
LV message @ (Void) ∗ |-> Vptr x **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´26, Int.zero) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)}}
(* release the critical section, reschedule, return; the only path RETURNs, hence Afalse *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Same goal as gen_mbox_post_part1 with event_rdy_post1´ (primed variant)
   in place of event_rdy_post1 in the precondition; hypothesis list, function
   context and code are otherwise identical. See the comments on
   gen_mbox_post_part1 for the meaning of the context. Binder names mirror
   the proof state and are presumably consumed by `intros`: do not rename or
   reorder. *)
Definition gen_mbox_post_part4:=forall (x : addrval)
(v´ : val)
(H0 : val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vnull)
(v´0 : list vallist)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list EventData)
(v´4 : list EventCtr)
(v´5 : vallist)
(v´6 : val)
(v´7 : val)
(v´8 : list vallist)
(v´9 : vallist)
(v´10 : list vallist)
(v´11 : vallist)
(v´12 : val)
(v´13 : EcbMod.map)
(v´14 : TcbMod.map)
(v´15 : int32)
(v´16 : addrval)
(v´17 : addrval)
(v´18 : val)
(v´19 : list vallist)
(H1 : RH_TCBList_ECBList_P v´13 v´14 v´16)
(H3 : RH_CurTCB v´16 v´14)
(v´22 : list EventCtr)
(v´23 : list EventCtr)
(v´24 : list EventData)
(v´25 : list EventData)
(v´27 : vallist)
(v´28 : val)
(v´29 : val)
(v´30 : list vallist)
(v´31 : vallist)
(v´32 : list vallist)
(v´33 : vallist)
(v´34 : val)
(v´35 : EcbMod.map)
(v´36 : TcbMod.map)
(v´38 : addrval)
(v´39 : val)
(v´41 : vallist)
(v´43 : val)
(v´44 : EcbMod.map)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(m0 : msg)
(w : waitset)
(v´48 : addrval)
(H6 : ECBList_P v´43 Vnull v´23 v´25 v´45 v´36)
(H19 : EcbMod.join v´44 v´46 v´35)
(H10 : RH_TCBList_ECBList_P v´35 v´36 v´38)
(H11 : RH_CurTCB v´38 v´36)
(H15 : length v´22 = length v´24)
(H18 : isptr v´43)
(H12 : val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull)
(v´20 : addrval)
(v´26 : block)
(H14 : array_type_vallist_match Int8u v´41)
(H22 : length v´41 = ∘OS_EVENT_TBL_SIZE)
(x4 : val)
(i : int32)
(H24 : Int.unsigned i <= 255)
(i1 : int32)
(H25 : Int.unsigned i1 <= 65535)
(H21 : RL_Tbl_Grp_P v´41 (Vint32 i))
(H27 : isptr v´43)
(H5 : ECBList_P v´39 (Vptr (v´26, Int.zero)) v´22 v´24 v´44 v´36)
(H9 : EcbMod.joinsig (v´26, Int.zero) (absmbox m0, w) v´45 v´46)
(H2 : Vptr (v´26, Int.zero) = Vnull \/
(exists p, Vptr (v´26, Int.zero) = Vptr p))
(H : val_inj (Some ( Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (Some ( Vint32 Int.zero)) = Vnull)
(H17 : id_addrval´ (Vptr (v´26, Int.zero)) OSEventTbl OS_EVENT = Some v´20)
(H23 : Int.unsigned ($ OS_EVENT_TYPE_MBOX) <= 255)
(H28 : RH_ECB_P (absmbox m0, w))
(H30 : RH_ECB_P (absmbox m0, w))
(H26 : isptr m0)
(H8 : R_ECB_ETbl_P (v´26, Int.zero)
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) v´36)
(H4 : ECBList_P v´39 Vnull
(v´22 ++
((V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) :: nil) ++
v´23) (v´24 ++ (DMbox m0 :: nil) ++ v´25) v´35 v´36)
(* non-zero wait group of the mailbox (i is tied to the wait table v´41 by H21) *)
(H16 : Int.eq i ($ 0) = false)
(v´21 : option val
),
{|OSQ_spec , GetHPrio , I,
fun v : option val =>
((((EX v0 : val, LV message @ (Void) ∗ |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Pre: the ready-up state as packaged by event_rdy_post1´ *)
{{event_rdy_post1´
(Vptr (v´26, Int.zero) :: Vptr x :: V$OS_STAT_MBOX :: nil) v´21
(logic_lv v´27
:: logic_lv v´31
:: logic_llv v´30
:: logic_llv v´32
:: logic_lv v´33
:: logic_val v´34
:: logic_abstcb v´36
:: logic_val v´28
:: logic_val v´29
:: logic_val (Vptr v´38)
:: logic_lv
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i
:: Vint32 i1
:: m0 :: x4 :: v´43 :: nil)
:: logic_lv v´41
:: logic_leventd (DMbox m0 :: nil)
:: logic_code
(mbox_post
(Vptr (v´26, Int.zero)
::
Vptr x :: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV legal @ Int8u |-> (V$OS_STAT_MBOX) **
GV OSEventList @ OS_EVENT ∗ |-> v´39 **
evsllseg v´39 (Vptr (v´26, Int.zero)) v´22 v´24 **
evsllseg v´43 Vnull v´23 v´25 **
HECBList v´35 **
HTCBList v´36 **
HCurTCB v´38 **
AOSEventFreeList v´0 **
AOSQFreeList v´1 **
AOSQFreeBlk v´2 **
AOSIntNesting **
AOSTCBFreeList v´18 v´19 **
AOSTime (Vint32 v´15) **
HTime v´15 **
AGVars **
atoy_inv´ **
LV message @ (Void) ∗ |-> Vptr x **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´26, Int.zero) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)}}
(* release the critical section, reschedule, return; the only path RETURNs, hence Afalse *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Same goal as gen_mbox_post_part1 with event_rdy_post3´ (primed variant)
   in place of event_rdy_post1 in the precondition; hypothesis list, function
   context and code are otherwise identical. See the comments on
   gen_mbox_post_part1 for the meaning of the context. Binder names mirror
   the proof state and are presumably consumed by `intros`: do not rename or
   reorder. *)
Definition gen_mbox_post_part5:=forall (
x : addrval)
(v´ : val)
(H0 : val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vnull)
(v´0 : list vallist)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list EventData)
(v´4 : list EventCtr)
(v´5 : vallist)
(v´6 : val)
(v´7 : val)
(v´8 : list vallist)
(v´9 : vallist)
(v´10 : list vallist)
(v´11 : vallist)
(v´12 : val)
(v´13 : EcbMod.map)
(v´14 : TcbMod.map)
(v´15 : int32)
(v´16 : addrval)
(v´17 : addrval)
(v´18 : val)
(v´19 : list vallist)
(H1 : RH_TCBList_ECBList_P v´13 v´14 v´16)
(H3 : RH_CurTCB v´16 v´14)
(v´22 : list EventCtr)
(v´23 : list EventCtr)
(v´24 : list EventData)
(v´25 : list EventData)
(v´27 : vallist)
(v´28 : val)
(v´29 : val)
(v´30 : list vallist)
(v´31 : vallist)
(v´32 : list vallist)
(v´33 : vallist)
(v´34 : val)
(v´35 : EcbMod.map)
(v´36 : TcbMod.map)
(v´38 : addrval)
(v´39 : val)
(v´41 : vallist)
(v´43 : val)
(v´44 : EcbMod.map)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(m0 : msg)
(w : waitset)
(v´48 : addrval)
(H6 : ECBList_P v´43 Vnull v´23 v´25 v´45 v´36)
(H19 : EcbMod.join v´44 v´46 v´35)
(H10 : RH_TCBList_ECBList_P v´35 v´36 v´38)
(H11 : RH_CurTCB v´38 v´36)
(H15 : length v´22 = length v´24)
(H18 : isptr v´43)
(H12 : val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull)
(v´20 : addrval)
(v´26 : block)
(H14 : array_type_vallist_match Int8u v´41)
(H22 : length v´41 = ∘OS_EVENT_TBL_SIZE)
(x4 : val)
(i : int32)
(H24 : Int.unsigned i <= 255)
(i1 : int32)
(H25 : Int.unsigned i1 <= 65535)
(H21 : RL_Tbl_Grp_P v´41 (Vint32 i))
(H27 : isptr v´43)
(H5 : ECBList_P v´39 (Vptr (v´26, Int.zero)) v´22 v´24 v´44 v´36)
(H9 : EcbMod.joinsig (v´26, Int.zero) (absmbox m0, w) v´45 v´46)
(H2 : Vptr (v´26, Int.zero) = Vnull \/
(exists p, Vptr (v´26, Int.zero) = Vptr p))
(H : val_inj (Some ( Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (Some ( Vint32 Int.zero)) = Vnull)
(H17 : id_addrval´ (Vptr (v´26, Int.zero)) OSEventTbl OS_EVENT = Some v´20)
(H23 : Int.unsigned ($ OS_EVENT_TYPE_MBOX) <= 255)
(H28 : RH_ECB_P (absmbox m0, w))
(H30 : RH_ECB_P (absmbox m0, w))
(H26 : isptr m0)
(H8 : R_ECB_ETbl_P (v´26, Int.zero)
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) v´36)
(H4 : ECBList_P v´39 Vnull
(v´22 ++
((V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) :: nil) ++
v´23) (v´24 ++ (DMbox m0 :: nil) ++ v´25) v´35 v´36)
(* non-zero wait group of the mailbox (i is tied to the wait table v´41 by H21) *)
(H16 : Int.eq i ($ 0) = false)
(v´21 : option val
)
,
{|OSQ_spec , GetHPrio , I,
fun v : option val =>
((((EX v0 : val, LV message @ (Void) ∗ |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Pre: the ready-up state as packaged by event_rdy_post3´ *)
{{event_rdy_post3´
(Vptr (v´26, Int.zero) :: Vptr x :: V$OS_STAT_MBOX :: nil) v´21
(logic_lv v´27
:: logic_lv v´31
:: logic_llv v´30
:: logic_llv v´32
:: logic_lv v´33
:: logic_val v´34
:: logic_abstcb v´36
:: logic_val v´28
:: logic_val v´29
:: logic_val (Vptr v´38)
:: logic_lv
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i
:: Vint32 i1
:: m0 :: x4 :: v´43 :: nil)
:: logic_lv v´41
:: logic_leventd (DMbox m0 :: nil)
:: logic_code
(mbox_post
(Vptr (v´26, Int.zero)
::
Vptr x :: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV legal @ Int8u |-> (V$OS_STAT_MBOX) **
GV OSEventList @ OS_EVENT ∗ |-> v´39 **
evsllseg v´39 (Vptr (v´26, Int.zero)) v´22 v´24 **
evsllseg v´43 Vnull v´23 v´25 **
HECBList v´35 **
HTCBList v´36 **
HCurTCB v´38 **
AOSEventFreeList v´0 **
AOSQFreeList v´1 **
AOSQFreeBlk v´2 **
AOSIntNesting **
AOSTCBFreeList v´18 v´19 **
AOSTime (Vint32 v´15) **
HTime v´15 **
AGVars **
atoy_inv´ **
LV message @ (Void) ∗ |-> Vptr x **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´26, Int.zero) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)}}
(* release the critical section, reschedule, return; the only path RETURNs, hence Afalse *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Same goal as gen_mbox_post_part1 with event_rdy_post5´ (primed variant)
   in place of event_rdy_post1 in the precondition; hypothesis list, function
   context and code are otherwise identical. See the comments on
   gen_mbox_post_part1 for the meaning of the context. Binder names mirror
   the proof state and are presumably consumed by `intros`: do not rename or
   reorder. *)
Definition gen_mbox_post_part6:= forall (
x : addrval)
(v´ : val)
(H0 : val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vnull)
(v´0 : list vallist)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list EventData)
(v´4 : list EventCtr)
(v´5 : vallist)
(v´6 : val)
(v´7 : val)
(v´8 : list vallist)
(v´9 : vallist)
(v´10 : list vallist)
(v´11 : vallist)
(v´12 : val)
(v´13 : EcbMod.map)
(v´14 : TcbMod.map)
(v´15 : int32)
(v´16 : addrval)
(v´17 : addrval)
(v´18 : val)
(v´19 : list vallist)
(H1 : RH_TCBList_ECBList_P v´13 v´14 v´16)
(H3 : RH_CurTCB v´16 v´14)
(v´22 : list EventCtr)
(v´23 : list EventCtr)
(v´24 : list EventData)
(v´25 : list EventData)
(v´27 : vallist)
(v´28 : val)
(v´29 : val)
(v´30 : list vallist)
(v´31 : vallist)
(v´32 : list vallist)
(v´33 : vallist)
(v´34 : val)
(v´35 : EcbMod.map)
(v´36 : TcbMod.map)
(v´38 : addrval)
(v´39 : val)
(v´41 : vallist)
(v´43 : val)
(v´44 : EcbMod.map)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(m0 : msg)
(w : waitset)
(v´48 : addrval)
(H6 : ECBList_P v´43 Vnull v´23 v´25 v´45 v´36)
(H19 : EcbMod.join v´44 v´46 v´35)
(H10 : RH_TCBList_ECBList_P v´35 v´36 v´38)
(H11 : RH_CurTCB v´38 v´36)
(H15 : length v´22 = length v´24)
(H18 : isptr v´43)
(H12 : val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull)
(v´20 : addrval)
(v´26 : block)
(H14 : array_type_vallist_match Int8u v´41)
(H22 : length v´41 = ∘OS_EVENT_TBL_SIZE)
(x4 : val)
(i : int32)
(H24 : Int.unsigned i <= 255)
(i1 : int32)
(H25 : Int.unsigned i1 <= 65535)
(H21 : RL_Tbl_Grp_P v´41 (Vint32 i))
(H27 : isptr v´43)
(H5 : ECBList_P v´39 (Vptr (v´26, Int.zero)) v´22 v´24 v´44 v´36)
(H9 : EcbMod.joinsig (v´26, Int.zero) (absmbox m0, w) v´45 v´46)
(H2 : Vptr (v´26, Int.zero) = Vnull \/
(exists p, Vptr (v´26, Int.zero) = Vptr p))
(H : val_inj (Some ( Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (Some ( Vint32 Int.zero)) = Vnull)
(H17 : id_addrval´ (Vptr (v´26, Int.zero)) OSEventTbl OS_EVENT = Some v´20)
(H23 : Int.unsigned ($ OS_EVENT_TYPE_MBOX) <= 255)
(H28 : RH_ECB_P (absmbox m0, w))
(H30 : RH_ECB_P (absmbox m0, w))
(H26 : isptr m0)
(H8 : R_ECB_ETbl_P (v´26, Int.zero)
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) v´36)
(H4 : ECBList_P v´39 Vnull
(v´22 ++
((V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) :: nil) ++
v´23) (v´24 ++ (DMbox m0 :: nil) ++ v´25) v´35 v´36)
(* non-zero wait group of the mailbox (i is tied to the wait table v´41 by H21) *)
(H16 : Int.eq i ($ 0) = false)
(v´21 : option val),
{|OSQ_spec , GetHPrio , I,
fun v : option val =>
((((EX v0 : val, LV message @ (Void) ∗ |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Pre: the ready-up state as packaged by event_rdy_post5´ *)
{{event_rdy_post5´
(Vptr (v´26, Int.zero) :: Vptr x :: V$OS_STAT_MBOX :: nil) v´21
(logic_lv v´27
:: logic_lv v´31
:: logic_llv v´30
:: logic_llv v´32
:: logic_lv v´33
:: logic_val v´34
:: logic_abstcb v´36
:: logic_val v´28
:: logic_val v´29
:: logic_val (Vptr v´38)
:: logic_lv
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i
:: Vint32 i1
:: m0 :: x4 :: v´43 :: nil)
:: logic_lv v´41
:: logic_leventd (DMbox m0 :: nil)
:: logic_code
(mbox_post
(Vptr (v´26, Int.zero)
::
Vptr x :: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV legal @ Int8u |-> (V$OS_STAT_MBOX) **
GV OSEventList @ OS_EVENT ∗ |-> v´39 **
evsllseg v´39 (Vptr (v´26, Int.zero)) v´22 v´24 **
evsllseg v´43 Vnull v´23 v´25 **
HECBList v´35 **
HTCBList v´36 **
HCurTCB v´38 **
AOSEventFreeList v´0 **
AOSQFreeList v´1 **
AOSQFreeBlk v´2 **
AOSIntNesting **
AOSTCBFreeList v´18 v´19 **
AOSTime (Vint32 v´15) **
HTime v´15 **
AGVars **
atoy_inv´ **
LV message @ (Void) ∗ |-> Vptr x **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´26, Int.zero) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)}}
(* release the critical section, reschedule, return; the only path RETURNs, hence Afalse *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Proof obligation for the tail of OSMboxPost on the path where the
   mailbox has a pending waiter.  The binder names (v´NN, HNN, xN) look
   tactic-generated, so this Definition records a proof-state shape
   verbatim; the hypotheses are kept in their original order because a
   proof that applies this statement depends on that exact type.

   What the precondition states (each item is a conjunct or binder below):
   - the abstract step mbox_post (pevent :: msg :: nil) is still pending,
     i.e. the specification-level post has not been performed yet;
   - the OS_EVENT at (v´26, Int.zero) carries OS_EVENT_TYPE_MBOX, the word
     i (tied to the wait table v´41 by H21, hence the group word), the
     16-bit word i1 (H25), the message m0 (abstractly absmbox m0 with wait
     set w, H9) and the successor link v´43; x4 is not constrained here;
   - the event list is split around this ECB (evsllseg v´39 .. v´22 v´24
     and evsllseg v´43 .. v´23 v´25) and H4/H5/H6 are the matching
     ECBList_P facts, the EcbMod maps being related by H9 and H19;
   - interrupts are disabled inside a critical section (Aie false,
     Acs (true :: nil)), whereas the return clause of the spec tuple
     demands Aie true and Acs nil; the statements therefore call
     EXIT_CRITICAL before RETURN.
   H16 (group word non-zero) selects the branch that readies a waiter via
   OS_EventTaskRdy.  H, H0, H2 and H12 are tautologies left over from
   evaluated C conditions (Int.eq ($ 1) ($ 0) computes to false); H28 and
   H30 are the same fact twice.  Postcondition Afalse: the body always
   leaves through RETURN, so presumably only the return clause of the spec
   tuple is checked -- TODO confirm against the framework's RETURN rule. *)
Definition gen_mbox_post_part0 := forall (x : addrval)
(v´ : val)
(H0 : val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vnull)
(v´0 : list vallist)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list EventData)
(v´4 : list EventCtr)
(v´5 : vallist)
(v´6 : val)
(v´7 : val)
(v´8 : list vallist)
(v´9 : vallist)
(v´10 : list vallist)
(v´11 : vallist)
(v´12 : val)
(v´13 : EcbMod.map)
(v´14 : TcbMod.map)
(v´15 : int32)
(v´16 : addrval)
(v´17 : addrval)
(v´18 : val)
(v´19 : list vallist)
(H1 : RH_TCBList_ECBList_P v´13 v´14 v´16)
(H3 : RH_CurTCB v´16 v´14)
(v´22 : list EventCtr)
(v´23 : list EventCtr)
(v´24 : list EventData)
(v´25 : list EventData)
(v´27 : vallist)
(v´28 : val)
(v´29 : val)
(v´30 : list vallist)
(v´31 : vallist)
(v´32 : list vallist)
(v´33 : vallist)
(v´34 : val)
(v´35 : EcbMod.map)
(v´36 : TcbMod.map)
(v´38 : addrval)
(v´39 : val)
(v´41 : vallist)
(v´43 : val)
(v´44 : EcbMod.map)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(m0 : msg)
(w : waitset)
(v´48 : addrval)
(H6 : ECBList_P v´43 Vnull v´23 v´25 v´45 v´36)
(H19 : EcbMod.join v´44 v´46 v´35)
(H10 : RH_TCBList_ECBList_P v´35 v´36 v´38)
(H11 : RH_CurTCB v´38 v´36)
(H15 : length v´22 = length v´24)
(H18 : isptr v´43)
(H12 : val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull)
(v´20 : addrval)
(v´26 : block)
(H14 : array_type_vallist_match Int8u v´41)
(H22 : length v´41 = ∘OS_EVENT_TBL_SIZE)
(x4 : val)
(i : int32)
(H24 : Int.unsigned i <= 255)
(i1 : int32)
(H25 : Int.unsigned i1 <= 65535)
(H21 : RL_Tbl_Grp_P v´41 (Vint32 i))
(H27 : isptr v´43)
(H5 : ECBList_P v´39 (Vptr (v´26, Int.zero)) v´22 v´24 v´44 v´36)
(* H9: v´46 is presumably v´45 extended by the single entry for this
   mailbox -- TODO confirm the definition of EcbMod.joinsig *)
(H9 : EcbMod.joinsig (v´26, Int.zero) (absmbox m0, w) v´45 v´46)
(H2 : Vptr (v´26, Int.zero) = Vnull \/
(exists p, Vptr (v´26, Int.zero) = Vptr p))
(H : val_inj (Some ( Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (Some ( Vint32 Int.zero)) = Vnull)
(H17 : id_addrval´ (Vptr (v´26, Int.zero)) OSEventTbl OS_EVENT = Some v´20)
(H23 : Int.unsigned ($ OS_EVENT_TYPE_MBOX) <= 255)
(H28 : RH_ECB_P (absmbox m0, w))
(H30 : RH_ECB_P (absmbox m0, w))
(H26 : isptr m0)
(H8 : R_ECB_ETbl_P (v´26, Int.zero)
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) v´36)
(H4 : ECBList_P v´39 Vnull
(v´22 ++
((V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil) :: nil) ++
v´23) (v´24 ++ (DMbox m0 :: nil) ++ v´25) v´35 v´36)
(* non-zero group word: relative to H21 some waiter is recorded in the
   wait table, so the code below readies a task instead of storing the
   message *)
(H16 : Int.eq i ($ 0) = false)
,
{|OSQ_spec , GetHPrio , I,
fun v : option val =>
((((EX v0 : val, LV message @ (Void) ∗ |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition; see the header comment for a summary. *)
{{ <|| mbox_post (Vptr (v´26, Int.zero) :: Vptr x :: nil) ||> **
LV legal @ Int8u |-> (V$OS_STAT_MBOX) **
Astruct (v´26, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil) **
Aarray v´20 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´41 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´39 **
evsllseg v´39 (Vptr (v´26, Int.zero)) v´22 v´24 **
evsllseg v´43 Vnull v´23 v´25 **
A_isr_is_prop **
AOSTCBList v´28 v´29 v´30 (v´31 :: v´32) v´33 v´38 v´36 **
AOSRdyTblGrp v´33 v´34 **
AOSTCBPrioTbl v´27 v´33 v´36 v´48 **
HECBList v´35 **
HTCBList v´36 **
HCurTCB v´38 **
AOSEventFreeList v´0 **
AOSQFreeList v´1 **
AOSQFreeBlk v´2 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´18 v´19 **
AOSTime (Vint32 v´15) **
HTime v´15 **
AGVars **
atoy_inv´ **
LV message @ (Void) ∗ |-> Vptr x **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´26, Int.zero) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)}}
(* Statement sequence under verification: ready a waiter, leave the
   critical section, reschedule, return. *)
OS_EventTaskRdy (pevent ′, message ′, legal ′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}
.
(* Proof obligation for the blocking tail of OSSemPend: the count word i2
   is zero (H43: Int.ltu ($ 0) i2 = false, i.e. not 0 < i2), so the
   calling task has to wait.  The binder names look tactic-generated and
   the Definition records a proof-state shape verbatim; the hypothesis
   order is part of its type and is deliberately left unchanged.

   State described by the precondition:
   - the abstract step sem_pend (pevent :: Vint32 i :: nil) is pending,
     with i the timeout argument (LV timeout |-> Vint32 i, H1);
   - the OS_EVENT at (v´26, Int.zero) is a semaphore (OS_EVENT_TYPE_SEM)
     with group word i0 (tied to the wait table v´41 by H20), count word
     i2 (abstractly abssem i2 with wait set x: H8, Hget, H6) and successor
     v´43; the event list is split around it (evsllseg v´39 .. and
     evsllseg v´43 ..) with ECBList_P facts H3/H4/H5;
   - the current TCB lives at (v´49, Int.zero) (GV OSTCBCur, HCurTCB) and
     is described by the Astruct; the TCB list is split around it into the
     dllseg starting at v´28 (GV OSTCBList) and the one starting at v´47,
     with TCBList_P facts H30/H31 and TcbMod join H29.  Its words satisfy
     i7 = OS_STAT_RDY (H17), i8 = 0 (H32) and i6 <> OS_IDLE_PRIO (H15);
     given the assignments to OSTCBStat and OSTCBDly below these are
     presumably the stat, dly and prio fields -- TODO confirm against the
     OS_TCB layout.  Which slot of the Astruct is OSTCBMsg is not fixed by
     any hypothesis here;
   - interrupts are disabled inside a critical section (Aie false,
     Acs (true :: nil)); the return clause of the spec tuple demands
     Aie true and Acs nil, and every RETURN below is preceded by
     EXIT_CRITICAL.

   Statement sequence: a non-NULL OSTCBMsg before waiting is rejected with
   OS_ERR_PEVENT_NULL; otherwise the task is marked OS_STAT_SEM, its delay
   is set to the timeout, it is enqueued by OS_EventTaskWait and the
   scheduler runs.  On resumption OSTCBMsg == NULL is reported as
   OS_TIMEOUT, anything else as OS_NO_ERR.  The precondition only
   describes the state before OS_Sched(); the local facts about the
   current TCB (H17, H31, H32) presumably have to be re-established from
   the invariant I after the context switch -- TODO confirm.  H11
   ($ 1 <> $ 0) is a tautology.  Postcondition Afalse: every path ends in
   RETURN. *)
Definition gen_sempend_part1:=
forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : list vallist)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list EventData)
(v´4 : list EventCtr)
(v´5 : vallist)
(v´6 : val)
(v´7 : val)
(v´8 : list vallist)
(v´9 : vallist)
(v´10 : list vallist)
(v´11 : vallist)
(v´12 : val)
(v´13 : EcbMod.map)
(v´14 : TcbMod.map)
(v´15 : int32)
(v´16 : addrval)
(v´17 : addrval)
(v´18 : val)
(v´19 : list vallist)
(H : RH_TCBList_ECBList_P v´13 v´14 v´16)
(H0 : RH_CurTCB v´16 v´14)
(v´22 : list EventCtr)
(v´23 : list EventCtr)
(v´24 : list EventData)
(v´25 : list EventData)
(v´27 : vallist)
(v´28 : val)
(v´30 : list vallist)
(v´32 : list vallist)
(v´33 : vallist)
(v´34 : val)
(v´35 : EcbMod.map)
(v´36 : TcbMod.map)
(v´39 : val)
(v´41 : vallist)
(v´43 : val)
(v´44 : EcbMod.map)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(v´48 : addrval)
(H5 : ECBList_P v´43 Vnull v´23 v´25 v´45 v´36)
(H19 : EcbMod.join v´44 v´46 v´35)
(H14 : length v´22 = length v´24)
(H18 : isptr v´43)
(H11 : $ 1 <> $ 0)
(v´20 : addrval)
(v´26 : block)
(H13 : array_type_vallist_match Int8u v´41)
(H21 : length v´41 = ∘OS_EVENT_TBL_SIZE)
(x2 : val)
(x3 : val)
(i0 : int32)
(H23 : Int.unsigned i0 <= 255)
(i2 : int32)
(H24 : Int.unsigned i2 <= 65535)
(H25 : isptr x2)
(H20 : RL_Tbl_Grp_P v´41 (Vint32 i0))
(H26 : isptr v´43)
(H4 : ECBList_P v´39 (Vptr (v´26, Int.zero)) v´22 v´24 v´44 v´36)
(H2 : isptr (Vptr (v´26, Int.zero)))
(H16 : id_addrval´ (Vptr (v´26, Int.zero)) OSEventTbl OS_EVENT = Some v´20)
(H22 : Int.unsigned ($ OS_EVENT_TYPE_SEM) <= 255)
(x : waitset)
(H8 : EcbMod.joinsig (v´26, Int.zero) (abssem i2, x) v´45 v´46)
(Hget : EcbMod.get v´35 (v´26, Int.zero) = Some (abssem i2, x))
(H6 : RLH_ECBData_P (DSem i2) (abssem i2, x))
(v´21 : val)
(v´37 : val)
(v´40 : TcbMod.map)
(v´42 : TcbMod.map)
(v´47 : val)
(v´49 : block)
(H28 : v´28 <> Vnull)
(H29 : TcbMod.join v´40 v´42 v´36)
(H30 : TCBList_P v´28 v´30 v´33 v´40)
(H27 : Vptr (v´49, Int.zero) <> Vnull)
(x9 : val)
(x10 : val)
(H34 : isptr x10)
(H35 : isptr x9)
(i8 : int32)
(H36 : Int.unsigned i8 <= 65535)
(i7 : int32)
(H37 : Int.unsigned i7 <= 255)
(i6 : int32)
(H38 : Int.unsigned i6 <= 255)
(i5 : int32)
(H39 : Int.unsigned i5 <= 255)
(i4 : int32)
(H40 : Int.unsigned i4 <= 255)
(i3 : int32)
(H41 : Int.unsigned i3 <= 255)
(i1 : int32)
(H42 : Int.unsigned i1 <= 255)
(H33 : isptr v´21)
(H12 : isptr v´47)
(H9 : RH_TCBList_ECBList_P v´35 v´36 (v´49, Int.zero))
(H10 : RH_CurTCB (v´49, Int.zero) v´36)
(* the current task is not the idle task (it may block) *)
(H15 : Int.eq i6 ($ OS_IDLE_PRIO) = false)
(H17 : Int.eq i7 ($ OS_STAT_RDY) = true)
(H32 : Int.eq i8 ($ 0) = true)
(* count word is zero: the non-blocking path (count > 0) is excluded *)
(H43 : Int.ltu ($ 0) i2 = false)
(H7 : R_ECB_ETbl_P (v´26, Int.zero)
(V$OS_EVENT_TYPE_SEM
:: Vint32 i0 :: Vint32 i2 :: x2 :: x3 :: v´43 :: nil, v´41) v´36)
(H3 : ECBList_P v´39 Vnull
(v´22 ++
((V$OS_EVENT_TYPE_SEM
:: Vint32 i0 :: Vint32 i2 :: x2 :: x3 :: v´43 :: nil, v´41)
:: nil) ++ v´23) (v´24 ++ (DSem i2 :: nil) ++ v´25) v´35 v´36)
(H31 : TCBList_P (Vptr (v´49, Int.zero))
((v´47
:: v´21
:: x10
:: x9
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil) :: v´32)
v´33 v´42),
{|OSQ_spec, GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition; see the header comment for a summary. *)
{{Astruct (v´49, Int.zero) OS_TCB
(v´47
:: v´21
:: x10
:: x9
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
dllseg v´47 (Vptr (v´49, Int.zero)) v´37 Vnull v´32 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´28 **
dllseg v´28 Vnull v´21 (Vptr (v´49, Int.zero)) v´30 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´49, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_SEM
:: Vint32 i0 :: Vint32 i2 :: x2 :: x3 :: v´43 :: nil)
(DSem i2) **
Astruct (v´26, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_SEM
:: Vint32 i0 :: Vint32 i2 :: x2 :: x3 :: v´43 :: nil) **
Aarray v´20 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´41 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´39 **
evsllseg v´39 (Vptr (v´26, Int.zero)) v´22 v´24 **
evsllseg v´43 Vnull v´23 v´25 **
A_isr_is_prop **
AOSRdyTblGrp v´33 v´34 **
AOSTCBPrioTbl v´27 v´33 v´36 v´48 **
HECBList v´35 **
HTCBList v´36 **
HCurTCB (v´49, Int.zero) **
<|| sem_pend (Vptr (v´26, Int.zero) :: Vint32 i :: nil) ||> **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´0 **
AOSQFreeList v´1 **
AOSQFreeBlk v´2 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´18 v´19 **
AOSTime (Vint32 v´15) **
HTime v´15 **
AGVars **
atoy_inv´ **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´26, Int.zero) **
A_dom_lenv
((timeout, Int16u) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)}}
(* Statement sequence under verification; every RETURN is preceded by
   EXIT_CRITICAL, and OSTCBMsg is the wake-up indicator after OS_Sched(). *)
If (OSTCBCur′→OSTCBMsg !=ₑ NULL) {
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_PEVENT_NULL
};ₛ
OSTCBCur ′ → OSTCBStat =ₑ ′OS_STAT_SEM;ₛ
OSTCBCur ′ → OSTCBDly =ₑ timeout ′;ₛ
OS_EventTaskWait ( pevent ′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
ENTER_CRITICAL;ₛ
If (OSTCBCur′→OSTCBMsg ==ₑ NULL)
{EXIT_CRITICAL;ₛ
RETURN ′OS_TIMEOUT} ;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Proof obligation for the tail of OSSemPost once OS_EventTaskRdy has been
   replaced by the event_rdy_post1 assertion (waiter path: H11 says the
   group word i is non-zero).  gen_sempost_part_1 to _6 share every binder
   and every other conjunct of this precondition and differ only in the
   event_rdy_postN / event_rdy_postN´ predicate used (event_rdy_post1
   here); presumably one Definition per case of the OS_EventTaskRdy
   specification -- TODO confirm.  The binder names look tactic-generated;
   the hypothesis order is part of the type and is left as is.

   State described by the precondition:
   - event_rdy_post1 is applied to the argument list
     (pevent :: pevent :: V$OS_STAT_SEM :: nil), to v´22 : option val and
     to the logic_* list.  Compare gen_mbox_post_part0, where the middle
     slot holds the posted message Vptr x: for a semaphore the event
     pointer itself is passed there, which matches gen_sempend_part1
     testing OSTCBCur->OSTCBMsg against NULL after OS_Sched() -- TODO
     confirm against the OS_EventTaskRdy specification;
   - the OS_EVENT at (v´27, Int.zero) is a semaphore with group word i
     (tied to the wait table v´42 by H19), count word i1 (abstractly
     abssem i1 with wait set x: H7, Hget, H5) and successor v´44; the
     event list is split around it (evsllseg v´40 .. / evsllseg v´44 ..)
     with ECBList_P facts H2/H3/H4 and EcbMod relations H7/H18;
   - local legal holds 1 and local x (os_code_defs.x) holds OS_STAT_SEM;
   - interrupts are disabled inside a critical section (Aie false,
     Acs (true :: nil)); the return clause of the spec tuple demands
     Aie true and Acs nil, and the statements call EXIT_CRITICAL first.
   H10 ($ 1 <> $ 0) is a tautology; v´49 and x3 are bound but not
   constrained.  Postcondition Afalse: the body ends in RETURN. *)
Definition gen_sempost_part_1 := forall
(v´ : val)
(v´0 : val)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list vallist)
(v´4 : list EventData)
(v´5 : list EventCtr)
(v´6 : vallist)
(v´7 : val)
(v´8 : val)
(v´9 : list vallist)
(v´10 : vallist)
(v´11 : list vallist)
(v´12 : vallist)
(v´13 : val)
(v´14 : EcbMod.map)
(v´15 : TcbMod.map)
(v´16 : int32)
(v´17 : addrval)
(v´18 : addrval)
(v´19 : val)
(v´20 : list vallist)
(H : RH_TCBList_ECBList_P v´14 v´15 v´17)
(H0 : RH_CurTCB v´17 v´15)
(v´23 : list EventCtr)
(v´24 : list EventCtr)
(v´25 : list EventData)
(v´26 : list EventData)
(v´28 : vallist)
(v´29 : val)
(v´30 : val)
(v´31 : list vallist)
(v´32 : vallist)
(v´33 : list vallist)
(v´34 : vallist)
(v´35 : val)
(v´36 : EcbMod.map)
(v´37 : TcbMod.map)
(v´39 : addrval)
(v´40 : val)
(v´42 : vallist)
(v´44 : val)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(v´47 : EcbMod.map)
(v´49 : addrval)
(H4 : ECBList_P v´44 Vnull v´24 v´26 v´46 v´37)
(H18 : EcbMod.join v´45 v´47 v´36)
(H8 : RH_TCBList_ECBList_P v´36 v´37 v´39)
(H9 : RH_CurTCB v´39 v´37)
(H13 : length v´23 = length v´25)
(H17 : isptr v´44)
(H10 : $ 1 <> $ 0)
(v´21 : addrval)
(v´27 : block)
(H12 : array_type_vallist_match Int8u v´42)
(H20 : length v´42 = ∘OS_EVENT_TBL_SIZE)
(x2 : val)
(x3 : val)
(i : int32)
(H22 : Int.unsigned i <= 255)
(i1 : int32)
(H23 : Int.unsigned i1 <= 65535)
(H24 : isptr x2)
(H19 : RL_Tbl_Grp_P v´42 (Vint32 i))
(H25 : isptr v´44)
(H3 : ECBList_P v´40 (Vptr (v´27, Int.zero)) v´23 v´25 v´45 v´37)
(H1 : isptr (Vptr (v´27, Int.zero)))
(H15 : id_addrval´ (Vptr (v´27, Int.zero)) OSEventTbl OS_EVENT = Some v´21)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_SEM) <= 255)
(H6 : R_ECB_ETbl_P (v´27, Int.zero)
(V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) v´37)
(x : waitset)
(H7 : EcbMod.joinsig (v´27, Int.zero) (abssem i1, x) v´46 v´47)
(Hget : EcbMod.get v´36 (v´27, Int.zero) = Some (abssem i1, x))
(H2 : ECBList_P v´40 Vnull
(v´23 ++
((V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) :: nil) ++
v´24) (v´25 ++ (DSem i1 :: nil) ++ v´26) v´36 v´37)
(H5 : RLH_ECBData_P (DSem i1) (abssem i1, x))
(* non-zero group word: relative to H19 some waiter is recorded, hence
   the ready-a-task path rather than a plain count increment *)
(H11 : Int.eq i ($ 0) = false)
(v´22 : option val),
{|OSQ_spec, GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition; see the header comment for a summary. *)
{{event_rdy_post1 (Vptr (v´27, Int.zero) :: (Vptr (v´27, Int.zero)) :: V$OS_STAT_SEM :: nil)
v´22
(logic_lv v´28
:: logic_lv v´32
:: logic_llv v´31
:: logic_llv v´33
:: logic_lv v´34
:: logic_val v´35
:: logic_abstcb v´37
:: logic_val v´29
:: logic_val v´30
:: logic_val (Vptr v´39)
:: logic_lv
(V$OS_EVENT_TYPE_SEM
:: Vint32 i
:: Vint32 i1
:: x2 :: x3 :: v´44 :: nil)
:: logic_lv v´42
:: logic_leventd (DSem i1 :: nil)
:: logic_code
(sem_post
(Vptr (v´27, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_SEM) **
GV OSEventList @ OS_EVENT ∗ |-> v´40 **
evsllseg v´40 (Vptr (v´27, Int.zero)) v´23 v´25 **
evsllseg v´44 Vnull v´24 v´26 **
HECBList v´36 **
HTCBList v´37 **
HCurTCB v´39 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´1 **
AOSQFreeList v´2 **
AOSQFreeBlk v´3 **
AOSIntNesting **
AOSTCBFreeList v´19 v´20 **
AOSTime (Vint32 v´16) **
HTime v´16 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´27, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)}}
(* Statement sequence under verification. *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Proof obligation for the tail of OSSemPost once OS_EventTaskRdy has been
   replaced by the event_rdy_post3 assertion (waiter path: H11 says the
   group word i is non-zero).  gen_sempost_part_1 to _6 share every binder
   and every other conjunct of this precondition and differ only in the
   event_rdy_postN / event_rdy_postN´ predicate used (event_rdy_post3
   here); presumably one Definition per case of the OS_EventTaskRdy
   specification -- TODO confirm.  The binder names look tactic-generated;
   the hypothesis order is part of the type and is left as is.

   State described by the precondition:
   - event_rdy_post3 is applied to the argument list
     (pevent :: pevent :: V$OS_STAT_SEM :: nil), to v´22 : option val and
     to the logic_* list.  Compare gen_mbox_post_part0, where the middle
     slot holds the posted message Vptr x: for a semaphore the event
     pointer itself is passed there, which matches gen_sempend_part1
     testing OSTCBCur->OSTCBMsg against NULL after OS_Sched() -- TODO
     confirm against the OS_EventTaskRdy specification;
   - the OS_EVENT at (v´27, Int.zero) is a semaphore with group word i
     (tied to the wait table v´42 by H19), count word i1 (abstractly
     abssem i1 with wait set x: H7, Hget, H5) and successor v´44; the
     event list is split around it (evsllseg v´40 .. / evsllseg v´44 ..)
     with ECBList_P facts H2/H3/H4 and EcbMod relations H7/H18;
   - local legal holds 1 and local x (os_code_defs.x) holds OS_STAT_SEM;
   - interrupts are disabled inside a critical section (Aie false,
     Acs (true :: nil)); the return clause of the spec tuple demands
     Aie true and Acs nil, and the statements call EXIT_CRITICAL first.
   H10 ($ 1 <> $ 0) is a tautology; v´49 and x3 are bound but not
   constrained.  Postcondition Afalse: the body ends in RETURN. *)
Definition gen_sempost_part_2:= forall
(v´ : val)
(v´0 : val)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list vallist)
(v´4 : list EventData)
(v´5 : list EventCtr)
(v´6 : vallist)
(v´7 : val)
(v´8 : val)
(v´9 : list vallist)
(v´10 : vallist)
(v´11 : list vallist)
(v´12 : vallist)
(v´13 : val)
(v´14 : EcbMod.map)
(v´15 : TcbMod.map)
(v´16 : int32)
(v´17 : addrval)
(v´18 : addrval)
(v´19 : val)
(v´20 : list vallist)
(H : RH_TCBList_ECBList_P v´14 v´15 v´17)
(H0 : RH_CurTCB v´17 v´15)
(v´23 : list EventCtr)
(v´24 : list EventCtr)
(v´25 : list EventData)
(v´26 : list EventData)
(v´28 : vallist)
(v´29 : val)
(v´30 : val)
(v´31 : list vallist)
(v´32 : vallist)
(v´33 : list vallist)
(v´34 : vallist)
(v´35 : val)
(v´36 : EcbMod.map)
(v´37 : TcbMod.map)
(v´39 : addrval)
(v´40 : val)
(v´42 : vallist)
(v´44 : val)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(v´47 : EcbMod.map)
(v´49 : addrval)
(H4 : ECBList_P v´44 Vnull v´24 v´26 v´46 v´37)
(H18 : EcbMod.join v´45 v´47 v´36)
(H8 : RH_TCBList_ECBList_P v´36 v´37 v´39)
(H9 : RH_CurTCB v´39 v´37)
(H13 : length v´23 = length v´25)
(H17 : isptr v´44)
(H10 : $ 1 <> $ 0)
(v´21 : addrval)
(v´27 : block)
(H12 : array_type_vallist_match Int8u v´42)
(H20 : length v´42 = ∘OS_EVENT_TBL_SIZE)
(x2 : val)
(x3 : val)
(i : int32)
(H22 : Int.unsigned i <= 255)
(i1 : int32)
(H23 : Int.unsigned i1 <= 65535)
(H24 : isptr x2)
(H19 : RL_Tbl_Grp_P v´42 (Vint32 i))
(H25 : isptr v´44)
(H3 : ECBList_P v´40 (Vptr (v´27, Int.zero)) v´23 v´25 v´45 v´37)
(H1 : isptr (Vptr (v´27, Int.zero)))
(H15 : id_addrval´ (Vptr (v´27, Int.zero)) OSEventTbl OS_EVENT = Some v´21)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_SEM) <= 255)
(H6 : R_ECB_ETbl_P (v´27, Int.zero)
(V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) v´37)
(x : waitset)
(H7 : EcbMod.joinsig (v´27, Int.zero) (abssem i1, x) v´46 v´47)
(Hget : EcbMod.get v´36 (v´27, Int.zero) = Some (abssem i1, x))
(H2 : ECBList_P v´40 Vnull
(v´23 ++
((V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) :: nil) ++
v´24) (v´25 ++ (DSem i1 :: nil) ++ v´26) v´36 v´37)
(H5 : RLH_ECBData_P (DSem i1) (abssem i1, x))
(* non-zero group word: relative to H19 some waiter is recorded, hence
   the ready-a-task path rather than a plain count increment *)
(H11 : Int.eq i ($ 0) = false)
(v´22 : option val),
{|OSQ_spec, GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition; see the header comment for a summary. *)
{{event_rdy_post3 (Vptr (v´27, Int.zero) :: (Vptr (v´27, Int.zero)) :: V$OS_STAT_SEM :: nil)
v´22
(logic_lv v´28
:: logic_lv v´32
:: logic_llv v´31
:: logic_llv v´33
:: logic_lv v´34
:: logic_val v´35
:: logic_abstcb v´37
:: logic_val v´29
:: logic_val v´30
:: logic_val (Vptr v´39)
:: logic_lv
(V$OS_EVENT_TYPE_SEM
:: Vint32 i
:: Vint32 i1
:: x2 :: x3 :: v´44 :: nil)
:: logic_lv v´42
:: logic_leventd (DSem i1 :: nil)
:: logic_code
(sem_post
(Vptr (v´27, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_SEM) **
GV OSEventList @ OS_EVENT ∗ |-> v´40 **
evsllseg v´40 (Vptr (v´27, Int.zero)) v´23 v´25 **
evsllseg v´44 Vnull v´24 v´26 **
HECBList v´36 **
HTCBList v´37 **
HCurTCB v´39 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´1 **
AOSQFreeList v´2 **
AOSQFreeBlk v´3 **
AOSIntNesting **
AOSTCBFreeList v´19 v´20 **
AOSTime (Vint32 v´16) **
HTime v´16 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´27, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)}}
(* Statement sequence under verification. *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Proof obligation for the tail of OSSemPost once OS_EventTaskRdy has been
   replaced by the event_rdy_post5 assertion (waiter path: H11 says the
   group word i is non-zero).  gen_sempost_part_1 to _6 share every binder
   and every other conjunct of this precondition and differ only in the
   event_rdy_postN / event_rdy_postN´ predicate used (event_rdy_post5
   here); presumably one Definition per case of the OS_EventTaskRdy
   specification -- TODO confirm.  The binder names look tactic-generated;
   the hypothesis order is part of the type and is left as is.

   State described by the precondition:
   - event_rdy_post5 is applied to the argument list
     (pevent :: pevent :: V$OS_STAT_SEM :: nil), to v´22 : option val and
     to the logic_* list.  Compare gen_mbox_post_part0, where the middle
     slot holds the posted message Vptr x: for a semaphore the event
     pointer itself is passed there, which matches gen_sempend_part1
     testing OSTCBCur->OSTCBMsg against NULL after OS_Sched() -- TODO
     confirm against the OS_EventTaskRdy specification;
   - the OS_EVENT at (v´27, Int.zero) is a semaphore with group word i
     (tied to the wait table v´42 by H19), count word i1 (abstractly
     abssem i1 with wait set x: H7, Hget, H5) and successor v´44; the
     event list is split around it (evsllseg v´40 .. / evsllseg v´44 ..)
     with ECBList_P facts H2/H3/H4 and EcbMod relations H7/H18;
   - local legal holds 1 and local x (os_code_defs.x) holds OS_STAT_SEM;
   - interrupts are disabled inside a critical section (Aie false,
     Acs (true :: nil)); the return clause of the spec tuple demands
     Aie true and Acs nil, and the statements call EXIT_CRITICAL first.
   H10 ($ 1 <> $ 0) is a tautology; v´49 and x3 are bound but not
   constrained.  Postcondition Afalse: the body ends in RETURN. *)
Definition gen_sempost_part_3 := forall
(v´ : val)
(v´0 : val)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list vallist)
(v´4 : list EventData)
(v´5 : list EventCtr)
(v´6 : vallist)
(v´7 : val)
(v´8 : val)
(v´9 : list vallist)
(v´10 : vallist)
(v´11 : list vallist)
(v´12 : vallist)
(v´13 : val)
(v´14 : EcbMod.map)
(v´15 : TcbMod.map)
(v´16 : int32)
(v´17 : addrval)
(v´18 : addrval)
(v´19 : val)
(v´20 : list vallist)
(H : RH_TCBList_ECBList_P v´14 v´15 v´17)
(H0 : RH_CurTCB v´17 v´15)
(v´23 : list EventCtr)
(v´24 : list EventCtr)
(v´25 : list EventData)
(v´26 : list EventData)
(v´28 : vallist)
(v´29 : val)
(v´30 : val)
(v´31 : list vallist)
(v´32 : vallist)
(v´33 : list vallist)
(v´34 : vallist)
(v´35 : val)
(v´36 : EcbMod.map)
(v´37 : TcbMod.map)
(v´39 : addrval)
(v´40 : val)
(v´42 : vallist)
(v´44 : val)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(v´47 : EcbMod.map)
(v´49 : addrval)
(H4 : ECBList_P v´44 Vnull v´24 v´26 v´46 v´37)
(H18 : EcbMod.join v´45 v´47 v´36)
(H8 : RH_TCBList_ECBList_P v´36 v´37 v´39)
(H9 : RH_CurTCB v´39 v´37)
(H13 : length v´23 = length v´25)
(H17 : isptr v´44)
(H10 : $ 1 <> $ 0)
(v´21 : addrval)
(v´27 : block)
(H12 : array_type_vallist_match Int8u v´42)
(H20 : length v´42 = ∘OS_EVENT_TBL_SIZE)
(x2 : val)
(x3 : val)
(i : int32)
(H22 : Int.unsigned i <= 255)
(i1 : int32)
(H23 : Int.unsigned i1 <= 65535)
(H24 : isptr x2)
(H19 : RL_Tbl_Grp_P v´42 (Vint32 i))
(H25 : isptr v´44)
(H3 : ECBList_P v´40 (Vptr (v´27, Int.zero)) v´23 v´25 v´45 v´37)
(H1 : isptr (Vptr (v´27, Int.zero)))
(H15 : id_addrval´ (Vptr (v´27, Int.zero)) OSEventTbl OS_EVENT = Some v´21)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_SEM) <= 255)
(H6 : R_ECB_ETbl_P (v´27, Int.zero)
(V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) v´37)
(x : waitset)
(H7 : EcbMod.joinsig (v´27, Int.zero) (abssem i1, x) v´46 v´47)
(Hget : EcbMod.get v´36 (v´27, Int.zero) = Some (abssem i1, x))
(H2 : ECBList_P v´40 Vnull
(v´23 ++
((V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) :: nil) ++
v´24) (v´25 ++ (DSem i1 :: nil) ++ v´26) v´36 v´37)
(H5 : RLH_ECBData_P (DSem i1) (abssem i1, x))
(* non-zero group word: relative to H19 some waiter is recorded, hence
   the ready-a-task path rather than a plain count increment *)
(H11 : Int.eq i ($ 0) = false)
(v´22 : option val),
{|OSQ_spec, GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition; see the header comment for a summary. *)
{{event_rdy_post5 (Vptr (v´27, Int.zero) :: (Vptr (v´27, Int.zero)) :: V$OS_STAT_SEM :: nil)
v´22
(logic_lv v´28
:: logic_lv v´32
:: logic_llv v´31
:: logic_llv v´33
:: logic_lv v´34
:: logic_val v´35
:: logic_abstcb v´37
:: logic_val v´29
:: logic_val v´30
:: logic_val (Vptr v´39)
:: logic_lv
(V$OS_EVENT_TYPE_SEM
:: Vint32 i
:: Vint32 i1
:: x2 :: x3 :: v´44 :: nil)
:: logic_lv v´42
:: logic_leventd (DSem i1 :: nil)
:: logic_code
(sem_post
(Vptr (v´27, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_SEM) **
GV OSEventList @ OS_EVENT ∗ |-> v´40 **
evsllseg v´40 (Vptr (v´27, Int.zero)) v´23 v´25 **
evsllseg v´44 Vnull v´24 v´26 **
HECBList v´36 **
HTCBList v´37 **
HCurTCB v´39 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´1 **
AOSQFreeList v´2 **
AOSQFreeBlk v´3 **
AOSIntNesting **
AOSTCBFreeList v´19 v´20 **
AOSTime (Vint32 v´16) **
HTime v´16 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´27, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)}}
(* Statement sequence under verification. *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Proof obligation for the tail of OSSemPost once OS_EventTaskRdy has been
   replaced by the event_rdy_post1´ assertion (waiter path: H11 says the
   group word i is non-zero).  gen_sempost_part_1 to _6 share every binder
   and every other conjunct of this precondition and differ only in the
   event_rdy_postN / event_rdy_postN´ predicate used (event_rdy_post1´
   here); presumably one Definition per case of the OS_EventTaskRdy
   specification -- TODO confirm.  The binder names look tactic-generated;
   the hypothesis order is part of the type and is left as is.

   State described by the precondition:
   - event_rdy_post1´ is applied to the argument list
     (pevent :: pevent :: V$OS_STAT_SEM :: nil), to v´22 : option val and
     to the logic_* list.  Compare gen_mbox_post_part0, where the middle
     slot holds the posted message Vptr x: for a semaphore the event
     pointer itself is passed there, which matches gen_sempend_part1
     testing OSTCBCur->OSTCBMsg against NULL after OS_Sched() -- TODO
     confirm against the OS_EventTaskRdy specification;
   - the OS_EVENT at (v´27, Int.zero) is a semaphore with group word i
     (tied to the wait table v´42 by H19), count word i1 (abstractly
     abssem i1 with wait set x: H7, Hget, H5) and successor v´44; the
     event list is split around it (evsllseg v´40 .. / evsllseg v´44 ..)
     with ECBList_P facts H2/H3/H4 and EcbMod relations H7/H18;
   - local legal holds 1 and local x (os_code_defs.x) holds OS_STAT_SEM;
   - interrupts are disabled inside a critical section (Aie false,
     Acs (true :: nil)); the return clause of the spec tuple demands
     Aie true and Acs nil, and the statements call EXIT_CRITICAL first.
   H10 ($ 1 <> $ 0) is a tautology; v´49 and x3 are bound but not
   constrained.  Postcondition Afalse: the body ends in RETURN. *)
Definition gen_sempost_part_4:= forall
(v´ : val)
(v´0 : val)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list vallist)
(v´4 : list EventData)
(v´5 : list EventCtr)
(v´6 : vallist)
(v´7 : val)
(v´8 : val)
(v´9 : list vallist)
(v´10 : vallist)
(v´11 : list vallist)
(v´12 : vallist)
(v´13 : val)
(v´14 : EcbMod.map)
(v´15 : TcbMod.map)
(v´16 : int32)
(v´17 : addrval)
(v´18 : addrval)
(v´19 : val)
(v´20 : list vallist)
(H : RH_TCBList_ECBList_P v´14 v´15 v´17)
(H0 : RH_CurTCB v´17 v´15)
(v´23 : list EventCtr)
(v´24 : list EventCtr)
(v´25 : list EventData)
(v´26 : list EventData)
(v´28 : vallist)
(v´29 : val)
(v´30 : val)
(v´31 : list vallist)
(v´32 : vallist)
(v´33 : list vallist)
(v´34 : vallist)
(v´35 : val)
(v´36 : EcbMod.map)
(v´37 : TcbMod.map)
(v´39 : addrval)
(v´40 : val)
(v´42 : vallist)
(v´44 : val)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(v´47 : EcbMod.map)
(v´49 : addrval)
(H4 : ECBList_P v´44 Vnull v´24 v´26 v´46 v´37)
(H18 : EcbMod.join v´45 v´47 v´36)
(H8 : RH_TCBList_ECBList_P v´36 v´37 v´39)
(H9 : RH_CurTCB v´39 v´37)
(H13 : length v´23 = length v´25)
(H17 : isptr v´44)
(H10 : $ 1 <> $ 0)
(v´21 : addrval)
(v´27 : block)
(H12 : array_type_vallist_match Int8u v´42)
(H20 : length v´42 = ∘OS_EVENT_TBL_SIZE)
(x2 : val)
(x3 : val)
(i : int32)
(H22 : Int.unsigned i <= 255)
(i1 : int32)
(H23 : Int.unsigned i1 <= 65535)
(H24 : isptr x2)
(H19 : RL_Tbl_Grp_P v´42 (Vint32 i))
(H25 : isptr v´44)
(H3 : ECBList_P v´40 (Vptr (v´27, Int.zero)) v´23 v´25 v´45 v´37)
(H1 : isptr (Vptr (v´27, Int.zero)))
(H15 : id_addrval´ (Vptr (v´27, Int.zero)) OSEventTbl OS_EVENT = Some v´21)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_SEM) <= 255)
(H6 : R_ECB_ETbl_P (v´27, Int.zero)
(V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) v´37)
(x : waitset)
(H7 : EcbMod.joinsig (v´27, Int.zero) (abssem i1, x) v´46 v´47)
(Hget : EcbMod.get v´36 (v´27, Int.zero) = Some (abssem i1, x))
(H2 : ECBList_P v´40 Vnull
(v´23 ++
((V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) :: nil) ++
v´24) (v´25 ++ (DSem i1 :: nil) ++ v´26) v´36 v´37)
(H5 : RLH_ECBData_P (DSem i1) (abssem i1, x))
(* non-zero group word: relative to H19 some waiter is recorded, hence
   the ready-a-task path rather than a plain count increment *)
(H11 : Int.eq i ($ 0) = false)
(v´22 : option val),
{|OSQ_spec, GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition; see the header comment for a summary. *)
{{event_rdy_post1´ (Vptr (v´27, Int.zero) :: (Vptr (v´27, Int.zero)) :: V$OS_STAT_SEM :: nil)
v´22
(logic_lv v´28
:: logic_lv v´32
:: logic_llv v´31
:: logic_llv v´33
:: logic_lv v´34
:: logic_val v´35
:: logic_abstcb v´37
:: logic_val v´29
:: logic_val v´30
:: logic_val (Vptr v´39)
:: logic_lv
(V$OS_EVENT_TYPE_SEM
:: Vint32 i
:: Vint32 i1
:: x2 :: x3 :: v´44 :: nil)
:: logic_lv v´42
:: logic_leventd (DSem i1 :: nil)
:: logic_code
(sem_post
(Vptr (v´27, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_SEM) **
GV OSEventList @ OS_EVENT ∗ |-> v´40 **
evsllseg v´40 (Vptr (v´27, Int.zero)) v´23 v´25 **
evsllseg v´44 Vnull v´24 v´26 **
HECBList v´36 **
HTCBList v´37 **
HCurTCB v´39 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´1 **
AOSQFreeList v´2 **
AOSQFreeBlk v´3 **
AOSIntNesting **
AOSTCBFreeList v´19 v´20 **
AOSTime (Vint32 v´16) **
HTime v´16 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´27, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)}}
(* Statement sequence under verification. *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Proof obligation for the tail of OSSemPost once OS_EventTaskRdy has been
   replaced by the event_rdy_post3´ assertion (waiter path: H11 says the
   group word i is non-zero).  gen_sempost_part_1 to _6 share every binder
   and every other conjunct of this precondition and differ only in the
   event_rdy_postN / event_rdy_postN´ predicate used (event_rdy_post3´
   here); presumably one Definition per case of the OS_EventTaskRdy
   specification -- TODO confirm.  The binder names look tactic-generated;
   the hypothesis order is part of the type and is left as is.

   State described by the precondition:
   - event_rdy_post3´ is applied to the argument list
     (pevent :: pevent :: V$OS_STAT_SEM :: nil), to v´22 : option val and
     to the logic_* list.  Compare gen_mbox_post_part0, where the middle
     slot holds the posted message Vptr x: for a semaphore the event
     pointer itself is passed there, which matches gen_sempend_part1
     testing OSTCBCur->OSTCBMsg against NULL after OS_Sched() -- TODO
     confirm against the OS_EventTaskRdy specification;
   - the OS_EVENT at (v´27, Int.zero) is a semaphore with group word i
     (tied to the wait table v´42 by H19), count word i1 (abstractly
     abssem i1 with wait set x: H7, Hget, H5) and successor v´44; the
     event list is split around it (evsllseg v´40 .. / evsllseg v´44 ..)
     with ECBList_P facts H2/H3/H4 and EcbMod relations H7/H18;
   - local legal holds 1 and local x (os_code_defs.x) holds OS_STAT_SEM;
   - interrupts are disabled inside a critical section (Aie false,
     Acs (true :: nil)); the return clause of the spec tuple demands
     Aie true and Acs nil, and the statements call EXIT_CRITICAL first.
   H10 ($ 1 <> $ 0) is a tautology; v´49 and x3 are bound but not
   constrained.  Postcondition Afalse: the body ends in RETURN. *)
Definition gen_sempost_part_5:= forall
(v´ : val)
(v´0 : val)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list vallist)
(v´4 : list EventData)
(v´5 : list EventCtr)
(v´6 : vallist)
(v´7 : val)
(v´8 : val)
(v´9 : list vallist)
(v´10 : vallist)
(v´11 : list vallist)
(v´12 : vallist)
(v´13 : val)
(v´14 : EcbMod.map)
(v´15 : TcbMod.map)
(v´16 : int32)
(v´17 : addrval)
(v´18 : addrval)
(v´19 : val)
(v´20 : list vallist)
(H : RH_TCBList_ECBList_P v´14 v´15 v´17)
(H0 : RH_CurTCB v´17 v´15)
(v´23 : list EventCtr)
(v´24 : list EventCtr)
(v´25 : list EventData)
(v´26 : list EventData)
(v´28 : vallist)
(v´29 : val)
(v´30 : val)
(v´31 : list vallist)
(v´32 : vallist)
(v´33 : list vallist)
(v´34 : vallist)
(v´35 : val)
(v´36 : EcbMod.map)
(v´37 : TcbMod.map)
(v´39 : addrval)
(v´40 : val)
(v´42 : vallist)
(v´44 : val)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(v´47 : EcbMod.map)
(v´49 : addrval)
(H4 : ECBList_P v´44 Vnull v´24 v´26 v´46 v´37)
(H18 : EcbMod.join v´45 v´47 v´36)
(H8 : RH_TCBList_ECBList_P v´36 v´37 v´39)
(H9 : RH_CurTCB v´39 v´37)
(H13 : length v´23 = length v´25)
(H17 : isptr v´44)
(H10 : $ 1 <> $ 0)
(v´21 : addrval)
(v´27 : block)
(H12 : array_type_vallist_match Int8u v´42)
(H20 : length v´42 = ∘OS_EVENT_TBL_SIZE)
(x2 : val)
(x3 : val)
(i : int32)
(H22 : Int.unsigned i <= 255)
(i1 : int32)
(H23 : Int.unsigned i1 <= 65535)
(H24 : isptr x2)
(H19 : RL_Tbl_Grp_P v´42 (Vint32 i))
(H25 : isptr v´44)
(H3 : ECBList_P v´40 (Vptr (v´27, Int.zero)) v´23 v´25 v´45 v´37)
(H1 : isptr (Vptr (v´27, Int.zero)))
(H15 : id_addrval´ (Vptr (v´27, Int.zero)) OSEventTbl OS_EVENT = Some v´21)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_SEM) <= 255)
(H6 : R_ECB_ETbl_P (v´27, Int.zero)
(V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) v´37)
(x : waitset)
(H7 : EcbMod.joinsig (v´27, Int.zero) (abssem i1, x) v´46 v´47)
(Hget : EcbMod.get v´36 (v´27, Int.zero) = Some (abssem i1, x))
(H2 : ECBList_P v´40 Vnull
(v´23 ++
((V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) :: nil) ++
v´24) (v´25 ++ (DSem i1 :: nil) ++ v´26) v´36 v´37)
(H5 : RLH_ECBData_P (DSem i1) (abssem i1, x))
(* non-zero group word: relative to H19 some waiter is recorded, hence
   the ready-a-task path rather than a plain count increment *)
(H11 : Int.eq i ($ 0) = false)
(v´22 : option val),
{|OSQ_spec, GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition; see the header comment for a summary. *)
{{event_rdy_post3´ (Vptr (v´27, Int.zero) :: (Vptr (v´27, Int.zero)) :: V$OS_STAT_SEM :: nil)
v´22
(logic_lv v´28
:: logic_lv v´32
:: logic_llv v´31
:: logic_llv v´33
:: logic_lv v´34
:: logic_val v´35
:: logic_abstcb v´37
:: logic_val v´29
:: logic_val v´30
:: logic_val (Vptr v´39)
:: logic_lv
(V$OS_EVENT_TYPE_SEM
:: Vint32 i
:: Vint32 i1
:: x2 :: x3 :: v´44 :: nil)
:: logic_lv v´42
:: logic_leventd (DSem i1 :: nil)
:: logic_code
(sem_post
(Vptr (v´27, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_SEM) **
GV OSEventList @ OS_EVENT ∗ |-> v´40 **
evsllseg v´40 (Vptr (v´27, Int.zero)) v´23 v´25 **
evsllseg v´44 Vnull v´24 v´26 **
HECBList v´36 **
HTCBList v´37 **
HCurTCB v´39 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´1 **
AOSQFreeList v´2 **
AOSQFreeBlk v´3 **
AOSIntNesting **
AOSTCBFreeList v´19 v´20 **
AOSTime (Vint32 v´16) **
HTime v´16 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´27, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)}}
(* Statement sequence under verification. *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Proof obligation for the tail of OSSemPost once OS_EventTaskRdy has been
   replaced by the event_rdy_post5´ assertion (waiter path: H11 says the
   group word i is non-zero).  gen_sempost_part_1 to _6 share every binder
   and every other conjunct of this precondition and differ only in the
   event_rdy_postN / event_rdy_postN´ predicate used (event_rdy_post5´
   here); presumably one Definition per case of the OS_EventTaskRdy
   specification -- TODO confirm.  The binder names look tactic-generated;
   the hypothesis order is part of the type and is left as is.

   State described by the precondition:
   - event_rdy_post5´ is applied to the argument list
     (pevent :: pevent :: V$OS_STAT_SEM :: nil), to v´22 : option val and
     to the logic_* list.  Compare gen_mbox_post_part0, where the middle
     slot holds the posted message Vptr x: for a semaphore the event
     pointer itself is passed there, which matches gen_sempend_part1
     testing OSTCBCur->OSTCBMsg against NULL after OS_Sched() -- TODO
     confirm against the OS_EventTaskRdy specification;
   - the OS_EVENT at (v´27, Int.zero) is a semaphore with group word i
     (tied to the wait table v´42 by H19), count word i1 (abstractly
     abssem i1 with wait set x: H7, Hget, H5) and successor v´44; the
     event list is split around it (evsllseg v´40 .. / evsllseg v´44 ..)
     with ECBList_P facts H2/H3/H4 and EcbMod relations H7/H18;
   - local legal holds 1 and local x (os_code_defs.x) holds OS_STAT_SEM;
   - interrupts are disabled inside a critical section (Aie false,
     Acs (true :: nil)); the return clause of the spec tuple demands
     Aie true and Acs nil, and the statements call EXIT_CRITICAL first.
   H10 ($ 1 <> $ 0) is a tautology; v´49 and x3 are bound but not
   constrained.  Postcondition Afalse: the body ends in RETURN. *)
Definition gen_sempost_part_6 := forall
(v´ : val)
(v´0 : val)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list vallist)
(v´4 : list EventData)
(v´5 : list EventCtr)
(v´6 : vallist)
(v´7 : val)
(v´8 : val)
(v´9 : list vallist)
(v´10 : vallist)
(v´11 : list vallist)
(v´12 : vallist)
(v´13 : val)
(v´14 : EcbMod.map)
(v´15 : TcbMod.map)
(v´16 : int32)
(v´17 : addrval)
(v´18 : addrval)
(v´19 : val)
(v´20 : list vallist)
(H : RH_TCBList_ECBList_P v´14 v´15 v´17)
(H0 : RH_CurTCB v´17 v´15)
(v´23 : list EventCtr)
(v´24 : list EventCtr)
(v´25 : list EventData)
(v´26 : list EventData)
(v´28 : vallist)
(v´29 : val)
(v´30 : val)
(v´31 : list vallist)
(v´32 : vallist)
(v´33 : list vallist)
(v´34 : vallist)
(v´35 : val)
(v´36 : EcbMod.map)
(v´37 : TcbMod.map)
(v´39 : addrval)
(v´40 : val)
(v´42 : vallist)
(v´44 : val)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(v´47 : EcbMod.map)
(v´49 : addrval)
(H4 : ECBList_P v´44 Vnull v´24 v´26 v´46 v´37)
(H18 : EcbMod.join v´45 v´47 v´36)
(H8 : RH_TCBList_ECBList_P v´36 v´37 v´39)
(H9 : RH_CurTCB v´39 v´37)
(H13 : length v´23 = length v´25)
(H17 : isptr v´44)
(H10 : $ 1 <> $ 0)
(v´21 : addrval)
(v´27 : block)
(H12 : array_type_vallist_match Int8u v´42)
(H20 : length v´42 = ∘OS_EVENT_TBL_SIZE)
(x2 : val)
(x3 : val)
(i : int32)
(H22 : Int.unsigned i <= 255)
(i1 : int32)
(H23 : Int.unsigned i1 <= 65535)
(H24 : isptr x2)
(H19 : RL_Tbl_Grp_P v´42 (Vint32 i))
(H25 : isptr v´44)
(H3 : ECBList_P v´40 (Vptr (v´27, Int.zero)) v´23 v´25 v´45 v´37)
(H1 : isptr (Vptr (v´27, Int.zero)))
(H15 : id_addrval´ (Vptr (v´27, Int.zero)) OSEventTbl OS_EVENT = Some v´21)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_SEM) <= 255)
(H6 : R_ECB_ETbl_P (v´27, Int.zero)
(V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) v´37)
(x : waitset)
(H7 : EcbMod.joinsig (v´27, Int.zero) (abssem i1, x) v´46 v´47)
(Hget : EcbMod.get v´36 (v´27, Int.zero) = Some (abssem i1, x))
(H2 : ECBList_P v´40 Vnull
(v´23 ++
((V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) :: nil) ++
v´24) (v´25 ++ (DSem i1 :: nil) ++ v´26) v´36 v´37)
(H5 : RLH_ECBData_P (DSem i1) (abssem i1, x))
(* non-zero group word: relative to H19 some waiter is recorded, hence
   the ready-a-task path rather than a plain count increment *)
(H11 : Int.eq i ($ 0) = false)
(v´22 : option val),
{|OSQ_spec, GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition; see the header comment for a summary. *)
{{event_rdy_post5´ (Vptr (v´27, Int.zero) :: (Vptr (v´27, Int.zero)) :: V$OS_STAT_SEM :: nil)
v´22
(logic_lv v´28
:: logic_lv v´32
:: logic_llv v´31
:: logic_llv v´33
:: logic_lv v´34
:: logic_val v´35
:: logic_abstcb v´37
:: logic_val v´29
:: logic_val v´30
:: logic_val (Vptr v´39)
:: logic_lv
(V$OS_EVENT_TYPE_SEM
:: Vint32 i
:: Vint32 i1
:: x2 :: x3 :: v´44 :: nil)
:: logic_lv v´42
:: logic_leventd (DSem i1 :: nil)
:: logic_code
(sem_post
(Vptr (v´27, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_SEM) **
GV OSEventList @ OS_EVENT ∗ |-> v´40 **
evsllseg v´40 (Vptr (v´27, Int.zero)) v´23 v´25 **
evsllseg v´44 Vnull v´24 v´26 **
HECBList v´36 **
HTCBList v´37 **
HCurTCB v´39 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´1 **
AOSQFreeList v´2 **
AOSQFreeBlk v´3 **
AOSIntNesting **
AOSTCBFreeList v´19 v´20 **
AOSTime (Vint32 v´16) **
HTime v´16 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´27, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)}}
(* Statement sequence under verification. *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Proof obligation for the tail of OSSemPost on the path where the event
   group word is non-zero (H11 : Int.eq i ($ 0) = false).  Here i is
   presumably the OSEventGrp field, since H19 : RL_Tbl_Grp_P v´42 (Vint32 i)
   ties it to the event table v´42 -- confirm against RL_Tbl_Grp_P.
   The precondition holds the OS_EVENT struct at (v´27, Int.zero) with
   fields V$OS_EVENT_TYPE_SEM :: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44,
   its table v´42 (Aarray v´21 ...), and the abstract semaphore
   (abssem i1, x) registered in the ECB map v´36 (Hget, H7).
   The remaining statements set os_code_defs.x to OS_STAT_SEM, call
   OS_EventTaskRdy, leave the critical section, reschedule and return
   OS_NO_ERR.  Afalse as the normal postcondition records that the block
   never falls through: its only exit is the RETURN.
   NOTE(review): Aie false / Acs (true :: nil) in the precondition look
   like "interrupts disabled, one critical section open", which
   EXIT_CRITICAL then closes -- confirm against the definitions of Aie/Acs. *)
Definition gen_sempost_part_0:= forall
(v´ : val)
(v´0 : val)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list vallist)
(v´4 : list EventData)
(v´5 : list EventCtr)
(v´6 : vallist)
(v´7 : val)
(v´8 : val)
(v´9 : list vallist)
(v´10 : vallist)
(v´11 : list vallist)
(v´12 : vallist)
(v´13 : val)
(v´14 : EcbMod.map)
(v´15 : TcbMod.map)
(v´16 : int32)
(v´17 : addrval)
(v´18 : addrval)
(v´19 : val)
(v´20 : list vallist)
(H : RH_TCBList_ECBList_P v´14 v´15 v´17)
(H0 : RH_CurTCB v´17 v´15)
(v´23 : list EventCtr)
(v´24 : list EventCtr)
(v´25 : list EventData)
(v´26 : list EventData)
(v´28 : vallist)
(v´29 : val)
(v´30 : val)
(v´31 : list vallist)
(v´32 : vallist)
(v´33 : list vallist)
(v´34 : vallist)
(v´35 : val)
(v´36 : EcbMod.map)
(v´37 : TcbMod.map)
(v´39 : addrval)
(v´40 : val)
(v´42 : vallist)
(v´44 : val)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(v´47 : EcbMod.map)
(v´49 : addrval)
(H4 : ECBList_P v´44 Vnull v´24 v´26 v´46 v´37)
(H18 : EcbMod.join v´45 v´47 v´36)
(H8 : RH_TCBList_ECBList_P v´36 v´37 v´39)
(H9 : RH_CurTCB v´39 v´37)
(H13 : length v´23 = length v´25)
(H17 : isptr v´44)
(H10 : $ 1 <> $ 0)
(v´21 : addrval)
(v´27 : block)
(H12 : array_type_vallist_match Int8u v´42)
(H20 : length v´42 = ∘OS_EVENT_TBL_SIZE)
(x2 : val)
(x3 : val)
(i : int32)
(H22 : Int.unsigned i <= 255)
(i1 : int32)
(H23 : Int.unsigned i1 <= 65535)
(H24 : isptr x2)
(H19 : RL_Tbl_Grp_P v´42 (Vint32 i))
(H25 : isptr v´44)
(H3 : ECBList_P v´40 (Vptr (v´27, Int.zero)) v´23 v´25 v´45 v´37)
(H1 : isptr (Vptr (v´27, Int.zero)))
(H15 : id_addrval´ (Vptr (v´27, Int.zero)) OSEventTbl OS_EVENT = Some v´21)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_SEM) <= 255)
(H6 : R_ECB_ETbl_P (v´27, Int.zero)
(V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) v´37)
(x : waitset)
(H7 : EcbMod.joinsig (v´27, Int.zero) (abssem i1, x) v´46 v´47)
(Hget : EcbMod.get v´36 (v´27, Int.zero) = Some (abssem i1, x))
(H2 : ECBList_P v´40 Vnull
(v´23 ++
((V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) :: nil) ++
v´24) (v´25 ++ (DSem i1 :: nil) ++ v´26) v´36 v´37)
(H5 : RLH_ECBData_P (DSem i1) (abssem i1, x))
(H11 : Int.eq i ($ 0) = false),
(* Spec tuple: function specs, scheduler policy, invariant, the
   return-condition (frames the three locals existentially and pairs the
   returned value with abstract code END v), and Afalse for exceptions. *)
{|OSQ_spec, GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: concrete event struct/table, the abstract sem_post
   still pending, and the OS invariants (TCB list, ready table, ...). *)
{{AEventData
(V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil)
(DSem i1) **
Astruct (v´27, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil) **
Aarray v´21 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´42 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´40 **
evsllseg v´40 (Vptr (v´27, Int.zero)) v´23 v´25 **
evsllseg v´44 Vnull v´24 v´26 **
A_isr_is_prop **
AOSTCBList v´29 v´30 v´31 (v´32 :: v´33) v´34 v´39 v´37 **
AOSRdyTblGrp v´34 v´35 **
AOSTCBPrioTbl v´28 v´34 v´37 v´49 **
HECBList v´36 **
HTCBList v´37 **
HCurTCB v´39 **
<|| sem_post (Vptr (v´27, Int.zero) :: nil) ||> **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´1 **
AOSQFreeList v´2 **
AOSQFreeBlk v´3 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´19 v´20 **
AOSTime (Vint32 v´16) **
HTime v´16 **
AGVars **
atoy_inv´ **
LV os_code_defs.x @ Int8u |-> v´0 **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´27, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)}}
(* Program fragment under verification; every path ends in RETURN. *)
os_code_defs.x ′ =ₑ ′OS_STAT_SEM;ₛ
OS_EventTaskRdy (pevent′,〈Void ∗〉 pevent′, os_code_defs.x′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Proof obligation for OSQPend when the queue holds no entries: the pure
   side condition closing the precondition states that Int.ltu ($ 0) i10
   is false, so i10 is zero.  i10 is presumably the OSQEntries field of the
   OS_Q struct at (v´33, Int.zero) (compare the OSQEntries/OSQSize test in
   gen_OSQPostProofPart2) -- confirm against the OS_Q layout.
   The current task (v´52, Int.zero) is ready, not delayed and not the idle
   task (Hstrdy, Hdly0, Hnidle); its fourth TCB field, x8 in H29, is already
   Vnull in the Astruct of the precondition.
   The statements mark the task as waiting on a queue (OSTCBStat :=
   OS_STAT_Q, OSTCBDly := timeout, OS_EventTaskWait), leave the critical
   section and reschedule, then re-enter it and read OSTCBCur->OSTCBMsg:
   a non-NULL message yields OS_NO_ERR, otherwise OS_TIMEOUT.  Both paths
   RETURN, hence the Afalse normal postcondition. *)
Definition gen_OSQPendRightPart2 := forall (
i : int32
)(
H1 : Int.unsigned i <= 65535
)(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : list vallist
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list EventData
)(
v´6 : list EventCtr
)(
v´7 : vallist
)(
v´8 : val
)(
v´9 : val
)(
v´10 : list vallist
)(
v´11 : vallist
)(
v´12 : list vallist
)(
v´13 : vallist
)(
v´14 : val
)(
v´15 : EcbMod.map
)(
v´16 : TcbMod.map
)(
v´17 : int32
)(
v´18 : addrval
)(
v´19 : addrval
)(
v´20 : val
)(
v´21 : list vallist
)(
v´24 : list EventCtr
)(
v´25 : list EventCtr
)(
v´26 : list EventData
)(
v´27 : list EventData
)(
v´29 : vallist
)(
v´30 : val
)(
v´32 : list vallist
)(
v´34 : list vallist
)(
v´35 : vallist
)(
v´36 : val
)(
v´37 : EcbMod.map
)(
v´38 : TcbMod.map
)(
v´41 : val
)(
v´43 : vallist
)(
v2 : vallist
)(
v´45 : val
)(
v´46 : EcbMod.map
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : absecb.B
)(
v´50 : addrval
)(
H2 : ECBList_P v´45 Vnull v´25 v´27 v´47 v´38
)(
H22 : EcbMod.join v´46 v´48 v´37
)(
H11 : length v´24 = length v´26
)(
v´51 : addrval
)(
v´53 : block
)(
H15 : array_type_vallist_match Int8u v´43
)(
H19 : length v´43 = ∘OS_EVENT_TBL_SIZE
)(
H20 : isptr v´45
)(
x3 : val
)(
i0 : int32
)(
H10 : Int.unsigned i0 <= 255
)(
i2 : int32
)(
H21 : Int.unsigned i2 <= 65535
)(
H18 : RL_Tbl_Grp_P v´43 (Vint32 i0)
)(
H24 : isptr v´45
)(
H14 : val_inj (val_eq (V$1) (V$0)) = Vint32 Int.zero \/
val_inj (val_eq (V$1) (V$0)) = Vnull
)(
H0 : ECBList_P v´41 (Vptr (v´53, Int.zero)) v´24 v´26 v´46 v´38
)(
H5 : EcbMod.joinsig (v´53, Int.zero) v´49 v´47 v´48
)(
H16 : id_addrval´ (Vptr (v´53, Int.zero)) OSEventTbl OS_EVENT = Some v´51
)(
v´22 : val
)(
v´23 : val
)(
v´28 : TcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´52 : block
)(
H26 : v´30 <> Vnull
)(
H27 : TcbMod.join v´28 v´39 v´38
)(
H28 : TCBList_P v´30 v´32 v´35 v´28
)(
H25 : Vptr (v´52, Int.zero) <> Vnull
)(
x8 : val
)(
x9 : val
)(
H32 : isptr x9
)(
H33 : isptr x8
)(
i9 : int32
)(
H34 : Int.unsigned i9 <= 65535
)(
i8 : int32
)(
H35 : Int.unsigned i8 <= 255
)(
i7 : int32
)(
H36 : Int.unsigned i7 <= 255
)(
i6 : int32
)(
H37 : Int.unsigned i6 <= 255
)(
i5 : int32
)(
H38 : Int.unsigned i5 <= 255
)(
i4 : int32
)(
H39 : Int.unsigned i4 <= 255
)(
i3 : int32
)(
H40 : Int.unsigned i3 <= 255
)(
H31 : isptr v´22
)(
H12 : isptr v´42
)(
H29 : TCBList_P (Vptr (v´52, Int.zero))
((v´42
:: v´22
:: x9
:: x8
:: Vint32 i9
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: nil) :: v´34)
v´35 v´39
)(
H6 : RH_TCBList_ECBList_P v´37 v´38 (v´52, Int.zero)
)(
H7 : RH_CurTCB (v´52, Int.zero) v´38
)(
(* Current task: not idle, status OS_STAT_RDY, delay counter 0. *)
Hnidle : Int.eq i7 ($ OS_IDLE_PRIO) = false
)(
Hstrdy : Int.eq i8 ($ OS_STAT_RDY) = true
)(
Hdly0 : Int.eq i9 ($ 0) = true
)(
v´33 : block
)(
v´40 : block * int32
)(
v´44 : block
)(
H45 : length v2 = ∘OS_MAX_Q_SIZE
)(
H41 : id_addrval´ (Vptr (v´44, Int.zero)) msgqueuetbl OS_Q_FREEBLK =
Some v´40
)(
x : val
)(
x0 : val
)(
x1 : val
)(
x7 : val
)(
x10 : val
)(
H30 : isptr x10
)(
H42 : isptr x7
)(
H46 : isptr x
)(
H48 : isptr x0
)(
H49 : isptr x1
)(
i11 : int32
)(
H50 : Int.unsigned i11 <= 65535
)(
i10 : int32
)(
H51 : Int.unsigned i10 <= 65535
)(
x11 : val
)(
x12 : val
)(
H47 : isptr x11
)(
H52 : isptr (Vptr (v´44, Int.zero))
)(
H43 : WellformedOSQ
(x10
:: x7
:: x
:: x0
:: x1
:: Vint32 i11
:: Vint32 i10 :: Vptr (v´44, Int.zero) :: nil)
)(
H3 : RLH_ECBData_P
(DMsgQ (Vptr (v´33, Int.zero))
(x10
:: x7
:: x
:: x0
:: x1
:: Vint32 i11
:: Vint32 i10 :: Vptr (v´44, Int.zero) :: nil)
(x11 :: x12 :: nil) v2) v´49
)(
H23 : isptr (Vptr (v´33, Int.zero))
)(
H9 : Int.unsigned ($ OS_EVENT_TYPE_Q) <= 255
)(
H8 : val_inj
(notint
(val_inj
(if Int.eq ($ OS_EVENT_TYPE_Q) ($ OS_EVENT_TYPE_Q)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) = Vint32 Int.zero \/
val_inj
(notint
(val_inj
(if Int.eq ($ OS_EVENT_TYPE_Q) ($ OS_EVENT_TYPE_Q)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) = Vnull
)(
H4 : R_ECB_ETbl_P (v´53, Int.zero)
(V$OS_EVENT_TYPE_Q
:: Vint32 i0
:: Vint32 i2 :: Vptr (v´33, Int.zero) :: x3 :: v´45 :: nil,
v´43) v´38
)(
H : ECBList_P v´41 Vnull
(v´24 ++
((V$OS_EVENT_TYPE_Q
:: Vint32 i0
:: Vint32 i2 :: Vptr (v´33, Int.zero) :: x3 :: v´45 :: nil,
v´43) :: nil) ++ v´25)
(v´26 ++
(DMsgQ (Vptr (v´33, Int.zero))
(x10
:: x7
:: x
:: x0
:: x1
:: Vint32 i11
:: Vint32 i10 :: Vptr (v´44, Int.zero) :: nil)
(x11 :: x12 :: nil) v2 :: nil) ++ v´27) v´37 v´38
),
(* Spec tuple; the return-condition frames the five locals
   existentially and pairs the returned value with abstract code END v. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV message @ (Void) ∗ |-> v0) **
(EX v0 : val, LV pq @ OS_Q ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (message, (Void) ∗) :: (pq, OS_Q ∗) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: abstract qpend pending, TCB list split around the
   current TCB (two dllseg halves), the OS_Q/OS_Q_FREEBLK structs and
   the event struct/table, plus the OS invariants. *)
{{( <|| qpend (Vptr (v´53, Int.zero) :: Vint32 i :: nil) ||> **
LV pq @ OS_Q ∗ |-> Vptr (v´33, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (message, (Void) ∗) :: (pq, OS_Q ∗) :: (legal, Int8u) :: nil) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
Astruct (v´52, Int.zero) OS_TCB
(v´42
:: v´22
:: x9
:: Vnull
:: Vint32 i9
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
:: Vint32 i5 :: Vint32 i4 :: Vint32 i3 :: nil) **
Astruct (v´44, Int.zero) OS_Q_FREEBLK (x11 :: x12 :: nil) **
Aarray v´40 (Tarray (Void) ∗ ∘OS_MAX_Q_SIZE) v2 **
Astruct (v´33, Int.zero) OS_Q
(x10
:: x7
:: x
:: x0
:: x1
:: Vint32 i11
:: Vint32 i10 :: Vptr (v´44, Int.zero) :: nil) **
dllseg v´42 (Vptr (v´52, Int.zero)) v´23 Vnull v´34 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´30 **
dllseg v´30 Vnull v´22 (Vptr (v´52, Int.zero)) v´32 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
Astruct (v´53, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_Q
:: Vint32 i0
:: Vint32 i2 :: Vptr (v´33, Int.zero) :: x3 :: v´45 :: nil) **
Aarray v´51 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´43 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´41 **
evsllseg v´41 (Vptr (v´53, Int.zero)) v´24 v´26 **
evsllseg v´45 Vnull v´25 v´27 **
A_isr_is_prop **
AOSRdyTblGrp v´35 v´36 **
AOSTCBPrioTbl v´29 v´35 v´38 v´50 **
HECBList v´37 **
HTCBList v´38 **
HCurTCB (v´52, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´2 **
AOSQFreeList v´3 **
AOSQFreeBlk v´4 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´20 v´21 **
AOSTime (Vint32 v´17) **
HTime v´17 **
AGVars **
atoy_inv´ **
LV message @ (Void) ∗ |-> v´ **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´53, Int.zero)) **
(* Pure side condition: the C test (0 < i10) evaluated to false, i.e. the
   queue has no entries and the pend must block. *)
[|val_inj
(if Int.ltu ($ 0) i10
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.ltu ($ 0) i10
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull|]}}
(* Program fragment under verification; both exits are RETURNs. *)
OSTCBCur ′ → OSTCBStat =ₑ ′OS_STAT_Q;ₛ
OSTCBCur ′ → OSTCBDly =ₑ timeout ′;ₛ
OS_EventTaskWait ( pevent ′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
ENTER_CRITICAL;ₛ
message ′ =ₑ OSTCBCur ′ → OSTCBMsg;ₛ
If(message ′ !=ₑ NULL)
{EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR} ;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_TIMEOUT {{Afalse}}.
(* Proof obligation for the tail of OSQPost when the event is a queue
   (HeqX : true = Int.eq i0 ($ OS_EVENT_TYPE_Q)) and the group word is
   non-zero (H13 : Int.eq i ($ 0) = false; i is tied to the event table
   v´43 by H17 : RL_Tbl_Grp_P v´43 (Vint32 i)).
   The precondition is the disjunction (\\//) of six cases
   event_rdy_post1´ .. event_rdy_post6´.  The six disjuncts are textually
   identical apart from the event_rdy_postN´ head: same logical-variable
   list, same frame (event list segments, HECBList/HTCBList/HCurTCB, free
   lists, locals), so a proof can treat them uniformly.
   The remaining statements leave the critical section, reschedule and
   return OS_NO_ERR; Afalse as the normal postcondition records that the
   fragment never falls through. *)
Definition gen_OSQPostProofPart1 := forall
( v´ : val
)(
v´0 : val
)(
v´1 : val
)(
x0 : addrval
)(
v´2 : list vallist
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list EventData
)(
v´6 : list EventCtr
)(
v´7 : vallist
)(
v´8 : val
)(
v´9 : val
)(
v´10 : list vallist
)(
v´11 : vallist
)(
v´12 : list vallist
)(
v´13 : vallist
)(
v´14 : val
)(
v´15 : EcbMod.map
)(
v´16 : TcbMod.map
)(
v´17 : int32
)(
v´18 : addrval
)(
v´19 : addrval
)(
v´20 : val
)(
v´21 : list vallist
)(
H : RH_TCBList_ECBList_P v´15 v´16 v´18
)(
H0 : RH_CurTCB v´18 v´16
)(
v´24 : list EventCtr
)(
v´25 : list EventCtr
)(
v´26 : list EventData
)(
v´27 : list EventData
)(
v´29 : vallist
)(
v´30 : val
)(
v´31 : val
)(
v´32 : list vallist
)(
v´33 : vallist
)(
v´34 : list vallist
)(
v´35 : vallist
)(
v´36 : val
)(
v´37 : EcbMod.map
)(
v´38 : TcbMod.map
)(
v´40 : addrval
)(
v´41 : val
)(
v´43 : vallist
)(
v : val
)(
v0 : vallist
)(
v1 : vallist
)(
v2 : vallist
)(
v´45 : val
)(
v´46 : EcbMod.map
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : absecb.B
)(
v´50 : addrval
)(
H3 : ECBList_P v´45 Vnull v´25 v´27 v´47 v´38
)(
H4 : RLH_ECBData_P (DMsgQ v v0 v1 v2) v´49
)(
H16 : EcbMod.join v´46 v´48 v´37
)(
H7 : RH_TCBList_ECBList_P v´37 v´38 v´40
)(
H8 : RH_CurTCB v´40 v´38
)(
H12 : length v´24 = length v´26
)(
H15 : isptr v´45
)(
v´22 : addrval
)(
v´28 : block
)(
H10 : array_type_vallist_match Int8u v´43
)(
H18 : length v´43 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
x4 : val
)(
i0 : int32
)(
H19 : Int.unsigned i0 <= 255
)(
i : int32
)(
H20 : Int.unsigned i <= 255
)(
i1 : int32
)(
H21 : Int.unsigned i1 <= 65535
)(
H22 : isptr x3
)(
H17 : RL_Tbl_Grp_P v´43 (Vint32 i)
)(
H23 : isptr v´45
)(
H1 : ECBList_P v´41 Vnull
(v´24 ++
((Vint32 i0 :: Vint32 i :: Vint32 i1 :: x3 :: x4 :: v´45 :: nil,
v´43) :: nil) ++ v´25) (v´26 ++ (DMsgQ v v0 v1 v2 :: nil) ++ v´27)
v´37 v´38
)(
H2 : ECBList_P v´41 (Vptr (v´28, Int.zero)) v´24 v´26 v´46 v´38
)(
H6 : EcbMod.joinsig (v´28, Int.zero) v´49 v´47 v´48
)(
H11 : id_addrval´ (Vptr (v´28, Int.zero)) OSEventTbl OS_EVENT = Some v´22
)(
H5 : R_ECB_ETbl_P (v´28, Int.zero)
(Vint32 i0 :: Vint32 i :: Vint32 i1 :: x3 :: x4 :: v´45 :: nil,
v´43) v´38
)(
(* Event type is OS_EVENT_TYPE_Q; group word non-zero. *)
HeqX : true = Int.eq i0 ($ OS_EVENT_TYPE_Q)
)(
H13 : Int.eq i ($ 0) = false
)(
v´23 : option val
),
(* Spec tuple; the return-condition frames the five locals
   existentially and pairs the returned value with abstract code END v3. *)
{|OSQ_spec , GetHPrio, I,
fun v3 : option val =>
((((EX v4 : val, LV message @ (Void) ∗ |-> v4) **
(EX v4 : val, LV pevent @ OS_EVENT ∗ |-> v4) **
(EX v4 : val, LV pq @ OS_Q ∗ |-> v4) **
(EX v4 : val, LV legal @ Int8u |-> v4) **
(EX v4 : val, LV x @ Int8u |-> v4) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((message, (Void) ∗)
:: (pevent, OS_EVENT ∗)
:: (pq, OS_Q ∗) :: (legal, Int8u) :: (x, Int8u) :: nil)) **
<|| END v3 ||> , Afalse|}|-
(* Precondition, case 1 of 6 (event_rdy_post1´); the frame after the
   head assertion is repeated verbatim in every case below. *)
{{event_rdy_post1´
(Vptr (v´28, Int.zero) :: Vptr x0 :: V$OS_STAT_Q :: nil) v´23
(logic_lv v´29
:: logic_lv v´33
:: logic_llv v´32
:: logic_llv v´34
:: logic_lv v´35
:: logic_val v´36
:: logic_abstcb v´38
:: logic_val v´30
:: logic_val v´31
:: logic_val (Vptr v´40)
:: logic_lv
(V$OS_EVENT_TYPE_Q
:: Vint32 i
:: Vint32 i1
:: x3 :: x4 :: v´45 :: nil)
:: logic_lv v´43
:: logic_leventd
(DMsgQ v v0 v1 v2 :: nil)
:: logic_code
(qpost
(Vptr (v´28, Int.zero)
::
Vptr x0 :: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV x @ Int8u |-> (V$OS_STAT_Q) **
GV OSEventList @ OS_EVENT ∗ |-> v´41 **
evsllseg v´41 (Vptr (v´28, Int.zero)) v´24 v´26 **
evsllseg v´45 Vnull v´25 v´27 **
HECBList v´37 **
HTCBList v´38 **
HCurTCB v´40 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´2 **
AOSQFreeList v´3 **
AOSQFreeBlk v´4 **
AOSIntNesting **
AOSTCBFreeList v´20 v´21 **
AOSTime (Vint32 v´17) **
HTime v´17 **
AGVars **
atoy_inv´ **
LV pq @ OS_Q ∗ |-> v´ **
LV message @ (Void) ∗ |-> Vptr x0 **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´28, Int.zero) **
A_dom_lenv
((message, (Void) ∗)
:: (pevent, OS_EVENT ∗)
:: (pq, OS_Q ∗) :: (legal, Int8u) :: (x, Int8u) :: nil) \\//
(* case 2 of 6 *)
event_rdy_post2´
(Vptr (v´28, Int.zero) :: Vptr x0 :: V$OS_STAT_Q :: nil) v´23
(logic_lv v´29
:: logic_lv v´33
:: logic_llv v´32
:: logic_llv v´34
:: logic_lv v´35
:: logic_val v´36
:: logic_abstcb v´38
:: logic_val v´30
:: logic_val v´31
:: logic_val (Vptr v´40)
:: logic_lv
(V$OS_EVENT_TYPE_Q
:: Vint32 i
:: Vint32 i1
:: x3 :: x4 :: v´45 :: nil)
:: logic_lv v´43
:: logic_leventd
(DMsgQ v v0 v1 v2 :: nil)
:: logic_code
(qpost
(Vptr (v´28, Int.zero)
::
Vptr x0 :: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV x @ Int8u |-> (V$OS_STAT_Q) **
GV OSEventList @ OS_EVENT ∗ |-> v´41 **
evsllseg v´41 (Vptr (v´28, Int.zero)) v´24 v´26 **
evsllseg v´45 Vnull v´25 v´27 **
HECBList v´37 **
HTCBList v´38 **
HCurTCB v´40 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´2 **
AOSQFreeList v´3 **
AOSQFreeBlk v´4 **
AOSIntNesting **
AOSTCBFreeList v´20 v´21 **
AOSTime (Vint32 v´17) **
HTime v´17 **
AGVars **
atoy_inv´ **
LV pq @ OS_Q ∗ |-> v´ **
LV message @ (Void) ∗ |-> Vptr x0 **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´28, Int.zero) **
A_dom_lenv
((message, (Void) ∗)
:: (pevent, OS_EVENT ∗)
:: (pq, OS_Q ∗) :: (legal, Int8u) :: (x, Int8u) :: nil) \\//
(* case 3 of 6 *)
event_rdy_post3´
(Vptr (v´28, Int.zero) :: Vptr x0 :: V$OS_STAT_Q :: nil) v´23
(logic_lv v´29
:: logic_lv v´33
:: logic_llv v´32
:: logic_llv v´34
:: logic_lv v´35
:: logic_val v´36
:: logic_abstcb v´38
:: logic_val v´30
:: logic_val v´31
:: logic_val (Vptr v´40)
:: logic_lv
(V$OS_EVENT_TYPE_Q
:: Vint32 i
:: Vint32 i1
:: x3 :: x4 :: v´45 :: nil)
:: logic_lv v´43
:: logic_leventd
(DMsgQ v v0 v1 v2 :: nil)
:: logic_code
(qpost
(Vptr (v´28, Int.zero)
::
Vptr x0 :: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV x @ Int8u |-> (V$OS_STAT_Q) **
GV OSEventList @ OS_EVENT ∗ |-> v´41 **
evsllseg v´41 (Vptr (v´28, Int.zero)) v´24 v´26 **
evsllseg v´45 Vnull v´25 v´27 **
HECBList v´37 **
HTCBList v´38 **
HCurTCB v´40 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´2 **
AOSQFreeList v´3 **
AOSQFreeBlk v´4 **
AOSIntNesting **
AOSTCBFreeList v´20 v´21 **
AOSTime (Vint32 v´17) **
HTime v´17 **
AGVars **
atoy_inv´ **
LV pq @ OS_Q ∗ |-> v´ **
LV message @ (Void) ∗ |-> Vptr x0 **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´28, Int.zero) **
A_dom_lenv
((message, (Void) ∗)
:: (pevent, OS_EVENT ∗)
:: (pq, OS_Q ∗) :: (legal, Int8u) :: (x, Int8u) :: nil) \\//
(* case 4 of 6 *)
event_rdy_post4´
(Vptr (v´28, Int.zero) :: Vptr x0 :: V$OS_STAT_Q :: nil) v´23
(logic_lv v´29
:: logic_lv v´33
:: logic_llv v´32
:: logic_llv v´34
:: logic_lv v´35
:: logic_val v´36
:: logic_abstcb v´38
:: logic_val v´30
:: logic_val v´31
:: logic_val (Vptr v´40)
:: logic_lv
(V$OS_EVENT_TYPE_Q
:: Vint32 i
:: Vint32 i1
:: x3 :: x4 :: v´45 :: nil)
:: logic_lv v´43
:: logic_leventd
(DMsgQ v v0 v1 v2 :: nil)
:: logic_code
(qpost
(Vptr (v´28, Int.zero)
::
Vptr x0 :: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV x @ Int8u |-> (V$OS_STAT_Q) **
GV OSEventList @ OS_EVENT ∗ |-> v´41 **
evsllseg v´41 (Vptr (v´28, Int.zero)) v´24 v´26 **
evsllseg v´45 Vnull v´25 v´27 **
HECBList v´37 **
HTCBList v´38 **
HCurTCB v´40 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´2 **
AOSQFreeList v´3 **
AOSQFreeBlk v´4 **
AOSIntNesting **
AOSTCBFreeList v´20 v´21 **
AOSTime (Vint32 v´17) **
HTime v´17 **
AGVars **
atoy_inv´ **
LV pq @ OS_Q ∗ |-> v´ **
LV message @ (Void) ∗ |-> Vptr x0 **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´28, Int.zero) **
A_dom_lenv
((message, (Void) ∗)
:: (pevent, OS_EVENT ∗)
:: (pq, OS_Q ∗) :: (legal, Int8u) :: (x, Int8u) :: nil) \\//
(* case 5 of 6 *)
event_rdy_post5´
(Vptr (v´28, Int.zero) :: Vptr x0 :: V$OS_STAT_Q :: nil) v´23
(logic_lv v´29
:: logic_lv v´33
:: logic_llv v´32
:: logic_llv v´34
:: logic_lv v´35
:: logic_val v´36
:: logic_abstcb v´38
:: logic_val v´30
:: logic_val v´31
:: logic_val (Vptr v´40)
:: logic_lv
(V$OS_EVENT_TYPE_Q
:: Vint32 i
:: Vint32 i1
:: x3 :: x4 :: v´45 :: nil)
:: logic_lv v´43
:: logic_leventd
(DMsgQ v v0 v1 v2 :: nil)
:: logic_code
(qpost
(Vptr (v´28, Int.zero)
::
Vptr x0 :: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV x @ Int8u |-> (V$OS_STAT_Q) **
GV OSEventList @ OS_EVENT ∗ |-> v´41 **
evsllseg v´41 (Vptr (v´28, Int.zero)) v´24 v´26 **
evsllseg v´45 Vnull v´25 v´27 **
HECBList v´37 **
HTCBList v´38 **
HCurTCB v´40 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´2 **
AOSQFreeList v´3 **
AOSQFreeBlk v´4 **
AOSIntNesting **
AOSTCBFreeList v´20 v´21 **
AOSTime (Vint32 v´17) **
HTime v´17 **
AGVars **
atoy_inv´ **
LV pq @ OS_Q ∗ |-> v´ **
LV message @ (Void) ∗ |-> Vptr x0 **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´28, Int.zero) **
A_dom_lenv
((message, (Void) ∗)
:: (pevent, OS_EVENT ∗)
:: (pq, OS_Q ∗) :: (legal, Int8u) :: (x, Int8u) :: nil) \\//
(* case 6 of 6 *)
event_rdy_post6´
(Vptr (v´28, Int.zero) :: Vptr x0 :: V$OS_STAT_Q :: nil) v´23
(logic_lv v´29
:: logic_lv v´33
:: logic_llv v´32
:: logic_llv v´34
:: logic_lv v´35
:: logic_val v´36
:: logic_abstcb v´38
:: logic_val v´30
:: logic_val v´31
:: logic_val (Vptr v´40)
:: logic_lv
(V$OS_EVENT_TYPE_Q
:: Vint32 i
:: Vint32 i1
:: x3 :: x4 :: v´45 :: nil)
:: logic_lv v´43
:: logic_leventd
(DMsgQ v v0 v1 v2 :: nil)
:: logic_code
(qpost
(Vptr (v´28, Int.zero)
::
Vptr x0 :: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV x @ Int8u |-> (V$OS_STAT_Q) **
GV OSEventList @ OS_EVENT ∗ |-> v´41 **
evsllseg v´41 (Vptr (v´28, Int.zero)) v´24 v´26 **
evsllseg v´45 Vnull v´25 v´27 **
HECBList v´37 **
HTCBList v´38 **
HCurTCB v´40 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´2 **
AOSQFreeList v´3 **
AOSQFreeBlk v´4 **
AOSIntNesting **
AOSTCBFreeList v´20 v´21 **
AOSTime (Vint32 v´17) **
HTime v´17 **
AGVars **
atoy_inv´ **
LV pq @ OS_Q ∗ |-> v´ **
LV message @ (Void) ∗ |-> Vptr x0 **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´28, Int.zero) **
A_dom_lenv
((message, (Void) ∗)
:: (pevent, OS_EVENT ∗)
:: (pq, OS_Q ∗) :: (legal, Int8u) :: (x, Int8u) :: nil)}}
(* Program fragment under verification; the only exit is the RETURN. *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}
.
(* Proof obligation for OSQPost when no task is waiting on the event: the
   pure side condition closing the precondition requires
   notint (i == 0) to be zero (or Vnull), i.e. the C test !(OSEventGrp == 0)
   failed and the group word i is zero; H9 (Int.notbool Int.one = Int.zero)
   is the corresponding fact for that branch.  The event is a queue
   (HeqX : true = Int.eq i0 ($ OS_EVENT_TYPE_Q)) and the message being
   posted is a pointer, Vptr x0.
   The statements load pq from pevent->OSEventPtr, return OS_Q_FULL when
   OSQEntries >= OSQSize, otherwise store message at *OSQIn, advance OSQIn
   and OSQEntries, wrap OSQIn back to OSQStart when it reaches OSQEnd, leave
   the critical section and return OS_NO_ERR.  Every path RETURNs, hence
   the Afalse normal postcondition.
   NOTE(review): the full-queue check precedes the store, so *OSQIn is only
   written while OSQEntries < OSQSize; the wrap-around keeps OSQIn inside
   [OSQStart, OSQEnd) -- the in-bounds argument itself lives in the proof
   of this obligation, not here. *)
Definition gen_OSQPostProofPart2:= forall
( v´ : val
)(
v´0 : val
)(
v´1 : val
)(
x0 : addrval
)(
v´2 : list vallist
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list EventData
)(
v´6 : list EventCtr
)(
v´7 : vallist
)(
v´8 : val
)(
v´9 : val
)(
v´10 : list vallist
)(
v´11 : vallist
)(
v´12 : list vallist
)(
v´13 : vallist
)(
v´14 : val
)(
v´15 : EcbMod.map
)(
v´16 : TcbMod.map
)(
v´17 : int32
)(
v´18 : addrval
)(
v´19 : addrval
)(
v´20 : val
)(
v´21 : list vallist
)(
H : RH_TCBList_ECBList_P v´15 v´16 v´18
)(
H0 : RH_CurTCB v´18 v´16
)(
v´24 : list EventCtr
)(
v´25 : list EventCtr
)(
v´26 : list EventData
)(
v´27 : list EventData
)(
v´29 : vallist
)(
v´30 : val
)(
v´31 : val
)(
v´32 : list vallist
)(
v´33 : vallist
)(
v´34 : list vallist
)(
v´35 : vallist
)(
v´36 : val
)(
v´37 : EcbMod.map
)(
v´38 : TcbMod.map
)(
v´40 : addrval
)(
v´41 : val
)(
v´43 : vallist
)(
v : val
)(
v0 : vallist
)(
v1 : vallist
)(
v2 : vallist
)(
v´45 : val
)(
v´46 : EcbMod.map
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : absecb.B
)(
v´50 : addrval
)(
H3 : ECBList_P v´45 Vnull v´25 v´27 v´47 v´38
)(
H4 : RLH_ECBData_P (DMsgQ v v0 v1 v2) v´49
)(
H16 : EcbMod.join v´46 v´48 v´37
)(
H7 : RH_TCBList_ECBList_P v´37 v´38 v´40
)(
H8 : RH_CurTCB v´40 v´38
)(
H12 : length v´24 = length v´26
)(
H15 : isptr v´45
)(
v´22 : addrval
)(
v´28 : block
)(
H10 : array_type_vallist_match Int8u v´43
)(
H18 : length v´43 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
x4 : val
)(
i0 : int32
)(
H19 : Int.unsigned i0 <= 255
)(
i : int32
)(
H20 : Int.unsigned i <= 255
)(
i1 : int32
)(
H21 : Int.unsigned i1 <= 65535
)(
H22 : isptr x3
)(
H17 : RL_Tbl_Grp_P v´43 (Vint32 i)
)(
H23 : isptr v´45
)(
H1 : ECBList_P v´41 Vnull
(v´24 ++
((Vint32 i0 :: Vint32 i :: Vint32 i1 :: x3 :: x4 :: v´45 :: nil,
v´43) :: nil) ++ v´25) (v´26 ++ (DMsgQ v v0 v1 v2 :: nil) ++ v´27)
v´37 v´38
)(
H2 : ECBList_P v´41 (Vptr (v´28, Int.zero)) v´24 v´26 v´46 v´38
)(
H6 : EcbMod.joinsig (v´28, Int.zero) v´49 v´47 v´48
)(
H11 : id_addrval´ (Vptr (v´28, Int.zero)) OSEventTbl OS_EVENT = Some v´22
)(
H5 : R_ECB_ETbl_P (v´28, Int.zero)
(Vint32 i0 :: Vint32 i :: Vint32 i1 :: x3 :: x4 :: v´45 :: nil,
v´43) v´38
)(
(* Event type is OS_EVENT_TYPE_Q. *)
HeqX : true = Int.eq i0 ($ OS_EVENT_TYPE_Q)
)(
H9 : Vint32 (Int.notbool Int.one) = Vint32 Int.zero
),
(* Spec tuple; the return-condition frames the five locals
   existentially and pairs the returned value with abstract code END v3. *)
{|OSQ_spec , GetHPrio, I,
fun v3 : option val =>
((((EX v4 : val, LV message @ (Void) ∗ |-> v4) **
(EX v4 : val, LV pevent @ OS_EVENT ∗ |-> v4) **
(EX v4 : val, LV pq @ OS_Q ∗ |-> v4) **
(EX v4 : val, LV legal @ Int8u |-> v4) **
(EX v4 : val, LV x @ Int8u |-> v4) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((message, (Void) ∗)
:: (pevent, OS_EVENT ∗)
:: (pq, OS_Q ∗) :: (legal, Int8u) :: (x, Int8u) :: nil)) **
<|| END v3 ||> , Afalse|}|-
(* Precondition: event struct/table at (v´28, Int.zero), the abstract
   qpost still pending, and the OS invariants; pq is not yet assigned. *)
{{(Astruct (v´28, Int.zero) OS_EVENT
(Vint32 i0 :: Vint32 i :: Vint32 i1 :: x3 :: x4 :: v´45 :: nil) **
Aarray v´22 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´43 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´41 **
AEventData
(Vint32 i0 :: Vint32 i :: Vint32 i1 :: x3 :: x4 :: v´45 :: nil)
(DMsgQ v v0 v1 v2) **
evsllseg v´41 (Vptr (v´28, Int.zero)) v´24 v´26 **
evsllseg v´45 Vnull v´25 v´27 **
A_isr_is_prop **
AOSTCBList v´30 v´31 v´32 (v´33 :: v´34) v´35 v´40 v´38 **
AOSRdyTblGrp v´35 v´36 **
AOSTCBPrioTbl v´29 v´35 v´38 v´50 **
HECBList v´37 **
HTCBList v´38 **
HCurTCB v´40 **
<|| qpost (Vptr (v´28, Int.zero) :: Vptr x0 :: nil) ||> **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´2 **
AOSQFreeList v´3 **
AOSQFreeBlk v´4 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´20 v´21 **
AOSTime (Vint32 v´17) **
HTime v´17 **
AGVars **
atoy_inv´ **
LV x @ Int8u |-> v´1 **
LV pq @ OS_Q ∗ |-> v´ **
LV message @ (Void) ∗ |-> Vptr x0 **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´28, Int.zero) **
A_dom_lenv
((message, (Void) ∗)
:: (pevent, OS_EVENT ∗)
:: (pq, OS_Q ∗) :: (legal, Int8u) :: (x, Int8u) :: nil)) **
(* Pure side condition: the C test !(i == 0) evaluated to false,
   i.e. no task waits on this event. *)
[|val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) = Vint32 Int.zero \/
val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) = Vnull|]}}
(* Program fragment under verification; both exits are RETURNs. *)
pq ′ =ₑ pevent ′ → OSEventPtr;ₛ
If(pq ′ → OSQEntries ≥ pq ′ → OSQSize)
{EXIT_CRITICAL;ₛ
RETURN ′OS_Q_FULL} ;ₛ
∗pq ′ → OSQIn =ₑ message ′;ₛ
pq ′ → OSQIn =ₑ pq ′ → OSQIn +ₑ ′1;ₛ
pq ′ → OSQEntries =ₑ pq ′ → OSQEntries +ₑ ′1;ₛ
If(pq ′ → OSQIn ==ₑ pq ′ → OSQEnd)
{pq ′ → OSQIn =ₑ pq ′ → OSQStart} ;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
Definition gen_mutex_pend_ptcb_is_rdy_left_to_cur´:= forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(v´37 : list vallist)
(os_rdy_tbl : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(st : taskstatus)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(x0 : val)
(x2 : TcbMod.map)
(Htcblist_subr : TCBList_P x0 v´37 os_rdy_tbl x2)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(xs : taskstatus)
(H12 : isptr x0)
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
os_rdy_tbl (cur_prio, st, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, st, Vnull) x2
tcbls_r)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_l)
(Htcblist_sub_left : TCBList_P v´33 v´34 os_rdy_tbl tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 os_rdy_tbl tcbls_sub_r)
(ptcb_addr : block)
(x11 : val)
(H31 : isptr x11)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(i10 : int32)
(H44 : Int.unsigned i10 <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(ptcb_tcby : int32)
(H47 : Int.unsigned ptcb_tcby <= 255)
(ptcb_bitx : int32)
(H48 : Int.unsigned ptcb_bitx <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H27 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, xs, xm))
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(H_ptcb_in_left : TcbMod.get tcbls_l (ptcb_addr, Int.zero) =
Some (ptcb_prio, xs, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, xs, xm) tcbls_sub_r v´52)
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(H17 : RL_TCBblk_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil))
(H50 : R_TCB_Status_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil)
os_rdy_tbl (ptcb_prio, xs, xm))
(Htcblist_subl : TCBList_P v´33
(v´34 ++
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
::
Vint32 i2 :: nil) :: v´36)
os_rdy_tbl tcbls_l)
(Hif_can_lift : ptcb_prio <> x>>ᵢ$ 8 /\
Int.ltu cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = true)
(v´31 : val)
(H9 : array_type_vallist_match OS_TCB ∗ v´32)
(H52 : length v´32 = 64%nat)
(H15 : RL_RTbl_PrioTbl_P os_rdy_tbl v´32 v´53)
(H51 : R_PrioTbl_P v´32 tcbls v´53)
(H_pip_is_hold : nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´32 =
Vptr v´53)
(H53 : array_type_vallist_match Int8u os_rdy_tbl)
(H56 : length os_rdy_tbl = ∘OS_RDY_TBL_SIZE)
(H54 : rule_type_val_match Int8u v´39 = true)
(H55 : RL_Tbl_Grp_P os_rdy_tbl v´39)
(H57 : prio_in_tbl ($ OS_IDLE_PRIO) os_rdy_tbl)
(Hownernidle : ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcbstrdy : i10 = $ OS_STAT_RDY)
(Hptcbdly0 : i11 = $ 0)
(Hrange_py : 0 <= Int.unsigned ptcb_tcby <= 7)
(v0 : int32)
(Hif_ptcb_rdy1 : nth_val´ (Z.to_nat (Int.unsigned ptcb_tcby)) os_rdy_tbl =
Vint32 v0)
(Hif_ptcb_rdy2 : v0&ptcb_bitx <> Int.zero)
(Hrangev : Int.unsigned v0 <= 255)
(Hfx : exists x1,
nth_val´ (Z.to_nat (Int.unsigned ptcb_tcby))
(update_nth_val (Z.to_nat (Int.unsigned ptcb_tcby)) os_rdy_tbl
(Vint32 (v0&Int.not ptcb_bitx))) = Vint32 x1 /\
Int.unsigned x1 <= 255)
(Hif_false : val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned ptcb_tcby))
(update_nth_val (Z.to_nat (Int.unsigned ptcb_tcby))
os_rdy_tbl
(val_inj
(and (Vint32 v0) (Vint32 (Int.not ptcb_bitx))))))
(V$0)) = Vint32 Int.zero \/
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned ptcb_tcby))
(update_nth_val (Z.to_nat (Int.unsigned ptcb_tcby))
os_rdy_tbl
(val_inj
(and (Vint32 v0) (Vint32 (Int.not ptcb_bitx))))))
(V$0)) = Vnull)
(Hgetlast:
get_last_tcb_ptr v´34 v´33 = Some (Vptr (ptcb_addr,Int.zero)))
,
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v1 : val, LV timeout @ Int16u |-> v1) **
(EX v1 : val, LV pevent @ OS_EVENT ∗ |-> v1) **
(EX v1 : val, LV legal @ Int8u |-> v1) **
(EX v1 : val, LV pip @ Int8u |-> v1) **
(EX v1 : val, LV mprio @ Int8u |-> v1) **
(EX v1 : val, LV isrdy @ Int8u |-> v1) **
(EX v1 : val, LV ptcb @ OS_TCB ∗ |-> v1) **
(EX v1 : val, LV pevent2 @ OS_EVENT ∗ |-> v1) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
{{ <|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil) **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE)
(update_nth_val (Z.to_nat (Int.unsigned ptcb_tcby)) os_rdy_tbl
(val_inj (and (Vint32 v0) (Vint32 (Int.not ptcb_bitx))))) **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64)
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val (Z.to_nat (Int.unsigned ptcb_prio)) v´32
(Vptr v´53)) (Vptr (ptcb_addr, Int.zero))) **
PV v´53 @ Int8u |-> v´31 **
Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil) **
dllseg v´33 Vnull v´43 (Vptr (ptcb_addr, Int.zero)) v´34 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
dllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´26
(Vptr (cur_addr, Int.zero)) v´36 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
dllseg x0 (Vptr (cur_addr, Int.zero)) v´42 Vnull v´37 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
GV OSRdyGrp @ Int8u |-> v´39 **
G&OSPlaceHolder @ Int8u == v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero)}}
ptcb ′ → OSTCBPrio =ₑ pip ′;ₛ
ptcb ′ → OSTCBY =ₑ ptcb ′ → OSTCBPrio ≫ ′3;ₛ
ptcb ′ → OSTCBBitY =ₑ OSMapTbl ′ [ptcb ′ → OSTCBY];ₛ
ptcb ′ → OSTCBX =ₑ ptcb ′ → OSTCBPrio &ₑ ′7;ₛ
ptcb ′ → OSTCBBitX =ₑ OSMapTbl ′ [ptcb ′ → OSTCBX];ₛ
OSRdyGrp ′ =ₑ OSRdyGrp ′ |ₑ ptcb ′ → OSTCBBitY;ₛ
OSRdyTbl ′ [ptcb ′ → OSTCBY] =ₑ
OSRdyTbl ′ [ptcb ′ → OSTCBY] |ₑ ptcb ′ → OSTCBBitX;ₛ
OSTCBCur ′ → OSTCBStat =ₑ ′OS_STAT_MUTEX;ₛ
OSTCBCur ′ → OSTCBDly =ₑ timeout ′;ₛ
OS_EventTaskWait ( pevent ′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
ENTER_CRITICAL;ₛ
If(OSTCBCur ′ → OSTCBMsg !=ₑ NULL)
{EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR} ;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_TIMEOUT {{Afalse}}
.
(* Verification condition for the OSMutexPend path in which the mutex
   owner's TCB ([ptcb_addr]) lies in the part of the TCB list to the LEFT
   of the current TCB ([cur_addr]): the [dllseg] starting at [v´33] walks
   [v´34] and ends at the owner ([Hgetlast] pins the last pointer of
   [v´34] to [ptcb_addr]), and the [dllseg] from [v´45] walks [v´36] up to
   [cur_addr].  The owner is ready ([Hptcbstrdy], [Hptcbdly0], [Hif_false])
   and its priority can be lifted to the PIP ([Hif_can_lift]), i.e. this
   is the priority-inheritance step of the pend.
   The conclusion is a judgment of the shape
       frame |- {{ pre }} stmts {{ Afalse }}
   with frame [OSQ_spec, GetHPrio, I, return-assertion, Afalse]; the
   fall-through postcondition is [Afalse], consistent with every path of
   the statement list ending in RETURN.
   NOTE(review): the hypothesis names are binder names; the proof scripts
   that introduce this goal presumably rely on them, so keep them stable. *)
Definition gen_mutex_pend_ptcb_is_rdy_left_to_cur :=
forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(v´37 : list vallist)
(os_rdy_tbl : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(* [tcbls_l] / [tcbls_r]: abstract TCB maps of the list parts before and
   from the current TCB; [tcbls_l] is itself split into [tcbls_sub_l]
   (before the owner) and [v´52] (owner plus [tcbls_sub_r]) below. *)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(st : taskstatus)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(x0 : val)
(x2 : TcbMod.map)
(Htcblist_subr : TCBList_P x0 v´37 os_rdy_tbl x2)
(* [x] is the mutex's packed priority word: its high byte ([x>>ᵢ$ 8]) is
   the PIP, its low byte ([x&$ OS_MUTEX_KEEP_LOWER_8]) the owner's
   original priority; the mutex is held ([Hmutex_not_avail]) and the PIP
   is a strictly smaller value than the current priority ([Hcur_prio]). *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(xs : taskstatus)
(H12 : isptr x0)
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
os_rdy_tbl (cur_prio, st, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, st, Vnull) x2
tcbls_r)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_l)
(Htcblist_sub_left : TCBList_P v´33 v´34 os_rdy_tbl tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 os_rdy_tbl tcbls_sub_r)
(* Fields of the owner's TCB as they stand BEFORE the lift: [ptcb_prio],
   [ptcb_tcby] and [ptcb_bitx] are its current priority / OSTCBY /
   OSTCBBitX; the statements below overwrite them. *)
(ptcb_addr : block)
(x11 : val)
(H31 : isptr x11)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(i10 : int32)
(H44 : Int.unsigned i10 <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(ptcb_tcby : int32)
(H47 : Int.unsigned ptcb_tcby <= 255)
(ptcb_bitx : int32)
(H48 : Int.unsigned ptcb_bitx <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H27 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, xs, xm))
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(H_ptcb_in_left : TcbMod.get tcbls_l (ptcb_addr, Int.zero) =
Some (ptcb_prio, xs, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, xs, xm) tcbls_sub_r v´52)
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(H17 : RL_TCBblk_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil))
(H50 : R_TCB_Status_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil)
os_rdy_tbl (ptcb_prio, xs, xm))
(Htcblist_subl : TCBList_P v´33
(v´34 ++
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
::
Vint32 i2 :: nil) :: v´36)
os_rdy_tbl tcbls_l)
(* Lift condition: the owner is not already running at the PIP, and the
   current task's priority value is strictly below the owner's original
   priority (the [mprio] local), so the owner must inherit the PIP. *)
(Hif_can_lift : ptcb_prio <> x>>ᵢ$ 8 /\
Int.ltu cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = true)
(v´31 : val)
(H9 : array_type_vallist_match OS_TCB ∗ v´32)
(H52 : length v´32 = 64%nat)
(H15 : RL_RTbl_PrioTbl_P os_rdy_tbl v´32 v´53)
(H51 : R_PrioTbl_P v´32 tcbls v´53)
(* Before this path, the PIP slot of OSTCBPrioTbl ([v´32]) held the
   placeholder [v´53]; the precondition below shows it already rewritten. *)
(H_pip_is_hold : (nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
v´32) = (Vptr v´53) )
(H53 : array_type_vallist_match Int8u os_rdy_tbl)
(H56 : length os_rdy_tbl = ∘OS_RDY_TBL_SIZE)
(H54 : rule_type_val_match Int8u v´39 = true)
(H55 : RL_Tbl_Grp_P os_rdy_tbl v´39)
(H57 : prio_in_tbl ($ OS_IDLE_PRIO) os_rdy_tbl)
(* The guard of the preceding if, OSRdyTbl[ptcb->OSTCBY] & ptcb->OSTCBBitX
   == 0, evaluated to zero (or to Vnull), i.e. in the evaluable case the
   owner's ready bit in [os_rdy_tbl] is set. *)
(Hif_false : val_inj
(val_eq
(val_inj
(and
(nth_val´ (Z.to_nat (Int.unsigned ptcb_tcby))
os_rdy_tbl) (Vint32 ptcb_bitx)))
(V$0)) = Vint32 Int.zero \/
val_inj
(val_eq
(val_inj
(and
(nth_val´ (Z.to_nat (Int.unsigned ptcb_tcby))
os_rdy_tbl) (Vint32 ptcb_bitx)))
(V$0)) = Vnull)
(Hownernidle: ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcbstrdy: i10 = $ OS_STAT_RDY)
(Hptcbdly0: i11 = $ 0 )
(Hgetlast: get_last_tcb_ptr v´34 v´33 = Some (Vptr (ptcb_addr,Int.zero)))
,
(* Frame: spec, GetHPrio, invariant I, a return assertion over the optional
   result [v] that releases the eight locals and requires interrupts back
   on (Aie true, Acs nil) with [END v] in the abstract code, and [Afalse]. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
{{ <|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil) **
(* OSTCBPrioTbl as already rewritten by the preceding statements: the
   owner's original slot [ptcb_prio] now holds the placeholder [v´53] and
   the PIP slot holds the owner. *)
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64)
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val (Z.to_nat (Int.unsigned ptcb_prio)) v´32
(Vptr v´53)) (Vptr (ptcb_addr, Int.zero))) **
PV v´53 @ Int8u |-> v´31 **
(* The owner's TCB itself still carries its pre-lift fields. *)
Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil) **
dllseg v´33 Vnull v´43 (Vptr (ptcb_addr, Int.zero)) v´34 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
dllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´26
(Vptr (cur_addr, Int.zero)) v´36 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
dllseg x0 (Vptr (cur_addr, Int.zero)) v´42 Vnull v´37 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
(* The ready table is still the unmodified [os_rdy_tbl]; the first
   statement below clears the owner's old-priority bit in it. *)
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE) os_rdy_tbl **
GV OSRdyGrp @ Int8u |-> v´39 **
G&OSPlaceHolder @ Int8u == v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero)}}
(* Remaining statements: remove the owner from the ready table at its old
   priority (clearing its OSRdyGrp bit when the row becomes empty),
   re-derive OSTCBY/BitY/X/BitX from the new priority [pip] and re-insert
   it, then block the current task on the mutex with the given timeout,
   reschedule, and return OS_NO_ERR if OSTCBCur->OSTCBMsg is non-NULL
   afterwards, OS_TIMEOUT otherwise. *)
OSRdyTbl ′ [ptcb ′ → OSTCBY] &= ∼ ptcb ′ → OSTCBBitX;ₛ
If(OSRdyTbl ′ [ptcb ′ → OSTCBY] ==ₑ ′0)
{OSRdyGrp ′ &= ∼ ptcb ′ → OSTCBBitY} ;ₛ
ptcb ′ → OSTCBPrio =ₑ pip ′;ₛ
ptcb ′ → OSTCBY =ₑ ptcb ′ → OSTCBPrio ≫ ′3;ₛ
ptcb ′ → OSTCBBitY =ₑ OSMapTbl ′ [ptcb ′ → OSTCBY];ₛ
ptcb ′ → OSTCBX =ₑ ptcb ′ → OSTCBPrio &ₑ ′7;ₛ
ptcb ′ → OSTCBBitX =ₑ OSMapTbl ′ [ptcb ′ → OSTCBX];ₛ
OSRdyGrp ′ =ₑ OSRdyGrp ′ |ₑ ptcb ′ → OSTCBBitY;ₛ
OSRdyTbl ′ [ptcb ′ → OSTCBY] =ₑ
OSRdyTbl ′ [ptcb ′ → OSTCBY] |ₑ ptcb ′ → OSTCBBitX;ₛ
OSTCBCur ′ → OSTCBStat =ₑ ′OS_STAT_MUTEX;ₛ
OSTCBCur ′ → OSTCBDly =ₑ timeout ′;ₛ
OS_EventTaskWait ( pevent ′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
ENTER_CRITICAL;ₛ
If(OSTCBCur ′ → OSTCBMsg !=ₑ NULL)
{EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR} ;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_TIMEOUT {{Afalse}}.
(* Verification condition for the OSMutexPend path in which the mutex
   owner's TCB ([ptcb_addr]) lies to the LEFT of the current TCB
   ([cur_addr]) in the TCB list (the [dllseg] from [v´33] over [v´34] ends
   at the owner, the one from [v´45] over [v´36] reaches [cur_addr]) but
   the owner's priority can NOT be lifted: [LHif_false] records that the
   guard  ptcb->OSTCBPrio != pip && cur_prio < mprio  evaluated to zero
   (or to Vnull), and [Hnocur] that the current priority differs from
   [mprio].  Both task statuses are the concrete [rdy] here, and the
   ready/priority tables stay packaged as [AOSRdyTblGrp v´38 v´39] and
   [AOSTCBPrioTbl v´32 v´38 tcbls v´53] in the precondition; the statement
   list below contains no direct writes to either table (only the calls
   OS_EventTaskWait and OS_Sched, whose effects come from their specs).
   Judgment shape:  frame |- {{ pre }} stmts {{ Afalse }}, with [Afalse]
   as fall-through postcondition since every path ends in RETURN.
   NOTE(review): the hypothesis names are binder names that the proof
   scripts presumably rely on; keep them stable. *)
Definition gen_mutex_pend_can_not_lift_left_to_cur:= forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(v´37 : list vallist)
(* [v´38] is the ready table in this obligation (it is not unfolded into
   a GAarray here); [v´39] the OSRdyGrp value. *)
(v´38 : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(st : taskstatus)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(* The current task is abstractly [rdy] with no message. *)
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(x0 : val)
(x2 : TcbMod.map)
(Htcblist_subr : TCBList_P x0 v´37 v´38 x2)
(* [x] is the mutex's packed priority word: high byte ([x>>ᵢ$ 8]) is the
   PIP, low byte ([x&$ OS_MUTEX_KEEP_LOWER_8]) the owner's original
   priority; the mutex is held ([Hmutex_not_avail]). *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(H12 : isptr x0)
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
v´38 (cur_prio, rdy, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, rdy, Vnull) x2
tcbls_r)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_l)
(Htcblist_sub_left : TCBList_P v´33 v´34 v´38 tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 v´38 tcbls_sub_r)
(* Owner's TCB fields; [i7] / [i6] are its OSTCBY / OSTCBBitX and are
   left untouched by this path. *)
(ptcb_addr : block)
(x11 : val)
(H31 : isptr x11)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(i10 : int32)
(H44 : Int.unsigned i10 <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(i7 : int32)
(H47 : Int.unsigned i7 <= 255)
(i6 : int32)
(H48 : Int.unsigned i6 <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H27 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, rdy, xm))
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(H_ptcb_in_left : TcbMod.get tcbls_l (ptcb_addr, Int.zero) =
Some (ptcb_prio, rdy, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, rdy, xm) tcbls_sub_r v´52)
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(H17 : RL_TCBblk_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7 :: Vint32 i6 :: Vint32 i2 :: nil))
(H50 : R_TCB_Status_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7 :: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, rdy, xm))
(Htcblist_subl : TCBList_P v´33
(v´34 ++
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
::
Vint32 i2 :: nil) :: v´36)
v´38 tcbls_l)
(* The C-level lift test (owner priority differs from the PIP AND the
   current priority is below the owner's original priority) evaluated to
   zero or Vnull: no priority inheritance happens on this path. *)
(LHif_false : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq ptcb_prio (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(if Int.ltu cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq ptcb_prio (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(if Int.ltu cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) = Vnull)
(* The current task's priority is not the owner's original priority. *)
(Hnocur: (Int.eq cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = false))
,
(* Frame: spec, GetHPrio, invariant I, a return assertion over the optional
   result [v] that releases the eight locals and requires interrupts back
   on (Aie true, Acs nil) with [END v] in the abstract code, and [Afalse]. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
{{Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7 :: Vint32 i6 :: Vint32 i2 :: nil) **
dllseg v´33 Vnull v´43 (Vptr (ptcb_addr, Int.zero)) v´34 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
dllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´26
(Vptr (cur_addr, Int.zero)) v´36 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
<|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
dllseg x0 (Vptr (cur_addr, Int.zero)) v´42 Vnull v´37 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
(* Ready table / group and priority table remain packaged: nothing on
   this path has unfolded or modified them. *)
AOSRdyTblGrp v´38 v´39 **
AOSTCBPrioTbl v´32 v´38 tcbls v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
(* Remaining statements: block the current task on the mutex with the
   given timeout, reschedule, and return OS_NO_ERR if OSTCBCur->OSTCBMsg
   is non-NULL afterwards, OS_TIMEOUT otherwise.  No owner-priority or
   ready-table update appears here, unlike the lift case. *)
OSTCBCur ′ → OSTCBStat =ₑ ′OS_STAT_MUTEX;ₛ
OSTCBCur ′ → OSTCBDly =ₑ timeout ′;ₛ
OS_EventTaskWait ( pevent ′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
ENTER_CRITICAL;ₛ
If(OSTCBCur ′ → OSTCBMsg !=ₑ NULL)
{EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR} ;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_TIMEOUT {{Afalse}}
.
Definition gen_mutex_pend_ptcb_is_rdy_right_to_cur´:=
forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(ptbl : vallist)
(v´33 : val)
(v´35 : list vallist)
(os_rdy_tbl : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(Htcblist_subl : TCBList_P v´33 v´35 os_rdy_tbl tcbls_l)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(x0 : val)
(tcbls_r´ : TcbMod.map)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(H12 : isptr x0)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_r´)
(Htcblist_sub_left : TCBList_P x0 v´34 os_rdy_tbl tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 os_rdy_tbl tcbls_sub_r)
(ptcb_addr : block)
(x10 : val)
(H31 : isptr x10)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H27 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(Hptcb_prio_not_idle : ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcb_prio_scope_obv : 0 <= Int.unsigned ptcb_prio)
(Hptcb_prio_scope : Int.unsigned ptcb_prio < 64)
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, rdy, xm))
(H_ptcb_in_right : TcbMod.get tcbls_r´ (ptcb_addr, Int.zero) =
Some (ptcb_prio, rdy, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, rdy, xm) tcbls_sub_r v´52)
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
os_rdy_tbl (cur_prio, rdy, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, rdy, Vnull)
tcbls_r´ tcbls_r)
(Hif_false : Int.eq (x&$ OS_MUTEX_KEEP_LOWER_8) cur_prio = false)
(Hnocur : Int.eq cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = false)
(H_cur_prio_scope : Int.unsigned cur_prio < 64)
(Hx_scope1 : Int.unsigned (x>>ᵢ$ 8) < 64)
(Hif_can_lift1 : ptcb_prio <> x>>ᵢ$ 8)
(Hif_can_lift2 : Int.ltu cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = true)
(v´31 : val)
(Hptbl_1 : array_type_vallist_match OS_TCB ∗ ptbl)
(Hptbl_2 : length ptbl = 64%nat)
(H15 : RL_RTbl_PrioTbl_P os_rdy_tbl ptbl v´53)
(H51 : R_PrioTbl_P ptbl tcbls v´53)
(H_pip_is_hold : val_inj
(uop_eval
(val_inj
(bop_eval
(nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
ptbl) (Vptr v´53) OS_TCB ∗
OS_TCB ∗ oeq)) oppsite) =
Vint32 Int.zero \/
val_inj
(uop_eval
(val_inj
(bop_eval
(nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
ptbl) (Vptr v´53) OS_TCB ∗
OS_TCB ∗ oeq)) oppsite) = Vnull)
(H9 : array_type_vallist_match Int8u os_rdy_tbl)
(H54 : length os_rdy_tbl = ∘OS_RDY_TBL_SIZE)
(H52 : rule_type_val_match Int8u v´39 = true)
(H53 : RL_Tbl_Grp_P os_rdy_tbl v´39)
(H55 : prio_in_tbl ($ OS_IDLE_PRIO) os_rdy_tbl)
(Hptcb_tcby_scope : Int.unsigned (ptcb_prio>>ᵢ$ 3) < 8)
(v0 : int32)
(Hrangev : Int.unsigned v0 <= 255)
(H48 : Int.unsigned ($ 1<<(ptcb_prio&$ 7)) <= 255)
(Hif_ptcb_rdy2 : v0&($ 1<<(ptcb_prio&$ 7)) <> Int.zero)
(H47 : Int.unsigned (ptcb_prio>>ᵢ$ 3) <= 255)
(Hrange_py : 0 <= Int.unsigned (ptcb_prio>>ᵢ$ 3) <= 7)
(Hif_ptcb_rdy1 : nth_val´ (Z.to_nat (Int.unsigned (ptcb_prio>>ᵢ$ 3)))
os_rdy_tbl = Vint32 v0)
(H33 : Int.unsigned ($ 0) <= 65535)
(H44 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(Htcblist_subr : TCBList_P x0
(v´34 ++
(v´45
:: v´43
:: x10
:: xm
:: V$0
:: V$OS_STAT_RDY
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 (ptcb_prio>>ᵢ$ 3)
:: Vint32
($ 1<<(ptcb_prio&$ 7))
::
Vint32 i2 :: nil) :: v´36)
os_rdy_tbl tcbls_r´)
(H17 : RL_TCBblk_P
(v´45
:: v´43
:: x10
:: xm
:: V$0
:: V$OS_STAT_RDY
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 (ptcb_prio>>ᵢ$ 3)
:: Vint32 ($ 1<<(ptcb_prio&$ 7))
:: Vint32 i2 :: nil))
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x10
:: xm
:: V$0
:: V$OS_STAT_RDY
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 (ptcb_prio>>ᵢ$ 3)
:: Vint32 ($ 1<<(ptcb_prio&$ 7))
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(H50 : R_TCB_Status_P
(v´45
:: v´43
:: x10
:: xm
:: V$0
:: V$OS_STAT_RDY
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 (ptcb_prio>>ᵢ$ 3)
:: Vint32 ($ 1<<(ptcb_prio&$ 7))
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(Hfx : exists x1,
nth_val´ (Z.to_nat (Int.unsigned (ptcb_prio>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (ptcb_prio>>ᵢ$ 3)))
os_rdy_tbl (Vint32 (v0&Int.not ($ 1<<(ptcb_prio&$ 7))))) =
Vint32 x1 /\ Int.unsigned x1 <= 255)
(Hif_false0 : val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (ptcb_prio>>ᵢ$ 3)))
(update_nth_val
(Z.to_nat (Int.unsigned (ptcb_prio>>ᵢ$ 3)))
os_rdy_tbl
(val_inj
(and (Vint32 v0)
(Vint32 (Int.not ($ 1<<(ptcb_prio&$ 7))))))))
(V$0)) = Vint32 Int.zero \/
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (ptcb_prio>>ᵢ$ 3)))
(update_nth_val
(Z.to_nat (Int.unsigned (ptcb_prio>>ᵢ$ 3)))
os_rdy_tbl
(val_inj
(and (Vint32 v0)
(Vint32 (Int.not ($ 1<<(ptcb_prio&$ 7))))))))
(V$0)) = Vnull)
(Hgetlast: get_last_tcb_ptr v´34 x0 = Some (Vptr (ptcb_addr,Int.zero)))
,
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v1 : val, LV timeout @ Int16u |-> v1) **
(EX v1 : val, LV pevent @ OS_EVENT ∗ |-> v1) **
(EX v1 : val, LV legal @ Int8u |-> v1) **
(EX v1 : val, LV pip @ Int8u |-> v1) **
(EX v1 : val, LV mprio @ Int8u |-> v1) **
(EX v1 : val, LV isrdy @ Int8u |-> v1) **
(EX v1 : val, LV ptcb @ OS_TCB ∗ |-> v1) **
(EX v1 : val, LV pevent2 @ OS_EVENT ∗ |-> v1) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
{{ <|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil) **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE)
(update_nth_val (Z.to_nat (Int.unsigned (ptcb_prio>>ᵢ$ 3))) os_rdy_tbl
(val_inj
(and (Vint32 v0) (Vint32 (Int.not ($ 1<<(ptcb_prio&$ 7))))))) **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64)
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val (Z.to_nat (Int.unsigned ptcb_prio)) ptbl
(Vptr v´53)) (Vptr (ptcb_addr, Int.zero))) **
PV v´53 @ Int8u |-> v´31 **
Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x10
:: xm
:: V$0
:: V$OS_STAT_RDY
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 (ptcb_prio>>ᵢ$ 3)
:: Vint32 ($ 1<<(ptcb_prio&$ 7))
:: Vint32 i2 :: nil) **
tcbdllseg x0 (Vptr (cur_addr, Int.zero)) v´43
(Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´42 Vnull v´36 **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
dllseg v´33 Vnull v´26 (Vptr (cur_addr, Int.zero)) v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
GV OSRdyGrp @ Int8u |-> v´39 **
G&OSPlaceHolder @ Int8u == v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero)}}
ptcb ′ → OSTCBPrio =ₑ pip ′;ₛ
ptcb ′ → OSTCBY =ₑ ptcb ′ → OSTCBPrio ≫ ′3;ₛ
ptcb ′ → OSTCBBitY =ₑ OSMapTbl ′ [ptcb ′ → OSTCBY];ₛ
ptcb ′ → OSTCBX =ₑ ptcb ′ → OSTCBPrio &ₑ ′7;ₛ
ptcb ′ → OSTCBBitX =ₑ OSMapTbl ′ [ptcb ′ → OSTCBX];ₛ
OSRdyGrp ′ =ₑ OSRdyGrp ′ |ₑ ptcb ′ → OSTCBBitY;ₛ
OSRdyTbl ′ [ptcb ′ → OSTCBY] =ₑ
OSRdyTbl ′ [ptcb ′ → OSTCBY] |ₑ ptcb ′ → OSTCBBitX;ₛ
OSTCBCur ′ → OSTCBStat =ₑ ′OS_STAT_MUTEX;ₛ
OSTCBCur ′ → OSTCBDly =ₑ timeout ′;ₛ
OS_EventTaskWait ( pevent ′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
ENTER_CRITICAL;ₛ
If(OSTCBCur ′ → OSTCBMsg !=ₑ NULL)
{EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR} ;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_TIMEOUT {{Afalse}}
.
(* Proof goal for one branch of the mutex-pend verification: the mutex owner
   task (ptcb) is currently ready and is located to the right of the current
   task in the TCB list (the first tcbdllseg in the precondition starts at x0,
   the current task's first field, and ends at ptcb_addr).

   The binders are the proof context at this program point:
   - Hif_ptcb_is_rdy1 / Hif_ptcb_is_rdy2: the owner's status is OS_STAT_RDY
     and its delay field is 0.
   - Hif_can_lift1 / Hif_can_lift2: the conditions of the priority-lifting
     branch -- the owner does not already run at pip (= x >> 8, see the
     LV pip assertion) and cur_prio is unsigned-less than mprio
     (= x & OS_MUTEX_KEEP_LOWER_8, see the LV mprio assertion).
   - Hif_false (the second binder of that name, see the note below): the
     owner's bit is set in its ready-table row, i.e. the row AND bitx is
     non-zero.

   The conclusion is the Hoare triple for the code that removes ptcb from the
   ready table at its old priority, re-inserts it at pip, and then blocks the
   current task on the mutex.  This is the priority-lifting step of what
   appears to be a uC/OS-II style OSMutexPend; the fun v : option val => ...
   component of the context looks like the return assertion and the trailing
   Afalse an exit assertion -- confirm against the framework's definition of
   the judgment.  The normal postcondition is Afalse because both control
   paths of the code end in RETURN. *)
Definition gen_mutex_pend_ptcb_is_rdy_right_to_cur:= forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(ptbl : vallist)
(v´33 : val)
(v´35 : list vallist)
(os_rdy_tbl : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(* The TCB map is split at the current task: tcbls_l covers the list before
   it, tcbls_r the current task and everything after it. *)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(Htcblist_subl : TCBList_P v´33 v´35 os_rdy_tbl tcbls_l)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(x0 : val)
(tcbls_r´ : TcbMod.map)
(* x is the raw OSEventCnt word of the mutex: its upper byte (x >> 8) is the
   priority-inheritance priority pip, its lower byte
   (x & OS_MUTEX_KEEP_LOWER_8) is the owner's original priority mprio. *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(H12 : isptr x0)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(* tcbls_r´ (the tasks after the current one) is split again around the
   owner: tcbls_sub_l before ptcb, v´52 = ptcb plus tcbls_sub_r after it. *)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_r´)
(Htcblist_sub_left : TCBList_P x0 v´34 os_rdy_tbl tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 os_rdy_tbl tcbls_sub_r)
(ptcb_addr : block)
(x10 : val)
(H31 : isptr x10)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(ptcb_stat : int32)
(H44 : Int.unsigned ptcb_stat <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(ptcb_tcby : int32)
(H47 : Int.unsigned ptcb_tcby <= 255)
(ptcb_bitx : int32)
(H48 : Int.unsigned ptcb_bitx <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H27 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(* Abstract view of the mutex: held by ptcb_addr at original priority mprio,
   with wait set wls. *)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(Htcblist_subr : TCBList_P x0
(v´34 ++
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
::
Vint32 i2 :: nil) :: v´36)
os_rdy_tbl tcbls_r´)
(H17 : RL_TCBblk_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil))
(Hptcb_prio_not_idle : ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcb_prio_scope_obv : 0 <= Int.unsigned ptcb_prio)
(Hptcb_prio_scope : Int.unsigned ptcb_prio < 64)
(* Owner is ready: OSTCBStat = OS_STAT_RDY and OSTCBDly = 0. *)
(Hif_ptcb_is_rdy1 : ptcb_stat = $ OS_STAT_RDY)
(Hif_ptcb_is_rdy2 : i11 = $ 0)
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, rdy, xm))
(H_ptcb_in_right : TcbMod.get tcbls_r´ (ptcb_addr, Int.zero) =
Some (ptcb_prio, rdy, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, rdy, xm) tcbls_sub_r v´52)
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(H50 : R_TCB_Status_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil)
os_rdy_tbl (ptcb_prio, rdy, xm))
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
os_rdy_tbl (cur_prio, rdy, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, rdy, Vnull)
tcbls_r´ tcbls_r)
(* NOTE: this Hif_false is shadowed by a later binder of the same name
   (below, the ready-table test); Coq accepts duplicate binder names, so
   the proof must refer to this one by whatever name intros assigns. *)
(Hif_false : Int.eq (x&$ OS_MUTEX_KEEP_LOWER_8) cur_prio = false)
(Hnocur : Int.eq cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = false)
(H_cur_prio_scope : Int.unsigned cur_prio < 64)
(Hx_scope1 : Int.unsigned (x>>ᵢ$ 8) < 64)
(* Priority-lifting branch taken: owner not already at pip, and the current
   task's priority value is unsigned-less than the owner's original one. *)
(Hif_can_lift1 : ptcb_prio <> x>>ᵢ$ 8)
(Hif_can_lift2 : Int.ltu cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = true)
(v´31 : val)
(Hptbl_1 : array_type_vallist_match OS_TCB ∗ ptbl)
(Hptbl_2 : length ptbl = 64%nat)
(H15 : RL_RTbl_PrioTbl_P os_rdy_tbl ptbl v´53)
(H51 : R_PrioTbl_P ptbl tcbls v´53)
(* The pip slot of OSTCBPrioTbl is the placeholder v´53, i.e. pip is held
   free for inheritance and not owned by another task. *)
(H_pip_is_hold : val_inj
(uop_eval
(val_inj
(bop_eval
(nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
ptbl) (Vptr v´53) OS_TCB ∗
OS_TCB ∗ oeq)) oppsite) =
Vint32 Int.zero \/
val_inj
(uop_eval
(val_inj
(bop_eval
(nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
ptbl) (Vptr v´53) OS_TCB ∗
OS_TCB ∗ oeq)) oppsite) = Vnull)
(H9 : array_type_vallist_match Int8u os_rdy_tbl)
(H54 : length os_rdy_tbl = ∘OS_RDY_TBL_SIZE)
(H52 : rule_type_val_match Int8u v´39 = true)
(H53 : RL_Tbl_Grp_P os_rdy_tbl v´39)
(H55 : prio_in_tbl ($ OS_IDLE_PRIO) os_rdy_tbl)
(* The owner's cached OSTCBY / OSTCBBitX fields agree with its priority. *)
(Hptcb_tcby : ptcb_tcby = ptcb_prio>>ᵢ$ 3)
(Hptcb_bitx : ptcb_bitx = $ 1<<(ptcb_prio&$ 7))
(Hptcb_tcby_scope : Int.unsigned (ptcb_prio>>ᵢ$ 3) < 8)
(* NOTE(review): Hptcb_bitx_scope restates the bound on ptcb_prio >> 3
   rather than a bound on ptcb_bitx; presumably a naming artifact of the
   generated context, harmless as a hypothesis. *)
(Hptcb_bitx_scope : Int.unsigned (ptcb_prio>>ᵢ$ 3) < 8)
(* Ready-table test on the owner's row was false-branch-free: the row AND
   the owner's bit is non-zero (the C condition compared it with 0). *)
(Hif_false : val_inj
(val_eq
(val_inj
(and
(nth_val´ (Z.to_nat (Int.unsigned ptcb_tcby))
os_rdy_tbl) (Vint32 ptcb_bitx)))
(V$0)) = Vint32 Int.zero \/
val_inj
(val_eq
(val_inj
(and
(nth_val´ (Z.to_nat (Int.unsigned ptcb_tcby))
os_rdy_tbl) (Vint32 ptcb_bitx)))
(V$0)) = Vnull)
(Hgetlast:
get_last_tcb_ptr v´34 x0 = Some (Vptr (ptcb_addr,Int.zero)))
,
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: OSTCBPrioTbl already has the owner's old slot pointing at
   the placeholder and the pip slot pointing at ptcb; OSRdyTbl is still the
   unmodified os_rdy_tbl, which the code below updates. *)
{{ <|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil) **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64)
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val (Z.to_nat (Int.unsigned ptcb_prio)) ptbl
(Vptr v´53)) (Vptr (ptcb_addr, Int.zero))) **
PV v´53 @ Int8u |-> v´31 **
Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil) **
tcbdllseg x0 (Vptr (cur_addr, Int.zero)) v´43
(Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´42 Vnull v´36 **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
dllseg v´33 Vnull v´26 (Vptr (cur_addr, Int.zero)) v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE) os_rdy_tbl **
GV OSRdyGrp @ Int8u |-> v´39 **
G&OSPlaceHolder @ Int8u == v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero)}}
(* 1. Remove the owner from the ready table at its old priority; clear the
      group bit too when its row becomes empty. *)
OSRdyTbl ′ [ptcb ′ → OSTCBY] &= ∼ ptcb ′ → OSTCBBitX;ₛ
If(OSRdyTbl ′ [ptcb ′ → OSTCBY] ==ₑ ′0)
{OSRdyGrp ′ &= ∼ ptcb ′ → OSTCBBitY} ;ₛ
(* 2. Lift the owner to pip and recompute its cached Y / BitY / X / BitX
      fields from OSMapTbl, then make it ready again at the new priority. *)
ptcb ′ → OSTCBPrio =ₑ pip ′;ₛ
ptcb ′ → OSTCBY =ₑ ptcb ′ → OSTCBPrio ≫ ′3;ₛ
ptcb ′ → OSTCBBitY =ₑ OSMapTbl ′ [ptcb ′ → OSTCBY];ₛ
ptcb ′ → OSTCBX =ₑ ptcb ′ → OSTCBPrio &ₑ ′7;ₛ
ptcb ′ → OSTCBBitX =ₑ OSMapTbl ′ [ptcb ′ → OSTCBX];ₛ
OSRdyGrp ′ =ₑ OSRdyGrp ′ |ₑ ptcb ′ → OSTCBBitY;ₛ
OSRdyTbl ′ [ptcb ′ → OSTCBY] =ₑ
OSRdyTbl ′ [ptcb ′ → OSTCBY] |ₑ ptcb ′ → OSTCBBitX;ₛ
(* 3. Block the current task on the mutex with the requested timeout and
      reschedule; after being resumed, a non-NULL OSTCBMsg means the mutex
      was handed over (OS_NO_ERR), otherwise the wait timed out. *)
OSTCBCur ′ → OSTCBStat =ₑ ′OS_STAT_MUTEX;ₛ
OSTCBCur ′ → OSTCBDly =ₑ timeout ′;ₛ
OS_EventTaskWait ( pevent ′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
ENTER_CRITICAL;ₛ
If(OSTCBCur ′ → OSTCBMsg !=ₑ NULL)
{EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR} ;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_TIMEOUT {{Afalse}}
.
(* Proof goal for the branch of the mutex-pend verification in which the
   priority-lifting condition is false.  LHif_false states that the C test
   (ptcb prio != pip) && (cur prio < mprio) -- encoded as bool_and of the
   negated Int.eq ptcb_prio (x >> 8) and Int.ltu cur_prio
   (x & OS_MUTEX_KEEP_LOWER_8) -- evaluated to zero (or Vnull), so the owner
   ptcb keeps its priority and neither OSRdyTbl nor OSTCBPrioTbl is touched.
   Accordingly the precondition keeps the ready-table and priority-table
   invariants folded (AOSRdyTblGrp v´38 v´39, AOSTCBPrioTbl v´32 v´38 tcbls
   v´53), and the conclusion covers only the code that blocks the current
   task on the mutex and returns after rescheduling.

   As in the other right_to_cur goals, ptcb lies to the right of the current
   task in the TCB list (first tcbdllseg from x0 up to ptcb_addr) and is
   ready (Hif_ptcb_is_rdy1/2).  The fun v : option val => ... component of
   the context looks like the return assertion and the trailing Afalse an
   exit assertion -- confirm against the framework's judgment definition.
   The normal postcondition is Afalse because both control paths end in
   RETURN. *)
Definition gen_mutex_pend_can_not_lift_right_to_cur:= forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(* v´32 is the priority table and v´38 the ready table in this goal (the
   is_rdy goal names them ptbl / os_rdy_tbl). *)
(v´32 : vallist)
(v´33 : val)
(v´35 : list vallist)
(v´38 : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(* TCB map split at the current task: tcbls_l before it, tcbls_r from the
   current task onwards. *)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(Htcblist_subl : TCBList_P v´33 v´35 v´38 tcbls_l)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(x0 : val)
(tcbls_r´ : TcbMod.map)
(* x is the raw OSEventCnt word: upper byte = pip, lower byte = mprio. *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(H12 : isptr x0)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(* tcbls_r´ is split around the owner: tcbls_sub_l before ptcb, v´52 = ptcb
   plus tcbls_sub_r after it. *)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_r´)
(Htcblist_sub_left : TCBList_P x0 v´34 v´38 tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 v´38 tcbls_sub_r)
(ptcb_addr : block)
(x10 : val)
(H31 : isptr x10)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(ptcb_stat : int32)
(H44 : Int.unsigned ptcb_stat <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(* i7 / i6 are the owner's OSTCBY / OSTCBBitX fields; only byte bounds are
   known here, their relation to ptcb_prio is not needed in this branch. *)
(i7 : int32)
(H47 : Int.unsigned i7 <= 255)
(i6 : int32)
(H48 : Int.unsigned i6 <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H27 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(* Abstract view of the mutex: held by ptcb_addr at original priority mprio,
   with wait set wls. *)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(Htcblist_subr : TCBList_P x0
(v´34 ++
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
::
Vint32 i2 :: nil) :: v´36)
v´38 tcbls_r´)
(H17 : RL_TCBblk_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7 :: Vint32 i6 :: Vint32 i2 :: nil))
(Hptcb_prio_not_idle : ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcb_prio_scope_obv : 0 <= Int.unsigned ptcb_prio)
(Hptcb_prio_scope : Int.unsigned ptcb_prio < 64)
(* Owner is ready: OSTCBStat = OS_STAT_RDY and OSTCBDly = 0. *)
(Hif_ptcb_is_rdy1 : ptcb_stat = $ OS_STAT_RDY)
(Hif_ptcb_is_rdy2 : i11 = $ 0)
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, rdy, xm))
(H_ptcb_in_right : TcbMod.get tcbls_r´ (ptcb_addr, Int.zero) =
Some (ptcb_prio, rdy, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, rdy, xm) tcbls_sub_r v´52)
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, rdy, xm))
(H50 : R_TCB_Status_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7 :: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, rdy, xm))
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
v´38 (cur_prio, rdy, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, rdy, Vnull)
tcbls_r´ tcbls_r)
(* The current task does not hold the mutex itself (mprio differs from
   cur_prio, stated in both argument orders). *)
(Hif_false : Int.eq (x&$ OS_MUTEX_KEEP_LOWER_8) cur_prio = false)
(Hnocur : Int.eq cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = false)
(H_cur_prio_scope : Int.unsigned cur_prio < 64)
(Hx_scope1 : Int.unsigned (x>>ᵢ$ 8) < 64)
(* The lifting test was false: NOT (ptcb_prio == pip) AND (cur_prio <u
   mprio) evaluates to zero or Vnull, so no priority inheritance happens. *)
(LHif_false : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq ptcb_prio (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(if Int.ltu cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq ptcb_prio (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(if Int.ltu cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) = Vnull)
,
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the owner's TCB is unchanged, and the ready-table and
   priority-table invariants stay folded since this branch modifies
   neither. *)
{{Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7 :: Vint32 i6 :: Vint32 i2 :: nil) **
tcbdllseg x0 (Vptr (cur_addr, Int.zero)) v´43
(Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´42 Vnull v´36 **
<|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
dllseg v´33 Vnull v´26 (Vptr (cur_addr, Int.zero)) v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp v´38 v´39 **
AOSTCBPrioTbl v´32 v´38 tcbls v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
(* Block the current task on the mutex with the requested timeout and
   reschedule; after being resumed, a non-NULL OSTCBMsg means the mutex was
   handed over (OS_NO_ERR), otherwise the wait timed out (OS_TIMEOUT). *)
OSTCBCur ′ → OSTCBStat =ₑ ′OS_STAT_MUTEX;ₛ
OSTCBCur ′ → OSTCBDly =ₑ timeout ′;ₛ
OS_EventTaskWait ( pevent ′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
ENTER_CRITICAL;ₛ
If(OSTCBCur ′ → OSTCBMsg !=ₑ NULL)
{EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR} ;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_TIMEOUT {{Afalse}}
.
Definition gen_mutex_pend_part_0:=
forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H : RH_TCBList_ECBList_P v´18 v´19 v´21)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(v´35 : list vallist)
(v´37 : list vallist)
(v´38 : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(v´41 : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 v´41)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(v´31 : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x2 : val)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(i2 : int32)
(H23 : Int.unsigned i2 <= 65535)
(H24 : isptr x2)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (v´31, Int.zero)) v´27 v´29 v´49 v´41)
(H2 : isptr (Vptr (v´31, Int.zero)))
(H16 : id_addrval´ (Vptr (v´31, Int.zero)) OSEventTbl OS_EVENT = Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(x : int32)
(x0 : owner)
(x1 : waitset)
(H17 : MatchMutexSem (Vint32 i2) x2 x x0)
(H8 : EcbMod.joinsig (v´31, Int.zero) (absmutexsem x x0, x1) v´50 v´51)
(Hget : EcbMod.get v´40 (v´31, Int.zero) = Some (absmutexsem x x0, x1))
(H26 : RH_ECB_P (absmutexsem x x0, x1))
(H6 : RLH_ECBData_P (DMutex (Vint32 i2) x2) (absmutexsem x x0, x1))
(v´26 : val)
(v´42 : val)
(v´45 : TcbMod.map)
(v´47 : TcbMod.map)
(v´52 : val)
(v´54 : block)
(H29 : v´33 <> Vnull)
(H30 : TcbMod.join v´45 v´47 v´41)
(H31 : TCBList_P v´33 v´35 v´38 v´45)
(H28 : Vptr (v´54, Int.zero) <> Vnull)
(x11 : val)
(x12 : val)
(H35 : isptr x12)
(H36 : isptr x11)
(i6 : int32)
(H39 : Int.unsigned i6 <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H12 : isptr v´52)
(H9 : RH_TCBList_ECBList_P v´40 v´41 (v´54, Int.zero))
(H10 : RH_CurTCB (v´54, Int.zero) v´41)
(st : taskstatus)
(Hgetcur_subr : TcbMod.get v´47 (v´54, Int.zero) = Some (i6, st, x11))
(Hgetcur : TcbMod.get v´41 (v´54, Int.zero) = Some (i6, st, x11))
(Hneq_idle : i6 <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H15 : x11 = Vnull)
(H7 : R_ECB_ETbl_P (v´31, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0 :: Vint32 i2 :: x2 :: x3 :: v´48 :: nil, v´46) v´41)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0 :: Vint32 i2 :: x2 :: x3 :: v´48 :: nil, v´46)
:: nil) ++ v´28) (v´29 ++ (DMutex (Vint32 i2) x2 :: nil) ++ v´30)
v´40 v´41)
(H32 : TCBList_P (Vptr (v´54, Int.zero))
((v´52
:: v´26
:: x12
:: x11
:: V$0
:: V$OS_STAT_RDY
:: Vint32 i6
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil) :: v´37)
v´38 v´47)
(Hcurnode : TCBNode_P
(v´52
:: v´26
:: x12
:: x11
:: V$0
:: V$OS_STAT_RDY
:: Vint32 i6
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
v´38 (i6, st, x11)),
{|OSQ_spec, GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
{{Astruct (v´54, Int.zero) OS_TCB
(v´52
:: v´26
:: x12
:: x11
:: V$0
:: V$OS_STAT_RDY
:: Vint32 i6
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
dllseg v´52 (Vptr (v´54, Int.zero)) v´42 Vnull v´37 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
dllseg v´33 Vnull v´26 (Vptr (v´54, Int.zero)) v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´54, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0 :: Vint32 i2 :: x2 :: x3 :: v´48 :: nil)
(DMutex (Vint32 i2) x2) **
Astruct (v´31, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0 :: Vint32 i2 :: x2 :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (v´31, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp v´38 v´39 **
AOSTCBPrioTbl v´32 v´38 v´41 v´53 **
HECBList v´40 **
HTCBList v´41 **
HCurTCB (v´54, Int.zero) **
<|| mutexpend (Vptr (v´31, Int.zero) :: Vint32 i :: nil) ||> **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV ptcb @ OS_TCB ∗ |-> v´3 **
LV isrdy @ Int8u |-> v´2 **
LV mprio @ Int8u |-> v´1 **
LV pip @ Int8u |-> v´0 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´31, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
pip′ =ₑ 〈Int8u〉(pevent′→OSEventCnt ≫ ′8);ₛ
If (OSTCBCur′→OSTCBPrio <ₑ pip′ ||ₑ (OSTCBCur′→OSTCBPrio ==ₑ pip′)){
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEX_PRIO
};ₛ
mprio′ =ₑ 〈Int8u〉(pevent′→OSEventCnt &ₑ ′OS_MUTEX_KEEP_LOWER_8);ₛ
ptcb′ =ₑ pevent′→OSEventPtr;ₛ
If (mprio′ ==ₑ ′OS_MUTEX_AVAILABLE) {
pevent′→OSEventCnt =ₑ pevent′→OSEventCnt &ₑ ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent′→OSEventCnt =ₑ pevent′→OSEventCnt |ₑ OSTCBCur′→OSTCBPrio;ₛ
pevent′→OSEventPtr =ₑ OSTCBCur′;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR
};ₛ
If(ptcb′ ==ₑ OSTCBCur′){
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEX_DEADLOCK
};ₛ
If(ptcb′→OSTCBPrio ==ₑ ′OS_IDLE_PRIO){
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEX_IDLE
};ₛ
If ( (ptcb′→OSTCBStat !=ₑ ′OS_STAT_RDY) ||ₑ (ptcb′→OSTCBDly !=ₑ ′0)){
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_NEST
};ₛ
If(mprio′ ==ₑ (OSTCBCur′→OSTCBPrio)){
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEX_DEADLOCK
};ₛ
IF ((ptcb′→OSTCBPrio !=ₑ pip′) &&ₑ (mprio′ >ₑ (OSTCBCur′→OSTCBPrio))){
If ( OSTCBPrioTbl′[pip′] !=ₑ 〈OS_TCB ∗〉 PlaceHolder){
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEXPR_NOT_HOLDER
};ₛ
OSTCBPrioTbl′[ ptcb′→OSTCBPrio ] =ₑ 〈OS_TCB ∗〉 PlaceHolder;ₛ
OSTCBPrioTbl′[pip′] =ₑ 〈OS_TCB ∗〉 ptcb′;ₛ
OSRdyTbl′[ptcb′→OSTCBY] =ₑ OSRdyTbl′[ptcb′→OSTCBY]&ₑ(∼ptcb′→OSTCBBitX);ₛ
If (OSRdyTbl′[ptcb′→OSTCBY] ==ₑ ′0)
{
OSRdyGrp′ =ₑ OSRdyGrp′ &ₑ (∼ptcb′→OSTCBBitY)
};ₛ
ptcb′→OSTCBPrio =ₑ pip′;ₛ
ptcb′→OSTCBY =ₑ ptcb′→OSTCBPrio ≫ ′3;ₛ
ptcb′→OSTCBBitY =ₑ OSMapTbl′[ptcb′→OSTCBY];ₛ
ptcb′→OSTCBX =ₑ (ptcb′→OSTCBPrio) &ₑ ′7;ₛ
ptcb′→OSTCBBitX =ₑ OSMapTbl′[ptcb′→OSTCBX];ₛ
OSRdyGrp′ =ₑ OSRdyGrp′ |ₑ ptcb′→OSTCBBitY;ₛ
OSRdyTbl′[ptcb′→OSTCBY] =ₑ OSRdyTbl′[ptcb′→OSTCBY] |ₑ ptcb′→OSTCBBitX;ₛ
OSTCBCur′→OSTCBStat =ₑ ′OS_STAT_MUTEX;ₛ
OSTCBCur′→OSTCBDly =ₑ timeout′;ₛ
OS_EventTaskWait(pevent′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
ENTER_CRITICAL;ₛ
If (OSTCBCur′→OSTCBMsg !=ₑ NULL){
EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR
};ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_TIMEOUT
} ELSE {
OSTCBCur′→OSTCBStat =ₑ ′OS_STAT_MUTEX;ₛ
OSTCBCur′→OSTCBDly =ₑ timeout′;ₛ
OS_EventTaskWait(pevent′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
ENTER_CRITICAL;ₛ
If (OSTCBCur′→OSTCBMsg !=ₑ NULL){
EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR
};ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_TIMEOUT
} {{Afalse}}.
(* Verification condition for the OSMutexPend error path in which the
   current task already holds the mutex it is pending on: the C branch
   [if (ptcb == OSTCBCur) { EXIT_CRITICAL; return OS_ERR_MUTEX_DEADLOCK; }].

   This is a generated goal: the [v´NN] / [xN] / [HN] binders are the proof
   context at that point of the main proof, so their names carry no meaning
   beyond what is stated here.

   Key hypotheses:
   - [Hmutex_not_avail]: the low byte of the OSEventCnt value [x] is not
     OS_MUTEX_AVAILABLE, i.e. the mutex is currently held by some task.
   - [Hcur_prio]: the priority-inheritance priority [x >> 8] is strictly
     below [cur_prio]; this matches the negation of the earlier
     [OSTCBCur->OSTCBPrio <= pip] test that returns OS_ERR_MUTEX_PRIO.
   - [LHift_true]: the C comparison [ptcb == OSTCBCur] produced a value that
     is neither 0, NULL nor undefined, which pins the owner [ptcb_tid] to
     [(cur_addr, Int.zero)].
   - [Hget] / [H8]: the abstract ECB at [pevent_addr] is
     [absmutexsem pip (Some (ptcb_tid, mprio))] with wait set [wls].

   Goal: the Hoare triple for [EXIT_CRITICAL; RETURN ′OS_ERR_MUTEX_DEADLOCK]
   with normal postcondition [Afalse], i.e. the statement never falls
   through.  The RETURN has to be justified against the return
   postcondition in the context ([fun v => ... <|| END v ||>]), which
   demands [Aie true] and [Acs nil] whereas the precondition carries
   [Aie false] and [Acs (true :: nil)] (inside the critical section entered
   earlier), so EXIT_CRITICAL must bridge the two; every local variable is
   left with an arbitrary value.  Overall the lemma shows that this guard,
   which rejects a self-deadlock, exits without disturbing the kernel
   invariant. *)
Definition gen_mutex_pend_ptcb_is_cur_err:= forall
(* [i] is the timeout argument of mutexpend (16-bit unsigned, see [H1]). *)
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(v´35 : list vallist)
(v´37 : list vallist)
(v´38 : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(* Event list split around the mutex ECB: [v´27]/[v´29] precede it
   ([H4]), [v´28]/[v´30] follow it ([H5]); [v´49] and [v´51] join to the
   whole abstract ECB map [v´40] ([H11]). *)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(* [v´46] is the event wait table (OSEventTbl) of the mutex ECB. *)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(* TCB list split around the current TCB: [tcbls_l] covers the nodes
   before it ([v´35]), [tcbls_r] the current node plus the rest ([v´37]). *)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(Htcblist_subl : TCBList_P v´33 v´35 v´38 tcbls_l)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(st : taskstatus)
(* The current task is not the idle task. *)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(* Abstract view of the current task: priority [cur_prio], status [st],
   no pending message. *)
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(x0 : val)
(x2 : TcbMod.map)
(Htcblist_subr : TCBList_P x0 v´37 v´38 x2)
(* [x] is the raw 16-bit OSEventCnt: high byte = PIP, low byte = owner
   priority (OS_MUTEX_AVAILABLE when free). *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(* [ptcb_tid] is the owner recorded in OSEventPtr. *)
(ptcb_tid : addrval)
(H24 : isptr (Vptr ptcb_tid))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0 :: Vint32 x :: Vptr ptcb_tid :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0 :: Vint32 x :: Vptr ptcb_tid :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++ (DMutex (Vint32 x) (Vptr ptcb_tid) :: nil) ++ v´30) v´40
tcbls)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (ptcb_tid, x&$ OS_MUTEX_KEEP_LOWER_8)),
wls) v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_tid, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8) (Some (ptcb_tid, x&$ OS_MUTEX_KEEP_LOWER_8)),
wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr ptcb_tid))
(absmutexsem (x>>ᵢ$ 8) (Some (ptcb_tid, x&$ OS_MUTEX_KEEP_LOWER_8)),
wls))
(ptcb_prio : priority)
(xm : msg)
(xs : taskstatus)
(H_ptcb : TcbMod.get tcbls ptcb_tid = Some (ptcb_prio, xs, xm))
(H12 : isptr x0)
(* Current TCB as a value list.  By position: next ([x0]), prev ([v´26]),
   [x12] (presumably OSTCBEventPtr), msg ([Vnull]), dly ([0]),
   stat ([OS_STAT_RDY]), prio ([cur_prio]); the last four are the
   X/Y/bit-mask fields, whose exact order is not fixed by this lemma. *)
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
v´38 (cur_prio, st, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, st, Vnull) x2
tcbls_r)
(* The C condition [ptcb == OSTCBCur] evaluated to true: the pointer
   comparison yields 1 exactly when [ptcb_tid] is [(cur_addr, Int.zero)],
   and that value is required to be non-zero, non-null and defined. *)
(LHift_true : val_inj
(let (b, ofs) := ptcb_tid in
if peq b cur_addr
then
if Int.eq ofs Int.zero
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)
else Some (Vint32 Int.zero)) <> Vint32 Int.zero /\
val_inj
(let (b, ofs) := ptcb_tid in
if peq b cur_addr
then
if Int.eq ofs Int.zero
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)
else Some (Vint32 Int.zero)) <> Vnull /\
val_inj
(let (b, ofs) := ptcb_tid in
if peq b cur_addr
then
if Int.eq ofs Int.zero
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)
else Some (Vint32 Int.zero)) <> Vundef)
,
(* Specification context: API spec, scheduling policy, global invariant
   [I], return postcondition (the [fun v => ...] below) and a last
   component [Afalse] (presumably the interrupt-return postcondition). *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the pending abstract [mutexpend] call, the locals
   already assigned ([ptcb], [mprio], [pip]), the current TCB and both
   halves of OSTCBList, the mutex ECB and both halves of OSEventList,
   interrupts disabled inside the critical section, and the remaining
   kernel-invariant pieces. *)
{{ <|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr ptcb_tid **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
(* Doubly linked segments after and before the current TCB; the two
   projections appear to select the prev (index 1) and next (index 0)
   fields of each node. *)
dllseg x0 (Vptr (cur_addr, Int.zero)) v´42 Vnull v´37 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
dllseg v´33 Vnull v´26 (Vptr (cur_addr, Int.zero)) v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0 :: Vint32 x :: Vptr ptcb_tid :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr ptcb_tid)) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0 :: Vint32 x :: Vptr ptcb_tid :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp v´38 v´39 **
AOSTCBPrioTbl v´32 v´38 tcbls v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
(* Statement under verification; [Afalse] as normal postcondition means
   control never falls through the RETURN. *)
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEX_DEADLOCK {{Afalse}}
.
(* Verification condition for the OSMutexPend error path in which the mutex
   owner is the idle task: the C branch
   [if (ptcb->OSTCBPrio == OS_IDLE_PRIO) { EXIT_CRITICAL; return OS_ERR_MUTEX_IDLE; }],
   in the sub-case where the owner's TCB lies in the part of OSTCBList that
   precedes the current TCB (hence the [left_to_cur] suffix).

   Generated goal: the [v´NN] / [xN] / [HN] binders are the proof context at
   that point of the main proof.

   Key hypotheses:
   - [Hmutex_not_avail], [Hcur_prio]: the mutex is held and the PIP
     [x >> 8] is strictly below [cur_prio], as in the deadlock lemma.
   - [H_ptcb_not_cur]: the owner [(ptcb_addr, Int.zero)] is not the current
     task, so the deadlock branch was not taken.
   - [Hget_last_tcb] / [Htcblist_subl]: the owner's node is the element that
     follows the prefix [v´34] of the left list segment and precedes
     [v´36]; the precondition exposes it as a separate
     [Astruct (ptcb_addr, Int.zero) OS_TCB] between two [tcbdllseg]s.
   - [LHift_true]: the owner's priority [ptcb_prio] equals OS_IDLE_PRIO,
     while [Hneq_idle] says the current task is not idle.

   Goal: the Hoare triple for [EXIT_CRITICAL; RETURN ′OS_ERR_MUTEX_IDLE]
   with normal postcondition [Afalse] (no fall-through); the RETURN is
   discharged against the context's return postcondition, which requires
   [Aie true] / [Acs nil] although the precondition holds
   [Aie false] / [Acs (true :: nil)].  This guard keeps the
   priority-inheritance update performed elsewhere in the function (which
   rewrites the owner's OSTCBPrio to [pip]) away from the idle task. *)
Definition gen_mutex_pend_ptcb_is_idle_err_left_to_cur:= forall
(* [i] is the timeout argument of mutexpend (16-bit unsigned, see [H1]). *)
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(v´37 : list vallist)
(v´38 : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(* Event list split around the mutex ECB ([H4] before, [H5] after);
   [v´49] and [v´51] join to the whole abstract ECB map [v´40]. *)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(* [v´46] is the event wait table (OSEventTbl) of the mutex ECB. *)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(* TCB list split around the current TCB: [tcbls_l] covers the nodes
   before it, [tcbls_r] the current node plus the rest ([v´37]). *)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(st : taskstatus)
(* The current task is not the idle task. *)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(x0 : val)
(x2 : TcbMod.map)
(Htcblist_subr : TCBList_P x0 v´37 v´38 x2)
(* [x] is the raw 16-bit OSEventCnt: high byte = PIP, low byte = owner
   priority (OS_MUTEX_AVAILABLE when free). *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(* Abstract state of the owner task: priority, status, message. *)
(ptcb_prio : priority)
(xm : msg)
(xs : taskstatus)
(H12 : isptr x0)
(* Current TCB as a value list: next, prev, [x12] (presumably
   OSTCBEventPtr), msg, dly = 0, stat = OS_STAT_RDY, prio, then the
   X/Y/bit-mask fields. *)
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
v´38 (cur_prio, st, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, st, Vnull) x2
tcbls_r)
(* The left segment is itself split around the owner: [v´34] before it
   (map [tcbls_sub_l]), [v´36] after it (map [tcbls_sub_r]); [v´52] is the
   owner node joined with [tcbls_sub_r]. *)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_l)
(Htcblist_sub_left : TCBList_P v´33 v´34 v´38 tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 v´38 tcbls_sub_r)
(ptcb_addr : block)
(x11 : val)
(H31 : isptr x11)
(* Owner TCB scalar fields; [i11] is bounded by 65535 (the 16-bit slot
   that holds OSTCBDly), the others by 255. *)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(i10 : int32)
(H44 : Int.unsigned i10 <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(i7 : int32)
(H47 : Int.unsigned i7 <= 255)
(i6 : int32)
(H48 : Int.unsigned i6 <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H17 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, xs, xm))
(* Owner is a different task from the current one and lives in the left
   half of the TCB list. *)
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(H_ptcb_in_left : TcbMod.get tcbls_l (ptcb_addr, Int.zero) =
Some (ptcb_prio, xs, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, xs, xm) tcbls_sub_r v´52)
(Hget_last_tcb : get_last_tcb_ptr v´34 v´33 =
Some (Vptr (ptcb_addr, Int.zero)))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(* Owner TCB as a value list, same layout as the current TCB: next
   ([v´45]), prev ([v´43]), [x11], msg ([xm]), dly ([i11]), stat ([i10]),
   prio ([ptcb_prio]), then the X/Y/bit-mask fields. *)
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, xs, xm))
(Htcblist_subl : TCBList_P v´33
(v´34 ++
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
::
Vint32 i2 :: nil) :: v´36)
v´38 tcbls_l)
(Hptcb_blk : RL_TCBblk_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil))
(Hptcb_stat : R_TCB_Status_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, xs, xm))
(* The C test [ptcb->OSTCBPrio == OS_IDLE_PRIO] succeeded. *)
(LHift_true : Int.eq ptcb_prio ($ OS_IDLE_PRIO) = true)
,
(* Specification context: API spec, scheduling policy, global invariant
   [I], return postcondition and a last component [Afalse] (presumably the
   interrupt-return postcondition). *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the owner TCB is materialised on its own, with the left
   list segment split into the part before it ([v´34]) and the part
   between it and the current TCB ([v´36]); then the pending abstract
   call, the assigned locals, the current TCB and the right segment, the
   mutex ECB and event list halves, the critical-section flags and the
   remaining kernel-invariant pieces. *)
{{Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7 :: Vint32 i6 :: Vint32 i2 :: nil) **
tcbdllseg v´33 Vnull v´43 (Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´26
(Vptr (cur_addr, Int.zero)) v´36 **
<|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
dllseg x0 (Vptr (cur_addr, Int.zero)) v´42 Vnull v´37 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp v´38 v´39 **
AOSTCBPrioTbl v´32 v´38 tcbls v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
(* Statement under verification; [Afalse] as normal postcondition means
   control never falls through the RETURN. *)
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEX_IDLE {{Afalse}}
.
(* Verification condition for the OSMutexPend error path in which the mutex
   owner is not ready to run: the C branch
   [if (ptcb->OSTCBStat != OS_STAT_RDY || ptcb->OSTCBDly != 0) { EXIT_CRITICAL; return OS_ERR_NEST; }],
   in the sub-case where the owner's TCB lies in the part of OSTCBList that
   precedes the current TCB ([left_to_cur]).

   Generated goal: the [v´NN] / [xN] / [HN] binders are the proof context at
   that point of the main proof.

   Key hypotheses:
   - [Hmutex_not_avail], [Hcur_prio]: the mutex is held and the PIP
     [x >> 8] is strictly below [cur_prio].
   - [H_ptcb_not_cur], [Hptcb_prio_not_idle], [Hptcb_prio_scope]: the
     owner is neither the current task nor the idle task, and its priority
     is below 64, so the deadlock and idle guards were already passed.
   - [Hget_last_tcb] / [Htcblist_subl]: the owner's node follows the prefix
     [v´34] of the left list segment and precedes [v´36].
   - [Hif_ptcb_is_not_rdy]: the owner's status slot [ptcb_stat] differs from
     OS_STAT_RDY, or its delay slot [i11] is non-zero; this is exactly the
     disjunction tested by the C condition.

   Goal: the Hoare triple for [EXIT_CRITICAL; RETURN ′OS_ERR_NEST] with
   normal postcondition [Afalse] (no fall-through); the RETURN is
   discharged against the context's return postcondition, which requires
   [Aie true] / [Acs nil] although the precondition holds
   [Aie false] / [Acs (true :: nil)].  This guard refuses to block on a
   mutex whose owner is itself blocked or delayed, so the
   priority-inheritance update performed elsewhere in the function is only
   ever applied to a runnable owner. *)
Definition gen_mutex_pend_ptcb_is_not_rdy_left_to_cur:= forall
(* [i] is the timeout argument of mutexpend (16-bit unsigned, see [H1]). *)
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(v´37 : list vallist)
(v´38 : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(* Event list split around the mutex ECB ([H4] before, [H5] after);
   [v´49] and [v´51] join to the whole abstract ECB map [v´40]. *)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(* [v´46] is the event wait table (OSEventTbl) of the mutex ECB. *)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(* TCB list split around the current TCB: [tcbls_l] covers the nodes
   before it, [tcbls_r] the current node plus the rest ([v´37]). *)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(st : taskstatus)
(* The current task is not the idle task. *)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(x0 : val)
(x2 : TcbMod.map)
(Htcblist_subr : TCBList_P x0 v´37 v´38 x2)
(* [x] is the raw 16-bit OSEventCnt: high byte = PIP, low byte = owner
   priority (OS_MUTEX_AVAILABLE when free). *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(* Abstract state of the owner task: priority, status, message. *)
(ptcb_prio : priority)
(xm : msg)
(xs : taskstatus)
(H12 : isptr x0)
(* Current TCB as a value list: next, prev, [x12] (presumably
   OSTCBEventPtr), msg, dly = 0, stat = OS_STAT_RDY, prio, then the
   X/Y/bit-mask fields. *)
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
v´38 (cur_prio, st, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, st, Vnull) x2
tcbls_r)
(* The left segment is itself split around the owner: [v´34] before it
   (map [tcbls_sub_l]), [v´36] after it (map [tcbls_sub_r]); [v´52] is the
   owner node joined with [tcbls_sub_r]. *)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_l)
(Htcblist_sub_left : TCBList_P v´33 v´34 v´38 tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 v´38 tcbls_sub_r)
(ptcb_addr : block)
(x11 : val)
(H31 : isptr x11)
(* Owner TCB scalar fields: [i11] is the 16-bit OSTCBDly slot,
   [ptcb_stat] the OSTCBStat slot; both are tested by the C condition. *)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(ptcb_stat : int32)
(H44 : Int.unsigned ptcb_stat <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(i7 : int32)
(H47 : Int.unsigned i7 <= 255)
(i6 : int32)
(H48 : Int.unsigned i6 <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H17 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, xs, xm))
(* Owner is a different task from the current one and lives in the left
   half of the TCB list. *)
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(H_ptcb_in_left : TcbMod.get tcbls_l (ptcb_addr, Int.zero) =
Some (ptcb_prio, xs, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, xs, xm) tcbls_sub_r v´52)
(Hget_last_tcb : get_last_tcb_ptr v´34 v´33 =
Some (Vptr (ptcb_addr, Int.zero)))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(* Owner TCB as a value list, same layout as the current TCB: next
   ([v´45]), prev ([v´43]), [x11], msg ([xm]), dly ([i11]),
   stat ([ptcb_stat]), prio ([ptcb_prio]), then the X/Y/bit-mask fields. *)
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, xs, xm))
(Htcblist_subl : TCBList_P v´33
(v´34 ++
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
::
Vint32 i2 :: nil) :: v´36)
v´38 tcbls_l)
(Hptcb_blk : RL_TCBblk_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil))
(Hptcb_stat : R_TCB_Status_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, xs, xm))
(* Facts established by the earlier idle check and by the TCB invariant:
   the owner is not idle and its priority is a valid index below 64. *)
(Hptcb_prio_not_idle : ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcb_prio_scope_obv : 0 <= Int.unsigned ptcb_prio)
(Hptcb_prio_scope : Int.unsigned ptcb_prio < 64)
(* The C test [ptcb->OSTCBStat != OS_STAT_RDY || ptcb->OSTCBDly != 0]
   succeeded. *)
(Hif_ptcb_is_not_rdy : ptcb_stat <> $ OS_STAT_RDY \/ i11 <> $ 0)
,
(* Specification context: API spec, scheduling policy, global invariant
   [I], return postcondition and a last component [Afalse] (presumably the
   interrupt-return postcondition). *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the owner TCB is materialised on its own, with the left
   list segment split into the part before it ([v´34]) and the part
   between it and the current TCB ([v´36]); then the pending abstract
   call, the assigned locals, the current TCB and the right segment, the
   mutex ECB and event list halves, the critical-section flags and the
   remaining kernel-invariant pieces. *)
{{Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7 :: Vint32 i6 :: Vint32 i2 :: nil) **
tcbdllseg v´33 Vnull v´43 (Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´26
(Vptr (cur_addr, Int.zero)) v´36 **
<|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
dllseg x0 (Vptr (cur_addr, Int.zero)) v´42 Vnull v´37 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp v´38 v´39 **
AOSTCBPrioTbl v´32 v´38 tcbls v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
(* Statement under verification; [Afalse] as normal postcondition means
   control never falls through the RETURN. *)
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_NEST {{Afalse}}
.
Definition gen_mutex_pend_cur_prio_eql_mprio_left_to_cur:= forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(v´37 : list vallist)
(os_rdy_tbl : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(x0 : val)
(x2 : TcbMod.map)
(Htcblist_subr : TCBList_P x0 v´37 os_rdy_tbl x2)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(H12 : isptr x0)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_l)
(Htcblist_sub_left : TCBList_P v´33 v´34 os_rdy_tbl tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 os_rdy_tbl tcbls_sub_r)
(ptcb_addr : block)
(x11 : val)
(H31 : isptr x11)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(ptcb_stat : int32)
(H44 : Int.unsigned ptcb_stat <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(ptcb_tcby : int32)
(H47 : Int.unsigned ptcb_tcby <= 255)
(ptcb_bitx : int32)
(H48 : Int.unsigned ptcb_bitx <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H17 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(Hget_last_tcb : get_last_tcb_ptr v´34 v´33 =
Some (Vptr (ptcb_addr, Int.zero)))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(Htcblist_subl : TCBList_P v´33
(v´34 ++
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
::
Vint32 i2 :: nil) :: v´36)
os_rdy_tbl tcbls_l)
(Hptcb_blk : RL_TCBblk_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil))
(Hptcb_prio_not_idle : ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcb_prio_scope_obv : 0 <= Int.unsigned ptcb_prio)
(Hptcb_prio_scope : Int.unsigned ptcb_prio < 64)
(Hif_ptcb_is_rdy1 : ptcb_stat = $ OS_STAT_RDY)
(Hif_ptcb_is_rdy2 : i11 = $ 0)
(Hrtbl_type : array_type_vallist_match Int8u os_rdy_tbl)
(Hrtbl_len : length os_rdy_tbl = ∘OS_RDY_TBL_SIZE)
(Hgrp1 : RL_Tbl_Grp_P os_rdy_tbl v´39)
(Hgrp2 : prio_in_tbl ($ OS_IDLE_PRIO) os_rdy_tbl)
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, rdy, xm))
(H_ptcb_in_left : TcbMod.get tcbls_l (ptcb_addr, Int.zero) =
Some (ptcb_prio, rdy, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, rdy, xm) tcbls_sub_r v´52)
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(Hptcb_stat : R_TCB_Status_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
os_rdy_tbl (cur_prio, rdy, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, rdy, Vnull) x2
tcbls_r)
(Hcur_prio_eql_mprio : Int.eq (x&$ OS_MUTEX_KEEP_LOWER_8) cur_prio = true)
,
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
{{Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil) **
tcbdllseg v´33 Vnull v´43 (Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´26
(Vptr (cur_addr, Int.zero)) v´36 **
<|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
dllseg x0 (Vptr (cur_addr, Int.zero)) v´42 Vnull v´37 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp os_rdy_tbl v´39 **
AOSTCBPrioTbl v´32 os_rdy_tbl tcbls v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEX_DEADLOCK {{Afalse}}
.
(* Proof obligation for one error-return path of OSMutexPend
   (hypothesis set 'pip_is_not_hold', layout 'left_to_cur').
   State captured by the hypotheses:
   - the mutex at pevent_addr is held: its count word x (third field of
     the OS_EVENT struct) encodes the PIP in the high byte (x>>ᵢ$ 8, local
     pip) and the owner priority in the low byte
     (x&$ OS_MUTEX_KEEP_LOWER_8, local mprio); the abstract ECB entry
     names ptcb_addr as the owner (H8, Hget);
   - the owner TCB ptcb_addr precedes the current TCB in the task list:
     the segment from v´33 ends at ptcb_addr and the segment starting at
     v´45 ends at cur_addr, hence 'left_to_cur';
   - the current task is ready (Hgetcur) and is not the owner
     (Hif_false, Hnocur, H_ptcb_not_cur);
   - Hif_true: the OSTCBPrioTbl slot at index pip is not the placeholder
     address v´53 (G&OSPlaceHolder), i.e. the C test 'ptbl[pip] != the
     placeholder' evaluated to true (result neither zero, Vnull nor
     Vundef); presumably the slot is taken by a real TCB, but the exact
     meaning of R_PrioTbl_P is not visible here.
   Conclusion: from this precondition, EXIT_CRITICAL;ₛ RETURN
   ′OS_ERR_MUTEXPR_NOT_HOLDER meets the return assertion carried in the
   spec context; Afalse as the postcondition reflects that RETURN does
   not fall through (assumed framework convention, confirm against the
   RETURN rule). *)
Definition gen_mutex_pend_pip_is_not_hold_left_to_cur:= forall
(* i: the timeout argument of the call (LV timeout @ Int16u |-> Vint32 i). *)
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(* v´27/v´29: event list prefix before pevent; v´28/v´30: the suffix after it. *)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(* ptbl: contents of OSTCBPrioTbl, 64 entries of type OS_TCB pointer (Hptbl_1, Hptbl_2). *)
(ptbl : vallist)
(v´33 : val)
(v´37 : list vallist)
(os_rdy_tbl : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(* v´53: address of the OSPlaceHolder byte (G&OSPlaceHolder @ Int8u == v´53). *)
(v´53 : addrval)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(* tcbls_l / tcbls_r: the abstract TCB map split at the current TCB (Htcbjoin_whole). *)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(x0 : val)
(x2 : TcbMod.map)
(Htcblist_subr : TCBList_P x0 v´37 os_rdy_tbl x2)
(* x: the mutex count word; high byte is the PIP, low byte the owner priority. *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(* The low byte is not OS_MUTEX_AVAILABLE: the mutex is currently held. *)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(* PIP is numerically lower (i.e. higher priority) than the caller's priority. *)
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(H12 : isptr x0)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_l)
(Htcblist_sub_left : TCBList_P v´33 v´34 os_rdy_tbl tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 os_rdy_tbl tcbls_sub_r)
(* ptcb_addr: the TCB of the mutex owner. *)
(ptcb_addr : block)
(x11 : val)
(H31 : isptr x11)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(ptcb_stat : int32)
(H44 : Int.unsigned ptcb_stat <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(ptcb_tcby : int32)
(H47 : Int.unsigned ptcb_tcby <= 255)
(ptcb_bitx : int32)
(H48 : Int.unsigned ptcb_bitx <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H17 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(* Abstract view of the mutex: PIP x>>ᵢ$ 8, owner ptcb_addr at priority x&$ OS_MUTEX_KEEP_LOWER_8, wait set wls. *)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(Hget_last_tcb : get_last_tcb_ptr v´34 v´33 =
Some (Vptr (ptcb_addr, Int.zero)))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(Htcblist_subl : TCBList_P v´33
(v´34 ++
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
::
Vint32 i2 :: nil) :: v´36)
os_rdy_tbl tcbls_l)
(Hptcb_blk : RL_TCBblk_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil))
(Hptcb_prio_not_idle : ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcb_prio_scope_obv : 0 <= Int.unsigned ptcb_prio)
(Hptcb_prio_scope : Int.unsigned ptcb_prio < 64)
(* The owner is ready (status OS_STAT_RDY, delay counter 0). *)
(Hif_ptcb_is_rdy1 : ptcb_stat = $ OS_STAT_RDY)
(Hif_ptcb_is_rdy2 : i11 = $ 0)
(Hrtbl_type : array_type_vallist_match Int8u os_rdy_tbl)
(Hrtbl_len : length os_rdy_tbl = ∘OS_RDY_TBL_SIZE)
(Hgrp1 : RL_Tbl_Grp_P os_rdy_tbl v´39)
(Hgrp2 : prio_in_tbl ($ OS_IDLE_PRIO) os_rdy_tbl)
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, rdy, xm))
(H_ptcb_in_left : TcbMod.get tcbls_l (ptcb_addr, Int.zero) =
Some (ptcb_prio, rdy, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, rdy, xm) tcbls_sub_r v´52)
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(Hptcb_stat : R_TCB_Status_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
os_rdy_tbl (cur_prio, rdy, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, rdy, Vnull) x2
tcbls_r)
(* The caller is not the owner: mprio differs from cur_prio (both directions). *)
(Hif_false : Int.eq (x&$ OS_MUTEX_KEEP_LOWER_8) cur_prio = false)
(Hnocur : Int.eq cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = false)
(H_cur_prio_scope : Int.unsigned cur_prio < 64)
(Hx_scope1 : Int.unsigned (x>>ᵢ$ 8) < 64)
(* The owner is not already running at the PIP, and the caller outranks the owner. *)
(Hif_can_lift1 : ptcb_prio <> x>>ᵢ$ 8)
(Hif_can_lift2 : Int.ltu cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = true)
(* v´31: current contents of the placeholder byte (PV v´53 @ Int8u |-> v´31). *)
(v´31 : val)
(Hptbl_1 : array_type_vallist_match OS_TCB ∗ ptbl)
(Hptbl_2 : length ptbl = 64%nat)
(H15 : RL_RTbl_PrioTbl_P os_rdy_tbl ptbl v´53)
(H27 : R_PrioTbl_P ptbl tcbls v´53)
(* Hif_true: the C condition 'ptbl[pip] != placeholder' is true, i.e.
   the negated pointer-equality test yields neither zero, Vnull nor Vundef. *)
(Hif_true : val_inj
(uop_eval
(val_inj
(bop_eval
(nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) ptbl)
(Vptr v´53) OS_TCB ∗ OS_TCB ∗ oeq)) oppsite) <>
Vint32 Int.zero /\
val_inj
(uop_eval
(val_inj
(bop_eval
(nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) ptbl)
(Vptr v´53) OS_TCB ∗ OS_TCB ∗ oeq)) oppsite) <> Vnull /\
val_inj
(uop_eval
(val_inj
(bop_eval
(nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) ptbl)
(Vptr v´53) OS_TCB ∗ OS_TCB ∗ oeq)) oppsite) <>
Vundef)
,
(* Spec context: OSQ_spec, GetHPrio, invariant I, the return assertion
   (every local re-existentialised, interrupts enabled, END v) and Afalse
   as the exception assertion. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the concrete heap inside the critical section
   (Aie false, Acs (true :: nil)), the two TCB list segments around the
   owner, the owner and current TCB structs, the mutex OS_EVENT struct and
   its wait table, and the local variables as set so far. *)
{{PV v´53 @ Int8u |-> v´31 **
Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil) **
tcbdllseg v´33 Vnull v´43 (Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´26
(Vptr (cur_addr, Int.zero)) v´36 **
<|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
dllseg x0 (Vptr (cur_addr, Int.zero)) v´42 Vnull v´37 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp os_rdy_tbl v´39 **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64) ptbl **
G&OSPlaceHolder @ Int8u == v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEXPR_NOT_HOLDER {{Afalse}}
.
(* Proof obligation for the OS_ERR_MUTEX_IDLE error-return path of
   OSMutexPend (hypothesis set 'ptcb_is_idle_err', layout 'right_to_cur').
   - The mutex at pevent_addr is held by ptcb_addr (H8, Hget); local pip
     holds x>>ᵢ$ 8 and local mprio holds x&$ OS_MUTEX_KEEP_LOWER_8.
   - The owner TCB follows the current TCB in the task list: the segment
     starting at x0 (the current TCB's next pointer) ends at ptcb_addr and
     the remainder from v´45 runs to Vnull, hence 'right_to_cur'. The
     owner's status xs and message xm are left abstract, and the current
     task's status st is abstract as well.
   - LHift_true: the owner's priority equals OS_IDLE_PRIO, so the kernel
     refuses to pend on a mutex recorded as held by the idle task.
   Conclusion: from this state, EXIT_CRITICAL;ₛ RETURN ′OS_ERR_MUTEX_IDLE
   meets the return assertion of the spec context; Afalse as the
   postcondition reflects that RETURN does not fall through (assumed
   framework convention, confirm against the RETURN rule). *)
Definition gen_mutex_pend_ptcb_is_idle_err_right_to_cur:= forall
(* i: the timeout argument of the call (LV timeout @ Int16u |-> Vint32 i). *)
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(* v´27/v´29: event list prefix before pevent; v´28/v´30: the suffix after it. *)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(* v´35: the TCB list prefix from OSTCBList (v´33) up to the current TCB. *)
(v´35 : list vallist)
(* v´38: the ready table used by every TCBList_P / TCBNode_P fact below. *)
(v´38 : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(* tcbls_l / tcbls_r: the abstract TCB map split at the current TCB (Htcbjoin_whole). *)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(Htcblist_subl : TCBList_P v´33 v´35 v´38 tcbls_l)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(* st: abstract status of the current task; not constrained by this obligation. *)
(st : taskstatus)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(* x0: next pointer of the current TCB; tcbls_r´: the map for the list after it. *)
(x0 : val)
(tcbls_r´ : TcbMod.map)
(* x: the mutex count word; high byte is the PIP, low byte the owner priority. *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(* The low byte is not OS_MUTEX_AVAILABLE: the mutex is currently held. *)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(* xs: abstract status of the owner task; left unconstrained here. *)
(xs : taskstatus)
(H12 : isptr x0)
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
v´38 (cur_prio, st, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, st, Vnull)
tcbls_r´ tcbls_r)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_r´)
(Htcblist_sub_left : TCBList_P x0 v´34 v´38 tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 v´38 tcbls_sub_r)
(* ptcb_addr: the TCB of the mutex owner. *)
(ptcb_addr : block)
(x10 : val)
(H31 : isptr x10)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(i10 : int32)
(H44 : Int.unsigned i10 <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(i7 : int32)
(H47 : Int.unsigned i7 <= 255)
(i6 : int32)
(H48 : Int.unsigned i6 <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H17 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(* Abstract view of the mutex: PIP x>>ᵢ$ 8, owner ptcb_addr at priority x&$ OS_MUTEX_KEEP_LOWER_8, wait set wls. *)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, xs, xm))
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(H_ptcb_in_right : TcbMod.get tcbls_r´ (ptcb_addr, Int.zero) =
Some (ptcb_prio, xs, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, xs, xm) tcbls_sub_r v´52)
(Hget_last_tcb : get_last_tcb_ptr v´34 x0 =
Some (Vptr (ptcb_addr, Int.zero)))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, xs, xm))
(Htcblist_subr : TCBList_P x0
(v´34 ++
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
::
Vint32 i2 :: nil) :: v´36)
v´38 tcbls_r´)
(Hptcb_blk : RL_TCBblk_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil))
(Hptcb_stat : R_TCB_Status_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, xs, xm))
(* The C test 'ptcb prio == OS_IDLE_PRIO' evaluated to true: the error case. *)
(LHift_true : Int.eq ptcb_prio ($ OS_IDLE_PRIO) = true)
,
(* Spec context: OSQ_spec, GetHPrio, invariant I, the return assertion
   (every local re-existentialised, interrupts enabled, END v) and Afalse
   as the exception assertion. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the concrete heap inside the critical section
   (Aie false, Acs (true :: nil)): the owner TCB struct, the segment from
   x0 to the owner and the remainder to Vnull, the current TCB struct with
   the prefix list v´35 before it, the mutex OS_EVENT struct and its wait
   table, and the local variables as set so far. *)
{{Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7 :: Vint32 i6 :: Vint32 i2 :: nil) **
tcbdllseg x0 (Vptr (cur_addr, Int.zero)) v´43
(Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´42 Vnull v´36 **
<|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
dllseg v´33 Vnull v´26 (Vptr (cur_addr, Int.zero)) v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp v´38 v´39 **
AOSTCBPrioTbl v´32 v´38 tcbls v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEX_IDLE {{Afalse}}
.
Definition gen_mutex_pend_ptcb_is_not_rdy_right_to_cur:= forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(v´35 : list vallist)
(v´38 : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(Htcblist_subl : TCBList_P v´33 v´35 v´38 tcbls_l)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(st : taskstatus)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(x0 : val)
(tcbls_r´ : TcbMod.map)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(xs : taskstatus)
(H12 : isptr x0)
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
v´38 (cur_prio, st, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, st, Vnull)
tcbls_r´ tcbls_r)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_r´)
(Htcblist_sub_left : TCBList_P x0 v´34 v´38 tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 v´38 tcbls_sub_r)
(ptcb_addr : block)
(x10 : val)
(H31 : isptr x10)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(ptcb_stat : int32)
(H44 : Int.unsigned ptcb_stat <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(i7 : int32)
(H47 : Int.unsigned i7 <= 255)
(i6 : int32)
(H48 : Int.unsigned i6 <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H17 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, xs, xm))
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(H_ptcb_in_right : TcbMod.get tcbls_r´ (ptcb_addr, Int.zero) =
Some (ptcb_prio, xs, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, xs, xm) tcbls_sub_r v´52)
(Hget_last_tcb : get_last_tcb_ptr v´34 x0 =
Some (Vptr (ptcb_addr, Int.zero)))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, xs, xm))
(Htcblist_subr : TCBList_P x0
(v´34 ++
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
::
Vint32 i2 :: nil) :: v´36)
v´38 tcbls_r´)
(Hptcb_blk : RL_TCBblk_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil))
(Hptcb_stat : R_TCB_Status_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, xs, xm))
(Hptcb_prio_not_idle : ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcb_prio_scope_obv : 0 <= Int.unsigned ptcb_prio)
(Hptcb_prio_scope : Int.unsigned ptcb_prio < 64)
(Hif_ptcb_is_not_rdy : ptcb_stat <> $ OS_STAT_RDY \/ i11 <> $ 0)
,
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
{{Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7 :: Vint32 i6 :: Vint32 i2 :: nil) **
tcbdllseg x0 (Vptr (cur_addr, Int.zero)) v´43
(Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´42 Vnull v´36 **
<|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
dllseg v´33 Vnull v´26 (Vptr (cur_addr, Int.zero)) v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp v´38 v´39 **
AOSTCBPrioTbl v´32 v´38 tcbls v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_NEST {{Afalse}}
.
(* Proof obligation for the OSMutexPend branch that returns OS_ERR_MUTEX_DEADLOCK.
   Like the other [gen_mutex_pend_*] definitions in this file it freezes the
   proof context reached at one program point of the mutex-pend verification,
   so that the remaining Hoare-triple goal can be proved as a separate lemma.
   Situation captured by the hypotheses:
   - the current task [cur_addr] runs at priority [cur_prio] and is ready
     ([Hcurnode], [Hgetcur]); the critical section is entered
     ([Aie false], [Acs (true :: nil)] in the precondition);
   - the mutex owner [ptcb_addr] is a different task ([H_ptcb_not_cur]) that
     sits to the right of [cur_addr] in the TCB list ([Htcblist_subr],
     [Hget_last_tcb]) and is itself ready ([Hif_ptcb_is_rdy1],
     [Hif_ptcb_is_rdy2], [H_ptcb]);
   - the priority recorded for the owner in the abstract mutex
     ([absmutexsem], low byte [x&$ OS_MUTEX_KEEP_LOWER_8], held in the local
     [mprio]) equals [cur_prio] ([Hcur_prio_eql_mprio]); this is the branch
     condition that selects the deadlock error.
   Conclusion: from the precondition, [EXIT_CRITICAL;ₛ RETURN ′OS_ERR_MUTEX_DEADLOCK]
   must establish the return postcondition of the spec header (locals
   existentially quantified, [Aie true], [Acs nil]).  [{{Afalse}}] as the normal
   postcondition presumably records that control never falls through the RETURN.
   NOTE(review): [H_ptcb_not_cur] and [Hcur_prio_eql_mprio] together place a
   distinct task on the owner's recorded priority; whether that state is
   reachable depends on the uniqueness facts folded into [AOSTCBPrioTbl], which
   are not unfolded here.
   NOTE(review): binder names are most likely consumed as hypothesis names by
   [intros] in the accompanying proof script, so they must not be renamed. *)
Definition gen_mutex_pend_cur_prio_eql_mprio_right_to_cur:= forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(v´35 : list vallist)
(os_rdy_tbl : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(* Event-control-block list split around the mutex [pevent_addr]:
   [v´27]/[v´29] before it, [v´28]/[v´30] after it, maps joined by [H11]. *)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(* TCB list split around the current task: [v´35]/[tcbls_l] to its left,
   [tcbls_r] from the current task onwards ([Htcbjoin_whole]). *)
(H29 : v´33 <> Vnull)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(Htcblist_subl : TCBList_P v´33 v´35 os_rdy_tbl tcbls_l)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(x0 : val)
(tcbls_r´ : TcbMod.map)
(* [x] is the 16-bit mutex value: high byte [x>>ᵢ$ 8] is the pip, low byte
   [x&$ OS_MUTEX_KEEP_LOWER_8] the owner priority (see the [LV pip]/[LV mprio]
   cells in the precondition). *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(H12 : isptr x0)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(* The right part [tcbls_r´] is itself split at the owner TCB:
   [v´34] between the current task and the owner, [v´36] after the owner. *)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_r´)
(Htcblist_sub_left : TCBList_P x0 v´34 os_rdy_tbl tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 os_rdy_tbl tcbls_sub_r)
(ptcb_addr : block)
(x10 : val)
(H31 : isptr x10)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(ptcb_stat : int32)
(H44 : Int.unsigned ptcb_stat <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(ptcb_tcby : int32)
(H47 : Int.unsigned ptcb_tcby <= 255)
(ptcb_bitx : int32)
(H48 : Int.unsigned ptcb_bitx <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H17 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(* Abstract view of the mutex: pip, owner (address plus recorded priority)
   and wait list [wls]. *)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(Hget_last_tcb : get_last_tcb_ptr v´34 x0 =
Some (Vptr (ptcb_addr, Int.zero)))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(Htcblist_subr : TCBList_P x0
(v´34 ++
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
::
Vint32 i2 :: nil) :: v´36)
os_rdy_tbl tcbls_r´)
(Hptcb_blk : RL_TCBblk_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil))
(Hptcb_prio_not_idle : ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcb_prio_scope_obv : 0 <= Int.unsigned ptcb_prio)
(Hptcb_prio_scope : Int.unsigned ptcb_prio < 64)
(* Owner is ready: status field is OS_STAT_RDY and its delay counter is 0. *)
(Hif_ptcb_is_rdy1 : ptcb_stat = $ OS_STAT_RDY)
(Hif_ptcb_is_rdy2 : i11 = $ 0)
(Hrtbl_type : array_type_vallist_match Int8u os_rdy_tbl)
(Hrtbl_len : length os_rdy_tbl = ∘OS_RDY_TBL_SIZE)
(Hgrp1 : RL_Tbl_Grp_P os_rdy_tbl v´39)
(Hgrp2 : prio_in_tbl ($ OS_IDLE_PRIO) os_rdy_tbl)
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, rdy, xm))
(H_ptcb_in_right : TcbMod.get tcbls_r´ (ptcb_addr, Int.zero) =
Some (ptcb_prio, rdy, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, rdy, xm) tcbls_sub_r v´52)
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(Hptcb_stat : R_TCB_Status_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
os_rdy_tbl (cur_prio, rdy, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, rdy, Vnull)
tcbls_r´ tcbls_r)
(* Branch condition for this path: mprio == current priority. *)
(Hcur_prio_eql_mprio : Int.eq (x&$ OS_MUTEX_KEEP_LOWER_8) cur_prio = true)
,
(* Spec header: function specs [OSQ_spec], [GetHPrio], invariant [I], the
   postcondition for RETURN (parameterised by the returned value [v]), and
   [Afalse] for the exceptional exit. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: concrete state at the branch point, inside the critical
   section.  The TCB list appears in three pieces around [cur_addr] and
   [ptcb_addr]; the remaining abstract-op to justify is [mutexpend]. *)
{{Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil) **
tcbdllseg x0 (Vptr (cur_addr, Int.zero)) v´43
(Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´42 Vnull v´36 **
<|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
dllseg v´33 Vnull v´26 (Vptr (cur_addr, Int.zero)) v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp os_rdy_tbl v´39 **
AOSTCBPrioTbl v´32 os_rdy_tbl tcbls v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
(* Statement under verification. *)
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEX_DEADLOCK {{Afalse}}
.
(* Proof obligation for the OSMutexPend branch that returns
   OS_ERR_MUTEXPR_NOT_HOLDER.  Same frozen context as
   [gen_mutex_pend_cur_prio_eql_mprio_right_to_cur] (owner [ptcb_addr] is a
   different, ready task located to the right of [cur_addr] in the TCB list),
   but with the branch conditions of the other path:
   - [cur_prio] differs from mprio, the low byte [x&$ OS_MUTEX_KEEP_LOWER_8]
     of the mutex value ([Hif_false], [Hnocur]), and is unsigned-less than it
     ([Hif_can_lift2]);
   - the owner's current priority [ptcb_prio] is not the pip byte [x>>ᵢ$ 8]
     ([Hif_can_lift1]), presumably meaning it has not been raised to the pip;
   - the priority-table entry at index pip, compared with [Vptr v´53] -- the
     address bound to [OSPlaceHolder] in the precondition -- and negated with
     [oppsite], is neither zero, null nor undefined ([Hif_true]); presumably
     the pip slot is occupied by something other than the placeholder, so the
     pip is not available to the owner and the call is rejected.
   State exposed in addition to the deadlock obligation: the placeholder cell
   [PV v´53 @ Int8u |-> v´31] and the priority table [ptbl] as a [GAarray]
   with its typing and length facts ([Hptbl_1], [Hptbl_2], [H15], [H27]).
   Conclusion: from the precondition, [EXIT_CRITICAL;ₛ RETURN ′OS_ERR_MUTEXPR_NOT_HOLDER]
   must establish the return postcondition of the spec header; [{{Afalse}}] is
   the normal postcondition, presumably unreachable after RETURN.
   NOTE(review): binder names are most likely consumed as hypothesis names by
   [intros] in the accompanying proof script, so they must not be renamed. *)
Definition gen_mutex_pend_pip_is_not_hold_right_to_cur:= forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(* [ptbl] is the concrete OSTCBPrioTbl (64 entries, see [Hptbl_2]). *)
(ptbl : vallist)
(v´33 : val)
(v´35 : list vallist)
(os_rdy_tbl : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(* Event-control-block list split around the mutex [pevent_addr]:
   [v´27]/[v´29] before it, [v´28]/[v´30] after it, maps joined by [H11]. *)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(* TCB list split around the current task: [v´35]/[tcbls_l] to its left,
   [tcbls_r] from the current task onwards ([Htcbjoin_whole]). *)
(H29 : v´33 <> Vnull)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(Htcblist_subl : TCBList_P v´33 v´35 os_rdy_tbl tcbls_l)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(x0 : val)
(tcbls_r´ : TcbMod.map)
(* [x] is the 16-bit mutex value: high byte [x>>ᵢ$ 8] is the pip, low byte
   [x&$ OS_MUTEX_KEEP_LOWER_8] the owner priority (see the [LV pip]/[LV mprio]
   cells in the precondition). *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(H12 : isptr x0)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(* The right part [tcbls_r´] is itself split at the owner TCB:
   [v´34] between the current task and the owner, [v´36] after the owner. *)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_r´)
(Htcblist_sub_left : TCBList_P x0 v´34 os_rdy_tbl tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 os_rdy_tbl tcbls_sub_r)
(ptcb_addr : block)
(x10 : val)
(H31 : isptr x10)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(ptcb_stat : int32)
(H44 : Int.unsigned ptcb_stat <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(ptcb_tcby : int32)
(H47 : Int.unsigned ptcb_tcby <= 255)
(ptcb_bitx : int32)
(H48 : Int.unsigned ptcb_bitx <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H17 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(* Abstract view of the mutex: pip, owner (address plus recorded priority)
   and wait list [wls]. *)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(Hget_last_tcb : get_last_tcb_ptr v´34 x0 =
Some (Vptr (ptcb_addr, Int.zero)))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(Htcblist_subr : TCBList_P x0
(v´34 ++
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
::
Vint32 i2 :: nil) :: v´36)
os_rdy_tbl tcbls_r´)
(Hptcb_blk : RL_TCBblk_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil))
(Hptcb_prio_not_idle : ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcb_prio_scope_obv : 0 <= Int.unsigned ptcb_prio)
(Hptcb_prio_scope : Int.unsigned ptcb_prio < 64)
(* Owner is ready: status field is OS_STAT_RDY and its delay counter is 0. *)
(Hif_ptcb_is_rdy1 : ptcb_stat = $ OS_STAT_RDY)
(Hif_ptcb_is_rdy2 : i11 = $ 0)
(Hrtbl_type : array_type_vallist_match Int8u os_rdy_tbl)
(Hrtbl_len : length os_rdy_tbl = ∘OS_RDY_TBL_SIZE)
(Hgrp1 : RL_Tbl_Grp_P os_rdy_tbl v´39)
(Hgrp2 : prio_in_tbl ($ OS_IDLE_PRIO) os_rdy_tbl)
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, rdy, xm))
(H_ptcb_in_right : TcbMod.get tcbls_r´ (ptcb_addr, Int.zero) =
Some (ptcb_prio, rdy, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, rdy, xm) tcbls_sub_r v´52)
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(Hptcb_stat : R_TCB_Status_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
os_rdy_tbl (cur_prio, rdy, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, rdy, Vnull)
tcbls_r´ tcbls_r)
(* Branch conditions for this path: current priority differs from mprio
   (both orientations of the comparison are kept), is unsigned-less than it,
   both are below 64, and the owner does not already sit at the pip. *)
(Hif_false : Int.eq (x&$ OS_MUTEX_KEEP_LOWER_8) cur_prio = false)
(Hnocur : Int.eq cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = false)
(H_cur_prio_scope : Int.unsigned cur_prio < 64)
(Hx_scope1 : Int.unsigned (x>>ᵢ$ 8) < 64)
(Hif_can_lift1 : ptcb_prio <> x>>ᵢ$ 8)
(Hif_can_lift2 : Int.ltu cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = true)
(* Contents of the OSPlaceHolder cell ([v´31]) and well-formedness of the
   priority table [ptbl] with respect to the ready table and the abstract TCBs. *)
(v´31 : val)
(Hptbl_1 : array_type_vallist_match OS_TCB ∗ ptbl)
(Hptbl_2 : length ptbl = 64%nat)
(H15 : RL_RTbl_PrioTbl_P os_rdy_tbl ptbl v´53)
(H27 : R_PrioTbl_P ptbl tcbls v´53)
(* Evaluation of the C condition: OSTCBPrioTbl[pip] compared ([oeq]) with the
   placeholder address [v´53], then negated ([oppsite]); the three conjuncts
   say the result is a genuine true value (not zero, null or undefined). *)
(Hif_true : val_inj
(uop_eval
(val_inj
(bop_eval
(nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) ptbl)
(Vptr v´53) OS_TCB ∗ OS_TCB ∗ oeq)) oppsite) <>
Vint32 Int.zero /\
val_inj
(uop_eval
(val_inj
(bop_eval
(nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) ptbl)
(Vptr v´53) OS_TCB ∗ OS_TCB ∗ oeq)) oppsite) <> Vnull /\
val_inj
(uop_eval
(val_inj
(bop_eval
(nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) ptbl)
(Vptr v´53) OS_TCB ∗ OS_TCB ∗ oeq)) oppsite) <>
Vundef)
,
(* Spec header: function specs [OSQ_spec], [GetHPrio], invariant [I], the
   postcondition for RETURN (parameterised by the returned value [v]), and
   [Afalse] for the exceptional exit. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: concrete state at the branch point, inside the critical
   section.  Unlike the deadlock obligation, the priority table is exposed as
   a raw [GAarray] plus the placeholder cell, not folded into [AOSTCBPrioTbl]. *)
{{PV v´53 @ Int8u |-> v´31 **
Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil) **
tcbdllseg x0 (Vptr (cur_addr, Int.zero)) v´43
(Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´42 Vnull v´36 **
<|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
dllseg v´33 Vnull v´26 (Vptr (cur_addr, Int.zero)) v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp os_rdy_tbl v´39 **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64) ptbl **
G&OSPlaceHolder @ Int8u == v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
(* Statement under verification. *)
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEXPR_NOT_HOLDER {{Afalse}}
.
Definition gen_MutexPostPart1:= forall (
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H15 : Int.unsigned (Int.shru x ($ 8)) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´50 : val
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
x8 : val
)(
x9 : val
)(
H37 : isptr x9
)(
H38 : isptr x8
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
i5 : int32
)(
H40 : Int.unsigned i5 <= 255
)(
i4 : int32
)(
H41 : Int.unsigned i4 <= 255
)(
i3 : int32
)(
H42 : Int.unsigned i3 <= 255
)(
i2 : int32
)(
H43 : Int.unsigned i2 <= 255
)(
i1 : int32
)(
H44 : Int.unsigned i1 <= 255
)(
i0 : int32
)(
H45 : Int.unsigned i0 <= 255
)(
H36 : isptr v´24
)(
H27 : isptr v´50
)(
H34 : TCBList_P (Vptr (v´52, Int.zero))
((v´50
:: v´24
:: x9
:: x8
:: Vint32 i6
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3
:: Vint32 i2
:: Vint32 i1 :: Vint32 i0 :: nil) :: v´35)
v´36 v´45
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H28 : Int.ltu i4 (Int.shru x ($ 8)) = false
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H47 : Int.ltu (Int.shru x ($ 8)) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (Int.shru x ($ 8)) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (Int.shru x ($ 8)) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (Int.shru x ($ 8))
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (Int.shru x ($ 8)))) v´30 = Some x0
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)
(last_condition : i5 = $ OS_STAT_RDY /\ i6 = $ 0 )
,
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{ <|| mutexpost (Vptr (v´29, Int.zero) :: nil) ||> **
LV os_code_defs.x @ Int8u |-> Vint32 ((x2<<$ 3)+ᵢx5) **
LV legal @ Int8u |-> Vint32 x2 **
PV v´51 @ Int8u |-> v´32 **
Astruct (v´52, Int.zero) OS_TCB
(v´50
:: v´24
:: x9
:: x8
:: Vint32 i6
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3
:: Vint32 i2 :: Vint32 i1 :: Vint32 i0 :: nil) **
dllseg v´50 (Vptr (v´52, Int.zero)) v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´31 **
dllseg v´31 Vnull v´24 (Vptr (v´52, Int.zero)) v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
LV prio @ Int8u
|-> Vint32 (Int.modu (x&$ OS_MUTEX_KEEP_LOWER_8) ($ Byte.modulus)) **
LV pip @ Int8u |-> Vint32 (Int.modu (Int.shru x ($ 8)) ($ Byte.modulus)) **
Astruct (v´29, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil) **
Aarray v´23 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´44 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
A_isr_is_prop **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE) v´36 **
GV OSRdyGrp @ Int8u |-> Vint32 i7 **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64) v´30 **
G&OSPlaceHolder @ Int8u == v´51 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSMapTbl **
GAarray OSUnMapTbl (Tarray Int8u 256) OSUnMapVallist **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
If(OSTCBCur ′ → OSTCBPrio ==ₑ pip ′)
{If(OSTCBPrioTbl ′ [prio ′] !=ₑ 〈OS_TCB ∗ 〉 os_mutex.PlaceHolder)
{EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_ORIGINAL_NOT_HOLDER} ;ₛ
OSRdyTbl ′ [OSTCBCur ′ → OSTCBY] &= ∼ OSTCBCur ′ → OSTCBBitX;ₛ
If(OSRdyTbl ′ [OSTCBCur ′ → OSTCBY] ==ₑ ′0)
{OSRdyGrp ′ &= ∼ OSTCBCur ′ → OSTCBBitY} ;ₛ
OSTCBCur ′ → OSTCBPrio =ₑ prio ′;ₛ
OSTCBCur ′ → OSTCBY =ₑ prio ′ ≫ ′3;ₛ
OSTCBCur ′ → OSTCBBitY =ₑ OSMapTbl ′ [OSTCBCur ′ → OSTCBY];ₛ
OSTCBCur ′ → OSTCBX =ₑ prio ′ &ₑ ′7;ₛ
OSTCBCur ′ → OSTCBBitX =ₑ OSMapTbl ′ [OSTCBCur ′ → OSTCBX];ₛ
OSRdyGrp ′ =ₑ OSRdyGrp ′ |ₑ OSTCBCur ′ → OSTCBBitY;ₛ
OSRdyTbl ′ [OSTCBCur ′ → OSTCBY] =ₑ
OSRdyTbl ′ [OSTCBCur ′ → OSTCBY] |ₑ OSTCBCur ′ → OSTCBBitX;ₛ
OSTCBPrioTbl ′ [prio ′] =ₑ 〈OS_TCB ∗ 〉 OSTCBCur ′;ₛ
OSTCBPrioTbl ′ [pip ′] =ₑ 〈OS_TCB ∗ 〉 os_mutex.PlaceHolder} ;ₛ
If(pevent ′ → OSEventGrp !=ₑ ′0)
{os_code_defs.x ′ =ₑ ′OS_STAT_MUTEX;ₛ
prio ′ =ᶠ OS_EventTaskRdy (·pevent ′, 〈(Void) ∗ 〉 pevent ′,
os_code_defs.x ′·);ₛ
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR} ;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ ′OS_MUTEX_AVAILABLE;ₛ
pevent ′ → OSEventPtr =ₑ NULL;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR {{Afalse}}
.
(* gen_MutexPostPart3133: one generated proof obligation (this library is
   gen_lemmas) for the tail of the OSMutexPost path in which a task waiting
   on the mutex has just been readied.  The binder list below is the
   verification context at that program point; the conclusion is a Hoare
   triple whose precondition is the symbolic state right after the
   OS_EventTaskRdy call returned v´37 into prio, whose body is the remaining
   statements of the function, and whose normal postcondition is Afalse -
   presumably because the body always leaves through RETURN, so the return
   clause of the triple context is the only exit that has to hold.
   Interrupts are disabled in the precondition (Aie false, Acs (true :: nil))
   and are only re-enabled by the EXIT_CRITICAL in the body, so the owner
   hand-off below is checked as an uninterrupted unit.
   NOTE(review): the statement looks machine-generated; edit the proof that
   discharges it rather than this hypothesis list. *)
Definition gen_MutexPostPart3133:= forall
(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
(* v´30: the OSTCBPrioTbl contents (64 OS_TCB pointers, see H46/H51). *)
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
(* v´36: the OSRdyTbl contents (see H54/H58); v´38 and v´39 are the
   abstract ECB and TCB maps (HECBList / HTCBList in the precondition). *)
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
(* v´44: the OSEventTbl of the mutex (H14, H19). *)
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
(* v´51: address of the priority-table placeholder (H49/H50, and the
   original-priority slot holds Vptr v´51 by H52). *)
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
(* v´29: block of the mutex OS_EVENT being posted; pevent holds
   Vptr (v´29, Int.zero) in the precondition. *)
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
(* i: the OSEventGrp byte of the mutex (second field of the OS_EVENT
   value below, related to v´44 by H18). *)
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
(* x: the 16-bit count word of the mutex (third OS_EVENT field,
   presumably OSEventCnt).  H6 reads its upper byte x>>ᵢ$ 8 as the
   priority-inheritance priority (PIP) and its lower byte
   x&$ OS_MUTEX_KEEP_LOWER_8 as the owner's original priority. *)
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
(* v´52: block of the current task's OS_TCB (HCurTCB in the precondition);
   it is also the recorded mutex owner (H6). *)
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
(* H35: the mutex is currently held (lower byte is not OS_MUTEX_AVAILABLE);
   H26 then gives the owner tid. *)
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x0 : val
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
(* x2, x4, x5: the usual two-level OSUnMapTbl lookup (H61, H63, H66);
   (x2<<$ 3)+ᵢx5 is the priority of the highest-priority waiter. *)
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
H27 : isptr x7
)(
H38 : isptr m
)(
(* x14: the status field of the current TCB (H82 enumerates the admissible
   OS_STAT_* values; H84 ties OS_STAT_RDY to a null event pointer x15). *)
x14 : int32
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
(* x8, x9, x11: OSMapTbl bit masks for the owner's original priority
   (y index for x8, x index for x9 and x11). *)
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
x16 : int32
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H89 : Int.unsigned x12 <= 255
)(
(* t1, t11: ready-table rows read back after the PIP bit was cleared
   (t2 and t12 below). *)
t1 : int32
)(
t3 : Int.unsigned t1 <= 255
)(
t11 : int32
)(
t13 : Int.unsigned t11 <= 255
)(
v´34 : val
)(
(* H52: before this part ran, the owner's original-priority slot of
   OSTCBPrioTbl held the placeholder. *)
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some (Vptr v´51)
)(
(* H99: OSEventGrp is nonzero, i.e. the branch that readies a waiter was
   taken (presumably at least one task is blocked on the mutex). *)
H99 : i <> Int.zero
)(
H100 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H101 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
(* H47: the PIP is numerically smaller (higher priority) than the owner's
   original priority, as priority inheritance requires. *)
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
(* H68: the highest-priority waiter has a numerically larger priority
   than the PIP, so no waiter outranks the ceiling priority. *)
H68 : Int.ltu (x>>ᵢ$ 8) ((x2<<$ 3)+ᵢx5) = true
)(
H77 : 0 <= Int.unsigned (x>>ᵢ$ 8)
)(
H85 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H43 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)&$ 7)) <= 255
)(
H42 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) <= 255
)(
(* H70: in the abstract TCB map the current task still runs at the PIP
   (x>>ᵢ$ 8) with status t and message m; the precondition below records
   the move back to x&$ OS_MUTEX_KEEP_LOWER_8. *)
H70 : TcbJoin (v´52, Int.zero) (x>>ᵢ$ 8, t, m) x10 v´45
)(
H41 : Int.unsigned (x>>ᵢ$ 8) <= 255
)(
H28 : Int.ltu (x>>ᵢ$ 8) (x>>ᵢ$ 8) = false
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) v´36
(x>>ᵢ$ 8, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) :: v´35) v´36 v´45
)(
(* r1..rrr6: index bounds for the ready-table accesses made by the
   earlier statements of this function (x and y of both priorities). *)
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
r5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x12
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
H94 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vnull
)(
H95 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vundef
)(
(* H96..t12: facts about the ready table after the current task's PIP bit
   was cleared from row (x>>ᵢ$ 8)>>ᵢ$ 3 (the update_nth_val term). *)
H96 : array_type_vallist_match Int8u
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
)(
H97 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t2 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t1
)(
H98 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t12 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t11
)(
(* v´37: the value OS_EventTaskRdy returned, now held by prio. *)
v´37 : val
)
(* last_condition: the current task is ready and its delay-like field i6
   is zero (ProtectWrapper presumably keeps automation from unfolding it;
   which TCB field i6 denotes is not fixed here - confirm against the
   OS_TCB layout). *)
( last_condition : ProtectWrapper (x14 = $ OS_STAT_RDY /\ i6 = $ 0))
,
(* Triple context: abstract spec OSQ_spec, scheduler GetHPrio, invariant I,
   and the assertion a RETURN with value v must establish (only the local
   variables, an enabled-interrupt state and the abstract END v remain). *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
<|| END v ||> , Afalse|}|-
(* Precondition: event_rdy_post1 is the state left by the OS_EventTaskRdy
   call on the mutex with OS_STAT_MUTEX.  The logic list records, in order,
   the priority table after the swap (original-priority slot <- current TCB,
   PIP slot <- placeholder v´51), the current TCB re-keyed to its original
   priority, the two TCB list segments, the ready table with the PIP bit
   cleared and the original-priority bit set, and the abstract TCB map with
   the current task back at x&$ OS_MUTEX_KEEP_LOWER_8. *)
{{event_rdy_post1
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´37)
(logic_lv
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val
(Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30
(Vptr (v´52, Int.zero))) (Vptr v´51))
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32
((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)
:: Vint32 x11 :: Vint32 x8 :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv
(update_nth_val
(Z.to_nat
(Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val
(Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12)
(Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
(val_inj (or (Vint32 t1) (Vint32 x11))))
:: logic_val v´34
:: logic_abstcb
(TcbMod.set v´39 (v´52, Int.zero)
(x&$ OS_MUTEX_KEEP_LOWER_8, t, m))
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´37 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
(* Body: hand the mutex to the readied task - keep the PIP byte, write
   the readied task's priority into the owner byte, point OSEventPtr at
   its TCB, leave the critical section, reschedule and return OS_NO_ERR.
   Nothing falls through, hence the Afalse postcondition. *)
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
Definition gen_MutexPostPart10 :=forall (
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : Int.int
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : @eq nat (@length EventCtr v´25) (@length EventData v´27)
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Tint8 v´44
)(
H19 : @eq nat (@length val v´44) (nat_of_Z OS_EVENT_TBL_SIZE)
)(
x3 : val
)(
i : Int.int
)(
H21 : Z.le (Int.unsigned i) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (@pair block Int.int v´29 Int.zero)) v´25 v´27
v´47 v´39
)(
H14 : @eq (option (prod block Int.int))
(id_addrval´ (Vptr (@pair block Int.int v´29 Int.zero)) OSEventTbl
OS_EVENT) (@Some addrval v´23)
)(
H20 : Z.le (Int.unsigned (Int.repr OS_EVENT_TYPE_MUTEX))
(Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
x : Int.int
)(
H10 : Z.le (Int.unsigned x)
(Zpos
(xI
(xI
(xI
(xI
(xI
(xI
(xI (xI (xI (xI (xI (xI (xI (xI (xI xH))))))))))))))))
)(
H15 : Z.lt (Int.unsigned (Int.shru x (Int.repr (Zpos (xO (xO (xO xH)))))))
(Zpos (xO (xO (xO (xO (xO (xO xH)))))))
)(
H22 : Z.le (Int.unsigned x)
(Zpos
(xI
(xI
(xI
(xI
(xI
(xI
(xI (xI (xI (xI (xI (xI (xI (xI (xI xH))))))))))))))))
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : not (@eq val v´31 Vnull)
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : not (@eq val (Vptr (@pair block Int.int v´52 Int.zero)) Vnull)
)(
i6 : Int.int
)(
H39 : Z.le (Int.unsigned i6)
(Zpos
(xI
(xI
(xI
(xI
(xI
(xI
(xI (xI (xI (xI (xI (xI (xI (xI (xI xH))))))))))))))))
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (@pair block Int.int v´52 Int.zero)
)(
H8 : RH_CurTCB (@pair block Int.int v´52 Int.zero) v´39
)(
H23 : isptr (Vptr (@pair block Int.int v´52 (Int.repr Z0)))
)(
H5 : R_ECB_ETbl_P (@pair block Int.int v´29 Int.zero)
(@pair (list val) vallist
(@cons val (Vint32 (Int.repr OS_EVENT_TYPE_MUTEX))
(@cons val (Vint32 i)
(@cons val (Vint32 x)
(@cons val
(Vptr (@pair block Int.int v´52 (Int.repr Z0)))
(@cons val x3 (@cons val v´46 (@nil val))))))) v´44)
v´39
)(
H1 : ECBList_P v´42 Vnull
(@app EventCtr v´25
(@app (prod (list val) vallist)
(@cons (prod (list val) vallist)
(@pair (list val) vallist
(@cons val (Vint32 (Int.repr OS_EVENT_TYPE_MUTEX))
(@cons val (Vint32 i)
(@cons val (Vint32 x)
(@cons val
(Vptr
(@pair block Int.int v´52 (Int.repr Z0)))
(@cons val x3 (@cons val v´46 (@nil val)))))))
v´44) (@nil (prod (list val) vallist))) v´26))
(@app EventData v´27
(@app EventData
(@cons EventData
(DMutex (Vint32 x)
(Vptr (@pair block Int.int v´52 (Int.repr Z0))))
(@nil EventData)) v´28)) v´38 v´39
)(
H29 : Logic.or
(@eq Int.int (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr OS_MUTEX_AVAILABLE))
(not
(@eq Int.int (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr OS_MUTEX_AVAILABLE)))
)(
H35 : not
(@eq Int.int (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr OS_MUTEX_AVAILABLE))
)(
H47 : @eq bool
(Int.ltu (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))) true
)(
H48 : Z.lt (Int.unsigned (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8)))
(Zpos (xO (xO (xO (xO (xO (xO xH)))))))
)(
H6 : EcbMod.joinsig (@pair block Int.int v´29 Int.zero)
(@pair edata waitset
(absmutexsem (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))) w) v´48
v´49
)(
H4 : @eq (option (prod (prod block Int.int) Int.int))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
(@None (prod (prod block Int.int) Int.int)) ->
@eq waitset w (@nil tid)
)(
H9 : forall (tid : tid) (opr : Int.int),
@eq (option (prod (prod block Int.int) Int.int))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
(@Some (prod language.tid Int.int)
(@pair language.tid Int.int tid opr)) ->
Logic.and
(@eq bool
(Int.ltu (Int.shru x (Int.repr (Zpos (xO (xO (xO xH)))))) opr)
true)
(Z.lt (Int.unsigned opr) (Zpos (xO (xO (xO (xO (xO (xO xH))))))))
)(
H13 : not (@eq waitset w (@nil tid)) ->
not
(@eq (option (prod (prod block Int.int) Int.int))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
(@None (prod (prod block Int.int) Int.int)))
)(
H25 : @eq Int.int (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr OS_MUTEX_AVAILABLE) ->
Logic.and
(@eq (option (prod (prod block Int.int) Int.int))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
(@None (prod (prod block Int.int) Int.int)))
(@eq val (Vptr (@pair block Int.int v´52 (Int.repr Z0))) Vnull)
)(
H26 : not
(@eq Int.int (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr OS_MUTEX_AVAILABLE)) ->
@ex addrval
(fun tid : addrval =>
Logic.and
(@eq val (Vptr (@pair block Int.int v´52 (Int.repr Z0)))
(Vptr tid))
(@eq (option (prod (prod block Int.int) Int.int))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
(@Some (prod addrval Int.int)
(@pair addrval Int.int tid
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))))
)(
backup : RLH_ECBData_P
(DMutex (Vint32 x)
(Vptr (@pair block Int.int v´52 (Int.repr Z0))))
(@pair edata waitset
(absmutexsem (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))) w)
)(
v´32 : val
)(
H46 : array_type_vallist_match (Tptr OS_TCB) v´30
)(
H51 : @eq nat (@length val v´30)
64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : @eq (option val)
(nth_val
(Z.to_nat
(Int.unsigned (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
v´30) (@Some val x1)
)(
x0 : val
)(
H53 : @eq (option val)
(nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x (Int.repr (Zpos (xO (xO (xO xH)))))))) v´30)
(@Some val x0)
)(
H54 : array_type_vallist_match Tint8 v´36
)(
H58 : @eq nat (@length val v´36) (nat_of_Z OS_RDY_TBL_SIZE)
)(
i7 : Int.int
)(
H55 : Z.le (Int.unsigned i7) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H57 : prio_in_tbl (Int.repr OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : Int.int
)(
fffa : @eq nat (@length val OSUnMapVallist)
256%nat ->
lt (Z.to_nat (Int.unsigned i))
256%nat ->
@ex Int.int
(fun x4 : Int.int =>
Logic.and (@eq val (Vint32 x2) (Vint32 x4))
(@eq bool true (rule_type_val_match Tint8 (Vint32 x4))))
)(
H59 : @eq nat (@length val OSUnMapVallist)
256%nat
)(
H60 : lt (Z.to_nat (Int.unsigned i))
256%nat
)(
H61 : @eq val (nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist)
(Vint32 x2)
)(
H62 : @eq bool true (rule_type_val_match Tint8 (Vint32 x2))
)(
fffbb : Z.lt (Int.unsigned x2) (Zpos (xO (xO (xO xH))))
)(
fffbb2 : lt (Z.to_nat (Int.unsigned x2)) (@length val v´44)
)(
H19´´ : @eq nat (@length val v´44) (Z.to_nat (Zpos (xO (xO (xO xH)))))
)(
x4 : Int.int
)(
H63 : @eq val (nth_val´ (Z.to_nat (Int.unsigned x2)) v´44) (Vint32 x4)
)(
H64 : Z.le (Int.unsigned x4) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H65 : lt (Z.to_nat (Int.unsigned x4)) (@length val OSUnMapVallist)
)(
x5 : Int.int
)(
H66 : @eq val (nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist)
(Vint32 x5)
)(
H67 : Z.le (Int.unsigned x5) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
ttfasd : Z.lt (Int.unsigned x5) (Zpos (xO (xO (xO xH))))
)(
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x6 : Int.int
)(
x14 : Int.int
)(
H77 : Z.le Z0 (Int.unsigned x6)
)(
H85 : Z.lt (Int.unsigned x6) (Zpos (xO (xO (xO (xO (xO (xO xH)))))))
)(
H82 : Logic.or (@eq Int.int x14 (Int.repr OS_STAT_RDY))
(Logic.or (@eq Int.int x14 (Int.repr OS_STAT_SEM))
(Logic.or (@eq Int.int x14 (Int.repr OS_STAT_Q))
(Logic.or (@eq Int.int x14 (Int.repr OS_STAT_MBOX))
(@eq Int.int x14 (Int.repr OS_STAT_MUTEX)))))
)(
x15 : val
)(
H84 : @eq Int.int x14 (Int.repr OS_STAT_RDY) -> @eq val x15 Vnull
)(
H43 : Z.le (Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH)))))
(Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H45 : Z.le
(Int.unsigned
(Int.shl (Int.repr (Zpos xH))
(Int.shru x6 (Int.repr (Zpos (xI xH))))))
(Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H44 : Z.le
(Int.unsigned
(Int.shl (Int.repr (Zpos xH))
(Int.and x6 (Int.repr (Zpos (xI (xI xH)))))))
(Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H42 : Z.le (Int.unsigned (Int.and x6 (Int.repr (Zpos (xI (xI xH))))))
(Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H70 : TcbJoin (@pair block Int.int v´52 Int.zero)
(@pair (prod priority taskstatus) msg
(@pair priority taskstatus x6 t) m) x10 v´45
)(
H41 : Z.le (Int.unsigned x6) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H28 : @eq bool
(Int.ltu x6 (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))) false
)(
H37 : isptr x15
)(
H40 : Z.le (Int.unsigned x14) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H73 : R_TCB_Status_P
(@cons val x7
(@cons val v´24
(@cons val x15
(@cons val m
(@cons val (Vint32 i6)
(@cons val (Vint32 x14)
(@cons val (Vint32 x6)
(@cons val
(Vint32
(Int.and x6
(Int.repr (Zpos (xI (xI xH))))))
(@cons val
(Vint32
(Int.shru x6
(Int.repr (Zpos (xI xH)))))
(@cons val
(Vint32
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH)))))))
(@cons val
(Vint32
(Int.shl
(Int.repr (Zpos xH))
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(@nil val)))))))))))) v´36
(@pair (prod priority taskstatus) msg
(@pair priority taskstatus x6 t) m)
)(
backup2 : TCBList_P (Vptr (@pair block Int.int v´52 Int.zero))
(@cons (list val)
(@cons val x7
(@cons val v´24
(@cons val x15
(@cons val m
(@cons val (Vint32 i6)
(@cons val (Vint32 x14)
(@cons val (Vint32 x6)
(@cons val
(Vint32
(Int.and x6
(Int.repr (Zpos (xI (xI xH))))))
(@cons val
(Vint32
(Int.shru x6
(Int.repr (Zpos (xI xH)))))
(@cons val
(Vint32
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH)))))))
(@cons val
(Vint32
(Int.shl
(Int.repr (Zpos xH))
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(@nil val)))))))))))) v´35)
v´36 v´45
)(
r1 : Z.lt
(Int.unsigned
(Int.shru (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI xH))))) (Zpos (xO (xO (xO xH))))
)(
r2 : Z.lt
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH)))))) (Zpos (xO (xO (xO xH))))
)(
r3 : Z.lt
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))) (Zpos (xO (xO (xO xH))))
)(
r4 : Z.lt
(Int.unsigned
(Int.and (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI (xI xH)))))) (Zpos (xO (xO (xO xH))))
)(
H34 : array_type_vallist_match Tint8 OSMapVallist
)(
H69 : @eq nat (@length val OSMapVallist) (S (S (S (S (S (S (S (S O))))))))
)(
H71 : lt
(Z.to_nat
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))))
(S (S (S (S (S (S (S (S O))))))))
)(
x8 : Int.int
)(
H74 : @eq val
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))) OSMapVallist)
(Vint32 x8)
)(
H75 : @eq bool true (rule_type_val_match Tint8 (Vint32 x8))
)(
H76 : lt
(Z.to_nat
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH)))))))
(S (S (S (S (S (S (S (S O))))))))
)(
x9 : Int.int
)(
H78 : @eq val
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH))))))) OSMapVallist)
(Vint32 x9)
)(
H79 : @eq bool true (rule_type_val_match Tint8 (Vint32 x9))
)(
H80 : lt
(Z.to_nat
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH)))))))
(S (S (S (S (S (S (S (S O))))))))
)(
x11 : Int.int
)(
H81 : @eq val
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH))))))) OSMapVallist)
(Vint32 x11)
)(
H83 : @eq bool true (rule_type_val_match Tint8 (Vint32 x11))
)(
r5 : Z.lt (Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH)))))
(Zpos (xO (xO (xO xH))))
)(
r6 : Z.lt (Int.unsigned (Int.and x6 (Int.repr (Zpos (xI (xI xH))))))
(Zpos (xO (xO (xO xH))))
)(
rr1 : lt
(Z.to_nat
(Int.unsigned
(Int.shru (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI xH)))))) (@length val v´36)
)(
rr2 : lt
(Z.to_nat
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH)))))))
(@length val v´36)
)(
rr3 : lt
(Z.to_nat
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))) (@length val v´36)
)(
rr4 : lt
(Z.to_nat
(Int.unsigned
(Int.and (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI (xI xH)))))))
(@length val v´36)
)(
rr5 : lt (Z.to_nat (Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH))))))
(@length val v´36)
)(
rr6 : lt
(Z.to_nat
(Int.unsigned (Int.and x6 (Int.repr (Zpos (xI (xI xH)))))))
(@length val v´36)
)(
rrr1 : Z.lt
(Int.unsigned
(Int.shru (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI xH))))) (Z.of_nat (@length val v´36))
)(
rrr2 : Z.lt
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH))))))
(Z.of_nat (@length val v´36))
)(
rrr3 : Z.lt
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))) (Z.of_nat (@length val v´36))
)(
rrr4 : Z.lt
(Int.unsigned
(Int.and (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI (xI xH))))))
(Z.of_nat (@length val v´36))
)(
rrr5 : Z.lt (Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH)))))
(Z.of_nat (@length val v´36))
)(
rrr6 : Z.lt (Int.unsigned (Int.and x6 (Int.repr (Zpos (xI (xI xH))))))
(Z.of_nat (@length val v´36))
)(
HH58 : @eq nat (@length val v´36) (Z.to_nat (Zpos (xO (xO (xO xH)))))
)(
aa : @eq bool
(rule_type_val_match Tint8
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru
(Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI xH)))))) v´36)) true
)(
aa2 : @eq bool
(rule_type_val_match Tint8
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))) v´36)) true
)(
aa3 : @eq bool
(rule_type_val_match Tint8
(nth_val´
(Z.to_nat
(Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH))))))
v´36)) true
)(
x16 : Int.int
)(
H88 : @eq val
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI xH)))))) v´36)
(Vint32 x16)
)(
H91 : Z.le (Int.unsigned x16) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
x13 : Int.int
)(
H87 : @eq val
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))) v´36)
(Vint32 x13)
)(
H90 : Z.le (Int.unsigned x13) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
x12 : Int.int
)(
H86 : @eq val
(nth_val´
(Z.to_nat (Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH))))))
v´36) (Vint32 x12)
)(
H89 : Z.le (Int.unsigned x12) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H92 : @eq val x1 (Vptr v´51)
),
InfRules OSQ_spec GetHPrio I
(fun v : option val =>
Astar
(Astar
(Astar
(Astar
(@Aexists val
(fun v0 : val => Alvarmapsto pevent (Tptr OS_EVENT) v0))
(Astar
(@Aexists val
(fun v0 : val => Alvarmapsto os_code_defs.x Tint8 v0))
(Astar
(@Aexists val
(fun v0 : val => Alvarmapsto pip Tint8 v0))
(Astar
(@Aexists val
(fun v0 : val => Alvarmapsto prio Tint8 v0))
(Astar
(@Aexists val
(fun v0 : val => Alvarmapsto legal Tint8 v0))
Aemp)))))
(Astar (Aie true)
(Astar (Ais (@nil hid))
(Astar (Acs (@nil ie)) (Aisr empisr)))))
(A_dom_lenv
(@cons (prod ident type)
(@pair ident type pevent (Tptr OS_EVENT))
(@cons (prod ident type)
(@pair ident type os_code_defs.x Tint8)
(@cons (prod ident type) (@pair ident type pip Tint8)
(@cons (prod ident type) (@pair ident type prio Tint8)
(@cons (prod ident type)
(@pair ident type legal Tint8)
(@nil (prod ident type)))))))))
(Aop´ (spec_done v))) Afalse
(Astar
(Aop´
(mutexpost
(@cons val (Vptr (@pair block Int.int v´29 Int.zero))
(@nil val))))
(Astar
(A_dom_lenv
(@cons (prod ident type)
(@pair ident type pevent (Tptr OS_EVENT))
(@cons (prod ident type)
(@pair ident type os_code_defs.x Tint8)
(@cons (prod ident type) (@pair ident type pip Tint8)
(@cons (prod ident type) (@pair ident type prio Tint8)
(@cons (prod ident type)
(@pair ident type legal Tint8)
(@nil (prod ident type))))))))
(Astar
(GAarray OSRdyTbl (Tarray Tint8 (nat_of_Z OS_RDY_TBL_SIZE))
(update_nth_val
(Z.to_nat
(Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH))))))
v´36
(val_inj
(and
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru x6 (Int.repr (Zpos (xI xH))))))
v´36)
(Vint32
(Int.not
(Int.shl (Int.repr (Zpos xH))
(Int.and x6 (Int.repr (Zpos (xI (xI xH))))))))))))
(Astar
(Alvarmapsto os_code_defs.x Tint8
(Vint32
(Int.add (Int.shl x2 (Int.repr (Zpos (xI xH)))) x5)))
(Astar (Alvarmapsto legal Tint8 (Vint32 x2))
(Astar (Aptrmapsto v´51 Tint8 v´32)
(Astar
(Astruct (@pair block Int.int v´52 Int.zero) OS_TCB
(@cons val x7
(@cons val v´24
(@cons val x15
(@cons val m
(@cons val
(Vint32 i6)
(@cons val
(Vint32 x14)
(@cons val
(Vint32 x6)
(@cons val
(Vint32
(Int.and x6
(Int.repr
(Zpos (xI (xI xH))))))
(@cons val
(Vint32
(Int.shru x6
(Int.repr (Zpos (xI xH)))))
(@cons val
(Vint32
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH)))))))
(@cons val
(Vint32
(Int.shl
(Int.repr (Zpos xH))
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(@nil val)))))))))))))
(Astar
(dllseg x7
(Vptr (@pair block Int.int v´52 Int.zero))
v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val (S O) vl)
(fun vl : vallist => nth_val O vl))
(Astar
(Agvarmapsto OSTCBList (Tptr OS_TCB) v´31)
(Astar
(dllseg v´31 Vnull v´24
(Vptr
(@pair block Int.int v´52 Int.zero))
v´33 OS_TCB
(fun vl : vallist => nth_val (S O) vl)
(fun vl : vallist => nth_val O vl))
(Astar
(Agvarmapsto OSTCBCur
(Tptr OS_TCB)
(Vptr
(@pair block Int.int v´52
Int.zero)))
(Astar
(Alvarmapsto prio Tint8
(Vint32
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8))))
(Astar
(Alvarmapsto pip Tint8
(Vint32
(Int.shru x
(Int.repr
(Zpos (xO (xO (xO xH))))))))
(Astar
(Astruct
(@pair block Int.int v´29
Int.zero) OS_EVENT
(@cons val
(Vint32
(Int.repr
OS_EVENT_TYPE_MUTEX))
(@cons val
(Vint32 i)
(@cons val
(Vint32 x)
(@cons val
(Vptr
(@pair block Int.int v´52
(Int.repr Z0)))
(@cons val x3
(@cons val v´46 (@nil val))))))))
(Astar
(Aarray v´23
(Tarray Tint8
(nat_of_Z OS_EVENT_TBL_SIZE))
v´44)
(Astar
(Aie false)
(Astar
(Ais (@nil hid))
(Astar
(Acs
(@cons bool true
(@nil bool)))
(Astar
(Aisr empisr)
(Astar
(Agvarmapsto OSEventList
(Tptr OS_EVENT) v´42)
(Astar
(evsllseg v´42
(Vptr
(@pair block Int.int v´29
Int.zero)) v´25 v´27)
(Astar
(evsllseg v´46 Vnull v´26
v´28)
(Astar A_isr_is_prop
(Astar
(Agvarmapsto OSRdyGrp Tint8
(Vint32 i7))
(Astar
(GAarray OSTCBPrioTbl
(Tarray
(Tptr OS_TCB)
64)
v´30)
(Astar
(Agvarenv´ OSPlaceHolder
Tint8 v´51)
(Astar
(Aabsdata absecblsid
(absecblist v´38))
(Astar
(Aabsdata abstcblsid
(abstcblist v´39))
(Astar
(Aabsdata curtid
(oscurt
(@pair block Int.int v´52
Int.zero)))
(Astar
(AOSEventFreeList v´3)
(Astar
(AOSQFreeList v´4)
(Astar
(AOSQFreeBlk v´5)
(Astar
(GAarray OSMapTbl
(Tarray Tint8
(S
(S
(S (S (S (S (S (S O)))))))))
OSMapVallist)
(Astar
(GAarray OSUnMapTbl
(Tarray Tint8
256)
OSUnMapVallist)
(Astar AOSIntNesting
(Astar
(AOSTCBFreeList v´21 v´22)
(Astar
(AOSTime (Vint32 v´18))
(Astar
(Aabsdata ostmid
(ostm v´18))
(Astar AGVars
(Astar atoy_inv´
(Alvarmapsto pevent
(Tptr OS_EVENT)
(Vptr
(@pair block Int.int v´29
Int.zero)))))))))))))))))))))))))))))))))))))))))))
(sseq
(sifthen
(ebinop oeq
(earrayelem (evar OSRdyTbl)
(efield (ederef (evar OSTCBCur)) OSTCBY))
(econst32 (Int.repr Z0)))
(sassign (evar OSRdyGrp)
(ebinop obitand (evar OSRdyGrp)
(eunop negation (efield (ederef (evar OSTCBCur)) OSTCBBitY)))))
(sseq
(sassign (efield (ederef (evar OSTCBCur)) OSTCBPrio) (evar prio))
(sseq
(sassign (efield (ederef (evar OSTCBCur)) OSTCBY)
(ebinop orshift (evar prio)
(econst32 (Int.repr (Zpos (xI xH))))))
(sseq
(sassign (efield (ederef (evar OSTCBCur)) OSTCBBitY)
(earrayelem (evar OSMapTbl)
(efield (ederef (evar OSTCBCur)) OSTCBY)))
(sseq
(sassign (efield (ederef (evar OSTCBCur)) OSTCBX)
(ebinop obitand (evar prio)
(econst32 (Int.repr (Zpos (xI (xI xH)))))))
(sseq
(sassign (efield (ederef (evar OSTCBCur)) OSTCBBitX)
(earrayelem (evar OSMapTbl)
(efield (ederef (evar OSTCBCur)) OSTCBX)))
(sseq
(sassign (evar OSRdyGrp)
(ebinop obitor (evar OSRdyGrp)
(efield (ederef (evar OSTCBCur)) OSTCBBitY)))
(sseq
(sassign
(earrayelem (evar OSRdyTbl)
(efield (ederef (evar OSTCBCur)) OSTCBY))
(ebinop obitor
(earrayelem (evar OSRdyTbl)
(efield (ederef (evar OSTCBCur)) OSTCBY))
(efield (ederef (evar OSTCBCur)) OSTCBBitX)))
(sseq
(sassign
(earrayelem (evar OSTCBPrioTbl)
(evar prio))
(ecast (evar OSTCBCur) (Tptr OS_TCB)))
(sassign
(earrayelem (evar OSTCBPrioTbl) (evar pip))
(ecast os_mutex.PlaceHolder (Tptr OS_TCB))))))))))))
( (
<|| mutexpost (Vptr (v´29, Int.zero) :: nil) ||> **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil) **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64)
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x ($ 8))))
(update_nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8)))
v´30 (Vptr (v´52, Int.zero))) (Vptr v´51)) **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE)
(update_nth_val
(Z.to_nat (Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj (and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7)))))))
(val_inj
(or
(nth_val´
(Z.to_nat (Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(Vint32 x11)))) **
GV OSRdyGrp @ Int8u |-> Vint32 (Int.or (i7&Int.not ($ 1<<(Int.shru x6 ($ 3)))) x8) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
Astruct (v´52, Int.zero) OS_TCB
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32 (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))
:: Vint32 x11 :: Vint32 x8 :: nil) **
LV os_code_defs.x @ Int8u |-> Vint32 ((x2<<$ 3)+ᵢx5) **
LV legal @ Int8u |-> Vint32 x2 **
PV v´51 @ Int8u |-> v´32 **
dllseg x7 (Vptr (v´52, Int.zero)) v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´31 **
dllseg v´31 Vnull v´24 (Vptr (v´52, Int.zero)) v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
LV prio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (Int.shru x ($ 8)) **
Astruct (v´29, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil) **
Aarray v´23 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´44 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
A_isr_is_prop **
G&OSPlaceHolder @ Int8u == v´51 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
GAarray OSMapTbl (Tarray Int8u 8) OSMapVallist **
GAarray OSUnMapTbl (Tarray Int8u 256) OSUnMapVallist **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
[|val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vint32 Int.zero /\
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vnull /\
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vundef|] **
[|val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vint32 Int.zero /\
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vnull /\
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vundef|]
) **
[| x1 = Vptr v´51 |]
\\// (
<|| mutexpost (Vptr (v´29, Int.zero) :: nil) ||> **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil) **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64)
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x ($ 8))))
(update_nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8)))
v´30 (Vptr (v´52, Int.zero))) (Vptr v´51)) **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE)
(update_nth_val
(Z.to_nat (Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj (and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7)))))))
(val_inj
(or
(nth_val´
(Z.to_nat (Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(Vint32 x11)))) **
GV OSRdyGrp @ Int8u |-> Vint32 (Int.or i7 x8) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
Astruct (v´52, Int.zero) OS_TCB
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32 (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))
:: Vint32 x11 :: Vint32 x8 :: nil) **
LV os_code_defs.x @ Int8u |-> Vint32 ((x2<<$ 3)+ᵢx5) **
LV legal @ Int8u |-> Vint32 x2 **
PV v´51 @ Int8u |-> v´32 **
dllseg x7 (Vptr (v´52, Int.zero)) v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´31 **
dllseg v´31 Vnull v´24 (Vptr (v´52, Int.zero)) v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
LV prio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (Int.shru x ($ 8)) **
Astruct (v´29, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil) **
Aarray v´23 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´44 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
A_isr_is_prop **
G&OSPlaceHolder @ Int8u == v´51 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
GAarray OSMapTbl (Tarray Int8u 8) OSMapVallist **
GAarray OSUnMapTbl (Tarray Int8u 256) OSUnMapVallist **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
[|val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) = Vint32 Int.zero \/
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) = Vnull|] **
[| x1 = Vptr v´51 |]
)
).
Definition gen_MutexPostPIRdyTable2:= forall(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H15 : Int.unsigned (Int.shru x ($ 8)) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H47 : Int.ltu (Int.shru x ($ 8)) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (Int.shru x ($ 8)) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (Int.shru x ($ 8)) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (Int.shru x ($ 8))
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (Int.shru x ($ 8)))) v´30 = Some x0
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x6 : int32
)(
x14 : int32
)(
H77 : 0 <= Int.unsigned x6
)(
H85 : Int.unsigned x6 < 64
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H43 : Int.unsigned (Int.shru x6 ($ 3)) <= 255
)(
H45 : Int.unsigned ($ 1<<(Int.shru x6 ($ 3))) <= 255
)(
H44 : Int.unsigned ($ 1<<(x6&$ 7)) <= 255
)(
H42 : Int.unsigned (x6&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x6, t, m) x10 v´45
)(
H41 : Int.unsigned x6 <= 255
)(
H28 : Int.ltu x6 (Int.shru x ($ 8)) = false
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (Int.shru x6 ($ 3))
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(Int.shru x6 ($ 3))) :: nil) v´36
(x6, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (Int.shru x6 ($ 3))
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(Int.shru x6 ($ 3))) :: nil)
:: v´35) v´36 v´45
)(
r1 : Int.unsigned (Int.shru (Int.shru x ($ 8)) ($ 3)) < 8
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3)) < 8
)(
r4 : Int.unsigned ((Int.shru x ($ 8))&$ 7) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´ (Z.to_nat (Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
r5 : Int.unsigned (Int.shru x6 ($ 3)) < 8
)(
r6 : Int.unsigned (x6&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned (Int.shru (Int.shru x ($ 8)) ($ 3))) < length v´36)%nat
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))) <
length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((Int.shru x ($ 8))&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned (x6&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned (Int.shru (Int.shru x ($ 8)) ($ 3)) < Z.of_nat (length v´36)
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3)) <
Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((Int.shru x ($ 8))&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned (Int.shru x6 ($ 3)) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned (x6&$ 7) < Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru (Int.shru x ($ 8)) ($ 3)))) v´36) = true
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))))
v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36) = true
)(
x16 : int32
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned (Int.shru (Int.shru x ($ 8)) ($ 3)))) v´36 = Vint32 x16
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´ (Z.to_nat (Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))))
v´36 = Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36 = Vint32 x12
)(
H89 : Int.unsigned x12 <= 255
)(
H92 : x1 = Vptr v´51
),
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{( <|| mutexpost (Vptr (v´29, Int.zero) :: nil) ||> **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil) **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE)
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36)
(Vint32 (Int.not ($ 1<<(x6&$ 7))))))) **
LV os_code_defs.x @ Int8u |-> Vint32 ((x2<<$ 3)+ᵢx5) **
LV legal @ Int8u |-> Vint32 x2 **
PV v´51 @ Int8u |-> v´32 **
Astruct (v´52, Int.zero) OS_TCB
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (Int.shru x6 ($ 3))
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(Int.shru x6 ($ 3))) :: nil) **
dllseg x7 (Vptr (v´52, Int.zero)) v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´31 **
dllseg v´31 Vnull v´24 (Vptr (v´52, Int.zero)) v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
LV prio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (Int.shru x ($ 8)) **
Astruct (v´29, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil) **
Aarray v´23 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´44 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
A_isr_is_prop **
GV OSRdyGrp @ Int8u |-> Vint32 i7 **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64) v´30 **
G&OSPlaceHolder @ Int8u == v´51 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
GAarray OSMapTbl (Tarray Int8u 8) OSMapVallist **
GAarray OSUnMapTbl (Tarray Int8u 256) OSUnMapVallist **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars ** atoy_inv´ ** LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero)) **
[|val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36)
(Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) = Vint32 Int.zero \/
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36)
(Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) = Vnull|]}}
OSTCBCur ′ → OSTCBPrio =ₑ prio ′;ₛ
OSTCBCur ′ → OSTCBY =ₑ prio ′ ≫ ′3;ₛ
OSTCBCur ′ → OSTCBBitY =ₑ OSMapTbl ′ [OSTCBCur ′ → OSTCBY];ₛ
OSTCBCur ′ → OSTCBX =ₑ prio ′ &ₑ ′7;ₛ
OSTCBCur ′ → OSTCBBitX =ₑ OSMapTbl ′ [OSTCBCur ′ → OSTCBX];ₛ
OSRdyGrp ′ =ₑ OSRdyGrp ′ |ₑ OSTCBCur ′ → OSTCBBitY;ₛ
OSRdyTbl ′ [OSTCBCur ′ → OSTCBY] =ₑ
OSRdyTbl ′ [OSTCBCur ′ → OSTCBY] |ₑ OSTCBCur ′ → OSTCBBitX;ₛ
OSTCBPrioTbl ′ [prio ′] =ₑ 〈OS_TCB ∗ 〉 OSTCBCur ′;ₛ
OSTCBPrioTbl ′ [pip ′] =ₑ 〈OS_TCB ∗ 〉 os_mutex.PlaceHolder {{(
(Astar
(Aop´
(mutexpost
(@cons val (Vptr (@pair block Int.int v´29 Int.zero))
(@nil val))))
(Astar
(A_dom_lenv
(@cons (prod ident type)
(@pair ident type pevent (Tptr OS_EVENT))
(@cons (prod ident type)
(@pair ident type os_code_defs.x Tint8)
(@cons (prod ident type) (@pair ident type pip Tint8)
(@cons (prod ident type) (@pair ident type prio Tint8)
(@cons (prod ident type)
(@pair ident type legal Tint8)
(@nil (prod ident type))))))))
(Astar
(GAarray OSTCBPrioTbl
(Tarray (Tptr OS_TCB)
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
v´30 (Vptr (@pair block Int.int v´52 Int.zero)))
(Vptr v´51)))
(Astar
(GAarray OSRdyTbl (Tarray Tint8 (nat_of_Z OS_RDY_TBL_SIZE))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6 (Int.repr (Zpos (xI xH))))))
v´36
(val_inj
(and (Vint32 x12)
(Vint32
(Int.not
(Int.shl (Int.repr (Zpos xH))
(Int.and x6
(Int.repr (Zpos (xI (xI xH)))))))))))
(val_inj
(or
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru
(Int.and x
(Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH)))))) v´36
(val_inj
(and (Vint32 x12)
(Vint32
(Int.not
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH))))))))))))
(Vint32 x11)))))
(Astar (Agvarmapsto OSRdyGrp Tint8 (Vint32 (Int.or i7 x8)))
(Astar
(Agvarmapsto OSTCBCur (Tptr OS_TCB)
(Vptr (@pair block Int.int v´52 Int.zero)))
(Astar
(Astruct (@pair block Int.int v´52 Int.zero) OS_TCB
(@cons val x7
(@cons val v´24
(@cons val x15
(@cons val m
(@cons val
(Vint32 i6)
(@cons val
(Vint32 x14)
(@cons val
(Vint32
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8)))
(@cons val
(Vint32
(Int.and
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8))
(Int.repr
(Zpos (xI (xI xH))))))
(@cons val
(Vint32
(Int.shru
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))
(@cons val
(Vint32 x11)
(@cons val
(Vint32 x8)
(@nil val)))))))))))))
(Astar
(Alvarmapsto os_code_defs.x Tint8
(Vint32
(Int.add
(Int.shl x2 (Int.repr (Zpos (xI xH))))
x5)))
(Astar (Alvarmapsto legal Tint8 (Vint32 x2))
(Astar (Aptrmapsto v´51 Tint8 v´32)
(Astar
(dllseg x7
(Vptr
(@pair block Int.int v´52
Int.zero)) v´40 Vnull v´35
OS_TCB
(fun vl : vallist =>
nth_val (S O) vl)
(fun vl : vallist => nth_val O vl))
(Astar
(Agvarmapsto OSTCBList
(Tptr OS_TCB) v´31)
(Astar
(dllseg v´31 Vnull v´24
(Vptr
(@pair block Int.int v´52
Int.zero)) v´33 OS_TCB
(fun vl : vallist =>
nth_val (S O) vl)
(fun vl : vallist =>
nth_val O vl))
(Astar
(Alvarmapsto prio Tint8
(Vint32
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8))))
(Astar
(Alvarmapsto pip Tint8
(Vint32
(Int.shru x
(Int.repr
(Zpos (xO (xO (xO xH))))))))
(Astar
(Astruct
(@pair block Int.int v´29
Int.zero) OS_EVENT
(@cons val
(Vint32
(Int.repr
OS_EVENT_TYPE_MUTEX))
(@cons val
(Vint32 i)
(@cons val
(Vint32 x)
(@cons val
(Vptr
(@pair block Int.int v´52
(Int.repr Z0)))
(@cons val x3
(@cons val v´46 (@nil val))))))))
(Astar
(Aarray v´23
(Tarray Tint8
(nat_of_Z OS_EVENT_TBL_SIZE))
v´44)
(Astar
(Aie false)
(Astar
(Ais (@nil hid))
(Astar
(Acs
(@cons bool true
(@nil bool)))
(Astar
(Aisr empisr)
(Astar
(Agvarmapsto OSEventList
(Tptr OS_EVENT) v´42)
(Astar
(evsllseg v´42
(Vptr
(@pair block Int.int v´29
Int.zero)) v´25 v´27)
(Astar
(evsllseg v´46 Vnull v´26
v´28)
(Astar A_isr_is_prop
(Astar
(Agvarenv´ OSPlaceHolder
Tint8 v´51)
(Astar
(Aabsdata absecblsid
(absecblist v´38))
(Astar
(Aabsdata abstcblsid
(abstcblist v´39))
(Astar
(Aabsdata curtid
(oscurt
(@pair block Int.int v´52
Int.zero)))
(Astar
(AOSEventFreeList v´3)
(Astar
(AOSQFreeList v´4)
(Astar
(AOSQFreeBlk v´5)
(Astar
(GAarray OSMapTbl
(Tarray Tint8
(S
(S
(S (S (S (S (S (S O)))))))))
OSMapVallist)
(Astar
(GAarray OSUnMapTbl
(Tarray Tint8
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
OSUnMapVallist)
(Astar AOSIntNesting
(Astar
(AOSTCBFreeList v´21 v´22)
(Astar
(AOSTime (Vint32 v´18))
(Astar
(Aabsdata ostmid
(ostm v´18))
(Astar AGVars
(Astar atoy_inv´
(Astar
(Alvarmapsto pevent
(Tptr OS_EVENT)
(Vptr
(@pair block Int.int v´29
Int.zero)))
(Apure
(Logic.or
(@eq val
(val_inj
(val_eq
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
v´36
(val_inj
(and
(Vint32 x12)
(Vint32
(Int.not
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH))))))))))))
(Vint32 (Int.repr Z0))))
(Vint32 Int.zero))
(@eq val
(val_inj
(val_eq
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
v´36
(val_inj
(and
(Vint32 x12)
(Vint32
(Int.not
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH))))))))))))
(Vint32 (Int.repr Z0))))
Vnull)))))))))))))))))))))))))))))))))))))))))))))}}
.
Definition gen_tmp:= forall
(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : Int.int
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : @eq nat (@length EventCtr v´25) (@length EventData v´27)
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Tint8 v´44
)(
H19 : @eq nat (@length val v´44) (nat_of_Z OS_EVENT_TBL_SIZE)
)(
x3 : val
)(
i : Int.int
)(
H21 : Z.le (Int.unsigned i) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (@pair block Int.int v´29 Int.zero)) v´25 v´27
v´47 v´39
)(
H14 : @eq (option (prod block Int.int))
(id_addrval´ (Vptr (@pair block Int.int v´29 Int.zero)) OSEventTbl
OS_EVENT) (@Some addrval v´23)
)(
H20 : Z.le (Int.unsigned (Int.repr OS_EVENT_TYPE_MUTEX))
(Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
x : Int.int
)(
H10 : Z.le (Int.unsigned x)
(Zpos
(xI
(xI
(xI
(xI
(xI
(xI
(xI (xI (xI (xI (xI (xI (xI (xI (xI xH))))))))))))))))
)(
H15 : Z.lt (Int.unsigned (Int.shru x (Int.repr (Zpos (xO (xO (xO xH)))))))
(Zpos (xO (xO (xO (xO (xO (xO xH)))))))
)(
H22 : Z.le (Int.unsigned x)
(Zpos
(xI
(xI
(xI
(xI
(xI
(xI
(xI (xI (xI (xI (xI (xI (xI (xI (xI xH))))))))))))))))
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : not (@eq val v´31 Vnull)
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : not (@eq val (Vptr (@pair block Int.int v´52 Int.zero)) Vnull)
)(
i6 : Int.int
)(
H39 : Z.le (Int.unsigned i6)
(Zpos
(xI
(xI
(xI
(xI
(xI
(xI
(xI (xI (xI (xI (xI (xI (xI (xI (xI xH))))))))))))))))
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (@pair block Int.int v´52 Int.zero)
)(
H8 : RH_CurTCB (@pair block Int.int v´52 Int.zero) v´39
)(
H23 : isptr (Vptr (@pair block Int.int v´52 (Int.repr Z0)))
)(
H5 : R_ECB_ETbl_P (@pair block Int.int v´29 Int.zero)
(@pair (list val) vallist
(@cons val (Vint32 (Int.repr OS_EVENT_TYPE_MUTEX))
(@cons val (Vint32 i)
(@cons val (Vint32 x)
(@cons val
(Vptr (@pair block Int.int v´52 (Int.repr Z0)))
(@cons val x3 (@cons val v´46 (@nil val))))))) v´44)
v´39
)(
H1 : ECBList_P v´42 Vnull
(@app EventCtr v´25
(@app (prod (list val) vallist)
(@cons (prod (list val) vallist)
(@pair (list val) vallist
(@cons val (Vint32 (Int.repr OS_EVENT_TYPE_MUTEX))
(@cons val (Vint32 i)
(@cons val (Vint32 x)
(@cons val
(Vptr
(@pair block Int.int v´52 (Int.repr Z0)))
(@cons val x3 (@cons val v´46 (@nil val)))))))
v´44) (@nil (prod (list val) vallist))) v´26))
(@app EventData v´27
(@app EventData
(@cons EventData
(DMutex (Vint32 x)
(Vptr (@pair block Int.int v´52 (Int.repr Z0))))
(@nil EventData)) v´28)) v´38 v´39
)(
H29 : Logic.or
(@eq Int.int (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr OS_MUTEX_AVAILABLE))
(not
(@eq Int.int (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr OS_MUTEX_AVAILABLE)))
)(
H35 : not
(@eq Int.int (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr OS_MUTEX_AVAILABLE))
)(
H47 : @eq bool
(Int.ltu (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))) true
)(
H48 : Z.lt (Int.unsigned (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8)))
(Zpos (xO (xO (xO (xO (xO (xO xH)))))))
)(
H6 : EcbMod.joinsig (@pair block Int.int v´29 Int.zero)
(@pair edata waitset
(absmutexsem (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))) w) v´48
v´49
)(
H4 : @eq (option (prod (prod block Int.int) Int.int))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
(@None (prod (prod block Int.int) Int.int)) ->
@eq waitset w (@nil tid)
)(
H9 : forall (tid : tid) (opr : Int.int),
@eq (option (prod (prod block Int.int) Int.int))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
(@Some (prod language.tid Int.int)
(@pair language.tid Int.int tid opr)) ->
Logic.and
(@eq bool
(Int.ltu (Int.shru x (Int.repr (Zpos (xO (xO (xO xH)))))) opr)
true)
(Z.lt (Int.unsigned opr) (Zpos (xO (xO (xO (xO (xO (xO xH))))))))
)(
H13 : not (@eq waitset w (@nil tid)) ->
not
(@eq (option (prod (prod block Int.int) Int.int))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
(@None (prod (prod block Int.int) Int.int)))
)(
H25 : @eq Int.int (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr OS_MUTEX_AVAILABLE) ->
Logic.and
(@eq (option (prod (prod block Int.int) Int.int))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
(@None (prod (prod block Int.int) Int.int)))
(@eq val (Vptr (@pair block Int.int v´52 (Int.repr Z0))) Vnull)
)(
H26 : not
(@eq Int.int (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr OS_MUTEX_AVAILABLE)) ->
@ex addrval
(fun tid : addrval =>
Logic.and
(@eq val (Vptr (@pair block Int.int v´52 (Int.repr Z0)))
(Vptr tid))
(@eq (option (prod (prod block Int.int) Int.int))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
(@Some (prod addrval Int.int)
(@pair addrval Int.int tid
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))))
)(
backup : RLH_ECBData_P
(DMutex (Vint32 x)
(Vptr (@pair block Int.int v´52 (Int.repr Z0))))
(@pair edata waitset
(absmutexsem (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))) w)
)(
v´32 : val
)(
H46 : array_type_vallist_match (Tptr OS_TCB) v´30
)(
H51 : @eq nat (@length val v´30)
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : @eq (option val)
(nth_val
(Z.to_nat
(Int.unsigned (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
v´30) (@Some val x1)
)(
x0 : val
)(
H53 : @eq (option val)
(nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x (Int.repr (Zpos (xO (xO (xO xH)))))))) v´30)
(@Some val x0)
)(
H54 : array_type_vallist_match Tint8 v´36
)(
H58 : @eq nat (@length val v´36) (nat_of_Z OS_RDY_TBL_SIZE)
)(
i7 : Int.int
)(
H55 : Z.le (Int.unsigned i7) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H57 : prio_in_tbl (Int.repr OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : Int.int
)(
fffa : @eq nat (@length val OSUnMapVallist)
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) ->
lt (Z.to_nat (Int.unsigned i))
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) ->
@ex Int.int
(fun x4 : Int.int =>
Logic.and (@eq val (Vint32 x2) (Vint32 x4))
(@eq bool true (rule_type_val_match Tint8 (Vint32 x4))))
)(
H59 : @eq nat (@length val OSUnMapVallist)
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
)(
H60 : lt (Z.to_nat (Int.unsigned i))
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
)(
H61 : @eq val (nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist)
(Vint32 x2)
)(
H62 : @eq bool true (rule_type_val_match Tint8 (Vint32 x2))
)(
fffbb : Z.lt (Int.unsigned x2) (Zpos (xO (xO (xO xH))))
)(
fffbb2 : lt (Z.to_nat (Int.unsigned x2)) (@length val v´44)
)(
H19´´ : @eq nat (@length val v´44) (Z.to_nat (Zpos (xO (xO (xO xH)))))
)(
x4 : Int.int
)(
H63 : @eq val (nth_val´ (Z.to_nat (Int.unsigned x2)) v´44) (Vint32 x4)
)(
H64 : Z.le (Int.unsigned x4) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H65 : lt (Z.to_nat (Int.unsigned x4)) (@length val OSUnMapVallist)
)(
x5 : Int.int
)(
H66 : @eq val (nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist)
(Vint32 x5)
)(
H67 : Z.le (Int.unsigned x5) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
ttfasd : Z.lt (Int.unsigned x5) (Zpos (xO (xO (xO xH))))
)(
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x6 : Int.int
)(
x14 : Int.int
)(
H77 : Z.le Z0 (Int.unsigned x6)
)(
H85 : Z.lt (Int.unsigned x6) (Zpos (xO (xO (xO (xO (xO (xO xH)))))))
)(
H82 : Logic.or (@eq Int.int x14 (Int.repr OS_STAT_RDY))
(Logic.or (@eq Int.int x14 (Int.repr OS_STAT_SEM))
(Logic.or (@eq Int.int x14 (Int.repr OS_STAT_Q))
(Logic.or (@eq Int.int x14 (Int.repr OS_STAT_MBOX))
(@eq Int.int x14 (Int.repr OS_STAT_MUTEX)))))
)(
x15 : val
)(
H84 : @eq Int.int x14 (Int.repr OS_STAT_RDY) -> @eq val x15 Vnull
)(
H43 : Z.le (Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH)))))
(Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H45 : Z.le
(Int.unsigned
(Int.shl (Int.repr (Zpos xH))
(Int.shru x6 (Int.repr (Zpos (xI xH))))))
(Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H44 : Z.le
(Int.unsigned
(Int.shl (Int.repr (Zpos xH))
(Int.and x6 (Int.repr (Zpos (xI (xI xH)))))))
(Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H42 : Z.le (Int.unsigned (Int.and x6 (Int.repr (Zpos (xI (xI xH))))))
(Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H70 : TcbJoin (@pair block Int.int v´52 Int.zero)
(@pair (prod Int.int taskstatus) msg
(@pair Int.int taskstatus x6 t) m) x10 v´45
)(
H41 : Z.le (Int.unsigned x6) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H28 : @eq bool
(Int.ltu x6 (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))) false
)(
H37 : isptr x15
)(
H40 : Z.le (Int.unsigned x14) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H73 : R_TCB_Status_P
(@cons val x7
(@cons val v´24
(@cons val x15
(@cons msg m
(@cons val (Vint32 i6)
(@cons val (Vint32 x14)
(@cons val (Vint32 x6)
(@cons val
(Vint32
(Int.and x6
(Int.repr (Zpos (xI (xI xH))))))
(@cons val
(Vint32
(Int.shru x6
(Int.repr (Zpos (xI xH)))))
(@cons val
(Vint32
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH)))))))
(@cons val
(Vint32
(Int.shl
(Int.repr (Zpos xH))
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(@nil val)))))))))))) v´36
(@pair (prod Int.int taskstatus) msg
(@pair Int.int taskstatus x6 t) m)
)(
backup2 : TCBList_P (Vptr (@pair block Int.int v´52 Int.zero))
(@cons (list val)
(@cons val x7
(@cons val v´24
(@cons val x15
(@cons msg m
(@cons val (Vint32 i6)
(@cons val (Vint32 x14)
(@cons val (Vint32 x6)
(@cons val
(Vint32
(Int.and x6
(Int.repr (Zpos (xI (xI xH))))))
(@cons val
(Vint32
(Int.shru x6
(Int.repr (Zpos (xI xH)))))
(@cons val
(Vint32
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH)))))))
(@cons val
(Vint32
(Int.shl
(Int.repr (Zpos xH))
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(@nil val)))))))))))) v´35)
v´36 v´45
)(
r1 : Z.lt
(Int.unsigned
(Int.shru (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI xH))))) (Zpos (xO (xO (xO xH))))
)(
r2 : Z.lt
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH)))))) (Zpos (xO (xO (xO xH))))
)(
r3 : Z.lt
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))) (Zpos (xO (xO (xO xH))))
)(
r4 : Z.lt
(Int.unsigned
(Int.and (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI (xI xH)))))) (Zpos (xO (xO (xO xH))))
)(
H34 : array_type_vallist_match Tint8 OSMapVallist
)(
H69 : @eq nat (@length val OSMapVallist) (S (S (S (S (S (S (S (S O))))))))
)(
H71 : lt
(Z.to_nat
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))))
(S (S (S (S (S (S (S (S O))))))))
)(
x8 : Int.int
)(
H74 : @eq val
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))) OSMapVallist)
(Vint32 x8)
)(
H75 : @eq bool true (rule_type_val_match Tint8 (Vint32 x8))
)(
H76 : lt
(Z.to_nat
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH)))))))
(S (S (S (S (S (S (S (S O))))))))
)(
x9 : Int.int
)(
H78 : @eq val
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH))))))) OSMapVallist)
(Vint32 x9)
)(
H79 : @eq bool true (rule_type_val_match Tint8 (Vint32 x9))
)(
H80 : lt
(Z.to_nat
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH)))))))
(S (S (S (S (S (S (S (S O))))))))
)(
x11 : Int.int
)(
H81 : @eq val
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH))))))) OSMapVallist)
(Vint32 x11)
)(
H83 : @eq bool true (rule_type_val_match Tint8 (Vint32 x11))
)(
r5 : Z.lt (Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH)))))
(Zpos (xO (xO (xO xH))))
)(
r6 : Z.lt (Int.unsigned (Int.and x6 (Int.repr (Zpos (xI (xI xH))))))
(Zpos (xO (xO (xO xH))))
)(
rr1 : lt
(Z.to_nat
(Int.unsigned
(Int.shru (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI xH)))))) (@length val v´36)
)(
rr2 : lt
(Z.to_nat
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH)))))))
(@length val v´36)
)(
rr3 : lt
(Z.to_nat
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))) (@length val v´36)
)(
rr4 : lt
(Z.to_nat
(Int.unsigned
(Int.and (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI (xI xH)))))))
(@length val v´36)
)(
rr5 : lt (Z.to_nat (Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH))))))
(@length val v´36)
)(
rr6 : lt
(Z.to_nat
(Int.unsigned (Int.and x6 (Int.repr (Zpos (xI (xI xH)))))))
(@length val v´36)
)(
rrr1 : Z.lt
(Int.unsigned
(Int.shru (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI xH))))) (Z.of_nat (@length val v´36))
)(
rrr2 : Z.lt
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH))))))
(Z.of_nat (@length val v´36))
)(
rrr3 : Z.lt
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))) (Z.of_nat (@length val v´36))
)(
rrr4 : Z.lt
(Int.unsigned
(Int.and (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI (xI xH))))))
(Z.of_nat (@length val v´36))
)(
rrr5 : Z.lt (Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH)))))
(Z.of_nat (@length val v´36))
)(
rrr6 : Z.lt (Int.unsigned (Int.and x6 (Int.repr (Zpos (xI (xI xH))))))
(Z.of_nat (@length val v´36))
)(
HH58 : @eq nat (@length val v´36) (Z.to_nat (Zpos (xO (xO (xO xH)))))
)(
aa : @eq bool
(rule_type_val_match Tint8
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru
(Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI xH)))))) v´36)) true
)(
aa2 : @eq bool
(rule_type_val_match Tint8
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))) v´36)) true
)(
aa3 : @eq bool
(rule_type_val_match Tint8
(nth_val´
(Z.to_nat
(Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH))))))
v´36)) true
)(
x16 : Int.int
)(
H88 : @eq val
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI xH)))))) v´36)
(Vint32 x16)
)(
H91 : Z.le (Int.unsigned x16) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
x13 : Int.int
)(
H87 : @eq val
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))) v´36)
(Vint32 x13)
)(
H90 : Z.le (Int.unsigned x13) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
x12 : Int.int
)(
H86 : @eq val
(nth_val´
(Z.to_nat (Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH))))))
v´36) (Vint32 x12)
)(
H89 : Z.le (Int.unsigned x12) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H92 : @eq val x1 (Vptr v´51)
),
InfRules OSQ_spec GetHPrio I
(fun v : option val =>
Astar
(Astar
(Astar
(Astar
(@Aexists val
(fun v0 : val => Alvarmapsto pevent (Tptr OS_EVENT) v0))
(Astar
(@Aexists val
(fun v0 : val => Alvarmapsto os_code_defs.x Tint8 v0))
(Astar
(@Aexists val
(fun v0 : val => Alvarmapsto pip Tint8 v0))
(Astar
(@Aexists val
(fun v0 : val => Alvarmapsto prio Tint8 v0))
(Astar
(@Aexists val
(fun v0 : val => Alvarmapsto legal Tint8 v0))
Aemp)))))
(Astar (Aie true)
(Astar (Ais (@nil hid))
(Astar (Acs (@nil ie)) (Aisr empisr)))))
(A_dom_lenv
(@cons (prod ident type)
(@pair ident type pevent (Tptr OS_EVENT))
(@cons (prod ident type)
(@pair ident type os_code_defs.x Tint8)
(@cons (prod ident type) (@pair ident type pip Tint8)
(@cons (prod ident type) (@pair ident type prio Tint8)
(@cons (prod ident type)
(@pair ident type legal Tint8)
(@nil (prod ident type)))))))))
(Aop´ (spec_done v))) Afalse
(Astar
(Aop´
(mutexpost
(@cons val (Vptr (@pair block Int.int v´29 Int.zero))
(@nil val))))
(Astar
(A_dom_lenv
(@cons (prod ident type)
(@pair ident type pevent (Tptr OS_EVENT))
(@cons (prod ident type)
(@pair ident type os_code_defs.x Tint8)
(@cons (prod ident type) (@pair ident type pip Tint8)
(@cons (prod ident type) (@pair ident type prio Tint8)
(@cons (prod ident type)
(@pair ident type legal Tint8)
(@nil (prod ident type))))))))
(Astar
(GAarray OSRdyTbl (Tarray Tint8 (nat_of_Z OS_RDY_TBL_SIZE))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6 (Int.repr (Zpos (xI xH)))))) v´36
(val_inj
(and (Vint32 x12)
(Vint32
(Int.not
(Int.shl (Int.repr (Zpos xH))
(Int.and x6
(Int.repr (Zpos (xI (xI xH)))))))))))
(val_inj
(or
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru
(Int.and x
(Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6 (Int.repr (Zpos (xI xH))))))
v´36
(val_inj
(and (Vint32 x12)
(Vint32
(Int.not
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH))))))))))))
(Vint32 x11)))))
(Astar (Agvarmapsto OSRdyGrp Tint8 (Vint32 (Int.or i7 x8)))
(Astar
(Agvarmapsto OSTCBCur (Tptr OS_TCB)
(Vptr (@pair block Int.int v´52 Int.zero)))
(Astar
(Astruct (@pair block Int.int v´52 Int.zero) OS_TCB
(@cons val x7
(@cons val v´24
(@cons val x15
(@cons val m
(@cons val (Vint32 i6)
(@cons val
(Vint32 x14)
(@cons val
(Vint32
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8)))
(@cons val
(Vint32
(Int.and
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8))
(Int.repr
(Zpos (xI (xI xH))))))
(@cons val
(Vint32
(Int.shru
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))
(@cons val
(Vint32 x11)
(@cons val
(Vint32 x8)
(@nil val)))))))))))))
(Astar
(Alvarmapsto os_code_defs.x Tint8
(Vint32
(Int.add
(Int.shl x2 (Int.repr (Zpos (xI xH)))) x5)))
(Astar (Alvarmapsto legal Tint8 (Vint32 x2))
(Astar (Aptrmapsto v´51 Tint8 v´32)
(Astar
(dllseg x7
(Vptr
(@pair block Int.int v´52 Int.zero))
v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val (S O) vl)
(fun vl : vallist => nth_val O vl))
(Astar
(Agvarmapsto OSTCBList
(Tptr OS_TCB) v´31)
(Astar
(dllseg v´31 Vnull v´24
(Vptr
(@pair block Int.int v´52
Int.zero)) v´33 OS_TCB
(fun vl : vallist =>
nth_val (S O) vl)
(fun vl : vallist => nth_val O vl))
(Astar
(Alvarmapsto prio Tint8
(Vint32
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8))))
(Astar
(Alvarmapsto pip Tint8
(Vint32
(Int.shru x
(Int.repr
(Zpos (xO (xO (xO xH))))))))
(Astar
(Astruct
(@pair block Int.int v´29
Int.zero) OS_EVENT
(@cons val
(Vint32
(Int.repr
OS_EVENT_TYPE_MUTEX))
(@cons val
(Vint32 i)
(@cons val
(Vint32 x)
(@cons val
(Vptr
(@pair block Int.int v´52
(Int.repr Z0)))
(@cons val x3
(@cons val v´46 (@nil val))))))))
(Astar
(Aarray v´23
(Tarray Tint8
(nat_of_Z OS_EVENT_TBL_SIZE))
v´44)
(Astar
(Aie false)
(Astar
(Ais (@nil hid))
(Astar
(Acs
(@cons bool true
(@nil bool)))
(Astar
(Aisr empisr)
(Astar
(Agvarmapsto OSEventList
(Tptr OS_EVENT) v´42)
(Astar
(evsllseg v´42
(Vptr
(@pair block Int.int v´29
Int.zero)) v´25 v´27)
(Astar
(evsllseg v´46 Vnull v´26
v´28)
(Astar A_isr_is_prop
(Astar
(GAarray OSTCBPrioTbl
(Tarray
(Tptr OS_TCB)
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
v´30)
(Astar
(Agvarenv´ OSPlaceHolder
Tint8 v´51)
(Astar
(Aabsdata absecblsid
(absecblist v´38))
(Astar
(Aabsdata abstcblsid
(abstcblist v´39))
(Astar
(Aabsdata curtid
(oscurt
(@pair block Int.int v´52
Int.zero)))
(Astar
(AOSEventFreeList v´3)
(Astar
(AOSQFreeList v´4)
(Astar
(AOSQFreeBlk v´5)
(Astar
(GAarray OSMapTbl
(Tarray Tint8
(S
(S
(S (S (S (S (S (S O)))))))))
OSMapVallist)
(Astar
(GAarray OSUnMapTbl
(Tarray Tint8
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
OSUnMapVallist)
(Astar AOSIntNesting
(Astar
(AOSTCBFreeList v´21 v´22)
(Astar
(AOSTime (Vint32 v´18))
(Astar
(Aabsdata ostmid
(ostm v´18))
(Astar AGVars
(Astar atoy_inv´
(Astar
(Alvarmapsto pevent
(Tptr OS_EVENT)
(Vptr
(@pair block Int.int v´29
Int.zero)))
(Apure
(Logic.or
(@eq val
(val_inj
(val_eq
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
v´36
(val_inj
(and
(Vint32 x12)
(Vint32
(Int.not
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH))))))))))))
(Vint32 (Int.repr Z0))))
(Vint32 Int.zero))
(@eq val
(val_inj
(val_eq
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
v´36
(val_inj
(and
(Vint32 x12)
(Vint32
(Int.not
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH))))))))))))
(Vint32 (Int.repr Z0))))
Vnull))))))))))))))))))))))))))))))))))))))))))))
(sseq
(sassign (earrayelem (evar OSTCBPrioTbl) (evar prio))
(ecast (evar OSTCBCur) (Tptr OS_TCB)))
(sassign (earrayelem (evar OSTCBPrioTbl) (evar pip))
(ecast os_mutex.PlaceHolder (Tptr OS_TCB)))) (
(Astar
(Aop´
(mutexpost
(@cons val (Vptr (@pair block Int.int v´29 Int.zero))
(@nil val))))
(Astar
(A_dom_lenv
(@cons (prod ident type)
(@pair ident type pevent (Tptr OS_EVENT))
(@cons (prod ident type)
(@pair ident type os_code_defs.x Tint8)
(@cons (prod ident type) (@pair ident type pip Tint8)
(@cons (prod ident type) (@pair ident type prio Tint8)
(@cons (prod ident type)
(@pair ident type legal Tint8)
(@nil (prod ident type))))))))
(Astar
(GAarray OSTCBPrioTbl
(Tarray (Tptr OS_TCB)
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
v´30 (Vptr (@pair block Int.int v´52 Int.zero)))
(Vptr v´51)))
(Astar
(GAarray OSRdyTbl (Tarray Tint8 (nat_of_Z OS_RDY_TBL_SIZE))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6 (Int.repr (Zpos (xI xH))))))
v´36
(val_inj
(and (Vint32 x12)
(Vint32
(Int.not
(Int.shl (Int.repr (Zpos xH))
(Int.and x6
(Int.repr (Zpos (xI (xI xH)))))))))))
(val_inj
(or
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru
(Int.and x
(Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH)))))) v´36
(val_inj
(and (Vint32 x12)
(Vint32
(Int.not
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH))))))))))))
(Vint32 x11)))))
(Astar (Agvarmapsto OSRdyGrp Tint8 (Vint32 (Int.or i7 x8)))
(Astar
(Agvarmapsto OSTCBCur (Tptr OS_TCB)
(Vptr (@pair block Int.int v´52 Int.zero)))
(Astar
(Astruct (@pair block Int.int v´52 Int.zero) OS_TCB
(@cons val x7
(@cons val v´24
(@cons val x15
(@cons val m
(@cons val
(Vint32 i6)
(@cons val
(Vint32 x14)
(@cons val
(Vint32
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8)))
(@cons val
(Vint32
(Int.and
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8))
(Int.repr
(Zpos (xI (xI xH))))))
(@cons val
(Vint32
(Int.shru
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))
(@cons val
(Vint32 x11)
(@cons val
(Vint32 x8)
(@nil val)))))))))))))
(Astar
(Alvarmapsto os_code_defs.x Tint8
(Vint32
(Int.add
(Int.shl x2 (Int.repr (Zpos (xI xH))))
x5)))
(Astar (Alvarmapsto legal Tint8 (Vint32 x2))
(Astar (Aptrmapsto v´51 Tint8 v´32)
(Astar
(dllseg x7
(Vptr
(@pair block Int.int v´52
Int.zero)) v´40 Vnull v´35
OS_TCB
(fun vl : vallist =>
nth_val (S O) vl)
(fun vl : vallist => nth_val O vl))
(Astar
(Agvarmapsto OSTCBList
(Tptr OS_TCB) v´31)
(Astar
(dllseg v´31 Vnull v´24
(Vptr
(@pair block Int.int v´52
Int.zero)) v´33 OS_TCB
(fun vl : vallist =>
nth_val (S O) vl)
(fun vl : vallist =>
nth_val O vl))
(Astar
(Alvarmapsto prio Tint8
(Vint32
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8))))
(Astar
(Alvarmapsto pip Tint8
(Vint32
(Int.shru x
(Int.repr
(Zpos (xO (xO (xO xH))))))))
(Astar
(Astruct
(@pair block Int.int v´29
Int.zero) OS_EVENT
(@cons val
(Vint32
(Int.repr
OS_EVENT_TYPE_MUTEX))
(@cons val
(Vint32 i)
(@cons val
(Vint32 x)
(@cons val
(Vptr
(@pair block Int.int v´52
(Int.repr Z0)))
(@cons val x3
(@cons val v´46 (@nil val))))))))
(Astar
(Aarray v´23
(Tarray Tint8
(nat_of_Z OS_EVENT_TBL_SIZE))
v´44)
(Astar
(Aie false)
(Astar
(Ais (@nil hid))
(Astar
(Acs
(@cons bool true
(@nil bool)))
(Astar
(Aisr empisr)
(Astar
(Agvarmapsto OSEventList
(Tptr OS_EVENT) v´42)
(Astar
(evsllseg v´42
(Vptr
(@pair block Int.int v´29
Int.zero)) v´25 v´27)
(Astar
(evsllseg v´46 Vnull v´26
v´28)
(Astar A_isr_is_prop
(Astar
(Agvarenv´ OSPlaceHolder
Tint8 v´51)
(Astar
(Aabsdata absecblsid
(absecblist v´38))
(Astar
(Aabsdata abstcblsid
(abstcblist v´39))
(Astar
(Aabsdata curtid
(oscurt
(@pair block Int.int v´52
Int.zero)))
(Astar
(AOSEventFreeList v´3)
(Astar
(AOSQFreeList v´4)
(Astar
(AOSQFreeBlk v´5)
(Astar
(GAarray OSMapTbl
(Tarray Tint8
(S
(S
(S (S (S (S (S (S O)))))))))
OSMapVallist)
(Astar
(GAarray OSUnMapTbl
(Tarray Tint8
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
OSUnMapVallist)
(Astar AOSIntNesting
(Astar
(AOSTCBFreeList v´21 v´22)
(Astar
(AOSTime (Vint32 v´18))
(Astar
(Aabsdata ostmid
(ostm v´18))
(Astar AGVars
(Astar atoy_inv´
(Astar
(Alvarmapsto pevent
(Tptr OS_EVENT)
(Vptr
(@pair block Int.int v´29
Int.zero)))
(Apure
(Logic.or
(@eq val
(val_inj
(val_eq
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
v´36
(val_inj
(and
(Vint32 x12)
(Vint32
(Int.not
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH))))))))))))
(Vint32 (Int.repr Z0))))
(Vint32 Int.zero))
(@eq val
(val_inj
(val_eq
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
v´36
(val_inj
(and
(Vint32 x12)
(Vint32
(Int.not
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH))))))))))))
(Vint32 (Int.repr Z0))))
Vnull)))))))))))))))))))))))))))))))))))))))))))))
.
(* gen_tmp2 : one proof obligation of the mutex-post verification, stated as
   a Hoare triple in this library's {| spec , retpost , inv , ... |}|-
   {{ pre }} code {{ post }} form.  The binder list is the proof context that
   was live when the goal was generated (machine names v´N / Hn, and a few
   duplicates such as H10 / H22 and H16 / H24 that come from the generator,
   not from the argument).  The code under verification is the five
   statements between the pre- and post-condition near the end.
   Shorthand used in the notes below:  pip = x >> 8  and
   prio = x & OS_MUTEX_KEEP_LOWER_8, i.e. exactly the values held by the
   locals pip and prio in the pre-condition. *)
Definition gen_tmp2:= forall
(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
(* v´44 is the event's wait table (8 bytes, H19´´), i its group byte. *)
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
(* x is the third field of the OS_EVENT struct at v´29 (see H5 and the
   pre-condition).  It is read back from the event block in memory, so the
   bounds matter: H15 bounds pip = x >> 8 and H48 bounds
   prio = x & OS_MUTEX_KEEP_LOWER_8 below 64, and those two values are the
   indices of the two OSTCBPrioTbl writes in the post-condition (the table
   has exactly 64 entries, H51). *)
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
(* v´52 is the block of the current TCB (OSTCBCur, HCurTCB). *)
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
(* Case split already taken: H35 selects the branch where the mutex is not
   OS_MUTEX_AVAILABLE, so by H26 the event's fourth field is the pointer to
   the current task (v´52) and the abstract mutex (H6) records
   Some (v´52, $ 0, prio).  H47: pip is strictly below prio. *)
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
(* v´30 is the contents of OSTCBPrioTbl: 64 entries of type OS_TCB*.
   H49 / H50 are the table invariants against the ready table and the TCB
   map (definitions not shown here); v´51 is the OSPlaceHolder address.
   H52 + H92: the slot at index prio currently holds the placeholder
   pointer; H53 names the slot at index pip.  The last two statements of
   the code below overwrite exactly these two slots. *)
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
(* v´36 is the contents of OSRdyTbl (8 bytes, HH58), i7 is OSRdyGrp. *)
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
(* x2 / x4 / x5 : the OSUnMapTbl(i) -> v´44(x2) -> OSUnMapTbl(x4) lookup
   chain; (x2 << 3) + x5 is the value the local os_code_defs.x holds in
   the pre-condition.  fffbb / ttfasd keep both pieces below 8. *)
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
(* H68 is the already-evaluated guard of the enclosing conditional,
   !(i == 0) && ((x2 << 3) + x5 <= pip mod Byte.modulus), in val_inj form:
   this obligation is for the branch where it evaluated to zero (or to
   Vnull, which the disjunction also admits). *)
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
(* x6 is the priority the current TCB had before this fragment (H70 / H73
   still describe the TCB with prio x6); H28 says x6 >= pip.  x14 / x15 are
   its status byte and event pointer. *)
x6 : int32
)(
x14 : int32
)(
H77 : 0 <= Int.unsigned x6
)(
H85 : Int.unsigned x6 < 64
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H43 : Int.unsigned (x6>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<(x6>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<(x6&$ 7)) <= 255
)(
H42 : Int.unsigned (x6&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x6, t, m) x10 v´45
)(
H41 : Int.unsigned x6 <= 255
)(
H28 : Int.ltu x6 (x>>ᵢ$ 8) = false
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
v´36 (x6, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: v´35) v´36 v´45
)(
(* r1..r6 / rr1..rr6 / rrr1..rrr6 : the same six in-range facts for every
   OSRdyTbl row and bit index derived from pip, prio and x6, stated three
   ways (as int bounds, as nat bounds against length v´36, as Z bounds). *)
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
(* x8 = OSMapTbl[prio >> 3] and x11 = OSMapTbl[prio & 7] (H74, H81).  In
   the post-condition x8 is ORed into OSRdyGrp and x11 into the ready
   table row and stored as OSTCBBitX; x9 (H78) is the same lookup as x11
   under another name and is not used by the triple. *)
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
r5 : Int.unsigned (x6>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned (x6&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned (x6&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned (x6>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned (x6&$ 7) < Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
(* x16 / x13 / x12 : the ready-table rows for pip, prio and x6 before any
   update; only x12 (row of the old priority x6) appears in the triple. *)
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36) = true
)(
x16 : int32
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36 = Vint32 x12
)(
H89 : Int.unsigned x12 <= 255
)(
H92 : x1 = Vptr v´51
),
(* The triple.  Spec table OSQ_spec, scheduler GetHPrio, invariant I; the
   return post-condition (fun v => ...) only matters for a return inside the
   code, which the five statements below do not contain (Afalse for the
   abnormal exit).
   Pre-condition: the TCB at v´52 already carries the new priority fields
   (prio, prio & 7, prio >> 3) but its OSTCBBitX field is still the old
   1 << (x6 & 7); OSRdyTbl is v´36 with the old-priority bit
   (x6 & 7 in row x6 >> 3) cleared; OSRdyGrp is still i7; OSTCBPrioTbl is
   the untouched v´30.  The pure conjunct [| ... |] at the end is an
   evaluated test on that cleared row (zero or Vnull) and is carried over to
   the post-condition unchanged. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{ <|| mutexpost (Vptr (v´29, Int.zero) :: nil) ||> **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
Astruct (v´52, Int.zero) OS_TCB
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7)) :: Vint32 x8 :: nil) **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE)
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj (and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))) **
LV os_code_defs.x @ Int8u |-> Vint32 ((x2<<$ 3)+ᵢx5) **
LV legal @ Int8u |-> Vint32 x2 **
PV v´51 @ Int8u |-> v´32 **
dllseg x7 (Vptr (v´52, Int.zero)) v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´31 **
dllseg v´31 Vnull v´24 (Vptr (v´52, Int.zero)) v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
LV prio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (v´29, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil) **
Aarray v´23 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´44 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
A_isr_is_prop **
GV OSRdyGrp @ Int8u |-> Vint32 i7 **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64) v´30 **
G&OSPlaceHolder @ Int8u == v´51 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
GAarray OSMapTbl (Tarray Int8u 8) OSMapVallist **
GAarray OSUnMapTbl (Tarray Int8u 256) OSUnMapVallist **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
[|val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) = Vint32 Int.zero \/
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) = Vnull|]}}
(* The code: (1) recompute OSTCBBitX from the new OSTCBX via OSMapTbl;
   (2) set the task's group bit in OSRdyGrp; (3) set its bit in the ready
   table row OSTCBY; (4) point the prio slot of OSTCBPrioTbl at the current
   TCB; (5) park the placeholder in the pip slot.  All array indices here
   come from the TCB fields and the locals prio / pip, i.e. ultimately
   from x, which is why the bounds H15 / H48 / rr2 / rr3 are in the
   context. *)
OSTCBCur ′ → OSTCBBitX =ₑ OSMapTbl ′ [OSTCBCur ′ → OSTCBX];ₛ
OSRdyGrp ′ =ₑ OSRdyGrp ′ |ₑ OSTCBCur ′ → OSTCBBitY;ₛ
OSRdyTbl ′ [OSTCBCur ′ → OSTCBY] =ₑ
OSRdyTbl ′ [OSTCBCur ′ → OSTCBY] |ₑ OSTCBCur ′ → OSTCBBitX;ₛ
OSTCBPrioTbl ′ [prio ′] =ₑ 〈OS_TCB ∗ 〉 OSTCBCur ′;ₛ
OSTCBPrioTbl ′ [pip ′] =ₑ 〈OS_TCB ∗ 〉 os_mutex.PlaceHolder
(* Post-condition: the same heap with the five effects applied.
   OSTCBPrioTbl = v´30 with slot prio := Vptr (v´52, 0) and then slot
   pip := Vptr v´51; OSRdyTbl = the pre-condition table with row
   prio >> 3 ORed with x11; OSRdyGrp = i7 | x8; the TCB's OSTCBBitX field
   is now x11.  Everything else, including the pure conjunct, is
   unchanged from the pre-condition. *)
{{ <|| mutexpost (Vptr (v´29, Int.zero) :: nil) ||> **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil) **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64)
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val
(Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30
(Vptr (v´52, Int.zero))) (Vptr v´51)) **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE)
(update_nth_val
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj (and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7)))))))
(val_inj
(or
(nth_val´
(Z.to_nat
(Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(Vint32 x11)))) **
GV OSRdyGrp @ Int8u |-> Vint32 (Int.or i7 x8) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
Astruct (v´52, Int.zero) OS_TCB
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)
:: Vint32 x11 :: Vint32 x8 :: nil) **
LV os_code_defs.x @ Int8u |-> Vint32 ((x2<<$ 3)+ᵢx5) **
LV legal @ Int8u |-> Vint32 x2 **
PV v´51 @ Int8u |-> v´32 **
dllseg x7 (Vptr (v´52, Int.zero)) v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´31 **
dllseg v´31 Vnull v´24 (Vptr (v´52, Int.zero)) v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
LV prio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (v´29, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil) **
Aarray v´23 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´44 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
A_isr_is_prop **
G&OSPlaceHolder @ Int8u == v´51 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
GAarray OSMapTbl (Tarray Int8u 8) OSMapVallist **
GAarray OSUnMapTbl (Tarray Int8u 256) OSUnMapVallist **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
[|val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) = Vint32 Int.zero \/
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) = Vnull|]}}.
Definition gen_post3:= forall
(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x0 : val
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x14 : int32
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
x16 : int32
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H89 : Int.unsigned x12 <= 255
)(
last_condition : ProtectWrapper (x14 = $ OS_STAT_RDY /\ i6 = $ 0)
)(
t1 : int32
)(
t3 : Int.unsigned t1 <= 255
)(
t11 : int32
)(
t13 : Int.unsigned t11 <= 255
)(
v´34 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some (Vptr v´51)
)(
H99 : i <> Int.zero
)(
H100 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H101 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H68 : Int.ltu (x>>ᵢ$ 8) ((x2<<$ 3)+ᵢx5) = true
)(
H77 : 0 <= Int.unsigned (x>>ᵢ$ 8)
)(
H85 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H43 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)&$ 7)) <= 255
)(
H42 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x>>ᵢ$ 8, t, m) x10 v´45
)(
H41 : Int.unsigned (x>>ᵢ$ 8) <= 255
)(
H28 : Int.ltu (x>>ᵢ$ 8) (x>>ᵢ$ 8) = false
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) v´36
(x>>ᵢ$ 8, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) :: v´35) v´36 v´45
)(
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
r5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x12
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
H94 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vnull
)(
H95 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vundef
)(
H96 : array_type_vallist_match Int8u
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
)(
H97 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t2 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t1
)(
H98 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t12 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t11
)(
v´37 : val
),
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{event_rdy_post3
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´37)
(logic_lv
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val
(Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30
(Vptr (v´52, Int.zero))) (Vptr v´51))
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32
((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)
:: Vint32 x11 :: Vint32 x8 :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv
(update_nth_val
(Z.to_nat
(Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val
(Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12)
(Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
(val_inj (or (Vint32 t1) (Vint32 x11))))
:: logic_val v´34
:: logic_abstcb
(TcbMod.set v´39 (v´52, Int.zero)
(x&$ OS_MUTEX_KEEP_LOWER_8, t, m))
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´37 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* gen_post5: verification condition for the final statements of OSMutexPost
   in the branch where the mutex is owned (H35: the low byte of OSEventCnt x
   is not OS_MUTEX_AVAILABLE) and at least one task is waiting on it
   (H99: the event-group byte i is non-zero; H18 ties i to the wait table
   v´44).  The binders are the proof context reached by symbolic execution;
   the conclusion is a Hoare triple, judged against OSQ_spec, GetHPrio and I
   (by name: the abstract API spec, the highest-priority-ready oracle and the
   global invariant), for the C tail
     OSEventCnt &= OS_MUTEX_KEEP_UPPER_8   (drop the owner byte, keep PIP)
     OSEventCnt |= prio                    (install the new owner priority)
     OSEventPtr  = OSTCBPrioTbl[prio]      (install the new owner TCB)
     EXIT_CRITICAL; OS_Sched(); return OS_NO_ERR.
   Points a reviewer of the kernel's mutex path should note:
   - Every table access performed so far is covered by an explicit bound:
     OSTCBPrioTbl (v´30) has 64 entries (H51) and both indices used on it
     are < 64 (H48 for the owner's original priority, H15/H85 for the PIP
     x>>8); the ready table v´36 has 8 rows (H58/HH58) and all row/bit
     indices into it are < 8 (r1..r6, rr*, rrr*); the OSUnMapVallist
     (H59/H60/H65) and OSMapVallist (H69/H71/H76/H80) lookups are bounded
     likewise.
   - The priority-inheritance priority pip = x>>8 is strictly smaller (i.e.
     higher priority) than the owner's original priority (H47, H9) and than
     the highest-priority waiter (x2<<3)+x5 obtained from the group/table
     bytes through OSUnMapVallist (H61/H63/H66, H68).
   - The current task (HCurTCB (v´52, Int.zero)) is the task recorded as
     owner in the ECB (Vptr (v´52, $ 0)).  The precondition already shows it
     moved back from pip to its original priority: its abstract TCB is
     TcbMod.set ... (x&OS_MUTEX_KEEP_LOWER_8, t, m), the pip bit is cleared
     and the original-priority bit set in the ready table, and the priority
     table has the current TCB back in its original slot with v´51 (H52: the
     value that slot held before) parked in the pip slot.
   - The C local `prio` holds v´37, which no binder constrains; whatever
     OS_EventTaskRdy produced is carried only through event_rdy_post5.
     Nothing in this statement by itself bounds the index used by
     OSTCBPrioTbl[prio]; that obligation presumably has to be discharged
     from event_rdy_post5 when this lemma is proved.
   - The raw context carries duplicated hypotheses (H10/H22, r1/r5, r4/r6,
     rr1/rr5, rr4/rr6, rrr1/rrr5, rrr4/rrr6, aa/aa3) and H86/H88 identify
     x12 with x16; harmless, but generated clutter.
   The `{{Afalse}}` postcondition records that control never falls off the
   end of this tail: the only exit is RETURN, whose value is matched against
   the `<|| END v ||>` return assertion of the spec. *)
Definition gen_post5:= forall
(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
(* i is the event-group byte of the wait table v´44 of this mutex. *)
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
(* x is the 16-bit OSEventCnt: high byte = PIP, low byte = owner priority. *)
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
(* Branch condition: the mutex currently has an owner. *)
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
(* Owner's original priority is a valid OSTCBPrioTbl index (see H51). *)
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
(* OSTCBPrioTbl (v´30) has 64 slots; every index into it must be < 64. *)
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x0 : val
)(
H54 : array_type_vallist_match Int8u v´36
)(
(* v´36 is the ready table; HH58 below fixes its length to 8 rows. *)
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
(* x2 = OSUnMapTbl[i]: row of the highest-priority waiter. *)
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
(* x5 = OSUnMapTbl[v´44[x2]]: bit of the highest-priority waiter. *)
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x14 : int32
)(
(* x14 is the owner TCB's status byte (H84 ties OS_STAT_RDY to a null event pointer). *)
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
(* x11 = OSMapTbl[orig_prio & 7]: the bit OR-ed into the ready table below. *)
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
x16 : int32
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H89 : Int.unsigned x12 <= 255
)(
(* Owner TCB is ready with no pending delay (x14 is its status byte; i6 is
   presumably its OSTCBDly field - confirm against the TCB layout). *)
last_condition : ProtectWrapper (x14 = $ OS_STAT_RDY /\ i6 = $ 0)
)(
t1 : int32
)(
t3 : Int.unsigned t1 <= 255
)(
t11 : int32
)(
t13 : Int.unsigned t11 <= 255
)(
v´34 : val
)(
(* Before the switch-back, the owner's original slot of OSTCBPrioTbl held v´51. *)
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some (Vptr v´51)
)(
(* Branch condition: some task is waiting (event-group byte non-zero). *)
H99 : i <> Int.zero
)(
H100 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H101 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
(* PIP is a valid OSTCBPrioTbl index (see H51). *)
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
(* PIP is strictly above (numerically below) the owner's original priority. *)
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
(* PIP is strictly above the highest-priority waiter (x2<<3)+x5. *)
H68 : Int.ltu (x>>ᵢ$ 8) ((x2<<$ 3)+ᵢx5) = true
)(
H77 : 0 <= Int.unsigned (x>>ᵢ$ 8)
)(
H85 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H43 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)&$ 7)) <= 255
)(
H42 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) <= 255
)(
(* The current task's abstract TCB still carries the PIP at this point. *)
H70 : TcbJoin (v´52, Int.zero) (x>>ᵢ$ 8, t, m) x10 v´45
)(
H41 : Int.unsigned (x>>ᵢ$ 8) <= 255
)(
H28 : Int.ltu (x>>ᵢ$ 8) (x>>ᵢ$ 8) = false
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) v´36
(x>>ᵢ$ 8, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) :: v´35) v´36 v´45
)(
(* Row/bit indices derived from the PIP are in range for the 8-row ready table. *)
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
r5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
(* Same cell as H88, so x12 = x16; x12 is the PIP row of the ready table. *)
H86 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x12
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
H94 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vnull
)(
H95 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vundef
)(
(* Ready table after clearing the PIP bit in its row is still a byte array. *)
H96 : array_type_vallist_match Int8u
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
)(
H97 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
(* t1: the owner's original-priority row after the PIP bit was cleared. *)
t2 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t1
)(
H98 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t12 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t11
)(
(* Value of the C local `prio`; no binder constrains it - only
   event_rdy_post5 below says anything about it. *)
v´37 : val
),
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: state after OS_EventTaskRdy, with the current task already
   switched from the PIP back to its original priority in the priority
   table, the ready table and the abstract TCB map. *)
{{event_rdy_post5
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´37)
(logic_lv
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val
(Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30
(Vptr (v´52, Int.zero))) (Vptr v´51))
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32
((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)
:: Vint32 x11 :: Vint32 x8 :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv
(update_nth_val
(Z.to_nat
(Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val
(Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12)
(Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
(val_inj (or (Vint32 t1) (Vint32 x11))))
:: logic_val v´34
:: logic_abstcb
(TcbMod.set v´39 (v´52, Int.zero)
(x&$ OS_MUTEX_KEEP_LOWER_8, t, m))
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´37 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
(* The C tail under verification: hand the mutex to `prio`, then leave the
   critical section, reschedule and return.  OSTCBPrioTbl[prio] is an
   indexed read whose bound has to come from event_rdy_post5 (see v´37). *)
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* gen_post1´: same proof context and same C tail as gen_post5, differing
   only in the precondition assertion (event_rdy_post1´ instead of
   event_rdy_post5).  Branch: the mutex is owned (H35) and at least one task
   is waiting on it (H99, with H18 tying the group byte i to the wait table
   v´44).  The conclusion is a Hoare triple, judged against OSQ_spec,
   GetHPrio and I (by name: the abstract API spec, the highest-priority-ready
   oracle and the global invariant), for
     OSEventCnt &= OS_MUTEX_KEEP_UPPER_8   (drop the owner byte, keep PIP)
     OSEventCnt |= prio                    (install the new owner priority)
     OSEventPtr  = OSTCBPrioTbl[prio]      (install the new owner TCB)
     EXIT_CRITICAL; OS_Sched(); return OS_NO_ERR.
   Reviewer notes (all grounded in the binders below):
   - Every table access performed so far has an explicit bound: OSTCBPrioTbl
     (v´30) has 64 entries (H51) and the two indices used on it are < 64
     (H48 owner's original priority, H15/H85 the PIP x>>8); the ready table
     v´36 has 8 rows (H58/HH58) with all row/bit indices < 8 (r1..r6, rr*,
     rrr*); OSUnMapVallist (H59/H60/H65) and OSMapVallist
     (H69/H71/H76/H80) lookups are bounded likewise.
   - The PIP is strictly smaller (higher priority) than the owner's original
     priority (H47, H9) and than the highest-priority waiter (x2<<3)+x5
     obtained through OSUnMapVallist (H61/H63/H66, H68).
   - The current task (HCurTCB (v´52, Int.zero)) is the ECB's owner
     (Vptr (v´52, $ 0)); the precondition already has it moved back from
     the PIP to its original priority in the abstract TCB map, the ready
     table and the priority table (v´51, the old content of its original
     slot per H52, is parked in the PIP slot).
   - The C local `prio` holds v´37, which no binder constrains; the bound
     needed for OSTCBPrioTbl[prio] presumably has to be extracted from
     event_rdy_post1´ when this lemma is proved.
   - Duplicated hypotheses (H10/H22, r1/r5, r4/r6, rr1/rr5, rr4/rr6,
     rrr1/rrr5, rrr4/rrr6, aa/aa3) and H86/H88 (x12 = x16) are generated
     clutter, not additional constraints.
   `{{Afalse}}` records that control never falls off the end; the only exit
   is RETURN, matched against `<|| END v ||>` in the spec. *)
Definition gen_post1´:= forall
(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
(* i is the event-group byte of the wait table v´44 of this mutex. *)
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
(* x is the 16-bit OSEventCnt: high byte = PIP, low byte = owner priority. *)
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
(* Branch condition: the mutex currently has an owner. *)
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
(* Owner's original priority is a valid OSTCBPrioTbl index (see H51). *)
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
(* OSTCBPrioTbl (v´30) has 64 slots; every index into it must be < 64. *)
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x0 : val
)(
H54 : array_type_vallist_match Int8u v´36
)(
(* v´36 is the ready table; HH58 below fixes its length to 8 rows. *)
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
(* x2 = OSUnMapTbl[i]: row of the highest-priority waiter. *)
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
(* x5 = OSUnMapTbl[v´44[x2]]: bit of the highest-priority waiter. *)
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x14 : int32
)(
(* x14 is the owner TCB's status byte (H84 ties OS_STAT_RDY to a null event pointer). *)
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
(* x11 = OSMapTbl[orig_prio & 7]: the bit OR-ed into the ready table below. *)
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
x16 : int32
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H89 : Int.unsigned x12 <= 255
)(
(* Owner TCB is ready with no pending delay (x14 is its status byte; i6 is
   presumably its OSTCBDly field - confirm against the TCB layout). *)
last_condition : ProtectWrapper (x14 = $ OS_STAT_RDY /\ i6 = $ 0)
)(
t1 : int32
)(
t3 : Int.unsigned t1 <= 255
)(
t11 : int32
)(
t13 : Int.unsigned t11 <= 255
)(
v´34 : val
)(
(* Before the switch-back, the owner's original slot of OSTCBPrioTbl held v´51. *)
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some (Vptr v´51)
)(
(* Branch condition: some task is waiting (event-group byte non-zero). *)
H99 : i <> Int.zero
)(
H100 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H101 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
(* PIP is a valid OSTCBPrioTbl index (see H51). *)
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
(* PIP is strictly above (numerically below) the owner's original priority. *)
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
(* PIP is strictly above the highest-priority waiter (x2<<3)+x5. *)
H68 : Int.ltu (x>>ᵢ$ 8) ((x2<<$ 3)+ᵢx5) = true
)(
H77 : 0 <= Int.unsigned (x>>ᵢ$ 8)
)(
H85 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H43 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)&$ 7)) <= 255
)(
H42 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) <= 255
)(
(* The current task's abstract TCB still carries the PIP at this point. *)
H70 : TcbJoin (v´52, Int.zero) (x>>ᵢ$ 8, t, m) x10 v´45
)(
H41 : Int.unsigned (x>>ᵢ$ 8) <= 255
)(
H28 : Int.ltu (x>>ᵢ$ 8) (x>>ᵢ$ 8) = false
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) v´36
(x>>ᵢ$ 8, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) :: v´35) v´36 v´45
)(
(* Row/bit indices derived from the PIP are in range for the 8-row ready table. *)
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
r5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
(* Same cell as H88, so x12 = x16; x12 is the PIP row of the ready table. *)
H86 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x12
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
H94 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vnull
)(
H95 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vundef
)(
(* Ready table after clearing the PIP bit in its row is still a byte array. *)
H96 : array_type_vallist_match Int8u
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
)(
H97 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
(* t1: the owner's original-priority row after the PIP bit was cleared. *)
t2 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t1
)(
H98 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t12 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t11
)(
(* Value of the C local `prio`; no binder constrains it - only
   event_rdy_post1´ below says anything about it. *)
v´37 : val
),
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: state after OS_EventTaskRdy, with the current task already
   switched from the PIP back to its original priority in the priority
   table, the ready table and the abstract TCB map. *)
{{event_rdy_post1´
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´37)
(logic_lv
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val
(Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30
(Vptr (v´52, Int.zero))) (Vptr v´51))
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32
((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)
:: Vint32 x11 :: Vint32 x8 :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv
(update_nth_val
(Z.to_nat
(Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val
(Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12)
(Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
(val_inj (or (Vint32 t1) (Vint32 x11))))
:: logic_val v´34
:: logic_abstcb
(TcbMod.set v´39 (v´52, Int.zero)
(x&$ OS_MUTEX_KEEP_LOWER_8, t, m))
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´37 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
(* The C tail under verification: hand the mutex to `prio`, then leave the
   critical section, reschedule and return.  OSTCBPrioTbl[prio] is an
   indexed read whose bound has to come from event_rdy_post1´ (see v´37). *)
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* gen_post3´: proof obligation for the tail of OSMutexPost, specialised to
   the branch in which the current task v´52 is running at the mutex's
   priority-inheritance priority pip = x>>ᵢ$ 8 (H70/H73/backup2 carry its TCB
   with that priority; H28 and H94/H95 are the already-decided comparisons of
   pip against itself).  x is the mutex count word (DMutex (Vint32 x), H1):
   its upper byte is pip, its lower byte x&$ OS_MUTEX_KEEP_LOWER_8 is the
   owner's original priority, and H35 rules out OS_MUTEX_AVAILABLE.

   The precondition already describes the state after the owner has been
   moved back to its original priority: the TCB node for v´52 carries
   x&$ OS_MUTEX_KEEP_LOWER_8, the ready table has the pip bit cleared
   (and x12 (not (1<<(pip&7))) at row pip>>ᵢ$ 3) and the original-priority bit
   set (or t1 x11 at row orig>>ᵢ$ 3, x11 = OSMapVallist[orig&7] by H81),
   OSTCBPrioTbl has the original-priority slot (previously Vptr v´51, H52)
   pointing at v´52 with Vptr v´51 moved into the pip slot, and the abstract
   TCB map is TcbMod.set v´39 (v´52, Int.zero) (orig, t, m).

   The memory-safety side conditions of the remaining statements are what the
   many bound hypotheses are for: H15/H48/H85 keep pip and the original
   priority below 64 = length OSTCBPrioTbl (H51); r*/rr*/rrr* keep the
   derived row and bit indices below 8 = length of the ready table (HH58);
   H69/H71/H76/H80 bound the OSMapVallist lookups; H10/H22 keep x within 16
   bits.  The index used by [OSTCBPrioTbl ′ [prio ′]] is v´37, which is
   unconstrained in this binder list; its range must be supplied by
   event_rdy_post3´ (TODO confirm when discharging the array-access side
   condition).

   The binder names (v´NN, HNN, fffa, ttfasd, ...) indicate this statement was
   lifted from an interactive proof state; gen_post5´ below is textually
   identical except for the postcondition predicate. *)
Definition gen_post3´:= forall
(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
(* The mutex ECB (at v´29) sits between the list segments v´25 and v´26;
   x is its count word and Vptr (v´52, $ 0) its owner pointer. *)
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x0 : val
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
(* x2 = OSUnMapVallist[i], x4 = v´44[x2], x5 = OSUnMapVallist[x4]: the usual
   two-level group/bit unmap over the event wait table (presumably locating
   the highest-priority waiter as (x2<<3)+x5, see H68). *)
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x14 : int32
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
(* x11 (same lookup as x9) is the bit mask for the original priority; it is
   OR-ed into the ready table in the postcondition below. *)
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
x16 : int32
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H89 : Int.unsigned x12 <= 255
)(
last_condition : ProtectWrapper (x14 = $ OS_STAT_RDY /\ i6 = $ 0)
)(
t1 : int32
)(
t3 : Int.unsigned t1 <= 255
)(
t11 : int32
)(
t13 : Int.unsigned t11 <= 255
)(
v´34 : val
)(
(* Before the update, the priority-table slot of the original priority holds
   Vptr v´51; the postcondition swaps it with the current task. *)
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some (Vptr v´51)
)(
(* i (second ECB field) is non-zero: the wait group is not empty. *)
H99 : i <> Int.zero
)(
H100 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H101 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
(* pip is numerically below the owner's original priority (lower number =
   higher priority in uC/OS-II); both are < 64 (H15, H48), i.e. in range for
   OSTCBPrioTbl (H51). *)
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H68 : Int.ltu (x>>ᵢ$ 8) ((x2<<$ 3)+ᵢx5) = true
)(
H77 : 0 <= Int.unsigned (x>>ᵢ$ 8)
)(
H85 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H43 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)&$ 7)) <= 255
)(
H42 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) <= 255
)(
(* The current task is registered in the abstract TCB map at priority pip. *)
H70 : TcbJoin (v´52, Int.zero) (x>>ᵢ$ 8, t, m) x10 v´45
)(
H41 : Int.unsigned (x>>ᵢ$ 8) <= 255
)(
(* H28 (and H94/H95 below) are comparisons of pip with itself: this is the
   branch where the current task's priority equals pip. *)
H28 : Int.ltu (x>>ᵢ$ 8) (x>>ᵢ$ 8) = false
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) v´36
(x>>ᵢ$ 8, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) :: v´35) v´36 v´45
)(
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
r5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x12
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
H94 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vnull
)(
H95 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vundef
)(
(* Ready table after clearing the pip bit (row pip>>ᵢ$ 3 masked with
   not (1<<(pip&7))); t1 and t11 are the rows at orig>>ᵢ$ 3 and pip>>ᵢ$ 3 of
   that intermediate table, both still in range (H97, H98). *)
H96 : array_type_vallist_match Int8u
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
)(
H97 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t2 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t1
)(
H98 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t12 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t11
)(
(* Value of the local prio; no bound on it is recorded in this statement. *)
v´37 : val
),
(* Spec triple: the return postcondition (fun v => ...) abstracts all locals
   existentially, requires interrupts enabled (Aie true) and no critical
   section held (Acs nil), and pairs the return value with <|| END v ||>. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the state produced by event_rdy_post3´ (the readied task is
   presumably v´37) together with the restored-priority tables described in
   the header comment; still inside the critical section (Aie false,
   Acs (true :: nil)). *)
{{event_rdy_post3´
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´37)
(logic_lv
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val
(Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30
(Vptr (v´52, Int.zero))) (Vptr v´51))
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32
((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)
:: Vint32 x11 :: Vint32 x8 :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv
(update_nth_val
(Z.to_nat
(Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val
(Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12)
(Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
(val_inj (or (Vint32 t1) (Vint32 x11))))
:: logic_val v´34
:: logic_abstcb
(TcbMod.set v´39 (v´52, Int.zero)
(x&$ OS_MUTEX_KEEP_LOWER_8, t, m))
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´37 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
(* Remaining code: keep only the pip byte of OSEventCnt, OR in prio as the
   new owner priority, point OSEventPtr at OSTCBPrioTbl[prio] (prio = v´37 is
   the array index here, so its bound must be available when this access is
   verified), leave the critical section, reschedule and return OS_NO_ERR.
   The normal postcondition is Afalse because control only leaves via
   RETURN, which is covered by the return postcondition of the spec. *)
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* gen_post5´: same proof obligation as gen_post3´ (OSMutexPost tail, current
   task v´52 running at pip = x>>ᵢ$ 8, owner priority restored to
   x&$ OS_MUTEX_KEEP_LOWER_8 in the TCB node, ready table, OSTCBPrioTbl and
   abstract TCB map), differing only in the precondition predicate
   event_rdy_post5´.  The binder list is textually identical to gen_post3´;
   if the event_rdy_post* predicates share a shape, one parameterised
   definition would avoid keeping two 600-line copies in sync (TODO confirm).

   Bound hypotheses that discharge the array-access side conditions of the
   remaining statements: H15/H48/H85 (both priorities < 64 = length
   OSTCBPrioTbl, H51), r*/rr*/rrr* (row and bit indices < 8 = length of the
   ready table, HH58), H69/H71/H76/H80 (OSMapVallist lookups), H10/H22 (x fits
   in 16 bits).  v´37, the index used by [OSTCBPrioTbl ′ [prio ′]], is not
   bounded here; its range has to come from event_rdy_post5´. *)
Definition gen_post5´:= forall
(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
(* The mutex ECB (at v´29) sits between the list segments v´25 and v´26;
   x is its count word and Vptr (v´52, $ 0) its owner pointer. *)
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x0 : val
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
(* x2 = OSUnMapVallist[i], x4 = v´44[x2], x5 = OSUnMapVallist[x4]: the usual
   two-level group/bit unmap over the event wait table (presumably locating
   the highest-priority waiter as (x2<<3)+x5, see H68). *)
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x14 : int32
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
(* x11 (same lookup as x9) is the bit mask for the original priority; it is
   OR-ed into the ready table in the postcondition below. *)
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
x16 : int32
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H89 : Int.unsigned x12 <= 255
)(
last_condition : ProtectWrapper (x14 = $ OS_STAT_RDY /\ i6 = $ 0)
)(
t1 : int32
)(
t3 : Int.unsigned t1 <= 255
)(
t11 : int32
)(
t13 : Int.unsigned t11 <= 255
)(
v´34 : val
)(
(* Before the update, the priority-table slot of the original priority holds
   Vptr v´51; the postcondition swaps it with the current task. *)
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some (Vptr v´51)
)(
(* i (second ECB field) is non-zero: the wait group is not empty. *)
H99 : i <> Int.zero
)(
H100 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H101 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
(* pip is numerically below the owner's original priority (lower number =
   higher priority in uC/OS-II); both are < 64 (H15, H48), i.e. in range for
   OSTCBPrioTbl (H51). *)
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H68 : Int.ltu (x>>ᵢ$ 8) ((x2<<$ 3)+ᵢx5) = true
)(
H77 : 0 <= Int.unsigned (x>>ᵢ$ 8)
)(
H85 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H43 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)&$ 7)) <= 255
)(
H42 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) <= 255
)(
(* The current task is registered in the abstract TCB map at priority pip. *)
H70 : TcbJoin (v´52, Int.zero) (x>>ᵢ$ 8, t, m) x10 v´45
)(
H41 : Int.unsigned (x>>ᵢ$ 8) <= 255
)(
(* H28 (and H94/H95 below) are comparisons of pip with itself: this is the
   branch where the current task's priority equals pip. *)
H28 : Int.ltu (x>>ᵢ$ 8) (x>>ᵢ$ 8) = false
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) v´36
(x>>ᵢ$ 8, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) :: v´35) v´36 v´45
)(
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
r5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x12
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
H94 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vnull
)(
H95 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vundef
)(
(* Ready table after clearing the pip bit (row pip>>ᵢ$ 3 masked with
   not (1<<(pip&7))); t1 and t11 are the rows at orig>>ᵢ$ 3 and pip>>ᵢ$ 3 of
   that intermediate table, both still in range (H97, H98). *)
H96 : array_type_vallist_match Int8u
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
)(
H97 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t2 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t1
)(
H98 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t12 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t11
)(
(* Value of the local prio; no bound on it is recorded in this statement. *)
v´37 : val
),
(* Spec triple: the return postcondition (fun v => ...) abstracts all locals
   existentially, requires interrupts enabled (Aie true) and no critical
   section held (Acs nil), and pairs the return value with <|| END v ||>. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the state produced by event_rdy_post5´ (the readied task is
   presumably v´37) together with the restored-priority tables described in
   the header comment; still inside the critical section (Aie false,
   Acs (true :: nil)). *)
{{event_rdy_post5´
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´37)
(logic_lv
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val
(Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30
(Vptr (v´52, Int.zero))) (Vptr v´51))
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32
((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)
:: Vint32 x11 :: Vint32 x8 :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv
(update_nth_val
(Z.to_nat
(Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val
(Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12)
(Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
(val_inj (or (Vint32 t1) (Vint32 x11))))
:: logic_val v´34
:: logic_abstcb
(TcbMod.set v´39 (v´52, Int.zero)
(x&$ OS_MUTEX_KEEP_LOWER_8, t, m))
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´37 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
(* Remaining code: keep only the pip byte of OSEventCnt, OR in prio as the
   new owner priority, point OSEventPtr at OSTCBPrioTbl[prio] (prio = v´37 is
   the array index here, so its bound must be available when this access is
   verified), leave the critical section, reschedule and return OS_NO_ERR.
   The normal postcondition is Afalse because control only leaves via
   RETURN, which is covered by the return postcondition of the spec. *)
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
Definition gen_OSMutexPost3_3_event_rdy_post1´ := forall (
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x6 : int32
)(
x14 : int32
)(
H77 : 0 <= Int.unsigned x6
)(
H85 : Int.unsigned x6 < 64
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H43 : Int.unsigned (x6>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<(x6>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<(x6&$ 7)) <= 255
)(
H42 : Int.unsigned (x6&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x6, t, m) x10 v´45
)(
H41 : Int.unsigned x6 <= 255
)(
H28 : Int.ltu x6 (x>>ᵢ$ 8) = false
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
v´36 (x6, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: v´35) v´36 v´45
)(
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
r5 : Int.unsigned (x6>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned (x6&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned (x6&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned (x6>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned (x6&$ 7) < Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36) = true
)(
x16 : int32
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36 = Vint32 x12
)(
H89 : Int.unsigned x12 <= 255
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
H93 : val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull
)(
H94 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <>
Vint32 Int.zero
)(
H95 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H96 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
v´34 : val
),
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{event_rdy_post1´
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´34)
(logic_lv v´30
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv v´36
:: logic_val (Vint32 i7)
:: logic_abstcb v´39
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´34 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Proof goal for the tail of OSMutexPost, in the branch whose precondition
   is the [event_rdy_post1] predicate (judging by the name, the branch in
   which a waiting task has just been made ready).  The statements under
   the triple keep the high byte of OSEventCnt (OS_MUTEX_KEEP_UPPER_8), OR
   the local [prio] into it, point OSEventPtr at OSTCBPrioTbl[prio], leave
   the critical section, call OS_Sched and return OS_NO_ERR.  The statement
   postcondition is Afalse, so the only admissible exit is the RETURN,
   which is presumably judged against the [END v] return assertion given
   in the spec header.
   The binders are the proof context accumulated so far (NOTE(review):
   presumably dumped from an interactive goal, given the generated v´N /
   HN names).  Roughly:
   - H1..H3, H5, H6, H17: shape of the event-control-block list and of the
     abstract ECB map around the mutex at (v´29, Int.zero);
   - H33, H70, H72, H73, backup2: shape of the TCB list; H70 together with
     HCurTCB (v´52, Int.zero) in the precondition identifies x6 as the
     current task's priority;
   - H46, H49..H53: v´30 is a 64-entry table of OS_TCB pointers (apparently
     OSTCBPrioTbl) with entries at index x&lower8 (H52) and x>>8 (H53);
   - H54..H58, HH58: v´36 is the 8-byte ready table; r1..r6, rr1..rr6,
     rrr1..rrr6, aa..aa3 and H86..H91 are the in-bounds and byte-typing
     obligations for every index taken into it;
   - H15, H48, H85 bound the priorities involved below 64, matching the
     table length in H51.
   NOTE(review): apart from the definition name and the precondition
   predicate (event_rdy_post1 here, event_rdy_post3´ in the next
   definition) this text appears identical to
   gen_OSMutexPost3_3_event_rdy_post3´ — confirm the duplication is
   intended. *)
Definition gen_OSMutexPost3_3_event_rdy_post1:= forall
(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
(* Low byte of OSEventCnt is not OS_MUTEX_AVAILABLE: by H26 the mutex has
   an owner, namely (v´52, $ 0). *)
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
(* The ceiling priority x>>8 (held by local [pip] in the precondition) is
   numerically below the owner priority in the low byte. *)
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
(* C-level result of  !(i == 0) && ((x2<<3)+x5 <= pip)  recorded in the
   "condition evaluated to false" form (Vint32 Int.zero or Vnull).  x2, x4
   and x5 are the OSUnMapVallist / event-table lookups of H61, H63 and
   H66, so (x2<<3)+x5 is apparently the highest waiting priority. *)
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x6 : int32
)(
x14 : int32
)(
H77 : 0 <= Int.unsigned x6
)(
H85 : Int.unsigned x6 < 64
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H43 : Int.unsigned (x6>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<(x6>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<(x6&$ 7)) <= 255
)(
H42 : Int.unsigned (x6&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x6, t, m) x10 v´45
)(
H41 : Int.unsigned x6 <= 255
)(
(* Current-task priority x6 is not below the ceiling priority x>>8; H93
   further records that the C-level test x6 == pip came out false. *)
H28 : Int.ltu x6 (x>>ᵢ$ 8) = false
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
v´36 (x6, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: v´35) v´36 v´45
)(
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
r5 : Int.unsigned (x6>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned (x6&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned (x6&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned (x6>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned (x6&$ 7) < Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36) = true
)(
x16 : int32
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36 = Vint32 x12
)(
H89 : Int.unsigned x12 <= 255
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
H93 : val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull
)(
(* H94..H96: the left operand of H68, !(i == 0), is a proper non-zero
   value (not zero, null or undef); i is the second event field, apparently
   OSEventGrp.  Together with H68 this presumably forces the bool_or
   operand of H68 to be the false one. *)
H94 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <>
Vint32 Int.zero
)(
H95 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H96 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
(* Current value of local [prio].  No visible hypothesis constrains it, so
   any bound on the priority ORed into OSEventCnt and used to index
   OSTCBPrioTbl below has to come from event_rdy_post1. *)
v´34 : val
),
(* Spec header: presumably function-spec table, scheduling policy,
   invariant, return assertion (parameterised by the returned value v) and
   the assertion for a normal fall-through exit (Afalse). *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{event_rdy_post1
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´34)
(logic_lv v´30
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv v´36
:: logic_val (Vint32 i7)
:: logic_abstcb v´39
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´34 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
(* Statements under verification (C-statement notation): keep the upper
   byte of OSEventCnt, OR in prio, set OSEventPtr from the priority table,
   re-enable interrupts, reschedule, return OS_NO_ERR. *)
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Proof goal for the tail of OSMutexPost, in the branch whose precondition
   is the [event_rdy_post3´] predicate (judging by the name, a variant of
   the branch in which a waiting task has just been made ready).  The
   statements under the triple keep the high byte of OSEventCnt
   (OS_MUTEX_KEEP_UPPER_8), OR the local [prio] into it, point OSEventPtr
   at OSTCBPrioTbl[prio], leave the critical section, call OS_Sched and
   return OS_NO_ERR.  The statement postcondition is Afalse, so the only
   admissible exit is the RETURN, which is presumably judged against the
   [END v] return assertion given in the spec header.
   The binders are the proof context accumulated so far (NOTE(review):
   presumably dumped from an interactive goal, given the generated v´N /
   HN names).  Roughly:
   - H1..H3, H5, H6, H17: shape of the event-control-block list and of the
     abstract ECB map around the mutex at (v´29, Int.zero);
   - H33, H70, H72, H73, backup2: shape of the TCB list; H70 together with
     HCurTCB (v´52, Int.zero) in the precondition identifies x6 as the
     current task's priority;
   - H46, H49..H53: v´30 is a 64-entry table of OS_TCB pointers (apparently
     OSTCBPrioTbl) with entries at index x&lower8 (H52) and x>>8 (H53);
   - H54..H58, HH58: v´36 is the 8-byte ready table; r1..r6, rr1..rr6,
     rrr1..rrr6, aa..aa3 and H86..H91 are the in-bounds and byte-typing
     obligations for every index taken into it;
   - H15, H48, H85 bound the priorities involved below 64, matching the
     table length in H51.
   NOTE(review): apart from the definition name and the precondition
   predicate (event_rdy_post3´ here, event_rdy_post1 in the previous
   definition) this text appears identical to
   gen_OSMutexPost3_3_event_rdy_post1 — confirm the duplication is
   intended. *)
Definition gen_OSMutexPost3_3_event_rdy_post3´:= forall (
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
(* Low byte of OSEventCnt is not OS_MUTEX_AVAILABLE: by H26 the mutex has
   an owner, namely (v´52, $ 0). *)
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
(* The ceiling priority x>>8 (held by local [pip] in the precondition) is
   numerically below the owner priority in the low byte. *)
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
(* C-level result of  !(i == 0) && ((x2<<3)+x5 <= pip)  recorded in the
   "condition evaluated to false" form (Vint32 Int.zero or Vnull).  x2, x4
   and x5 are the OSUnMapVallist / event-table lookups of H61, H63 and
   H66, so (x2<<3)+x5 is apparently the highest waiting priority. *)
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x6 : int32
)(
x14 : int32
)(
H77 : 0 <= Int.unsigned x6
)(
H85 : Int.unsigned x6 < 64
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H43 : Int.unsigned (x6>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<(x6>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<(x6&$ 7)) <= 255
)(
H42 : Int.unsigned (x6&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x6, t, m) x10 v´45
)(
H41 : Int.unsigned x6 <= 255
)(
(* Current-task priority x6 is not below the ceiling priority x>>8; H93
   further records that the C-level test x6 == pip came out false. *)
H28 : Int.ltu x6 (x>>ᵢ$ 8) = false
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
v´36 (x6, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: v´35) v´36 v´45
)(
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
r5 : Int.unsigned (x6>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned (x6&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned (x6&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned (x6>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned (x6&$ 7) < Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36) = true
)(
x16 : int32
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36 = Vint32 x12
)(
H89 : Int.unsigned x12 <= 255
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
H93 : val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull
)(
(* H94..H96: the left operand of H68, !(i == 0), is a proper non-zero
   value (not zero, null or undef); i is the second event field, apparently
   OSEventGrp.  Together with H68 this presumably forces the bool_or
   operand of H68 to be the false one. *)
H94 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <>
Vint32 Int.zero
)(
H95 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H96 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
(* Current value of local [prio].  No visible hypothesis constrains it, so
   any bound on the priority ORed into OSEventCnt and used to index
   OSTCBPrioTbl below has to come from event_rdy_post3´. *)
v´34 : val
),
(* Spec header: presumably function-spec table, scheduling policy,
   invariant, return assertion (parameterised by the returned value v) and
   the assertion for a normal fall-through exit (Afalse). *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{event_rdy_post3´
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´34)
(logic_lv v´30
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv v´36
:: logic_val (Vint32 i7)
:: logic_abstcb v´39
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´34 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
(* Statements under verification (C-statement notation): keep the upper
   byte of OSEventCnt, OR in prio, set OSEventPtr from the priority table,
   re-enable interrupts, reschedule, return OS_NO_ERR. *)
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Generated proof obligation for the event_rdy_post3 branch of the
   OSMutexPost verification: given the hypotheses bound below, the six
   statements after the precondition (mask OSEventCnt with
   OS_MUTEX_KEEP_UPPER_8, OR prio into it, point OSEventPtr at
   OSTCBPrioTbl[prio], EXIT_CRITICAL, OS_Sched, return OS_NO_ERR) must
   satisfy the judgement whose postcondition is Afalse.
   gen_OSMutexPost3_3_event_rdy_post5´ and gen_OSMutexPost3_3_event_rdy_post5
   state the same goal with a different lemma name in the precondition.
   Binder names (v´N, xN, HN) are machine-generated; the comments below
   single out the hypotheses that bound the values used as table indices
   in those statements, which is what a reader checks first. *)
Definition gen_OSMutexPost3_3_event_rdy_post3 := forall (
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
(* i and x are the 2nd and 3rd fields of this ECB's record (see H5).  The
   statements below update OSEventCnt from x's pieces, so x is presumably
   OSEventCnt and i OSEventGrp -- confirm against the OS_EVENT layout. *)
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
(* Upper byte of x (the value stored in local pip below) is < 64, i.e. a
   valid index into the 64-entry table v´30 (H51). *)
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
(* (v´52, Int.zero) is the current TCB (HCurTCB in the precondition). *)
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
(* The branch where the lower byte of x is not OS_MUTEX_AVAILABLE. *)
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
(* Unsigned ordering of the two bytes of x: upper byte < lower byte. *)
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
(* Lower byte of x is also a valid index into the 64-entry v´30 (H52). *)
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
(* Abstract entry for this mutex: absmutexsem built from the upper byte of
   x and the pair ((v´52, $ 0), lower byte of x), plus wait set w. *)
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
(* v´30: a 64-entry array of OS_TCB pointers (H46, H51), related to the
   ready table v´36 and the TCB map v´39 by H49/H50.  It is presumably the
   OSTCBPrioTbl contents read by the indexing statement below -- confirm
   against the definition of event_rdy_post3. *)
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
(* x2 = OSUnMapVallist[i] (< 8 by fffbb); x4 = v´44[x2]; x5 = OSUnMapVallist[x4].
   x2 is also the value held in local legal in the precondition. *)
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
(* Outcome of an earlier compound test: (i != 0) && ((x2<<3)+x5 <= x>>8)
   evaluated to Vint32 0 or Vnull (i.e. it did not hold). *)
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
(* x6 is the priority of the current TCB (v´52, Int.zero): H70 pairs that
   TCB with (x6, t, m), and H73/backup2 place Vint32 x6 as the 7th field of
   its record.  0 <= x6 < 64 (H77, H85). *)
x6 : int32
)(
x14 : int32
)(
H77 : 0 <= Int.unsigned x6
)(
H85 : Int.unsigned x6 < 64
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H43 : Int.unsigned (x6>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<(x6>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<(x6&$ 7)) <= 255
)(
H42 : Int.unsigned (x6&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x6, t, m) x10 v´45
)(
H41 : Int.unsigned x6 <= 255
)(
(* Current priority x6 is not (unsigned) below the upper byte of x. *)
H28 : Int.ltu x6 (x>>ᵢ$ 8) = false
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
v´36 (x6, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: v´35) v´36 v´45
)(
(* r1-r6 / rr1-rr6 / rrr1-rrr6: the bit-table row/column indices derived
   from both bytes of x and from x6 are < 8 and within length v´36
   (= 8 by HH58), stated in int, nat and Z form respectively. *)
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
r5 : Int.unsigned (x6>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned (x6&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned (x6&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned (x6>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned (x6&$ 7) < Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36) = true
)(
x16 : int32
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36 = Vint32 x12
)(
H89 : Int.unsigned x12 <= 255
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
(* Outcome of the test x6 == (x>>8): it evaluated to Vint32 0 or Vnull. *)
H93 : val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull
)(
(* H94-H96: the test !(i == 0) evaluated to something other than
   Vint32 0, Vnull or Vundef, i.e. this is the i <> 0 branch. *)
H94 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <>
Vint32 Int.zero
)(
H95 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H96 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
(* Value of local prio in the precondition (LV prio @ Int8u |-> v´34).
   NOTE(review): no hypothesis in this goal bounds v´34, yet
   OSTCBPrioTbl ′ [prio ′] below indexes the table by it; the in-bounds
   obligation must therefore come from the proof of this goal or from the
   event_rdy_post3 predicate -- confirm. *)
v´34 : val
),
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{event_rdy_post3
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´34)
(logic_lv v´30
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv v´36
:: logic_val (Vint32 i7)
:: logic_abstcb v´39
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´34 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
(* Statements under verification: the critical section is still held here
   (Aie false in the precondition) and is left by EXIT_CRITICAL before
   OS_Sched runs.  OSEventCnt keeps its upper byte and receives prio in the
   lower byte; OSEventPtr is read from OSTCBPrioTbl at index prio. *)
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Generated proof obligation for the event_rdy_post5´ branch of the
   OSMutexPost verification.  The hypotheses and the program fragment are
   the same as in gen_OSMutexPost3_3_event_rdy_post3 above; the only
   difference is the lemma name (event_rdy_post5´) inside the precondition.
   Given the hypotheses bound below, the six statements after the
   precondition (mask OSEventCnt with OS_MUTEX_KEEP_UPPER_8, OR prio into
   it, point OSEventPtr at OSTCBPrioTbl[prio], EXIT_CRITICAL, OS_Sched,
   return OS_NO_ERR) must satisfy the judgement whose postcondition is
   Afalse.  Binder names (v´N, xN, HN) are machine-generated; the comments
   below single out the hypotheses that bound the values used as table
   indices in those statements. *)
Definition gen_OSMutexPost3_3_event_rdy_post5´:= forall (
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
(* i and x are the 2nd and 3rd fields of this ECB's record (see H5).  The
   statements below update OSEventCnt from x's pieces, so x is presumably
   OSEventCnt and i OSEventGrp -- confirm against the OS_EVENT layout. *)
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
(* Upper byte of x (the value stored in local pip below) is < 64, i.e. a
   valid index into the 64-entry table v´30 (H51). *)
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
(* (v´52, Int.zero) is the current TCB (HCurTCB in the precondition). *)
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
(* The branch where the lower byte of x is not OS_MUTEX_AVAILABLE. *)
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
(* Unsigned ordering of the two bytes of x: upper byte < lower byte. *)
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
(* Lower byte of x is also a valid index into the 64-entry v´30 (H52). *)
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
(* Abstract entry for this mutex: absmutexsem built from the upper byte of
   x and the pair ((v´52, $ 0), lower byte of x), plus wait set w. *)
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
(* v´30: a 64-entry array of OS_TCB pointers (H46, H51), related to the
   ready table v´36 and the TCB map v´39 by H49/H50.  It is presumably the
   OSTCBPrioTbl contents read by the indexing statement below -- confirm
   against the definition of event_rdy_post5´. *)
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
(* x2 = OSUnMapVallist[i] (< 8 by fffbb); x4 = v´44[x2]; x5 = OSUnMapVallist[x4].
   x2 is also the value held in local legal in the precondition. *)
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
(* Outcome of an earlier compound test: (i != 0) && ((x2<<3)+x5 <= x>>8)
   evaluated to Vint32 0 or Vnull (i.e. it did not hold). *)
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
(* x6 is the priority of the current TCB (v´52, Int.zero): H70 pairs that
   TCB with (x6, t, m), and H73/backup2 place Vint32 x6 as the 7th field of
   its record.  0 <= x6 < 64 (H77, H85). *)
x6 : int32
)(
x14 : int32
)(
H77 : 0 <= Int.unsigned x6
)(
H85 : Int.unsigned x6 < 64
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H43 : Int.unsigned (x6>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<(x6>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<(x6&$ 7)) <= 255
)(
H42 : Int.unsigned (x6&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x6, t, m) x10 v´45
)(
H41 : Int.unsigned x6 <= 255
)(
(* Current priority x6 is not (unsigned) below the upper byte of x. *)
H28 : Int.ltu x6 (x>>ᵢ$ 8) = false
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
v´36 (x6, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: v´35) v´36 v´45
)(
(* r1-r6 / rr1-rr6 / rrr1-rrr6: the bit-table row/column indices derived
   from both bytes of x and from x6 are < 8 and within length v´36
   (= 8 by HH58), stated in int, nat and Z form respectively. *)
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
r5 : Int.unsigned (x6>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned (x6&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned (x6&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned (x6>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned (x6&$ 7) < Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36) = true
)(
x16 : int32
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36 = Vint32 x12
)(
H89 : Int.unsigned x12 <= 255
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
(* Outcome of the test x6 == (x>>8): it evaluated to Vint32 0 or Vnull. *)
H93 : val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull
)(
(* H94-H96: the test !(i == 0) evaluated to something other than
   Vint32 0, Vnull or Vundef, i.e. this is the i <> 0 branch. *)
H94 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <>
Vint32 Int.zero
)(
H95 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H96 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
(* Value of local prio in the precondition (LV prio @ Int8u |-> v´34).
   NOTE(review): no hypothesis in this goal bounds v´34, yet
   OSTCBPrioTbl ′ [prio ′] below indexes the table by it; the in-bounds
   obligation must therefore come from the proof of this goal or from the
   event_rdy_post5´ predicate -- confirm. *)
v´34 : val
),
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{event_rdy_post5´
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´34)
(logic_lv v´30
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv v´36
:: logic_val (Vint32 i7)
:: logic_abstcb v´39
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´34 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
(* Statements under verification: the critical section is still held here
   (Aie false in the precondition) and is left by EXIT_CRITICAL before
   OS_Sched runs.  OSEventCnt keeps its upper byte and receives prio in the
   lower byte; OSEventPtr is read from OSTCBPrioTbl at index prio. *)
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
Definition gen_OSMutexPost3_3_event_rdy_post5:= forall (
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x6 : int32
)(
x14 : int32
)(
H77 : 0 <= Int.unsigned x6
)(
H85 : Int.unsigned x6 < 64
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H43 : Int.unsigned (x6>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<(x6>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<(x6&$ 7)) <= 255
)(
H42 : Int.unsigned (x6&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x6, t, m) x10 v´45
)(
H41 : Int.unsigned x6 <= 255
)(
H28 : Int.ltu x6 (x>>ᵢ$ 8) = false
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
v´36 (x6, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: v´35) v´36 v´45
)(
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
r5 : Int.unsigned (x6>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned (x6&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned (x6&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned (x6>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned (x6&$ 7) < Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36) = true
)(
x16 : int32
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36 = Vint32 x12
)(
H89 : Int.unsigned x12 <= 255
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
H93 : val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull
)(
H94 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <>
Vint32 Int.zero
)(
H95 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H96 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
v´34 : val
),
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{event_rdy_post5
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´34)
(logic_lv v´30
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv v´36
:: logic_val (Vint32 i7)
:: logic_abstcb v´39
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´34 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Generated proof obligation for the tail of OSMutexPost in the
   "no unlift" case.  Every binder below is a hypothesis about the
   symbolic state at this program point (names are the ones the proof
   scripts refer to, so they must not be renamed); the conclusion is a
   judgment of the form
     {| spec |} |- {{ precondition }} code {{ Afalse }}.
   Both code paths end in RETURN, so the {{Afalse}} postcondition says
   normal fall-through is unreachable (reading of the program logic;
   confirm against its RETURN/Afalse rules).
   "No unlift": H28 and the pure guard in the precondition state that the
   current task's priority x6 is not below the mutex PIP field (x>>8),
   so the hand-over happens without a priority restore step. *)
Definition gen_MutexPostNoUnliftSuccReturn:= forall(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
(* v´44 is the event wait table of the mutex at (v´29, Int.zero);
   H11/H19 give its element type and length, H18 relates it to the
   group byte i (the `Vint32 i` slot of the OS_EVENT struct below). *)
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
(* x is the OSEventCnt word: its upper byte (x>>8) is the PIP and its
   lower byte (x & OS_MUTEX_KEEP_LOWER_8) is the owner priority. *)
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
(* H35 (the right disjunct of H29) is the case actually being proved:
   the owner byte is not OS_MUTEX_AVAILABLE, i.e. the mutex is held, and
   by H26 / H5 the OSEventPtr slot is the current TCB (v´52, $ 0). *)
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
(* v´30 is the OSTCBPrioTbl contents (length 64 by H51).  H15 and H48
   are the facts that keep the two indexings below (H52 at the owner
   priority, H53 at the PIP) inside that table. *)
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
(* x2 = OSUnMapTbl[i], x4 = v´44[x2], x5 = OSUnMapTbl[x4] (H61, H63,
   H66): this is the table-driven highest-set-bit lookup, so
   (x2<<3)+x5 used in H68 and in the precondition is the priority of the
   highest-priority task waiting on the event.  fffbb/ttfasd bound both
   lookups to < 8 so the shift/add stays inside one byte. *)
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
(* H68 is the verification-condition encoding of an earlier C test being
   false: `(i != 0) && (((x2<<3)+x5) <= pip)`, with `<=` spelled as
   bool_or of ltu and eq.  The source branch itself is outside this
   lemma; the Vnull disjunct is the generic shape such conditions take. *)
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
(* x6 / x14 / x15 / i6 are fields of the current TCB (v´52, Int.zero),
   see H70 and the Astruct in the precondition.  x6 is the priority slot
   (judging from the derived &7, >>3, 1<<(&7), 1<<(>>3) fields that
   follow it), bounded to < 64 by H85. *)
x6 : int32
)(
x14 : int32
)(
H77 : 0 <= Int.unsigned x6
)(
H85 : Int.unsigned x6 < 64
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H43 : Int.unsigned (x6>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<(x6>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<(x6&$ 7)) <= 255
)(
H42 : Int.unsigned (x6&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x6, t, m) x10 v´45
)(
H41 : Int.unsigned x6 <= 255
)(
(* The "no unlift" premise: the current priority x6 is not strictly
   below the PIP, so the task's priority was never raised to PIP. *)
H28 : Int.ltu x6 (x>>ᵢ$ 8) = false
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
v´36 (x6, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: v´35) v´36 v´45
)(
(* r1..r6 / rr1..rr6 / rrr1..rrr6 are the same six index facts stated
   three ways (as < 8, as nat-bounded by length v´36, and as Z-bounded by
   length v´36); HH58 ties them together.  They keep every OSRdyTbl
   access for the PIP, the owner priority and x6 in range. *)
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
r5 : Int.unsigned (x6>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned (x6&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned (x6&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned (x6>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned (x6&$ 7) < Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36) = true
)(
x16 : int32
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36 = Vint32 x12
)(
H89 : Int.unsigned x12 <= 255
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
),
(* Specification context: OSQ_spec / GetHPrio / invariant I, the
   return assertion (what RETURN must re-establish: the five locals
   released, interrupts back on, empty isr/cs stacks, abstract
   <|| END v ||>), and Afalse for the exit assertion. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition.  Note Aie false / Acs (true :: nil): the code runs with
   interrupts disabled inside the critical section, and every path below
   must EXIT_CRITICAL before RETURN to meet the return assertion. *)
{{( <|| mutexpost (Vptr (v´29, Int.zero) :: nil) ||> **
LV os_code_defs.x @ Int8u |-> Vint32 ((x2<<$ 3)+ᵢx5) **
LV legal @ Int8u |-> Vint32 x2 **
PV v´51 @ Int8u |-> v´32 **
Astruct (v´52, Int.zero) OS_TCB
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil) **
dllseg x7 (Vptr (v´52, Int.zero)) v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´31 **
dllseg v´31 Vnull v´24 (Vptr (v´52, Int.zero)) v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
LV prio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (v´29, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil) **
Aarray v´23 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´44 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
A_isr_is_prop **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE) v´36 **
GV OSRdyGrp @ Int8u |-> Vint32 i7 **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64) v´30 **
G&OSPlaceHolder @ Int8u == v´51 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
GAarray OSMapTbl (Tarray Int8u 8) OSMapVallist **
GAarray OSUnMapTbl (Tarray Int8u 256) OSUnMapVallist **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
(* Pure part: the preceding `prio == pip` test (x6 against x>>8)
   evaluated to zero, i.e. we are on its false branch. *)
[|val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull|]}}
(* Code under verification.  Then-branch: waiters exist, so the highest
   one is made ready by OS_EventTaskRdy, the owner byte is replaced by
   its priority and OSEventPtr is re-pointed at that task's TCB via
   OSTCBPrioTbl[prio].  The in-range bound for that index is not among
   the hypotheses above; it has to come from OS_EventTaskRdy's spec.
   Else-branch: no waiters, the mutex is marked OS_MUTEX_AVAILABLE and
   OSEventPtr cleared.  Both branches leave the critical section before
   returning OS_NO_ERR. *)
If(pevent ′ → OSEventGrp !=ₑ ′0)
{os_code_defs.x ′ =ₑ ′OS_STAT_MUTEX;ₛ
prio ′ =ᶠ OS_EventTaskRdy (·pevent ′, 〈(Void) ∗ 〉 pevent ′,
os_code_defs.x ′·);ₛ
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR} ;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ ′OS_MUTEX_AVAILABLE;ₛ
pevent ′ → OSEventPtr =ₑ NULL;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
Definition gen_MutexPostPart3 := forall
(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x6 : int32
)(
x14 : int32
)(
H77 : 0 <= Int.unsigned x6
)(
H85 : Int.unsigned x6 < 64
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H43 : Int.unsigned (x6>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<(x6>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<(x6&$ 7)) <= 255
)(
H42 : Int.unsigned (x6&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x6, t, m) x10 v´45
)(
H41 : Int.unsigned x6 <= 255
)(
H28 : Int.ltu x6 (x>>ᵢ$ 8) = false
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
v´36 (x6, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: v´35) v´36 v´45
)(
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
r5 : Int.unsigned (x6>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned (x6&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned (x6&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned (x6>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned (x6&$ 7) < Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36) = true
)(
x16 : int32
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36 = Vint32 x12
)(
H89 : Int.unsigned x12 <= 255
)
( last_condition : ProtectWrapper (x14 = $ OS_STAT_RDY /\ i6 = $ 0))
,
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{(( <|| mutexpost (Vptr (v´29, Int.zero) :: nil) ||> **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil) **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64)
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val
(Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30
(Vptr (v´52, Int.zero))) (Vptr v´51)) **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE)
(update_nth_val
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj (and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7)))))))
(val_inj
(or
(nth_val´
(Z.to_nat
(Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
v´36
(val_inj
(and (Vint32 x12)
(Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(Vint32 x11)))) **
GV OSRdyGrp @ Int8u
|-> Vint32 (Int.or (i7&Int.not ($ 1<<(x6>>ᵢ$ 3))) x8) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
Astruct (v´52, Int.zero) OS_TCB
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)
:: Vint32 x11 :: Vint32 x8 :: nil) **
LV os_code_defs.x @ Int8u |-> Vint32 ((x2<<$ 3)+ᵢx5) **
LV legal @ Int8u |-> Vint32 x2 **
PV v´51 @ Int8u |-> v´32 **
dllseg x7 (Vptr (v´52, Int.zero)) v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl)
(fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´31 **
dllseg v´31 Vnull v´24 (Vptr (v´52, Int.zero)) v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl)
(fun vl : vallist => nth_val 0 vl) **
LV prio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (v´29, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil) **
Aarray v´23 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´44 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
A_isr_is_prop **
G&OSPlaceHolder @ Int8u == v´51 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
GAarray OSMapTbl (Tarray Int8u 8) OSMapVallist **
GAarray OSUnMapTbl (Tarray Int8u 256) OSUnMapVallist **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
[|val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vint32 Int.zero /\
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vnull /\
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vundef|] **
[|val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vint32 Int.zero /\
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vnull /\
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vundef|]) ** [|x1 = Vptr v´51|] \\//
<|| mutexpost (Vptr (v´29, Int.zero) :: nil) ||> **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil) **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64)
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val
(Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30
(Vptr (v´52, Int.zero))) (Vptr v´51)) **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE)
(update_nth_val
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj (and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7)))))))
(val_inj
(or
(nth_val´
(Z.to_nat
(Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12)
(Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(Vint32 x11)))) **
GV OSRdyGrp @ Int8u |-> Vint32 (Int.or i7 x8) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
Astruct (v´52, Int.zero) OS_TCB
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)
:: Vint32 x11 :: Vint32 x8 :: nil) **
LV os_code_defs.x @ Int8u |-> Vint32 ((x2<<$ 3)+ᵢx5) **
LV legal @ Int8u |-> Vint32 x2 **
PV v´51 @ Int8u |-> v´32 **
dllseg x7 (Vptr (v´52, Int.zero)) v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´31 **
dllseg v´31 Vnull v´24 (Vptr (v´52, Int.zero)) v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
LV prio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (v´29, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil) **
Aarray v´23 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´44 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
A_isr_is_prop **
G&OSPlaceHolder @ Int8u == v´51 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
GAarray OSMapTbl (Tarray Int8u 8) OSMapVallist **
GAarray OSUnMapTbl (Tarray Int8u 256) OSUnMapVallist **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
[|val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) = Vint32 Int.zero \/
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) = Vnull|] ** [|x1 = Vptr v´51|]) **
[|val_inj
(if Int.eq x6 (Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vint32 Int.zero /\
val_inj
(if Int.eq x6 (Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vnull /\
val_inj
(if Int.eq x6 (Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vundef|] \\//
( <|| mutexpost (Vptr (v´29, Int.zero) :: nil) ||> **
LV os_code_defs.x @ Int8u |-> Vint32 ((x2<<$ 3)+ᵢx5) **
LV legal @ Int8u |-> Vint32 x2 **
PV v´51 @ Int8u |-> v´32 **
Astruct (v´52, Int.zero) OS_TCB
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil) **
dllseg x7 (Vptr (v´52, Int.zero)) v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´31 **
dllseg v´31 Vnull v´24 (Vptr (v´52, Int.zero)) v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
LV prio @ Int8u
|-> Vint32 (Int.modu (x&$ OS_MUTEX_KEEP_LOWER_8) ($ Byte.modulus)) **
LV pip @ Int8u |-> Vint32 (Int.modu (x>>ᵢ$ 8) ($ Byte.modulus)) **
Astruct (v´29, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil) **
Aarray v´23 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´44 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
A_isr_is_prop **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE) v´36 **
GV OSRdyGrp @ Int8u |-> Vint32 i7 **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64) v´30 **
G&OSPlaceHolder @ Int8u == v´51 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
GAarray OSMapTbl (Tarray Int8u 8) OSMapVallist **
GAarray OSUnMapTbl (Tarray Int8u 256) OSUnMapVallist **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
[|val_inj
(if Int.eq x6 (Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq x6 (Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull|]}}
If(pevent ′ → OSEventGrp !=ₑ ′0)
{os_code_defs.x ′ =ₑ ′OS_STAT_MUTEX;ₛ
prio ′ =ᶠ OS_EventTaskRdy (·pevent ′, 〈(Void) ∗ 〉 pevent ′,
os_code_defs.x ′·);ₛ
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR} ;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ ′OS_MUTEX_AVAILABLE;ₛ
pevent ′ → OSEventPtr =ₑ NULL;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
Close Scope code_scope.
Require Import os_mutex.
Require Import OSMutex_common.
Open Scope code_scope.
(* Proof obligation for the tail of OSMboxPend, taken after the current task
   has been blocked on the mailbox.  This is a generated goal: the binder list
   is the proof context at the split point, so it carries unused [v´n]
   binders, duplicated hypotheses (H16 = H25, H47 = H32) and hypotheses that
   are trivially true (H10, H, H11, H2, H24 -- e.g. Int.eq 1 0 is false, so
   the first disjunct of H10 holds).  The binder names are what [intros] in
   the proof script will produce; do not rename or reorder them.

   Precondition summary (each item is grounded in the assertion below):
   - abstract code: [isched] followed by a choice between
     [mbox_pend_timeout_err] and [mbox_pend_block_get_succ] on the same
     (pevent, timeout) arguments;
   - abstract ECB map: the mailbox at (v´27, 0) keeps message Vnull and now
     has the current TCB (v´52, 0) at the head of its wait set w;
   - abstract TCB map: the current task is [wait (os_stat_mbox ...) i];
   - concrete state: still inside the critical section ([Aie false],
     [Acs (true :: nil)]); the current task's ready bit is cleared (entry
     v´61 of the ready table becomes v´64 & ~v´62, H55 gives the old value
     v´64) and its wait bit is set in the event table (v´65 | v´62, group
     v´66 | v´63; H57 gives the old value v´65).
   Index bounds: H40 only gives v´61 <= 255 while the tables have length
   ∘OS_RDY_TBL_SIZE / ∘OS_EVENT_TBL_SIZE (H46, H20); that the [update_nth_val]
   indices are in range is presumably derived from TCBList_P (H31), it is not
   restated here -- confirm when discharging the goal.

   The remaining code leaves the critical section, schedules, re-enters the
   critical section, reads the message slot of the current TCB and returns.
   Every path RETURNs, so the fall-through postcondition is [Afalse]; the
   effective postcondition is the return clause of the spec frame (locals
   released, [Aie true], [Acs nil], i.e. interrupts re-enabled). *)
Definition gen_mbox_pend_part0 := forall (
i : int32
)(
(* i is the pend timeout; 16-bit, matching [LV timeout @ Int16u] below. *)
H1 : Int.unsigned i <= 65535
)(
v´ : val
)(
v´0 : val
)(
v´1 : list vallist
)(
v´2 : list vallist
)(
v´3 : list vallist
)(
v´4 : list EventData
)(
v´5 : list EventCtr
)(
v´6 : vallist
)(
v´7 : val
)(
v´8 : val
)(
v´9 : list vallist
)(
v´10 : vallist
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : val
)(
v´14 : EcbMod.map
)(
v´15 : TcbMod.map
)(
v´16 : int32
)(
v´17 : addrval
)(
v´18 : addrval
)(
v´19 : val
)(
v´20 : list vallist
)(
v´23 : list EventCtr
)(
v´24 : list EventCtr
)(
v´25 : list EventData
)(
v´26 : list EventData
)(
v´28 : vallist
)(
v´29 : val
)(
v´31 : list vallist
)(
v´33 : list vallist
)(
v´36 : EcbMod.map
)(
v´37 : TcbMod.map
)(
v´40 : val
)(
v´44 : val
)(
v´45 : EcbMod.map
)(
v´46 : EcbMod.map
)(
v´47 : EcbMod.map
)(
w : waitset
)(
v´49 : addrval
)(
H4 : ECBList_P v´44 Vnull v´24 v´26 v´46 v´37
)(
H17 : EcbMod.join v´45 v´47 v´36
)(
H13 : length v´23 = length v´25
)(
H16 : isptr v´44
)(
(* Presumably the residue of the [legal] test; trivially true since
   Int.eq 1 0 = false. *)
H10 : val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull
)(
v´21 : addrval
)(
v´27 : block
)(
x3 : val
)(
i2 : int32
)(
H23 : Int.unsigned i2 <= 65535
)(
H25 : isptr v´44
)(
H3 : ECBList_P v´40 (Vptr (v´27, Int.zero)) v´23 v´25 v´45 v´37
)(
H2 : Vptr (v´27, Int.zero) = Vnull \/
(exists p, Vptr (v´27, Int.zero) = Vptr p)
)(
H : val_inj (Some ( Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (Some ( Vint32 Int.zero)) = Vnull
)(
H15 : id_addrval´ (Vptr (v´27, Int.zero)) OSEventTbl OS_EVENT = Some v´21
)(
v´22 : val
)(
v´38 : val
)(
v´41 : TcbMod.map
)(
v´50 : TcbMod.map
)(
v´51 : val
)(
v´52 : block
)(
H28 : v´29 <> Vnull
)(
H29 : TcbMod.join v´41 v´50 v´37
)(
H27 : Vptr (v´52, Int.zero) <> Vnull
)(
x8 : val
)(
x9 : val
)(
H34 : isptr x9
)(
H35 : isptr x8
)(
i9 : int32
)(
H36 : Int.unsigned i9 <= 65535
)(
i8 : int32
)(
H37 : Int.unsigned i8 <= 255
)(
i7 : int32
)(
(* i7 is the current task's priority (cf. H5); 8-bit. *)
H38 : Int.unsigned i7 <= 255
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 255
)(
H33 : isptr v´22
)(
H14 : isptr v´51
)(
H8 : RH_TCBList_ECBList_P v´36 v´37 (v´52, Int.zero)
)(
H9 : RH_CurTCB (v´52, Int.zero) v´37
)(
H21 : Int.unsigned ($ OS_EVENT_TYPE_MBOX) <= 255
)(
(* The current task is not the idle task. *)
Heqb : false = Int.eq i7 ($ OS_IDLE_PRIO)
)(
H11 : val_inj (Some ( Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (Some ( Vint32 Int.zero)) = Vnull
)(
(* Before blocking, the current task was ready (H48, H5) with no pending
   delay (H49). *)
H48 : Int.eq i8 ($ OS_STAT_RDY) = true
)(
H49 : Int.eq i9 ($ 0) = true
)(
H5 : TcbMod.get v´50 (v´52, Int.zero) = Some (i7, rdy, x8)
)(
H50 : isr_is_prop empisr nil
)(
v´30 : option val
)(
v´39 : vallist
)(
v´43 : int32
)(
v´54 : vallist
)(
v´58 : int32
)(
v´61 : int32
)(
v´62 : int32
)(
v´63 : int32
)(
v´64 : int32
)(
v´65 : int32
)(
v´66 : int32
)(
H30 : TCBList_P v´29 v´31 v´39 v´41
)(
H26 : array_type_vallist_match Int8u v´39
)(
H46 : length v´39 = ∘OS_RDY_TBL_SIZE
)(
(* The idle task is always in the ready table. *)
H45 : prio_in_tbl ($ OS_IDLE_PRIO) v´39
)(
H43 : Int.unsigned v´43 <= 255
)(
H44 : RL_Tbl_Grp_P v´39 (Vint32 v´43)
)(
(* Old values at index v´61 of the ready table (v´64) and of the mailbox's
   event table (v´65); the precondition below updates both entries. *)
H55 : nth_val ∘(Int.unsigned v´61) v´39 = Some (Vint32 v´64)
)(
H57 : nth_val ∘(Int.unsigned v´61) v´54 = Some (Vint32 v´65)
)(
H12 : array_type_vallist_match Int8u v´54
)(
H20 : length v´54 = ∘OS_EVENT_TBL_SIZE
)(
H41 : Int.unsigned v´62 <= 255
)(
H40 : Int.unsigned v´61 <= 255
)(
H42 : Int.unsigned v´63 <= 255
)(
(* Original field list of the current TCB; compare with the [node] in the
   precondition below. *)
H31 : TCBList_P (Vptr (v´52, Int.zero))
((v´51
:: v´22
:: x9
:: x8
:: Vint32 i9
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
:: Vint32 v´61
:: Vint32 v´62 :: Vint32 v´63 :: nil)
:: v´33) v´39 v´50
)(
H22 : Int.unsigned v´66 <= 255
)(
H19 : RL_Tbl_Grp_P v´54 (Vint32 v´66)
)(
H24 : isptr Vnull
)(
H47 : RH_ECB_P (absmbox Vnull, w)
)(
H7 : EcbMod.joinsig (v´27, Int.zero) (absmbox Vnull, w) v´46 v´47
)(
H32 : RH_ECB_P (absmbox Vnull, w)
)(
(* A pointer-vs-NULL test on a Vnull value evaluated to false; presumably
   the [OSEventPtr != NULL] check on the (empty) mailbox, which is why this
   path blocks instead of returning the message. *)
H18 : val_inj (notint (val_inj (val_eq Vnull Vnull))) = Vint32 Int.zero \/
val_inj (notint (val_inj (val_eq Vnull Vnull))) = Vnull
)(
(* The whole event list with the mailbox node spliced in: type MBOX, group
   v´66, count i2, message Vnull, event table v´54. *)
H0 : ECBList_P v´40 Vnull
(v´23 ++
((V$OS_EVENT_TYPE_MBOX
:: Vint32 v´66 :: Vint32 i2 :: Vnull :: x3 :: v´44 :: nil, v´54)
:: nil) ++ v´24) (v´25 ++ (DMbox Vnull :: nil) ++ v´26) v´36 v´37
)(
H6 : R_ECB_ETbl_P (v´27, Int.zero)
(V$OS_EVENT_TYPE_MBOX
:: Vint32 v´66 :: Vint32 i2 :: Vnull :: x3 :: v´44 :: nil, v´54)
v´37)
,
(* Spec frame: the return clause releases the four locals and requires the
   critical section to be closed ([Aie true], [Acs nil]) on return. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV message @ (Void) ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (message, (Void) ∗) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Abstract code still to run: schedule, then timeout-error or get-success. *)
{{ <||
isched;;
(mbox_pend_timeout_err (|Vptr (v´27, Int.zero) :: Vint32 i :: nil|)
?? mbox_pend_block_get_succ
(|Vptr (v´27, Int.zero) :: Vint32 i :: nil|)) ||> **
(* Current TCB prepended to the mailbox's wait set. *)
HECBList
(EcbMod.set v´36 (v´27, Int.zero)
(absmbox Vnull, (v´52, Int.zero) :: w)) **
(* Current task now blocked on this mailbox with timeout i. *)
HTCBList
(TcbMod.set v´37 (v´52, Int.zero)
(i7, wait (os_stat_mbox (v´27, Int.zero)) i, Vnull)) **
HTime v´16 **
HCurTCB (v´52, Int.zero) **
(* Still inside the critical section. *)
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
(* Fields 2..5 (0-based) differ from H31: event pointer, Vnull message,
   timeout i and OS_STAT_MBOX. *)
node (Vptr (v´52, Int.zero))
(v´51
:: v´22
:: Vptr (v´27, Int.zero)
:: Vnull
:: Vint32 i
:: V$OS_STAT_MBOX
:: Vint32 i7
:: Vint32 i6
:: Vint32 v´61
:: Vint32 v´62 :: Vint32 v´63 :: nil) OS_TCB **
(* Ready bit of the current task cleared. *)
AOSRdyTblGrp
(update_nth_val ∘(Int.unsigned v´61) v´39 (Vint32 (v´64&Int.not v´62)))
(Vint32 v´58) **
(* Wait bit set in the mailbox's event table and group. *)
AEventNode (Vptr (v´27, Int.zero))
(V$OS_EVENT_TYPE_MBOX
:: Vint32 (Int.or v´66 v´63)
:: Vint32 i2 :: Vnull :: x3 :: v´44 :: nil)
(update_nth_val ∘(Int.unsigned v´61) v´54 (Vint32 (Int.or v´65 v´62)))
(DMbox Vnull) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (message, (Void) ∗) :: (legal, Int8u) :: nil) **
LV message @ (Void) ∗ |-> Vnull **
dllseg v´51 (Vptr (v´52, Int.zero)) v´38 Vnull v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´29 **
dllseg v´29 Vnull v´22 (Vptr (v´52, Int.zero)) v´31 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSEventList @ OS_EVENT ∗ |-> v´40 **
evsllseg v´40 (Vptr (v´27, Int.zero)) v´23 v´25 **
evsllseg v´44 Vnull v´24 v´26 **
AOSTCBPrioTbl v´28 v´39 v´37 v´49 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´1 **
AOSQFreeList v´2 **
AOSQFreeBlk v´3 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´19 v´20 **
AOSTime (Vint32 v´16) **
AGVars **
atoy_inv´ **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´27, Int.zero)}}
(* Remaining C code of OSMboxPend: leave the critical section, schedule,
   re-enter, read the message slot; both exits RETURN. *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
ENTER_CRITICAL;ₛ
message ′ =ₑ OSTCBCur ′ → OSTCBMsg;ₛ
If(message ′ !=ₑ NULL)
{EXIT_CRITICAL;ₛ
RETURN ′MBOX_PEND_SUCC} ;ₛ
EXIT_CRITICAL;ₛ
RETURN ′MBOX_PEND_TIMEOUT_ERR {{Afalse}}
.
(* Proof obligation for the tail of OSMboxPost in the case where at least one
   task was waiting on the mailbox (H16: the event group i is non-zero) and
   has been readied; the readied state is not spelled out but abstracted by
   [event_rdy_post1] applied to the (pevent, message, OS_STAT_MBOX) arguments
   and the logic variables listed after it.  gen_mbox_post_part1 .. part5
   share binder list and code and differ only in which event_rdy_post variant
   (post1, post3, post5, post1´, post3´) is asserted.

   Generated goal: the binders mirror the proof context, so several [v´n] are
   unused, H28 = H30 and H18 = H27 are duplicates, and H12, H, H2 are
   trivially true.  H1/H3 and H10/H11 state the same invariants for an older
   (v´13, v´14, v´16) and the current (v´35, v´36, v´38) abstract state.
   Binder names are relied on by [intros] in the proof script.

   x is the posted message (LV message |-> Vptr x); H0 is a test that
   destructures x and yields zero, presumably the [message == NULL] check
   coming out false.  The local [legal] holds OS_STAT_MBOX, the same value
   passed as third argument to event_rdy_post1 -- presumably reused as the
   status-mask argument of OS_EventTaskRdy, confirm against the C source.

   The remaining code leaves the critical section, schedules and returns
   OS_NO_ERR, so the fall-through postcondition is [Afalse] and the return
   clause of the spec frame (locals released, [Aie true], [Acs nil]) is the
   effective postcondition. *)
Definition gen_mbox_post_part1:= forall (x : addrval)
(v´ : val)
(H0 : val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vnull)
(v´0 : list vallist)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list EventData)
(v´4 : list EventCtr)
(v´5 : vallist)
(v´6 : val)
(v´7 : val)
(v´8 : list vallist)
(v´9 : vallist)
(v´10 : list vallist)
(v´11 : vallist)
(v´12 : val)
(v´13 : EcbMod.map)
(v´14 : TcbMod.map)
(v´15 : int32)
(v´16 : addrval)
(v´17 : addrval)
(v´18 : val)
(v´19 : list vallist)
(H1 : RH_TCBList_ECBList_P v´13 v´14 v´16)
(H3 : RH_CurTCB v´16 v´14)
(v´22 : list EventCtr)
(v´23 : list EventCtr)
(v´24 : list EventData)
(v´25 : list EventData)
(v´27 : vallist)
(v´28 : val)
(v´29 : val)
(v´30 : list vallist)
(v´31 : vallist)
(v´32 : list vallist)
(v´33 : vallist)
(v´34 : val)
(v´35 : EcbMod.map)
(v´36 : TcbMod.map)
(v´38 : addrval)
(v´39 : val)
(v´41 : vallist)
(v´43 : val)
(v´44 : EcbMod.map)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(m0 : msg)
(w : waitset)
(v´48 : addrval)
(H6 : ECBList_P v´43 Vnull v´23 v´25 v´45 v´36)
(H19 : EcbMod.join v´44 v´46 v´35)
(H10 : RH_TCBList_ECBList_P v´35 v´36 v´38)
(H11 : RH_CurTCB v´38 v´36)
(H15 : length v´22 = length v´24)
(H18 : isptr v´43)
(* Trivially true (Int.eq 1 0 = false); residue of the [legal] test. *)
(H12 : val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull)
(v´20 : addrval)
(v´26 : block)
(* v´41 is the mailbox's 8-bit event wait table; i is its group byte. *)
(H14 : array_type_vallist_match Int8u v´41)
(H22 : length v´41 = ∘OS_EVENT_TBL_SIZE)
(x4 : val)
(i : int32)
(H24 : Int.unsigned i <= 255)
(i1 : int32)
(H25 : Int.unsigned i1 <= 65535)
(H21 : RL_Tbl_Grp_P v´41 (Vint32 i))
(H27 : isptr v´43)
(H5 : ECBList_P v´39 (Vptr (v´26, Int.zero)) v´22 v´24 v´44 v´36)
(* Abstract mailbox at (v´26, 0): message m0, wait set w. *)
(H9 : EcbMod.joinsig (v´26, Int.zero) (absmbox m0, w) v´45 v´46)
(H2 : Vptr (v´26, Int.zero) = Vnull \/
exists p, Vptr (v´26, Int.zero) = Vptr p)
(H : val_inj (Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (Some( Vint32 Int.zero)) = Vnull)
(H17 : id_addrval´ (Vptr (v´26, Int.zero)) OSEventTbl OS_EVENT = Some v´20)
(H23 : Int.unsigned ($ OS_EVENT_TYPE_MBOX) <= 255)
(H28 : RH_ECB_P (absmbox m0, w))
(H30 : RH_ECB_P (absmbox m0, w))
(H26 : isptr m0)
(H8 : R_ECB_ETbl_P (v´26, Int.zero)
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) v´36)
(H4 : ECBList_P v´39 Vnull
(v´22 ++
((V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) :: nil) ++
v´23) (v´24 ++ (DMbox m0 :: nil) ++ v´25) v´35 v´36)
(* Non-empty event group: some task is waiting, so this is the wake-up path. *)
(H16 : Int.eq i ($ 0) = false)
(v´21 : option val)
,
(* Spec frame: on return the three locals are released and the critical
   section must be closed ([Aie true], [Acs nil]). *)
{|OSQ_spec , GetHPrio , I,
fun v : option val =>
((((EX v0 : val, LV message @ (Void) ∗ |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* State after OS_EventTaskRdy, packaged by event_rdy_post1; the abstract
   code still pending is carried inside it as [logic_code (mbox_post ...)]. *)
{{event_rdy_post1
(Vptr (v´26, Int.zero) :: Vptr x :: V$OS_STAT_MBOX :: nil) v´21
(logic_lv v´27
:: logic_lv v´31
:: logic_llv v´30
:: logic_llv v´32
:: logic_lv v´33
:: logic_val v´34
:: logic_abstcb v´36
:: logic_val v´28
:: logic_val v´29
:: logic_val (Vptr v´38)
:: logic_lv
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i
:: Vint32 i1
:: m0 :: x4 :: v´43 :: nil)
:: logic_lv v´41
:: logic_leventd (DMbox m0 :: nil)
:: logic_code
(mbox_post
(Vptr (v´26, Int.zero)
::
Vptr x :: nil)) :: nil) **
(* Still inside the critical section. *)
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV legal @ Int8u |-> (V$OS_STAT_MBOX) **
GV OSEventList @ OS_EVENT ∗ |-> v´39 **
evsllseg v´39 (Vptr (v´26, Int.zero)) v´22 v´24 **
evsllseg v´43 Vnull v´23 v´25 **
HECBList v´35 **
HTCBList v´36 **
HCurTCB v´38 **
AOSEventFreeList v´0 **
AOSQFreeList v´1 **
AOSQFreeBlk v´2 **
AOSIntNesting **
AOSTCBFreeList v´18 v´19 **
AOSTime (Vint32 v´15) **
HTime v´15 **
AGVars **
atoy_inv´ **
LV message @ (Void) ∗ |-> Vptr x **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´26, Int.zero) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)}}
(* Remaining C code of OSMboxPost on this path. *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}
.
(* Same obligation as gen_mbox_post_part1 (tail of OSMboxPost after a waiting
   task has been readied, H16: event group i <> 0) with the readied state
   abstracted by [event_rdy_post3] instead of [event_rdy_post1]; binder list,
   spec frame and code are otherwise identical to part1.

   Generated goal: unused [v´n] binders, duplicated hypotheses (H28 = H30,
   H18 = H27) and trivially true ones (H12, H, H2) are artifacts of the proof
   context; H0 destructures the posted message x and yields zero, presumably
   the [message == NULL] test coming out false.  Binder names are relied on
   by [intros] in the proof script; do not rename or reorder.

   The code leaves the critical section, schedules and returns OS_NO_ERR;
   fall-through postcondition is [Afalse], the return clause of the frame
   (locals released, [Aie true], [Acs nil]) is the effective postcondition. *)
Definition gen_mbox_post_part2 := forall (x : addrval)
(v´ : val)
(H0 : val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vint32 Int.zero \/ val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vnull)
(v´0 : list vallist)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list EventData)
(v´4 : list EventCtr)
(v´5 : vallist)
(v´6 : val)
(v´7 : val)
(v´8 : list vallist)
(v´9 : vallist)
(v´10 : list vallist)
(v´11 : vallist)
(v´12 : val)
(v´13 : EcbMod.map)
(v´14 : TcbMod.map)
(v´15 : int32)
(v´16 : addrval)
(v´17 : addrval)
(v´18 : val)
(v´19 : list vallist)
(H1 : RH_TCBList_ECBList_P v´13 v´14 v´16)
(H3 : RH_CurTCB v´16 v´14)
(v´22 : list EventCtr)
(v´23 : list EventCtr)
(v´24 : list EventData)
(v´25 : list EventData)
(v´27 : vallist)
(v´28 : val)
(v´29 : val)
(v´30 : list vallist)
(v´31 : vallist)
(v´32 : list vallist)
(v´33 : vallist)
(v´34 : val)
(v´35 : EcbMod.map)
(v´36 : TcbMod.map)
(v´38 : addrval)
(v´39 : val)
(v´41 : vallist)
(v´43 : val)
(v´44 : EcbMod.map)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(m0 : msg)
(w : waitset)
(v´48 : addrval)
(H6 : ECBList_P v´43 Vnull v´23 v´25 v´45 v´36)
(H19 : EcbMod.join v´44 v´46 v´35)
(H10 : RH_TCBList_ECBList_P v´35 v´36 v´38)
(H11 : RH_CurTCB v´38 v´36)
(H15 : length v´22 = length v´24)
(H18 : isptr v´43)
(* Trivially true (Int.eq 1 0 = false); residue of the [legal] test. *)
(H12 : val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull)
(v´20 : addrval)
(v´26 : block)
(* v´41 is the mailbox's 8-bit event wait table; i is its group byte. *)
(H14 : array_type_vallist_match Int8u v´41)
(H22 : length v´41 = ∘OS_EVENT_TBL_SIZE)
(x4 : val)
(i : int32)
(H24 : Int.unsigned i <= 255)
(i1 : int32)
(H25 : Int.unsigned i1 <= 65535)
(H21 : RL_Tbl_Grp_P v´41 (Vint32 i))
(H27 : isptr v´43)
(H5 : ECBList_P v´39 (Vptr (v´26, Int.zero)) v´22 v´24 v´44 v´36)
(* Abstract mailbox at (v´26, 0): message m0, wait set w. *)
(H9 : EcbMod.joinsig (v´26, Int.zero) (absmbox m0, w) v´45 v´46)
(H2 : Vptr (v´26, Int.zero) = Vnull \/
(exists p, Vptr (v´26, Int.zero) = Vptr p))
(H : val_inj (Some (Vint32 Int.zero)) = Vint32 Int.zero \/ val_inj (Some (Vint32 Int.zero)) = Vnull)
(H17 : id_addrval´ (Vptr (v´26, Int.zero)) OSEventTbl OS_EVENT = Some v´20)
(H23 : Int.unsigned ($ OS_EVENT_TYPE_MBOX) <= 255)
(H28 : RH_ECB_P (absmbox m0, w))
(H30 : RH_ECB_P (absmbox m0, w))
(H26 : isptr m0)
(H8 : R_ECB_ETbl_P (v´26, Int.zero)
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) v´36)
(H4 : ECBList_P v´39 Vnull
(v´22 ++
((V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) :: nil) ++
v´23) (v´24 ++ (DMbox m0 :: nil) ++ v´25) v´35 v´36)
(* Non-empty event group: some task is waiting, so this is the wake-up path. *)
(H16 : Int.eq i ($ 0) = false)
(v´21 : option val),
(* Spec frame: on return the three locals are released and the critical
   section must be closed ([Aie true], [Acs nil]). *)
{|OSQ_spec , GetHPrio , I,
fun v : option val =>
((((EX v0 : val, LV message @ (Void) ∗ |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* State after OS_EventTaskRdy, packaged by event_rdy_post3; the pending
   abstract code is carried inside it as [logic_code (mbox_post ...)]. *)
{{event_rdy_post3
(Vptr (v´26, Int.zero) :: Vptr x :: V$OS_STAT_MBOX :: nil) v´21
(logic_lv v´27
:: logic_lv v´31
:: logic_llv v´30
:: logic_llv v´32
:: logic_lv v´33
:: logic_val v´34
:: logic_abstcb v´36
:: logic_val v´28
:: logic_val v´29
:: logic_val (Vptr v´38)
:: logic_lv
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i
:: Vint32 i1
:: m0 :: x4 :: v´43 :: nil)
:: logic_lv v´41
:: logic_leventd (DMbox m0 :: nil)
:: logic_code
(mbox_post
(Vptr (v´26, Int.zero)
::
Vptr x :: nil)) :: nil) **
(* Still inside the critical section. *)
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV legal @ Int8u |-> (V$OS_STAT_MBOX) **
GV OSEventList @ OS_EVENT ∗ |-> v´39 **
evsllseg v´39 (Vptr (v´26, Int.zero)) v´22 v´24 **
evsllseg v´43 Vnull v´23 v´25 **
HECBList v´35 **
HTCBList v´36 **
HCurTCB v´38 **
AOSEventFreeList v´0 **
AOSQFreeList v´1 **
AOSQFreeBlk v´2 **
AOSIntNesting **
AOSTCBFreeList v´18 v´19 **
AOSTime (Vint32 v´15) **
HTime v´15 **
AGVars **
atoy_inv´ **
LV message @ (Void) ∗ |-> Vptr x **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´26, Int.zero) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)}}
(* Remaining C code of OSMboxPost on this path. *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Same obligation as gen_mbox_post_part1 (tail of OSMboxPost after a waiting
   task has been readied, H16: event group i <> 0) with the readied state
   abstracted by [event_rdy_post5]; binder list, spec frame and code are
   otherwise identical to part1.

   Generated goal: unused [v´n] binders, duplicated hypotheses (H28 = H30,
   H18 = H27) and trivially true ones (H12, H, H2) are artifacts of the proof
   context; H0 destructures the posted message x and yields zero, presumably
   the [message == NULL] test coming out false.  Binder names are relied on
   by [intros] in the proof script; do not rename or reorder.

   The code leaves the critical section, schedules and returns OS_NO_ERR;
   fall-through postcondition is [Afalse], the return clause of the frame
   (locals released, [Aie true], [Acs nil]) is the effective postcondition. *)
Definition gen_mbox_post_part3:= forall
(x : addrval)
(v´ : val)
( H0 : val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vnull)
(v´0 : list vallist)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list EventData)
(v´4 : list EventCtr)
(v´5 : vallist)
(v´6 : val)
(v´7 : val)
(v´8 : list vallist)
(v´9 : vallist)
(v´10 : list vallist)
(v´11 : vallist)
(v´12 : val)
(v´13 : EcbMod.map)
(v´14 : TcbMod.map)
(v´15 : int32)
(v´16 : addrval)
(v´17 : addrval)
(v´18 : val)
(v´19 : list vallist)
(H1 : RH_TCBList_ECBList_P v´13 v´14 v´16)
(H3 : RH_CurTCB v´16 v´14)
(v´22 : list EventCtr)
(v´23 : list EventCtr)
(v´24 : list EventData)
(v´25 : list EventData)
(v´27 : vallist)
(v´28 : val)
(v´29 : val)
(v´30 : list vallist)
(v´31 : vallist)
(v´32 : list vallist)
(v´33 : vallist)
(v´34 : val)
(v´35 : EcbMod.map)
(v´36 : TcbMod.map)
(v´38 : addrval)
(v´39 : val)
(v´41 : vallist)
(v´43 : val)
(v´44 : EcbMod.map)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(m0 : msg)
(w : waitset)
(v´48 : addrval)
(H6 : ECBList_P v´43 Vnull v´23 v´25 v´45 v´36)
(H19 : EcbMod.join v´44 v´46 v´35)
(H10 : RH_TCBList_ECBList_P v´35 v´36 v´38)
(H11 : RH_CurTCB v´38 v´36)
(H15 : length v´22 = length v´24)
(H18 : isptr v´43)
(* Trivially true (Int.eq 1 0 = false); residue of the [legal] test. *)
(H12 : val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull)
(v´20 : addrval)
(v´26 : block)
(* v´41 is the mailbox's 8-bit event wait table; i is its group byte. *)
(H14 : array_type_vallist_match Int8u v´41)
(H22 : length v´41 = ∘OS_EVENT_TBL_SIZE)
(x4 : val)
(i : int32)
(H24 : Int.unsigned i <= 255)
(i1 : int32)
(H25 : Int.unsigned i1 <= 65535)
(H21 : RL_Tbl_Grp_P v´41 (Vint32 i))
(H27 : isptr v´43)
(H5 : ECBList_P v´39 (Vptr (v´26, Int.zero)) v´22 v´24 v´44 v´36)
(* Abstract mailbox at (v´26, 0): message m0, wait set w. *)
(H9 : EcbMod.joinsig (v´26, Int.zero) (absmbox m0, w) v´45 v´46)
(H2 : Vptr (v´26, Int.zero) = Vnull \/
(exists p, Vptr (v´26, Int.zero) = Vptr p))
(H : val_inj (Some ( Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (Some ( Vint32 Int.zero)) = Vnull)
(H17 : id_addrval´ (Vptr (v´26, Int.zero)) OSEventTbl OS_EVENT = Some v´20)
(H23 : Int.unsigned ($ OS_EVENT_TYPE_MBOX) <= 255)
(H28 : RH_ECB_P (absmbox m0, w))
(H30 : RH_ECB_P (absmbox m0, w))
(H26 : isptr m0)
(H8 : R_ECB_ETbl_P (v´26, Int.zero)
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) v´36)
(H4 : ECBList_P v´39 Vnull
(v´22 ++
((V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) :: nil) ++
v´23) (v´24 ++ (DMbox m0 :: nil) ++ v´25) v´35 v´36)
(* Non-empty event group: some task is waiting, so this is the wake-up path. *)
(H16 : Int.eq i ($ 0) = false)
(v´21 : option val )
,
(* Spec frame: on return the three locals are released and the critical
   section must be closed ([Aie true], [Acs nil]). *)
{|OSQ_spec , GetHPrio , I,
fun v : option val =>
((((EX v0 : val, LV message @ (Void) ∗ |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* State after OS_EventTaskRdy, packaged by event_rdy_post5; the pending
   abstract code is carried inside it as [logic_code (mbox_post ...)]. *)
{{event_rdy_post5
(Vptr (v´26, Int.zero) :: Vptr x :: V$OS_STAT_MBOX :: nil) v´21
(logic_lv v´27
:: logic_lv v´31
:: logic_llv v´30
:: logic_llv v´32
:: logic_lv v´33
:: logic_val v´34
:: logic_abstcb v´36
:: logic_val v´28
:: logic_val v´29
:: logic_val (Vptr v´38)
:: logic_lv
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i
:: Vint32 i1
:: m0 :: x4 :: v´43 :: nil)
:: logic_lv v´41
:: logic_leventd (DMbox m0 :: nil)
:: logic_code
(mbox_post
(Vptr (v´26, Int.zero)
::
Vptr x :: nil)) :: nil) **
(* Still inside the critical section. *)
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV legal @ Int8u |-> (V$OS_STAT_MBOX) **
GV OSEventList @ OS_EVENT ∗ |-> v´39 **
evsllseg v´39 (Vptr (v´26, Int.zero)) v´22 v´24 **
evsllseg v´43 Vnull v´23 v´25 **
HECBList v´35 **
HTCBList v´36 **
HCurTCB v´38 **
AOSEventFreeList v´0 **
AOSQFreeList v´1 **
AOSQFreeBlk v´2 **
AOSIntNesting **
AOSTCBFreeList v´18 v´19 **
AOSTime (Vint32 v´15) **
HTime v´15 **
AGVars **
atoy_inv´ **
LV message @ (Void) ∗ |-> Vptr x **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´26, Int.zero) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)}}
(* Remaining C code of OSMboxPost on this path. *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Same obligation as gen_mbox_post_part1 (tail of OSMboxPost after a waiting
   task has been readied, H16: event group i <> 0) with the readied state
   abstracted by the primed variant [event_rdy_post1´]; binder list, spec
   frame and code are otherwise identical to part1.

   Generated goal: unused [v´n] binders, duplicated hypotheses (H28 = H30,
   H18 = H27) and trivially true ones (H12, H, H2) are artifacts of the proof
   context; H0 destructures the posted message x and yields zero, presumably
   the [message == NULL] test coming out false.  Binder names are relied on
   by [intros] in the proof script; do not rename or reorder.

   The code leaves the critical section, schedules and returns OS_NO_ERR;
   fall-through postcondition is [Afalse], the return clause of the frame
   (locals released, [Aie true], [Acs nil]) is the effective postcondition. *)
Definition gen_mbox_post_part4:=forall (x : addrval)
(v´ : val)
(H0 : val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vnull)
(v´0 : list vallist)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list EventData)
(v´4 : list EventCtr)
(v´5 : vallist)
(v´6 : val)
(v´7 : val)
(v´8 : list vallist)
(v´9 : vallist)
(v´10 : list vallist)
(v´11 : vallist)
(v´12 : val)
(v´13 : EcbMod.map)
(v´14 : TcbMod.map)
(v´15 : int32)
(v´16 : addrval)
(v´17 : addrval)
(v´18 : val)
(v´19 : list vallist)
(H1 : RH_TCBList_ECBList_P v´13 v´14 v´16)
(H3 : RH_CurTCB v´16 v´14)
(v´22 : list EventCtr)
(v´23 : list EventCtr)
(v´24 : list EventData)
(v´25 : list EventData)
(v´27 : vallist)
(v´28 : val)
(v´29 : val)
(v´30 : list vallist)
(v´31 : vallist)
(v´32 : list vallist)
(v´33 : vallist)
(v´34 : val)
(v´35 : EcbMod.map)
(v´36 : TcbMod.map)
(v´38 : addrval)
(v´39 : val)
(v´41 : vallist)
(v´43 : val)
(v´44 : EcbMod.map)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(m0 : msg)
(w : waitset)
(v´48 : addrval)
(H6 : ECBList_P v´43 Vnull v´23 v´25 v´45 v´36)
(H19 : EcbMod.join v´44 v´46 v´35)
(H10 : RH_TCBList_ECBList_P v´35 v´36 v´38)
(H11 : RH_CurTCB v´38 v´36)
(H15 : length v´22 = length v´24)
(H18 : isptr v´43)
(* Trivially true (Int.eq 1 0 = false); residue of the [legal] test. *)
(H12 : val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull)
(v´20 : addrval)
(v´26 : block)
(* v´41 is the mailbox's 8-bit event wait table; i is its group byte. *)
(H14 : array_type_vallist_match Int8u v´41)
(H22 : length v´41 = ∘OS_EVENT_TBL_SIZE)
(x4 : val)
(i : int32)
(H24 : Int.unsigned i <= 255)
(i1 : int32)
(H25 : Int.unsigned i1 <= 65535)
(H21 : RL_Tbl_Grp_P v´41 (Vint32 i))
(H27 : isptr v´43)
(H5 : ECBList_P v´39 (Vptr (v´26, Int.zero)) v´22 v´24 v´44 v´36)
(* Abstract mailbox at (v´26, 0): message m0, wait set w. *)
(H9 : EcbMod.joinsig (v´26, Int.zero) (absmbox m0, w) v´45 v´46)
(H2 : Vptr (v´26, Int.zero) = Vnull \/
(exists p, Vptr (v´26, Int.zero) = Vptr p))
(H : val_inj (Some ( Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (Some ( Vint32 Int.zero)) = Vnull)
(H17 : id_addrval´ (Vptr (v´26, Int.zero)) OSEventTbl OS_EVENT = Some v´20)
(H23 : Int.unsigned ($ OS_EVENT_TYPE_MBOX) <= 255)
(H28 : RH_ECB_P (absmbox m0, w))
(H30 : RH_ECB_P (absmbox m0, w))
(H26 : isptr m0)
(H8 : R_ECB_ETbl_P (v´26, Int.zero)
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) v´36)
(H4 : ECBList_P v´39 Vnull
(v´22 ++
((V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) :: nil) ++
v´23) (v´24 ++ (DMbox m0 :: nil) ++ v´25) v´35 v´36)
(* Non-empty event group: some task is waiting, so this is the wake-up path. *)
(H16 : Int.eq i ($ 0) = false)
(v´21 : option val
),
(* Spec frame: on return the three locals are released and the critical
   section must be closed ([Aie true], [Acs nil]). *)
{|OSQ_spec , GetHPrio , I,
fun v : option val =>
((((EX v0 : val, LV message @ (Void) ∗ |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* State after OS_EventTaskRdy, packaged by event_rdy_post1´; the pending
   abstract code is carried inside it as [logic_code (mbox_post ...)]. *)
{{event_rdy_post1´
(Vptr (v´26, Int.zero) :: Vptr x :: V$OS_STAT_MBOX :: nil) v´21
(logic_lv v´27
:: logic_lv v´31
:: logic_llv v´30
:: logic_llv v´32
:: logic_lv v´33
:: logic_val v´34
:: logic_abstcb v´36
:: logic_val v´28
:: logic_val v´29
:: logic_val (Vptr v´38)
:: logic_lv
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i
:: Vint32 i1
:: m0 :: x4 :: v´43 :: nil)
:: logic_lv v´41
:: logic_leventd (DMbox m0 :: nil)
:: logic_code
(mbox_post
(Vptr (v´26, Int.zero)
::
Vptr x :: nil)) :: nil) **
(* Still inside the critical section. *)
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV legal @ Int8u |-> (V$OS_STAT_MBOX) **
GV OSEventList @ OS_EVENT ∗ |-> v´39 **
evsllseg v´39 (Vptr (v´26, Int.zero)) v´22 v´24 **
evsllseg v´43 Vnull v´23 v´25 **
HECBList v´35 **
HTCBList v´36 **
HCurTCB v´38 **
AOSEventFreeList v´0 **
AOSQFreeList v´1 **
AOSQFreeBlk v´2 **
AOSIntNesting **
AOSTCBFreeList v´18 v´19 **
AOSTime (Vint32 v´15) **
HTime v´15 **
AGVars **
atoy_inv´ **
LV message @ (Void) ∗ |-> Vptr x **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´26, Int.zero) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)}}
(* Remaining C code of OSMboxPost on this path. *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Same obligation as gen_mbox_post_part1 (tail of OSMboxPost after a waiting
   task has been readied, H16: event group i <> 0) with the readied state
   abstracted by the primed variant [event_rdy_post3´]; binder list, spec
   frame and code are otherwise identical to part1.

   Generated goal: unused [v´n] binders, duplicated hypotheses (H28 = H30,
   H18 = H27) and trivially true ones (H12, H, H2) are artifacts of the proof
   context; H0 destructures the posted message x and yields zero, presumably
   the [message == NULL] test coming out false.  Binder names are relied on
   by [intros] in the proof script; do not rename or reorder.

   The code leaves the critical section, schedules and returns OS_NO_ERR;
   fall-through postcondition is [Afalse], the return clause of the frame
   (locals released, [Aie true], [Acs nil]) is the effective postcondition. *)
Definition gen_mbox_post_part5:=forall (
x : addrval)
(v´ : val)
(H0 : val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vnull)
(v´0 : list vallist)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list EventData)
(v´4 : list EventCtr)
(v´5 : vallist)
(v´6 : val)
(v´7 : val)
(v´8 : list vallist)
(v´9 : vallist)
(v´10 : list vallist)
(v´11 : vallist)
(v´12 : val)
(v´13 : EcbMod.map)
(v´14 : TcbMod.map)
(v´15 : int32)
(v´16 : addrval)
(v´17 : addrval)
(v´18 : val)
(v´19 : list vallist)
(H1 : RH_TCBList_ECBList_P v´13 v´14 v´16)
(H3 : RH_CurTCB v´16 v´14)
(v´22 : list EventCtr)
(v´23 : list EventCtr)
(v´24 : list EventData)
(v´25 : list EventData)
(v´27 : vallist)
(v´28 : val)
(v´29 : val)
(v´30 : list vallist)
(v´31 : vallist)
(v´32 : list vallist)
(v´33 : vallist)
(v´34 : val)
(v´35 : EcbMod.map)
(v´36 : TcbMod.map)
(v´38 : addrval)
(v´39 : val)
(v´41 : vallist)
(v´43 : val)
(v´44 : EcbMod.map)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(m0 : msg)
(w : waitset)
(v´48 : addrval)
(H6 : ECBList_P v´43 Vnull v´23 v´25 v´45 v´36)
(H19 : EcbMod.join v´44 v´46 v´35)
(H10 : RH_TCBList_ECBList_P v´35 v´36 v´38)
(H11 : RH_CurTCB v´38 v´36)
(H15 : length v´22 = length v´24)
(H18 : isptr v´43)
(* Trivially true (Int.eq 1 0 = false); residue of the [legal] test. *)
(H12 : val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull)
(v´20 : addrval)
(v´26 : block)
(* v´41 is the mailbox's 8-bit event wait table; i is its group byte. *)
(H14 : array_type_vallist_match Int8u v´41)
(H22 : length v´41 = ∘OS_EVENT_TBL_SIZE)
(x4 : val)
(i : int32)
(H24 : Int.unsigned i <= 255)
(i1 : int32)
(H25 : Int.unsigned i1 <= 65535)
(H21 : RL_Tbl_Grp_P v´41 (Vint32 i))
(H27 : isptr v´43)
(H5 : ECBList_P v´39 (Vptr (v´26, Int.zero)) v´22 v´24 v´44 v´36)
(* Abstract mailbox at (v´26, 0): message m0, wait set w. *)
(H9 : EcbMod.joinsig (v´26, Int.zero) (absmbox m0, w) v´45 v´46)
(H2 : Vptr (v´26, Int.zero) = Vnull \/
(exists p, Vptr (v´26, Int.zero) = Vptr p))
(H : val_inj (Some ( Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (Some ( Vint32 Int.zero)) = Vnull)
(H17 : id_addrval´ (Vptr (v´26, Int.zero)) OSEventTbl OS_EVENT = Some v´20)
(H23 : Int.unsigned ($ OS_EVENT_TYPE_MBOX) <= 255)
(H28 : RH_ECB_P (absmbox m0, w))
(H30 : RH_ECB_P (absmbox m0, w))
(H26 : isptr m0)
(H8 : R_ECB_ETbl_P (v´26, Int.zero)
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) v´36)
(H4 : ECBList_P v´39 Vnull
(v´22 ++
((V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) :: nil) ++
v´23) (v´24 ++ (DMbox m0 :: nil) ++ v´25) v´35 v´36)
(* Non-empty event group: some task is waiting, so this is the wake-up path. *)
(H16 : Int.eq i ($ 0) = false)
(v´21 : option val
)
,
(* Spec frame: on return the three locals are released and the critical
   section must be closed ([Aie true], [Acs nil]). *)
{|OSQ_spec , GetHPrio , I,
fun v : option val =>
((((EX v0 : val, LV message @ (Void) ∗ |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* State after OS_EventTaskRdy, packaged by event_rdy_post3´; the pending
   abstract code is carried inside it as [logic_code (mbox_post ...)]. *)
{{event_rdy_post3´
(Vptr (v´26, Int.zero) :: Vptr x :: V$OS_STAT_MBOX :: nil) v´21
(logic_lv v´27
:: logic_lv v´31
:: logic_llv v´30
:: logic_llv v´32
:: logic_lv v´33
:: logic_val v´34
:: logic_abstcb v´36
:: logic_val v´28
:: logic_val v´29
:: logic_val (Vptr v´38)
:: logic_lv
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i
:: Vint32 i1
:: m0 :: x4 :: v´43 :: nil)
:: logic_lv v´41
:: logic_leventd (DMbox m0 :: nil)
:: logic_code
(mbox_post
(Vptr (v´26, Int.zero)
::
Vptr x :: nil)) :: nil) **
(* Still inside the critical section. *)
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV legal @ Int8u |-> (V$OS_STAT_MBOX) **
GV OSEventList @ OS_EVENT ∗ |-> v´39 **
evsllseg v´39 (Vptr (v´26, Int.zero)) v´22 v´24 **
evsllseg v´43 Vnull v´23 v´25 **
HECBList v´35 **
HTCBList v´36 **
HCurTCB v´38 **
AOSEventFreeList v´0 **
AOSQFreeList v´1 **
AOSQFreeBlk v´2 **
AOSIntNesting **
AOSTCBFreeList v´18 v´19 **
AOSTime (Vint32 v´15) **
HTime v´15 **
AGVars **
atoy_inv´ **
LV message @ (Void) ∗ |-> Vptr x **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´26, Int.zero) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)}}
(* Remaining C code of OSMboxPost on this path. *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Proof obligation (Hoare triple) for the tail of OSMboxPost, dumped from a
   proof state.  The code still to run is EXIT_CRITICAL; OS_Sched(); RETURN
   OS_NO_ERR.  The precondition is the state left by the task-ready step,
   packaged as event_rdy_post5´ applied to (pevent, message, OS_STAT_MBOX),
   the return-value binding v´21 and the logical variables of the enclosing
   proof (TCB list, ready table, the OS_EVENT field list, its wait table and
   the pending abstract operation mbox_post).

   Points worth checking when this goal is re-generated or its proof edited:
   - Aie false ** Acs (true :: nil) in the precondition record that interrupts
     are disabled and that we are inside one critical section; the fourth
     component of the spec tuple (fun v => ... Aie true ** Acs nil ...) is
     presumably the condition every RETURN must meet, so discharging this goal
     amounts to showing the exit path re-enables interrupts and closes the
     critical section before returning.
   - H14/H22 type and size the wait table (Int8u array of OS_EVENT_TBL_SIZE);
     H24/H25 bound the 8-bit group and 16-bit count fields of the event.
     These are the facts that keep table indexing in range; keep them even
     though this tail does not index the table itself.
   - Several hypotheses are duplicates or trivially true (H18 and H27,
     H28 and H30, H2 and H whose left disjunct holds by computation).  They
     are artefacts of the dump.  Do not drop binders: downstream scripts
     introduce and apply this statement positionally. *)
Definition gen_mbox_post_part6:= forall (
x : addrval)
(v´ : val)
(H0 : val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vnull)
(v´0 : list vallist)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list EventData)
(v´4 : list EventCtr)
(v´5 : vallist)
(v´6 : val)
(v´7 : val)
(v´8 : list vallist)
(v´9 : vallist)
(v´10 : list vallist)
(v´11 : vallist)
(v´12 : val)
(v´13 : EcbMod.map)
(v´14 : TcbMod.map)
(v´15 : int32)
(v´16 : addrval)
(v´17 : addrval)
(v´18 : val)
(v´19 : list vallist)
(H1 : RH_TCBList_ECBList_P v´13 v´14 v´16)
(H3 : RH_CurTCB v´16 v´14)
(v´22 : list EventCtr)
(v´23 : list EventCtr)
(v´24 : list EventData)
(v´25 : list EventData)
(v´27 : vallist)
(v´28 : val)
(v´29 : val)
(v´30 : list vallist)
(v´31 : vallist)
(v´32 : list vallist)
(v´33 : vallist)
(v´34 : val)
(v´35 : EcbMod.map)
(v´36 : TcbMod.map)
(v´38 : addrval)
(v´39 : val)
(v´41 : vallist)
(v´43 : val)
(v´44 : EcbMod.map)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(m0 : msg)
(w : waitset)
(v´48 : addrval)
(H6 : ECBList_P v´43 Vnull v´23 v´25 v´45 v´36)
(H19 : EcbMod.join v´44 v´46 v´35)
(H10 : RH_TCBList_ECBList_P v´35 v´36 v´38)
(H11 : RH_CurTCB v´38 v´36)
(H15 : length v´22 = length v´24)
(H18 : isptr v´43)
(H12 : val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull)
(v´20 : addrval)
(v´26 : block)
(H14 : array_type_vallist_match Int8u v´41) (* wait table is a well-typed Int8u array *)
(H22 : length v´41 = ∘OS_EVENT_TBL_SIZE)   (* ... of exactly OS_EVENT_TBL_SIZE bytes *)
(x4 : val)
(i : int32)
(H24 : Int.unsigned i <= 255)              (* group field fits in 8 bits *)
(i1 : int32)
(H25 : Int.unsigned i1 <= 65535)           (* count field fits in 16 bits *)
(H21 : RL_Tbl_Grp_P v´41 (Vint32 i))       (* group byte agrees with the wait table *)
(H27 : isptr v´43)
(H5 : ECBList_P v´39 (Vptr (v´26, Int.zero)) v´22 v´24 v´44 v´36)
(H9 : EcbMod.joinsig (v´26, Int.zero) (absmbox m0, w) v´45 v´46)
(H2 : Vptr (v´26, Int.zero) = Vnull \/
(exists p, Vptr (v´26, Int.zero) = Vptr p))
(H : val_inj (Some ( Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (Some ( Vint32 Int.zero)) = Vnull)
(H17 : id_addrval´ (Vptr (v´26, Int.zero)) OSEventTbl OS_EVENT = Some v´20) (* v´20 = address of pevent->OSEventTbl *)
(H23 : Int.unsigned ($ OS_EVENT_TYPE_MBOX) <= 255)
(H28 : RH_ECB_P (absmbox m0, w))
(H30 : RH_ECB_P (absmbox m0, w))
(H26 : isptr m0)
(H8 : R_ECB_ETbl_P (v´26, Int.zero)
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) v´36)
(H4 : ECBList_P v´39 Vnull
(v´22 ++
((V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) :: nil) ++
v´23) (v´24 ++ (DMbox m0 :: nil) ++ v´25) v´35 v´36)
(H16 : Int.eq i ($ 0) = false)             (* group byte nonzero: presumably a waiter exists *)
(v´21 : option val),
{|OSQ_spec , GetHPrio , I,
fun v : option val =>
((((EX v0 : val, LV message @ (Void) ∗ |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{event_rdy_post5´
(Vptr (v´26, Int.zero) :: Vptr x :: V$OS_STAT_MBOX :: nil) v´21
(logic_lv v´27
:: logic_lv v´31
:: logic_llv v´30
:: logic_llv v´32
:: logic_lv v´33
:: logic_val v´34
:: logic_abstcb v´36
:: logic_val v´28
:: logic_val v´29
:: logic_val (Vptr v´38)
:: logic_lv
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i
:: Vint32 i1
:: m0 :: x4 :: v´43 :: nil)
:: logic_lv v´41
:: logic_leventd (DMbox m0 :: nil)
:: logic_code
(mbox_post
(Vptr (v´26, Int.zero)
::
Vptr x :: nil)) :: nil) **
(* interrupts off, one critical section open: must be undone before RETURN *)
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV legal @ Int8u |-> (V$OS_STAT_MBOX) **
GV OSEventList @ OS_EVENT ∗ |-> v´39 **
evsllseg v´39 (Vptr (v´26, Int.zero)) v´22 v´24 **
evsllseg v´43 Vnull v´23 v´25 **
HECBList v´35 **
HTCBList v´36 **
HCurTCB v´38 **
AOSEventFreeList v´0 **
AOSQFreeList v´1 **
AOSQFreeBlk v´2 **
AOSIntNesting **
AOSTCBFreeList v´18 v´19 **
AOSTime (Vint32 v´15) **
HTime v´15 **
AGVars **
atoy_inv´ **
LV message @ (Void) ∗ |-> Vptr x **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´26, Int.zero) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)}}
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}. (* Afalse: no path falls through; RETURN is checked against the spec tuple *)
(* Proof obligation (Hoare triple) for the waiter-present branch of
   OSMboxPost, dumped from a proof state.  The code still to run is the call
   OS_EventTaskRdy(pevent, message, legal) followed by EXIT_CRITICAL;
   OS_Sched(); RETURN OS_NO_ERR.  Unlike the later tail goals, the
   precondition here still exposes the concrete OS_EVENT block (Astruct at
   (v´26, Int.zero)), its wait table (Aarray at v´20), the TCB list, the
   ready table / group and the priority table, because OS_EventTaskRdy will
   read and update them; the abstract operation mbox_post is still pending.

   Points worth checking when this goal is re-generated or its proof edited:
   - H16 says the group byte i of the event is nonzero.  Together with H21
     (RL_Tbl_Grp_P v´41 (Vint32 i)) this is what licenses the branch that
     wakes a waiter; presumably it corresponds to OSEventGrp != 0 in the C.
   - H14/H22 type and size the wait table (Int8u array of OS_EVENT_TBL_SIZE)
     and H24/H25 bound the 8-bit group and 16-bit count fields.  These are
     the facts OS_EventTaskRdy needs to index the table in range; do not
     weaken them.
   - Aie false ** Acs (true :: nil) record that interrupts are disabled and
     one critical section is open; the fourth component of the spec tuple
     (presumably the RETURN condition) demands Aie true ** Acs nil, so the
     proof must show EXIT_CRITICAL is reached on the way out.
   - H18/H27, H28/H30 are duplicates and H2, H are trivially true
     disjunctions; they are dump artefacts.  Keep all binders: downstream
     scripts introduce and apply this statement positionally. *)
Definition gen_mbox_post_part0 := forall (x : addrval)
(v´ : val)
(H0 : val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (let (_, _) := x in Some (Vint32 Int.zero)) = Vnull)
(v´0 : list vallist)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list EventData)
(v´4 : list EventCtr)
(v´5 : vallist)
(v´6 : val)
(v´7 : val)
(v´8 : list vallist)
(v´9 : vallist)
(v´10 : list vallist)
(v´11 : vallist)
(v´12 : val)
(v´13 : EcbMod.map)
(v´14 : TcbMod.map)
(v´15 : int32)
(v´16 : addrval)
(v´17 : addrval)
(v´18 : val)
(v´19 : list vallist)
(H1 : RH_TCBList_ECBList_P v´13 v´14 v´16)
(H3 : RH_CurTCB v´16 v´14)
(v´22 : list EventCtr)
(v´23 : list EventCtr)
(v´24 : list EventData)
(v´25 : list EventData)
(v´27 : vallist)
(v´28 : val)
(v´29 : val)
(v´30 : list vallist)
(v´31 : vallist)
(v´32 : list vallist)
(v´33 : vallist)
(v´34 : val)
(v´35 : EcbMod.map)
(v´36 : TcbMod.map)
(v´38 : addrval)
(v´39 : val)
(v´41 : vallist)
(v´43 : val)
(v´44 : EcbMod.map)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(m0 : msg)
(w : waitset)
(v´48 : addrval)
(H6 : ECBList_P v´43 Vnull v´23 v´25 v´45 v´36)
(H19 : EcbMod.join v´44 v´46 v´35)
(H10 : RH_TCBList_ECBList_P v´35 v´36 v´38)
(H11 : RH_CurTCB v´38 v´36)
(H15 : length v´22 = length v´24)
(H18 : isptr v´43)
(H12 : val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq ($ 1) ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull)
(v´20 : addrval)
(v´26 : block)
(H14 : array_type_vallist_match Int8u v´41) (* wait table is a well-typed Int8u array *)
(H22 : length v´41 = ∘OS_EVENT_TBL_SIZE)   (* ... of exactly OS_EVENT_TBL_SIZE bytes *)
(x4 : val)
(i : int32)
(H24 : Int.unsigned i <= 255)              (* group field fits in 8 bits *)
(i1 : int32)
(H25 : Int.unsigned i1 <= 65535)           (* count field fits in 16 bits *)
(H21 : RL_Tbl_Grp_P v´41 (Vint32 i))       (* group byte agrees with the wait table *)
(H27 : isptr v´43)
(H5 : ECBList_P v´39 (Vptr (v´26, Int.zero)) v´22 v´24 v´44 v´36)
(H9 : EcbMod.joinsig (v´26, Int.zero) (absmbox m0, w) v´45 v´46)
(H2 : Vptr (v´26, Int.zero) = Vnull \/
(exists p, Vptr (v´26, Int.zero) = Vptr p))
(H : val_inj (Some ( Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj (Some ( Vint32 Int.zero)) = Vnull)
(H17 : id_addrval´ (Vptr (v´26, Int.zero)) OSEventTbl OS_EVENT = Some v´20) (* v´20 = address of pevent->OSEventTbl *)
(H23 : Int.unsigned ($ OS_EVENT_TYPE_MBOX) <= 255)
(H28 : RH_ECB_P (absmbox m0, w))
(H30 : RH_ECB_P (absmbox m0, w))
(H26 : isptr m0)
(H8 : R_ECB_ETbl_P (v´26, Int.zero)
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) v´36)
(H4 : ECBList_P v´39 Vnull
(v´22 ++
((V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil, v´41) :: nil) ++
v´23) (v´24 ++ (DMbox m0 :: nil) ++ v´25) v´35 v´36)
(H16 : Int.eq i ($ 0) = false)             (* group byte nonzero: presumably a waiter exists *)
,
{|OSQ_spec , GetHPrio , I,
fun v : option val =>
((((EX v0 : val, LV message @ (Void) ∗ |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{ <|| mbox_post (Vptr (v´26, Int.zero) :: Vptr x :: nil) ||> ** (* abstract post not yet performed *)
LV legal @ Int8u |-> (V$OS_STAT_MBOX) **
Astruct (v´26, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MBOX
:: Vint32 i :: Vint32 i1 :: m0 :: x4 :: v´43 :: nil) **
Aarray v´20 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´41 **
(* interrupts off, one critical section open: must be undone before RETURN *)
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´39 **
evsllseg v´39 (Vptr (v´26, Int.zero)) v´22 v´24 **
evsllseg v´43 Vnull v´23 v´25 **
A_isr_is_prop **
AOSTCBList v´28 v´29 v´30 (v´31 :: v´32) v´33 v´38 v´36 **
AOSRdyTblGrp v´33 v´34 **
AOSTCBPrioTbl v´27 v´33 v´36 v´48 **
HECBList v´35 **
HTCBList v´36 **
HCurTCB v´38 **
AOSEventFreeList v´0 **
AOSQFreeList v´1 **
AOSQFreeBlk v´2 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´18 v´19 **
AOSTime (Vint32 v´15) **
HTime v´15 **
AGVars **
atoy_inv´ **
LV message @ (Void) ∗ |-> Vptr x **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´26, Int.zero) **
A_dom_lenv
((message, (Void) ∗) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)}}
OS_EventTaskRdy (pevent ′, message ′, legal ′);ₛ (* legal carries OS_STAT_MBOX here, see LV legal above *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}} (* Afalse: no path falls through; RETURN is checked against the spec tuple *)
.
(* Proof obligation (Hoare triple) for the blocking branch of OSSemPend,
   dumped from a proof state.  H43 (Int.ltu ($ 0) i2 = false) says the
   semaphore count i2 is not greater than zero, so the caller must wait.
   The code still to run: an early error return if OSTCBCur->OSTCBMsg is
   already non-NULL, then mark the current TCB as waiting on a semaphore
   (OSTCBStat := OS_STAT_SEM, OSTCBDly := timeout), call OS_EventTaskWait,
   leave the critical section, schedule, re-enter the critical section and
   decide between OS_TIMEOUT and OS_NO_ERR by inspecting OSTCBMsg again.

   Points worth checking when this goal is re-generated or its proof edited:
   - The precondition exposes the current TCB (Astruct at (v´49, Int.zero))
     with GV OSTCBCur pointing at it and the rest of the TCB list as two
     dllseg segments around it; the field writes below are only sound
     because of that ownership.
   - H1 bounds timeout to 16 bits, matching LV timeout @ Int16u; H23/H24
     bound the event group byte and count; H13/H21 type and size the wait
     table; H36..H42 bound each integer field of the current TCB.  These
     range facts are what keep the table and bitmap indexing in
     OS_EventTaskWait in range.
   - H15 (i6 <> OS_IDLE_PRIO) and H17 (i7 = OS_STAT_RDY) constrain TCB
     fields; from the comparisons they are presumably OSTCBPrio (the idle
     task must never block) and OSTCBStat.  The exact field order is fixed by
     the OS_TCB layout, which is not visible here - confirm before relying
     on it.
   - Aie false ** Acs (true :: nil) record interrupts disabled inside one
     critical section; the spec tuple's fourth component presumably requires
     Aie true ** Acs nil at every RETURN, so each of the three RETURN paths
     must be preceded by EXIT_CRITICAL, as the code does.
   - NOTE(review): OSTCBMsg is used as the wake-up channel for a semaphore
     pend (non-NULL before waiting is an error, NULL after scheduling means
     timeout).  Any other code path that leaves a stale non-NULL OSTCBMsg in
     a ready task would turn a later pend into OS_ERR_PEVENT_NULL - worth
     confirming that the other pend/post proofs clear it. *)
Definition gen_sempend_part1:=
forall
(i : int32)
(H1 : Int.unsigned i <= 65535)             (* timeout fits in 16 bits *)
(v´ : val)
(v´0 : list vallist)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list EventData)
(v´4 : list EventCtr)
(v´5 : vallist)
(v´6 : val)
(v´7 : val)
(v´8 : list vallist)
(v´9 : vallist)
(v´10 : list vallist)
(v´11 : vallist)
(v´12 : val)
(v´13 : EcbMod.map)
(v´14 : TcbMod.map)
(v´15 : int32)
(v´16 : addrval)
(v´17 : addrval)
(v´18 : val)
(v´19 : list vallist)
(H : RH_TCBList_ECBList_P v´13 v´14 v´16)
(H0 : RH_CurTCB v´16 v´14)
(v´22 : list EventCtr)
(v´23 : list EventCtr)
(v´24 : list EventData)
(v´25 : list EventData)
(v´27 : vallist)
(v´28 : val)
(v´30 : list vallist)
(v´32 : list vallist)
(v´33 : vallist)
(v´34 : val)
(v´35 : EcbMod.map)
(v´36 : TcbMod.map)
(v´39 : val)
(v´41 : vallist)
(v´43 : val)
(v´44 : EcbMod.map)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(v´48 : addrval)
(H5 : ECBList_P v´43 Vnull v´23 v´25 v´45 v´36)
(H19 : EcbMod.join v´44 v´46 v´35)
(H14 : length v´22 = length v´24)
(H18 : isptr v´43)
(H11 : $ 1 <> $ 0)
(v´20 : addrval)
(v´26 : block)
(H13 : array_type_vallist_match Int8u v´41) (* wait table is a well-typed Int8u array *)
(H21 : length v´41 = ∘OS_EVENT_TBL_SIZE)   (* ... of exactly OS_EVENT_TBL_SIZE bytes *)
(x2 : val)
(x3 : val)
(i0 : int32)
(H23 : Int.unsigned i0 <= 255)             (* group field fits in 8 bits *)
(i2 : int32)
(H24 : Int.unsigned i2 <= 65535)           (* semaphore count fits in 16 bits *)
(H25 : isptr x2)
(H20 : RL_Tbl_Grp_P v´41 (Vint32 i0))      (* group byte agrees with the wait table *)
(H26 : isptr v´43)
(H4 : ECBList_P v´39 (Vptr (v´26, Int.zero)) v´22 v´24 v´44 v´36)
(H2 : isptr (Vptr (v´26, Int.zero)))
(H16 : id_addrval´ (Vptr (v´26, Int.zero)) OSEventTbl OS_EVENT = Some v´20) (* v´20 = address of pevent->OSEventTbl *)
(H22 : Int.unsigned ($ OS_EVENT_TYPE_SEM) <= 255)
(x : waitset)
(H8 : EcbMod.joinsig (v´26, Int.zero) (abssem i2, x) v´45 v´46)
(Hget : EcbMod.get v´35 (v´26, Int.zero) = Some (abssem i2, x)) (* pevent is a live semaphore in the abstract ECB map *)
(H6 : RLH_ECBData_P (DSem i2) (abssem i2, x))
(v´21 : val)
(v´37 : val)
(v´40 : TcbMod.map)
(v´42 : TcbMod.map)
(v´47 : val)
(v´49 : block)
(H28 : v´28 <> Vnull)
(H29 : TcbMod.join v´40 v´42 v´36)
(H30 : TCBList_P v´28 v´30 v´33 v´40)
(H27 : Vptr (v´49, Int.zero) <> Vnull)
(x9 : val)
(x10 : val)
(H34 : isptr x10)
(H35 : isptr x9)
(i8 : int32)
(H36 : Int.unsigned i8 <= 65535)           (* 16-bit TCB field, presumably OSTCBDly *)
(i7 : int32)
(H37 : Int.unsigned i7 <= 255)
(i6 : int32)
(H38 : Int.unsigned i6 <= 255)
(i5 : int32)
(H39 : Int.unsigned i5 <= 255)
(i4 : int32)
(H40 : Int.unsigned i4 <= 255)
(i3 : int32)
(H41 : Int.unsigned i3 <= 255)
(i1 : int32)
(H42 : Int.unsigned i1 <= 255)
(H33 : isptr v´21)
(H12 : isptr v´47)
(H9 : RH_TCBList_ECBList_P v´35 v´36 (v´49, Int.zero))
(H10 : RH_CurTCB (v´49, Int.zero) v´36)
(H15 : Int.eq i6 ($ OS_IDLE_PRIO) = false) (* current task is not the idle task (presumably OSTCBPrio) *)
(H17 : Int.eq i7 ($ OS_STAT_RDY) = true)   (* current task is ready (presumably OSTCBStat) *)
(H32 : Int.eq i8 ($ 0) = true)
(H43 : Int.ltu ($ 0) i2 = false)           (* count not > 0: this is the blocking branch *)
(H7 : R_ECB_ETbl_P (v´26, Int.zero)
(V$OS_EVENT_TYPE_SEM
:: Vint32 i0 :: Vint32 i2 :: x2 :: x3 :: v´43 :: nil, v´41) v´36)
(H3 : ECBList_P v´39 Vnull
(v´22 ++
((V$OS_EVENT_TYPE_SEM
:: Vint32 i0 :: Vint32 i2 :: x2 :: x3 :: v´43 :: nil, v´41)
:: nil) ++ v´23) (v´24 ++ (DSem i2 :: nil) ++ v´25) v´35 v´36)
(H31 : TCBList_P (Vptr (v´49, Int.zero))
((v´47
:: v´21
:: x10
:: x9
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil) :: v´32)
v´33 v´42),
{|OSQ_spec, GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{Astruct (v´49, Int.zero) OS_TCB (* the current TCB, owned here so its fields may be written *)
(v´47
:: v´21
:: x10
:: x9
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
dllseg v´47 (Vptr (v´49, Int.zero)) v´37 Vnull v´32 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´28 **
dllseg v´28 Vnull v´21 (Vptr (v´49, Int.zero)) v´30 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´49, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_SEM
:: Vint32 i0 :: Vint32 i2 :: x2 :: x3 :: v´43 :: nil)
(DSem i2) **
Astruct (v´26, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_SEM
:: Vint32 i0 :: Vint32 i2 :: x2 :: x3 :: v´43 :: nil) **
Aarray v´20 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´41 **
(* interrupts off, one critical section open: every RETURN below is preceded by EXIT_CRITICAL *)
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´39 **
evsllseg v´39 (Vptr (v´26, Int.zero)) v´22 v´24 **
evsllseg v´43 Vnull v´23 v´25 **
A_isr_is_prop **
AOSRdyTblGrp v´33 v´34 **
AOSTCBPrioTbl v´27 v´33 v´36 v´48 **
HECBList v´35 **
HTCBList v´36 **
HCurTCB (v´49, Int.zero) **
<|| sem_pend (Vptr (v´26, Int.zero) :: Vint32 i :: nil) ||> ** (* abstract pend not yet performed *)
LV legal @ Int8u |-> (V$1) ** (* presumably: the pevent validity check earlier in the function passed *)
AOSEventFreeList v´0 **
AOSQFreeList v´1 **
AOSQFreeBlk v´2 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´18 v´19 **
AOSTime (Vint32 v´15) **
HTime v´15 **
AGVars **
atoy_inv´ **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´26, Int.zero) **
A_dom_lenv
((timeout, Int16u) :: (pevent, OS_EVENT ∗) :: (legal, Int8u) :: nil)}}
If (OSTCBCur′→OSTCBMsg !=ₑ NULL) { (* stale message on the current TCB: refuse to wait *)
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_PEVENT_NULL
};ₛ
OSTCBCur ′ → OSTCBStat =ₑ ′OS_STAT_SEM;ₛ
OSTCBCur ′ → OSTCBDly =ₑ timeout ′;ₛ
OS_EventTaskWait ( pevent ′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ (* the task sleeps here until posted or timed out *)
ENTER_CRITICAL;ₛ
If (OSTCBCur′→OSTCBMsg ==ₑ NULL) (* no message delivered: woken by timeout *)
{EXIT_CRITICAL;ₛ
RETURN ′OS_TIMEOUT} ;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR {{Afalse}}. (* Afalse: no path falls through; RETURN is checked against the spec tuple *)
(* Proof obligation (Hoare triple) for the tail of OSSemPost, dumped from a
   proof state.  The code still to run is EXIT_CRITICAL; OS_Sched(); RETURN
   OS_NO_ERR.  The precondition is the state left by OS_EventTaskRdy,
   packaged as event_rdy_post1 applied to its argument list, the return-value
   binding v´22 and the logical variables of the enclosing proof (TCB list,
   ready table, the OS_EVENT field list, its wait table and the pending
   abstract operation sem_post).  Locals are pevent, legal and the stat
   byte os_code_defs.x (holding OS_STAT_SEM).

   Points worth checking when this goal is re-generated or its proof edited:
   - NOTE(review): the second element of the argument list handed to
     event_rdy_post1 is pevent itself (Vptr (v´27, Int.zero)), where the
     mailbox goals pass the message pointer.  The C source of OSSemPost is not
     visible here - confirm this matches the actual OS_EventTaskRdy call.
   - Aie false ** Acs (true :: nil) record that interrupts are disabled
     inside one critical section; the fourth component of the spec tuple is
     presumably the RETURN condition and demands Aie true ** Acs nil, so the
     proof must show EXIT_CRITICAL runs before RETURN.
   - H12/H20 type and size the wait table (Int8u array of OS_EVENT_TBL_SIZE)
     and H22/H23 bound the 8-bit group and 16-bit count fields; Hget ties
     pevent to a live abssem entry of the abstract ECB map.
   - H17 and H25 are duplicates (dump artefact).  Keep all binders:
     downstream scripts introduce and apply this statement positionally. *)
Definition gen_sempost_part_1 := forall
(v´ : val)
(v´0 : val)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list vallist)
(v´4 : list EventData)
(v´5 : list EventCtr)
(v´6 : vallist)
(v´7 : val)
(v´8 : val)
(v´9 : list vallist)
(v´10 : vallist)
(v´11 : list vallist)
(v´12 : vallist)
(v´13 : val)
(v´14 : EcbMod.map)
(v´15 : TcbMod.map)
(v´16 : int32)
(v´17 : addrval)
(v´18 : addrval)
(v´19 : val)
(v´20 : list vallist)
(H : RH_TCBList_ECBList_P v´14 v´15 v´17)
(H0 : RH_CurTCB v´17 v´15)
(v´23 : list EventCtr)
(v´24 : list EventCtr)
(v´25 : list EventData)
(v´26 : list EventData)
(v´28 : vallist)
(v´29 : val)
(v´30 : val)
(v´31 : list vallist)
(v´32 : vallist)
(v´33 : list vallist)
(v´34 : vallist)
(v´35 : val)
(v´36 : EcbMod.map)
(v´37 : TcbMod.map)
(v´39 : addrval)
(v´40 : val)
(v´42 : vallist)
(v´44 : val)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(v´47 : EcbMod.map)
(v´49 : addrval)
(H4 : ECBList_P v´44 Vnull v´24 v´26 v´46 v´37)
(H18 : EcbMod.join v´45 v´47 v´36)
(H8 : RH_TCBList_ECBList_P v´36 v´37 v´39)
(H9 : RH_CurTCB v´39 v´37)
(H13 : length v´23 = length v´25)
(H17 : isptr v´44)
(H10 : $ 1 <> $ 0)
(v´21 : addrval)
(v´27 : block)
(H12 : array_type_vallist_match Int8u v´42) (* wait table is a well-typed Int8u array *)
(H20 : length v´42 = ∘OS_EVENT_TBL_SIZE)   (* ... of exactly OS_EVENT_TBL_SIZE bytes *)
(x2 : val)
(x3 : val)
(i : int32)
(H22 : Int.unsigned i <= 255)              (* group field fits in 8 bits *)
(i1 : int32)
(H23 : Int.unsigned i1 <= 65535)           (* semaphore count fits in 16 bits *)
(H24 : isptr x2)
(H19 : RL_Tbl_Grp_P v´42 (Vint32 i))       (* group byte agrees with the wait table *)
(H25 : isptr v´44)
(H3 : ECBList_P v´40 (Vptr (v´27, Int.zero)) v´23 v´25 v´45 v´37)
(H1 : isptr (Vptr (v´27, Int.zero)))
(H15 : id_addrval´ (Vptr (v´27, Int.zero)) OSEventTbl OS_EVENT = Some v´21) (* v´21 = address of pevent->OSEventTbl *)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_SEM) <= 255)
(H6 : R_ECB_ETbl_P (v´27, Int.zero)
(V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) v´37)
(x : waitset)
(H7 : EcbMod.joinsig (v´27, Int.zero) (abssem i1, x) v´46 v´47)
(Hget : EcbMod.get v´36 (v´27, Int.zero) = Some (abssem i1, x)) (* pevent is a live semaphore in the abstract ECB map *)
(H2 : ECBList_P v´40 Vnull
(v´23 ++
((V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) :: nil) ++
v´24) (v´25 ++ (DSem i1 :: nil) ++ v´26) v´36 v´37)
(H5 : RLH_ECBData_P (DSem i1) (abssem i1, x))
(H11 : Int.eq i ($ 0) = false)             (* group byte nonzero: presumably a waiter existed *)
(v´22 : option val),
{|OSQ_spec, GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* NOTE(review): second argument is pevent, not a message pointer - confirm against the C *)
{{event_rdy_post1 (Vptr (v´27, Int.zero) :: (Vptr (v´27, Int.zero)) :: V$OS_STAT_SEM :: nil)
v´22
(logic_lv v´28
:: logic_lv v´32
:: logic_llv v´31
:: logic_llv v´33
:: logic_lv v´34
:: logic_val v´35
:: logic_abstcb v´37
:: logic_val v´29
:: logic_val v´30
:: logic_val (Vptr v´39)
:: logic_lv
(V$OS_EVENT_TYPE_SEM
:: Vint32 i
:: Vint32 i1
:: x2 :: x3 :: v´44 :: nil)
:: logic_lv v´42
:: logic_leventd (DSem i1 :: nil)
:: logic_code
(sem_post
(Vptr (v´27, Int.zero)
:: nil)) :: nil) **
(* interrupts off, one critical section open: must be undone before RETURN *)
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_SEM) **
GV OSEventList @ OS_EVENT ∗ |-> v´40 **
evsllseg v´40 (Vptr (v´27, Int.zero)) v´23 v´25 **
evsllseg v´44 Vnull v´24 v´26 **
HECBList v´36 **
HTCBList v´37 **
HCurTCB v´39 **
LV legal @ Int8u |-> (V$1) ** (* presumably: the pevent validity check earlier in the function passed *)
AOSEventFreeList v´1 **
AOSQFreeList v´2 **
AOSQFreeBlk v´3 **
AOSIntNesting **
AOSTCBFreeList v´19 v´20 **
AOSTime (Vint32 v´16) **
HTime v´16 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´27, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)}}
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}. (* Afalse: no path falls through; RETURN is checked against the spec tuple *)
(* Proof obligation (Hoare triple) for the tail of OSSemPost, dumped from a
   proof state; same shape as the sibling sempost goals but with the
   precondition in the event_rdy_post3 form of the OS_EventTaskRdy
   post-state.  The code still to run is EXIT_CRITICAL; OS_Sched(); RETURN
   OS_NO_ERR.  Locals are pevent, legal and the stat byte os_code_defs.x
   (holding OS_STAT_SEM); the abstract operation sem_post is still pending.

   Points worth checking when this goal is re-generated or its proof edited:
   - NOTE(review): the second element of the argument list handed to
     event_rdy_post3 is pevent itself (Vptr (v´27, Int.zero)), where the
     mailbox goals pass the message pointer.  The C source of OSSemPost is not
     visible here - confirm this matches the actual OS_EventTaskRdy call.
   - Aie false ** Acs (true :: nil) record that interrupts are disabled
     inside one critical section; the fourth component of the spec tuple is
     presumably the RETURN condition and demands Aie true ** Acs nil, so the
     proof must show EXIT_CRITICAL runs before RETURN.
   - H12/H20 type and size the wait table (Int8u array of OS_EVENT_TBL_SIZE)
     and H22/H23 bound the 8-bit group and 16-bit count fields; Hget ties
     pevent to a live abssem entry of the abstract ECB map.
   - H17 and H25 are duplicates (dump artefact).  Keep all binders:
     downstream scripts introduce and apply this statement positionally. *)
Definition gen_sempost_part_2:= forall
(v´ : val)
(v´0 : val)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list vallist)
(v´4 : list EventData)
(v´5 : list EventCtr)
(v´6 : vallist)
(v´7 : val)
(v´8 : val)
(v´9 : list vallist)
(v´10 : vallist)
(v´11 : list vallist)
(v´12 : vallist)
(v´13 : val)
(v´14 : EcbMod.map)
(v´15 : TcbMod.map)
(v´16 : int32)
(v´17 : addrval)
(v´18 : addrval)
(v´19 : val)
(v´20 : list vallist)
(H : RH_TCBList_ECBList_P v´14 v´15 v´17)
(H0 : RH_CurTCB v´17 v´15)
(v´23 : list EventCtr)
(v´24 : list EventCtr)
(v´25 : list EventData)
(v´26 : list EventData)
(v´28 : vallist)
(v´29 : val)
(v´30 : val)
(v´31 : list vallist)
(v´32 : vallist)
(v´33 : list vallist)
(v´34 : vallist)
(v´35 : val)
(v´36 : EcbMod.map)
(v´37 : TcbMod.map)
(v´39 : addrval)
(v´40 : val)
(v´42 : vallist)
(v´44 : val)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(v´47 : EcbMod.map)
(v´49 : addrval)
(H4 : ECBList_P v´44 Vnull v´24 v´26 v´46 v´37)
(H18 : EcbMod.join v´45 v´47 v´36)
(H8 : RH_TCBList_ECBList_P v´36 v´37 v´39)
(H9 : RH_CurTCB v´39 v´37)
(H13 : length v´23 = length v´25)
(H17 : isptr v´44)
(H10 : $ 1 <> $ 0)
(v´21 : addrval)
(v´27 : block)
(H12 : array_type_vallist_match Int8u v´42) (* wait table is a well-typed Int8u array *)
(H20 : length v´42 = ∘OS_EVENT_TBL_SIZE)   (* ... of exactly OS_EVENT_TBL_SIZE bytes *)
(x2 : val)
(x3 : val)
(i : int32)
(H22 : Int.unsigned i <= 255)              (* group field fits in 8 bits *)
(i1 : int32)
(H23 : Int.unsigned i1 <= 65535)           (* semaphore count fits in 16 bits *)
(H24 : isptr x2)
(H19 : RL_Tbl_Grp_P v´42 (Vint32 i))       (* group byte agrees with the wait table *)
(H25 : isptr v´44)
(H3 : ECBList_P v´40 (Vptr (v´27, Int.zero)) v´23 v´25 v´45 v´37)
(H1 : isptr (Vptr (v´27, Int.zero)))
(H15 : id_addrval´ (Vptr (v´27, Int.zero)) OSEventTbl OS_EVENT = Some v´21) (* v´21 = address of pevent->OSEventTbl *)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_SEM) <= 255)
(H6 : R_ECB_ETbl_P (v´27, Int.zero)
(V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) v´37)
(x : waitset)
(H7 : EcbMod.joinsig (v´27, Int.zero) (abssem i1, x) v´46 v´47)
(Hget : EcbMod.get v´36 (v´27, Int.zero) = Some (abssem i1, x)) (* pevent is a live semaphore in the abstract ECB map *)
(H2 : ECBList_P v´40 Vnull
(v´23 ++
((V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) :: nil) ++
v´24) (v´25 ++ (DSem i1 :: nil) ++ v´26) v´36 v´37)
(H5 : RLH_ECBData_P (DSem i1) (abssem i1, x))
(H11 : Int.eq i ($ 0) = false)             (* group byte nonzero: presumably a waiter existed *)
(v´22 : option val),
{|OSQ_spec, GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* NOTE(review): second argument is pevent, not a message pointer - confirm against the C *)
{{event_rdy_post3 (Vptr (v´27, Int.zero) :: (Vptr (v´27, Int.zero)) :: V$OS_STAT_SEM :: nil)
v´22
(logic_lv v´28
:: logic_lv v´32
:: logic_llv v´31
:: logic_llv v´33
:: logic_lv v´34
:: logic_val v´35
:: logic_abstcb v´37
:: logic_val v´29
:: logic_val v´30
:: logic_val (Vptr v´39)
:: logic_lv
(V$OS_EVENT_TYPE_SEM
:: Vint32 i
:: Vint32 i1
:: x2 :: x3 :: v´44 :: nil)
:: logic_lv v´42
:: logic_leventd (DSem i1 :: nil)
:: logic_code
(sem_post
(Vptr (v´27, Int.zero)
:: nil)) :: nil) **
(* interrupts off, one critical section open: must be undone before RETURN *)
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_SEM) **
GV OSEventList @ OS_EVENT ∗ |-> v´40 **
evsllseg v´40 (Vptr (v´27, Int.zero)) v´23 v´25 **
evsllseg v´44 Vnull v´24 v´26 **
HECBList v´36 **
HTCBList v´37 **
HCurTCB v´39 **
LV legal @ Int8u |-> (V$1) ** (* presumably: the pevent validity check earlier in the function passed *)
AOSEventFreeList v´1 **
AOSQFreeList v´2 **
AOSQFreeBlk v´3 **
AOSIntNesting **
AOSTCBFreeList v´19 v´20 **
AOSTime (Vint32 v´16) **
HTime v´16 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´27, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)}}
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}. (* Afalse: no path falls through; RETURN is checked against the spec tuple *)
(* Proof obligation (Hoare triple) for the tail of OSSemPost, dumped from a
   proof state; same shape as the sibling sempost goals but with the
   precondition in the event_rdy_post5 form of the OS_EventTaskRdy
   post-state.  The code still to run is EXIT_CRITICAL; OS_Sched(); RETURN
   OS_NO_ERR.  Locals are pevent, legal and the stat byte os_code_defs.x
   (holding OS_STAT_SEM); the abstract operation sem_post is still pending.

   Points worth checking when this goal is re-generated or its proof edited:
   - NOTE(review): the second element of the argument list handed to
     event_rdy_post5 is pevent itself (Vptr (v´27, Int.zero)), where the
     mailbox goals pass the message pointer.  The C source of OSSemPost is not
     visible here - confirm this matches the actual OS_EventTaskRdy call.
   - Aie false ** Acs (true :: nil) record that interrupts are disabled
     inside one critical section; the fourth component of the spec tuple is
     presumably the RETURN condition and demands Aie true ** Acs nil, so the
     proof must show EXIT_CRITICAL runs before RETURN.
   - H12/H20 type and size the wait table (Int8u array of OS_EVENT_TBL_SIZE)
     and H22/H23 bound the 8-bit group and 16-bit count fields; Hget ties
     pevent to a live abssem entry of the abstract ECB map.
   - H17 and H25 are duplicates (dump artefact).  Keep all binders:
     downstream scripts introduce and apply this statement positionally. *)
Definition gen_sempost_part_3 := forall
(v´ : val)
(v´0 : val)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list vallist)
(v´4 : list EventData)
(v´5 : list EventCtr)
(v´6 : vallist)
(v´7 : val)
(v´8 : val)
(v´9 : list vallist)
(v´10 : vallist)
(v´11 : list vallist)
(v´12 : vallist)
(v´13 : val)
(v´14 : EcbMod.map)
(v´15 : TcbMod.map)
(v´16 : int32)
(v´17 : addrval)
(v´18 : addrval)
(v´19 : val)
(v´20 : list vallist)
(H : RH_TCBList_ECBList_P v´14 v´15 v´17)
(H0 : RH_CurTCB v´17 v´15)
(v´23 : list EventCtr)
(v´24 : list EventCtr)
(v´25 : list EventData)
(v´26 : list EventData)
(v´28 : vallist)
(v´29 : val)
(v´30 : val)
(v´31 : list vallist)
(v´32 : vallist)
(v´33 : list vallist)
(v´34 : vallist)
(v´35 : val)
(v´36 : EcbMod.map)
(v´37 : TcbMod.map)
(v´39 : addrval)
(v´40 : val)
(v´42 : vallist)
(v´44 : val)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(v´47 : EcbMod.map)
(v´49 : addrval)
(H4 : ECBList_P v´44 Vnull v´24 v´26 v´46 v´37)
(H18 : EcbMod.join v´45 v´47 v´36)
(H8 : RH_TCBList_ECBList_P v´36 v´37 v´39)
(H9 : RH_CurTCB v´39 v´37)
(H13 : length v´23 = length v´25)
(H17 : isptr v´44)
(H10 : $ 1 <> $ 0)
(v´21 : addrval)
(v´27 : block)
(H12 : array_type_vallist_match Int8u v´42) (* wait table is a well-typed Int8u array *)
(H20 : length v´42 = ∘OS_EVENT_TBL_SIZE)   (* ... of exactly OS_EVENT_TBL_SIZE bytes *)
(x2 : val)
(x3 : val)
(i : int32)
(H22 : Int.unsigned i <= 255)              (* group field fits in 8 bits *)
(i1 : int32)
(H23 : Int.unsigned i1 <= 65535)           (* semaphore count fits in 16 bits *)
(H24 : isptr x2)
(H19 : RL_Tbl_Grp_P v´42 (Vint32 i))       (* group byte agrees with the wait table *)
(H25 : isptr v´44)
(H3 : ECBList_P v´40 (Vptr (v´27, Int.zero)) v´23 v´25 v´45 v´37)
(H1 : isptr (Vptr (v´27, Int.zero)))
(H15 : id_addrval´ (Vptr (v´27, Int.zero)) OSEventTbl OS_EVENT = Some v´21) (* v´21 = address of pevent->OSEventTbl *)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_SEM) <= 255)
(H6 : R_ECB_ETbl_P (v´27, Int.zero)
(V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) v´37)
(x : waitset)
(H7 : EcbMod.joinsig (v´27, Int.zero) (abssem i1, x) v´46 v´47)
(Hget : EcbMod.get v´36 (v´27, Int.zero) = Some (abssem i1, x)) (* pevent is a live semaphore in the abstract ECB map *)
(H2 : ECBList_P v´40 Vnull
(v´23 ++
((V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) :: nil) ++
v´24) (v´25 ++ (DSem i1 :: nil) ++ v´26) v´36 v´37)
(H5 : RLH_ECBData_P (DSem i1) (abssem i1, x))
(H11 : Int.eq i ($ 0) = false)             (* group byte nonzero: presumably a waiter existed *)
(v´22 : option val),
{|OSQ_spec, GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* NOTE(review): second argument is pevent, not a message pointer - confirm against the C *)
{{event_rdy_post5 (Vptr (v´27, Int.zero) :: (Vptr (v´27, Int.zero)) :: V$OS_STAT_SEM :: nil)
v´22
(logic_lv v´28
:: logic_lv v´32
:: logic_llv v´31
:: logic_llv v´33
:: logic_lv v´34
:: logic_val v´35
:: logic_abstcb v´37
:: logic_val v´29
:: logic_val v´30
:: logic_val (Vptr v´39)
:: logic_lv
(V$OS_EVENT_TYPE_SEM
:: Vint32 i
:: Vint32 i1
:: x2 :: x3 :: v´44 :: nil)
:: logic_lv v´42
:: logic_leventd (DSem i1 :: nil)
:: logic_code
(sem_post
(Vptr (v´27, Int.zero)
:: nil)) :: nil) **
(* interrupts off, one critical section open: must be undone before RETURN *)
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_SEM) **
GV OSEventList @ OS_EVENT ∗ |-> v´40 **
evsllseg v´40 (Vptr (v´27, Int.zero)) v´23 v´25 **
evsllseg v´44 Vnull v´24 v´26 **
HECBList v´36 **
HTCBList v´37 **
HCurTCB v´39 **
LV legal @ Int8u |-> (V$1) ** (* presumably: the pevent validity check earlier in the function passed *)
AOSEventFreeList v´1 **
AOSQFreeList v´2 **
AOSQFreeBlk v´3 **
AOSIntNesting **
AOSTCBFreeList v´19 v´20 **
AOSTime (Vint32 v´16) **
HTime v´16 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´27, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)}}
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}. (* Afalse: no path falls through; RETURN is checked against the spec tuple *)
(* Proof obligation (Hoare triple) for the tail of OSSemPost, dumped from a
   proof state; same shape as the sibling sempost goals but with the
   precondition in the event_rdy_post1´ form of the OS_EventTaskRdy
   post-state.  The code still to run is EXIT_CRITICAL; OS_Sched(); RETURN
   OS_NO_ERR.  Locals are pevent, legal and the stat byte os_code_defs.x
   (holding OS_STAT_SEM); the abstract operation sem_post is still pending.

   Points worth checking when this goal is re-generated or its proof edited:
   - NOTE(review): the second element of the argument list handed to
     event_rdy_post1´ is pevent itself (Vptr (v´27, Int.zero)), where the
     mailbox goals pass the message pointer.  The C source of OSSemPost is not
     visible here - confirm this matches the actual OS_EventTaskRdy call.
   - Aie false ** Acs (true :: nil) record that interrupts are disabled
     inside one critical section; the fourth component of the spec tuple is
     presumably the RETURN condition and demands Aie true ** Acs nil, so the
     proof must show EXIT_CRITICAL runs before RETURN.
   - H12/H20 type and size the wait table (Int8u array of OS_EVENT_TBL_SIZE)
     and H22/H23 bound the 8-bit group and 16-bit count fields; Hget ties
     pevent to a live abssem entry of the abstract ECB map.
   - H17 and H25 are duplicates (dump artefact).  Keep all binders:
     downstream scripts introduce and apply this statement positionally. *)
Definition gen_sempost_part_4:= forall
(v´ : val)
(v´0 : val)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list vallist)
(v´4 : list EventData)
(v´5 : list EventCtr)
(v´6 : vallist)
(v´7 : val)
(v´8 : val)
(v´9 : list vallist)
(v´10 : vallist)
(v´11 : list vallist)
(v´12 : vallist)
(v´13 : val)
(v´14 : EcbMod.map)
(v´15 : TcbMod.map)
(v´16 : int32)
(v´17 : addrval)
(v´18 : addrval)
(v´19 : val)
(v´20 : list vallist)
(H : RH_TCBList_ECBList_P v´14 v´15 v´17)
(H0 : RH_CurTCB v´17 v´15)
(v´23 : list EventCtr)
(v´24 : list EventCtr)
(v´25 : list EventData)
(v´26 : list EventData)
(v´28 : vallist)
(v´29 : val)
(v´30 : val)
(v´31 : list vallist)
(v´32 : vallist)
(v´33 : list vallist)
(v´34 : vallist)
(v´35 : val)
(v´36 : EcbMod.map)
(v´37 : TcbMod.map)
(v´39 : addrval)
(v´40 : val)
(v´42 : vallist)
(v´44 : val)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(v´47 : EcbMod.map)
(v´49 : addrval)
(H4 : ECBList_P v´44 Vnull v´24 v´26 v´46 v´37)
(H18 : EcbMod.join v´45 v´47 v´36)
(H8 : RH_TCBList_ECBList_P v´36 v´37 v´39)
(H9 : RH_CurTCB v´39 v´37)
(H13 : length v´23 = length v´25)
(H17 : isptr v´44)
(H10 : $ 1 <> $ 0)
(v´21 : addrval)
(v´27 : block)
(H12 : array_type_vallist_match Int8u v´42) (* wait table is a well-typed Int8u array *)
(H20 : length v´42 = ∘OS_EVENT_TBL_SIZE)   (* ... of exactly OS_EVENT_TBL_SIZE bytes *)
(x2 : val)
(x3 : val)
(i : int32)
(H22 : Int.unsigned i <= 255)              (* group field fits in 8 bits *)
(i1 : int32)
(H23 : Int.unsigned i1 <= 65535)           (* semaphore count fits in 16 bits *)
(H24 : isptr x2)
(H19 : RL_Tbl_Grp_P v´42 (Vint32 i))       (* group byte agrees with the wait table *)
(H25 : isptr v´44)
(H3 : ECBList_P v´40 (Vptr (v´27, Int.zero)) v´23 v´25 v´45 v´37)
(H1 : isptr (Vptr (v´27, Int.zero)))
(H15 : id_addrval´ (Vptr (v´27, Int.zero)) OSEventTbl OS_EVENT = Some v´21) (* v´21 = address of pevent->OSEventTbl *)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_SEM) <= 255)
(H6 : R_ECB_ETbl_P (v´27, Int.zero)
(V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) v´37)
(x : waitset)
(H7 : EcbMod.joinsig (v´27, Int.zero) (abssem i1, x) v´46 v´47)
(Hget : EcbMod.get v´36 (v´27, Int.zero) = Some (abssem i1, x)) (* pevent is a live semaphore in the abstract ECB map *)
(H2 : ECBList_P v´40 Vnull
(v´23 ++
((V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) :: nil) ++
v´24) (v´25 ++ (DSem i1 :: nil) ++ v´26) v´36 v´37)
(H5 : RLH_ECBData_P (DSem i1) (abssem i1, x))
(H11 : Int.eq i ($ 0) = false)             (* group byte nonzero: presumably a waiter existed *)
(v´22 : option val),
{|OSQ_spec, GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* NOTE(review): second argument is pevent, not a message pointer - confirm against the C *)
{{event_rdy_post1´ (Vptr (v´27, Int.zero) :: (Vptr (v´27, Int.zero)) :: V$OS_STAT_SEM :: nil)
v´22
(logic_lv v´28
:: logic_lv v´32
:: logic_llv v´31
:: logic_llv v´33
:: logic_lv v´34
:: logic_val v´35
:: logic_abstcb v´37
:: logic_val v´29
:: logic_val v´30
:: logic_val (Vptr v´39)
:: logic_lv
(V$OS_EVENT_TYPE_SEM
:: Vint32 i
:: Vint32 i1
:: x2 :: x3 :: v´44 :: nil)
:: logic_lv v´42
:: logic_leventd (DSem i1 :: nil)
:: logic_code
(sem_post
(Vptr (v´27, Int.zero)
:: nil)) :: nil) **
(* interrupts off, one critical section open: must be undone before RETURN *)
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_SEM) **
GV OSEventList @ OS_EVENT ∗ |-> v´40 **
evsllseg v´40 (Vptr (v´27, Int.zero)) v´23 v´25 **
evsllseg v´44 Vnull v´24 v´26 **
HECBList v´36 **
HTCBList v´37 **
HCurTCB v´39 **
LV legal @ Int8u |-> (V$1) ** (* presumably: the pevent validity check earlier in the function passed *)
AOSEventFreeList v´1 **
AOSQFreeList v´2 **
AOSQFreeBlk v´3 **
AOSIntNesting **
AOSTCBFreeList v´19 v´20 **
AOSTime (Vint32 v´16) **
HTime v´16 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´27, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)}}
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}. (* Afalse: no path falls through; RETURN is checked against the spec tuple *)
(* Verification goal for the tail of OSSemPost after the call to
   OS_EventTaskRdy returned through its third exit assertion
   (event_rdy_post3´).  The remaining statements are EXIT_CRITICAL,
   OS_Sched() and RETURN OS_NO_ERR.  The binders below are the proof
   context at that program point; their names (H4, H18, Hget, ...) and
   their order are presumably relied on by the tactic script that
   discharges this goal, so keep both as they are. *)
Definition gen_sempost_part_5:= forall
(v´ : val)
(v´0 : val)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list vallist)
(v´4 : list EventData)
(v´5 : list EventCtr)
(v´6 : vallist)
(v´7 : val)
(v´8 : val)
(v´9 : list vallist)
(v´10 : vallist)
(v´11 : list vallist)
(v´12 : vallist)
(v´13 : val)
(v´14 : EcbMod.map)
(v´15 : TcbMod.map)
(v´16 : int32)
(v´17 : addrval)
(v´18 : addrval)
(v´19 : val)
(v´20 : list vallist)
(H : RH_TCBList_ECBList_P v´14 v´15 v´17)
(H0 : RH_CurTCB v´17 v´15)
(v´23 : list EventCtr)
(v´24 : list EventCtr)
(v´25 : list EventData)
(v´26 : list EventData)
(v´28 : vallist)
(v´29 : val)
(v´30 : val)
(v´31 : list vallist)
(v´32 : vallist)
(v´33 : list vallist)
(v´34 : vallist)
(v´35 : val)
(v´36 : EcbMod.map)
(v´37 : TcbMod.map)
(v´39 : addrval)
(v´40 : val)
(v´42 : vallist)
(v´44 : val)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(v´47 : EcbMod.map)
(v´49 : addrval)
(* The event list is split around the semaphore at (v´27, Int.zero):
   v´23/v´25 (abstract map v´45) before it, v´24/v´26 (map v´46) after it. *)
(H4 : ECBList_P v´44 Vnull v´24 v´26 v´46 v´37)
(H18 : EcbMod.join v´45 v´47 v´36)
(H8 : RH_TCBList_ECBList_P v´36 v´37 v´39)
(H9 : RH_CurTCB v´39 v´37)
(H13 : length v´23 = length v´25)
(H17 : isptr v´44)
(H10 : $ 1 <> $ 0)
(v´21 : addrval)
(v´27 : block)
(* v´42 is the event wait table: a byte array of exactly OS_EVENT_TBL_SIZE entries. *)
(H12 : array_type_vallist_match Int8u v´42)
(H20 : length v´42 = ∘OS_EVENT_TBL_SIZE)
(x2 : val)
(x3 : val)
(* Field bounds of the OS_EVENT record: i fits in 8 bits, i1 in 16 bits. *)
(i : int32)
(H22 : Int.unsigned i <= 255)
(i1 : int32)
(H23 : Int.unsigned i1 <= 65535)
(H24 : isptr x2)
(H19 : RL_Tbl_Grp_P v´42 (Vint32 i))
(H25 : isptr v´44)
(H3 : ECBList_P v´40 (Vptr (v´27, Int.zero)) v´23 v´25 v´45 v´37)
(H1 : isptr (Vptr (v´27, Int.zero)))
(H15 : id_addrval´ (Vptr (v´27, Int.zero)) OSEventTbl OS_EVENT = Some v´21)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_SEM) <= 255)
(H6 : R_ECB_ETbl_P (v´27, Int.zero)
(V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) v´37)
(* The abstract ECB at (v´27, Int.zero) is (abssem i1, x) — presumably a
   semaphore with count i1 and wait set x; H7/Hget tie it into the split
   maps v´46/v´47 and into the whole map v´36. *)
(x : waitset)
(H7 : EcbMod.joinsig (v´27, Int.zero) (abssem i1, x) v´46 v´47)
(Hget : EcbMod.get v´36 (v´27, Int.zero) = Some (abssem i1, x))
(H2 : ECBList_P v´40 Vnull
(v´23 ++
((V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) :: nil) ++
v´24) (v´25 ++ (DSem i1 :: nil) ++ v´26) v´36 v´37)
(H5 : RLH_ECBData_P (DSem i1) (abssem i1, x))
(* Int.eq i ($ 0) = false: the group field i is non-zero, presumably the
   branch in which at least one task waits on the semaphore — confirm
   against the OSSemPost proof. *)
(H11 : Int.eq i ($ 0) = false)
(v´22 : option val),
(* Proof context: spec table OSQ_spec, GetHPrio, invariant I, the return
   assertion of the function (the three locals released, Aie true ** Acs nil)
   and Afalse as the assertion for falling off the end of the body. *)
{|OSQ_spec, GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: OS_EventTaskRdy's third exit assertion instantiated with this
   semaphore ECB, plus the framed-off kernel state.  It carries
   Aie false ** Acs (true :: nil) whereas the return assertion above needs
   Aie true ** Acs nil; the EXIT_CRITICAL below is presumably what bridges
   the two. *)
{{event_rdy_post3´ (Vptr (v´27, Int.zero) :: (Vptr (v´27, Int.zero)) :: V$OS_STAT_SEM :: nil)
v´22
(logic_lv v´28
:: logic_lv v´32
:: logic_llv v´31
:: logic_llv v´33
:: logic_lv v´34
:: logic_val v´35
:: logic_abstcb v´37
:: logic_val v´29
:: logic_val v´30
:: logic_val (Vptr v´39)
:: logic_lv
(V$OS_EVENT_TYPE_SEM
:: Vint32 i
:: Vint32 i1
:: x2 :: x3 :: v´44 :: nil)
:: logic_lv v´42
:: logic_leventd (DSem i1 :: nil)
:: logic_code
(sem_post
(Vptr (v´27, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_SEM) **
GV OSEventList @ OS_EVENT ∗ |-> v´40 **
evsllseg v´40 (Vptr (v´27, Int.zero)) v´23 v´25 **
evsllseg v´44 Vnull v´24 v´26 **
HECBList v´36 **
HTCBList v´37 **
HCurTCB v´39 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´1 **
AOSQFreeList v´2 **
AOSQFreeBlk v´3 **
AOSIntNesting **
AOSTCBFreeList v´19 v´20 **
AOSTime (Vint32 v´16) **
HTime v´16 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´27, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)}}
(* Postcondition Afalse: the sequence presumably never falls through; every
   execution exits via RETURN. *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Same program point and proof context as gen_sempost_part_5, but for the
   case in which OS_EventTaskRdy returned through its fifth exit assertion
   (event_rdy_post5´).  The two goals differ only in that assertion; the
   statements under verification are again EXIT_CRITICAL, OS_Sched() and
   RETURN OS_NO_ERR.  Binder names and order are presumably relied on by
   the tactic proof; keep them as they are. *)
Definition gen_sempost_part_6 := forall
(v´ : val)
(v´0 : val)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list vallist)
(v´4 : list EventData)
(v´5 : list EventCtr)
(v´6 : vallist)
(v´7 : val)
(v´8 : val)
(v´9 : list vallist)
(v´10 : vallist)
(v´11 : list vallist)
(v´12 : vallist)
(v´13 : val)
(v´14 : EcbMod.map)
(v´15 : TcbMod.map)
(v´16 : int32)
(v´17 : addrval)
(v´18 : addrval)
(v´19 : val)
(v´20 : list vallist)
(H : RH_TCBList_ECBList_P v´14 v´15 v´17)
(H0 : RH_CurTCB v´17 v´15)
(v´23 : list EventCtr)
(v´24 : list EventCtr)
(v´25 : list EventData)
(v´26 : list EventData)
(v´28 : vallist)
(v´29 : val)
(v´30 : val)
(v´31 : list vallist)
(v´32 : vallist)
(v´33 : list vallist)
(v´34 : vallist)
(v´35 : val)
(v´36 : EcbMod.map)
(v´37 : TcbMod.map)
(v´39 : addrval)
(v´40 : val)
(v´42 : vallist)
(v´44 : val)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(v´47 : EcbMod.map)
(v´49 : addrval)
(* Event list split around the semaphore at (v´27, Int.zero): v´23/v´25
   (map v´45) before it, v´24/v´26 (map v´46) after it. *)
(H4 : ECBList_P v´44 Vnull v´24 v´26 v´46 v´37)
(H18 : EcbMod.join v´45 v´47 v´36)
(H8 : RH_TCBList_ECBList_P v´36 v´37 v´39)
(H9 : RH_CurTCB v´39 v´37)
(H13 : length v´23 = length v´25)
(H17 : isptr v´44)
(H10 : $ 1 <> $ 0)
(v´21 : addrval)
(v´27 : block)
(* v´42 is the event wait table: a byte array of exactly OS_EVENT_TBL_SIZE entries. *)
(H12 : array_type_vallist_match Int8u v´42)
(H20 : length v´42 = ∘OS_EVENT_TBL_SIZE)
(x2 : val)
(x3 : val)
(* Field bounds of the OS_EVENT record: i fits in 8 bits, i1 in 16 bits. *)
(i : int32)
(H22 : Int.unsigned i <= 255)
(i1 : int32)
(H23 : Int.unsigned i1 <= 65535)
(H24 : isptr x2)
(H19 : RL_Tbl_Grp_P v´42 (Vint32 i))
(H25 : isptr v´44)
(H3 : ECBList_P v´40 (Vptr (v´27, Int.zero)) v´23 v´25 v´45 v´37)
(H1 : isptr (Vptr (v´27, Int.zero)))
(H15 : id_addrval´ (Vptr (v´27, Int.zero)) OSEventTbl OS_EVENT = Some v´21)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_SEM) <= 255)
(H6 : R_ECB_ETbl_P (v´27, Int.zero)
(V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) v´37)
(* Abstract ECB (abssem i1, x) at (v´27, Int.zero), tied into v´46/v´47 and v´36. *)
(x : waitset)
(H7 : EcbMod.joinsig (v´27, Int.zero) (abssem i1, x) v´46 v´47)
(Hget : EcbMod.get v´36 (v´27, Int.zero) = Some (abssem i1, x))
(H2 : ECBList_P v´40 Vnull
(v´23 ++
((V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) :: nil) ++
v´24) (v´25 ++ (DSem i1 :: nil) ++ v´26) v´36 v´37)
(H5 : RLH_ECBData_P (DSem i1) (abssem i1, x))
(* Group field i is non-zero — presumably the branch with waiting tasks. *)
(H11 : Int.eq i ($ 0) = false)
(v´22 : option val),
(* Proof context: spec table, GetHPrio, invariant I, the return assertion
   (locals released, Aie true ** Acs nil) and Afalse for fall-through. *)
{|OSQ_spec, GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: OS_EventTaskRdy's fifth exit assertion plus the framed-off
   kernel state, still inside the critical section (Aie false ** Acs (true :: nil)). *)
{{event_rdy_post5´ (Vptr (v´27, Int.zero) :: (Vptr (v´27, Int.zero)) :: V$OS_STAT_SEM :: nil)
v´22
(logic_lv v´28
:: logic_lv v´32
:: logic_llv v´31
:: logic_llv v´33
:: logic_lv v´34
:: logic_val v´35
:: logic_abstcb v´37
:: logic_val v´29
:: logic_val v´30
:: logic_val (Vptr v´39)
:: logic_lv
(V$OS_EVENT_TYPE_SEM
:: Vint32 i
:: Vint32 i1
:: x2 :: x3 :: v´44 :: nil)
:: logic_lv v´42
:: logic_leventd (DSem i1 :: nil)
:: logic_code
(sem_post
(Vptr (v´27, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_SEM) **
GV OSEventList @ OS_EVENT ∗ |-> v´40 **
evsllseg v´40 (Vptr (v´27, Int.zero)) v´23 v´25 **
evsllseg v´44 Vnull v´24 v´26 **
HECBList v´36 **
HTCBList v´37 **
HCurTCB v´39 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´1 **
AOSQFreeList v´2 **
AOSQFreeBlk v´3 **
AOSIntNesting **
AOSTCBFreeList v´19 v´20 **
AOSTime (Vint32 v´16) **
HTime v´16 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´27, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)}}
(* Postcondition Afalse: presumably no fall-through; the body exits via RETURN. *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Verification goal for the waiting-task branch of OSSemPost (H11: the
   group field i is non-zero) before OS_EventTaskRdy is called.  The
   statements store OS_STAT_SEM into the local x, call
   OS_EventTaskRdy(pevent, (void *) pevent, x), then leave the critical
   section, call OS_Sched() and return OS_NO_ERR.  The precondition holds the
   concrete OS_EVENT record at (v´27, Int.zero), its wait table (Aarray at
   v´21), the TCB list, ready table/group and priority table, and the still
   pending abstract step <|| sem_post (...) ||>.  Binder names and order are
   presumably relied on by the tactic proof; keep them as they are. *)
Definition gen_sempost_part_0:= forall
(v´ : val)
(v´0 : val)
(v´1 : list vallist)
(v´2 : list vallist)
(v´3 : list vallist)
(v´4 : list EventData)
(v´5 : list EventCtr)
(v´6 : vallist)
(v´7 : val)
(v´8 : val)
(v´9 : list vallist)
(v´10 : vallist)
(v´11 : list vallist)
(v´12 : vallist)
(v´13 : val)
(v´14 : EcbMod.map)
(v´15 : TcbMod.map)
(v´16 : int32)
(v´17 : addrval)
(v´18 : addrval)
(v´19 : val)
(v´20 : list vallist)
(H : RH_TCBList_ECBList_P v´14 v´15 v´17)
(H0 : RH_CurTCB v´17 v´15)
(v´23 : list EventCtr)
(v´24 : list EventCtr)
(v´25 : list EventData)
(v´26 : list EventData)
(v´28 : vallist)
(v´29 : val)
(v´30 : val)
(v´31 : list vallist)
(v´32 : vallist)
(v´33 : list vallist)
(v´34 : vallist)
(v´35 : val)
(v´36 : EcbMod.map)
(v´37 : TcbMod.map)
(v´39 : addrval)
(v´40 : val)
(v´42 : vallist)
(v´44 : val)
(v´45 : EcbMod.map)
(v´46 : EcbMod.map)
(v´47 : EcbMod.map)
(v´49 : addrval)
(* Event list split around the semaphore at (v´27, Int.zero): v´23/v´25
   (map v´45) before it, v´24/v´26 (map v´46) after it. *)
(H4 : ECBList_P v´44 Vnull v´24 v´26 v´46 v´37)
(H18 : EcbMod.join v´45 v´47 v´36)
(H8 : RH_TCBList_ECBList_P v´36 v´37 v´39)
(H9 : RH_CurTCB v´39 v´37)
(H13 : length v´23 = length v´25)
(H17 : isptr v´44)
(H10 : $ 1 <> $ 0)
(v´21 : addrval)
(v´27 : block)
(* v´42 is the event wait table: a byte array of exactly OS_EVENT_TBL_SIZE entries. *)
(H12 : array_type_vallist_match Int8u v´42)
(H20 : length v´42 = ∘OS_EVENT_TBL_SIZE)
(x2 : val)
(x3 : val)
(* Field bounds of the OS_EVENT record: i fits in 8 bits, i1 in 16 bits. *)
(i : int32)
(H22 : Int.unsigned i <= 255)
(i1 : int32)
(H23 : Int.unsigned i1 <= 65535)
(H24 : isptr x2)
(H19 : RL_Tbl_Grp_P v´42 (Vint32 i))
(H25 : isptr v´44)
(H3 : ECBList_P v´40 (Vptr (v´27, Int.zero)) v´23 v´25 v´45 v´37)
(H1 : isptr (Vptr (v´27, Int.zero)))
(H15 : id_addrval´ (Vptr (v´27, Int.zero)) OSEventTbl OS_EVENT = Some v´21)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_SEM) <= 255)
(H6 : R_ECB_ETbl_P (v´27, Int.zero)
(V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) v´37)
(* Abstract ECB (abssem i1, x) at (v´27, Int.zero), tied into v´46/v´47 and v´36. *)
(x : waitset)
(H7 : EcbMod.joinsig (v´27, Int.zero) (abssem i1, x) v´46 v´47)
(Hget : EcbMod.get v´36 (v´27, Int.zero) = Some (abssem i1, x))
(H2 : ECBList_P v´40 Vnull
(v´23 ++
((V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil, v´42) :: nil) ++
v´24) (v´25 ++ (DSem i1 :: nil) ++ v´26) v´36 v´37)
(H5 : RLH_ECBData_P (DSem i1) (abssem i1, x))
(* Group field i is non-zero — presumably at least one task waits on the
   semaphore; confirm against the OSSemPost proof. *)
(H11 : Int.eq i ($ 0) = false),
(* Proof context: spec table, GetHPrio, invariant I, the return assertion
   (locals released, Aie true ** Acs nil) and Afalse for fall-through. *)
{|OSQ_spec, GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: inside the critical section (Aie false ** Acs (true :: nil)),
   with the OS_EVENT record, its wait table and the TCB structures laid out
   concretely so that OS_EventTaskRdy's specification can be applied. *)
{{AEventData
(V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil)
(DSem i1) **
Astruct (v´27, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_SEM
:: Vint32 i :: Vint32 i1 :: x2 :: x3 :: v´44 :: nil) **
Aarray v´21 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´42 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´40 **
evsllseg v´40 (Vptr (v´27, Int.zero)) v´23 v´25 **
evsllseg v´44 Vnull v´24 v´26 **
A_isr_is_prop **
AOSTCBList v´29 v´30 v´31 (v´32 :: v´33) v´34 v´39 v´37 **
AOSRdyTblGrp v´34 v´35 **
AOSTCBPrioTbl v´28 v´34 v´37 v´49 **
HECBList v´36 **
HTCBList v´37 **
HCurTCB v´39 **
<|| sem_post (Vptr (v´27, Int.zero) :: nil) ||> **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´1 **
AOSQFreeList v´2 **
AOSQFreeBlk v´3 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´19 v´20 **
AOSTime (Vint32 v´16) **
HTime v´16 **
AGVars **
atoy_inv´ **
(* Local x still holds its unconstrained initial value v´0; the first
   statement below overwrites it. *)
LV os_code_defs.x @ Int8u |-> v´0 **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´27, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (legal, Int8u) :: (os_code_defs.x, Int8u) :: nil)}}
os_code_defs.x ′ =ₑ ′OS_STAT_SEM;ₛ
(* The event pointer is passed a second time, cast to void ∗, as the message
   argument of OS_EventTaskRdy. *)
OS_EventTaskRdy (pevent′,〈Void ∗〉 pevent′, os_code_defs.x′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Verification goal for the blocking path of OSQPend.  The pure assertion
   at the end of the precondition records that the test 0 < i10 evaluated
   to false (or Vnull); i10 is presumably the OSQEntries field of the OS_Q
   record, i.e. the queue is empty — confirm against the OSQPend proof.  The
   statements mark the current task as waiting on a queue with the given
   timeout, park it with OS_EventTaskWait, leave the critical section and
   schedule, re-enter the critical section and read OSTCBMsg: a non-NULL
   message yields OS_NO_ERR, otherwise OS_TIMEOUT.  Binder names and order
   are presumably relied on by the tactic proof; keep them as they are. *)
Definition gen_OSQPendRightPart2 := forall (
(* i is the timeout argument (LV timeout @ Int16u |-> Vint32 i below), bounded to 16 bits. *)
i : int32
)(
H1 : Int.unsigned i <= 65535
)(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : list vallist
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list EventData
)(
v´6 : list EventCtr
)(
v´7 : vallist
)(
v´8 : val
)(
v´9 : val
)(
v´10 : list vallist
)(
v´11 : vallist
)(
v´12 : list vallist
)(
v´13 : vallist
)(
v´14 : val
)(
v´15 : EcbMod.map
)(
v´16 : TcbMod.map
)(
v´17 : int32
)(
v´18 : addrval
)(
v´19 : addrval
)(
v´20 : val
)(
v´21 : list vallist
)(
v´24 : list EventCtr
)(
v´25 : list EventCtr
)(
v´26 : list EventData
)(
v´27 : list EventData
)(
v´29 : vallist
)(
v´30 : val
)(
v´32 : list vallist
)(
v´34 : list vallist
)(
v´35 : vallist
)(
v´36 : val
)(
v´37 : EcbMod.map
)(
v´38 : TcbMod.map
)(
v´41 : val
)(
v´43 : vallist
)(
v2 : vallist
)(
v´45 : val
)(
v´46 : EcbMod.map
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : absecb.B
)(
v´50 : addrval
)(
(* Event list split around the queue ECB at (v´53, Int.zero): v´24/v´26
   (map v´46) before it, v´25/v´27 (map v´47) after it. *)
H2 : ECBList_P v´45 Vnull v´25 v´27 v´47 v´38
)(
H22 : EcbMod.join v´46 v´48 v´37
)(
H11 : length v´24 = length v´26
)(
v´51 : addrval
)(
v´53 : block
)(
(* v´43 is the event wait table: a byte array of exactly OS_EVENT_TBL_SIZE entries. *)
H15 : array_type_vallist_match Int8u v´43
)(
H19 : length v´43 = ∘OS_EVENT_TBL_SIZE
)(
H20 : isptr v´45
)(
x3 : val
)(
(* OS_EVENT field bounds: i0 fits in 8 bits, i2 in 16 bits. *)
i0 : int32
)(
H10 : Int.unsigned i0 <= 255
)(
i2 : int32
)(
H21 : Int.unsigned i2 <= 65535
)(
H18 : RL_Tbl_Grp_P v´43 (Vint32 i0)
)(
H24 : isptr v´45
)(
(* Residue of evaluating 1 == 0 (the legal test): presumably the branch in
   which the event was found legal. *)
H14 : val_inj (val_eq (V$1) (V$0)) = Vint32 Int.zero \/
val_inj (val_eq (V$1) (V$0)) = Vnull
)(
H0 : ECBList_P v´41 (Vptr (v´53, Int.zero)) v´24 v´26 v´46 v´38
)(
H5 : EcbMod.joinsig (v´53, Int.zero) v´49 v´47 v´48
)(
H16 : id_addrval´ (Vptr (v´53, Int.zero)) OSEventTbl OS_EVENT = Some v´51
)(
v´22 : val
)(
v´23 : val
)(
(* The TCB list is split around the current TCB at (v´52, Int.zero): v´28
   covers the records v´32 before it, v´39 the current record and v´34 after it. *)
v´28 : TcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´52 : block
)(
H26 : v´30 <> Vnull
)(
H27 : TcbMod.join v´28 v´39 v´38
)(
H28 : TCBList_P v´30 v´32 v´35 v´28
)(
H25 : Vptr (v´52, Int.zero) <> Vnull
)(
x8 : val
)(
x9 : val
)(
H32 : isptr x9
)(
H33 : isptr x8
)(
(* Current TCB fields: i9 fits in 16 bits, i8 .. i3 in 8 bits each. *)
i9 : int32
)(
H34 : Int.unsigned i9 <= 65535
)(
i8 : int32
)(
H35 : Int.unsigned i8 <= 255
)(
i7 : int32
)(
H36 : Int.unsigned i7 <= 255
)(
i6 : int32
)(
H37 : Int.unsigned i6 <= 255
)(
i5 : int32
)(
H38 : Int.unsigned i5 <= 255
)(
i4 : int32
)(
H39 : Int.unsigned i4 <= 255
)(
i3 : int32
)(
H40 : Int.unsigned i3 <= 255
)(
H31 : isptr v´22
)(
H12 : isptr v´42
)(
H29 : TCBList_P (Vptr (v´52, Int.zero))
((v´42
:: v´22
:: x9
:: x8
:: Vint32 i9
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: nil) :: v´34)
v´35 v´39
)(
H6 : RH_TCBList_ECBList_P v´37 v´38 (v´52, Int.zero)
)(
H7 : RH_CurTCB (v´52, Int.zero) v´38
)(
(* Current task: i7 is not OS_IDLE_PRIO, i8 equals OS_STAT_RDY, i9 equals 0. *)
Hnidle : Int.eq i7 ($ OS_IDLE_PRIO) = false
)(
Hstrdy : Int.eq i8 ($ OS_STAT_RDY) = true
)(
Hdly0 : Int.eq i9 ($ 0) = true
)(
v´33 : block
)(
v´40 : block * int32
)(
v´44 : block
)(
(* v2 is the message slot table of OS_MAX_Q_SIZE entries, located at v´40
   inside the OS_Q_FREEBLK at (v´44, Int.zero). *)
H45 : length v2 = ∘OS_MAX_Q_SIZE
)(
H41 : id_addrval´ (Vptr (v´44, Int.zero)) msgqueuetbl OS_Q_FREEBLK =
Some v´40
)(
x : val
)(
x0 : val
)(
x1 : val
)(
x7 : val
)(
x10 : val
)(
H30 : isptr x10
)(
H42 : isptr x7
)(
H46 : isptr x
)(
H48 : isptr x0
)(
H49 : isptr x1
)(
(* OS_Q counters i11 and i10 fit in 16 bits. *)
i11 : int32
)(
H50 : Int.unsigned i11 <= 65535
)(
i10 : int32
)(
H51 : Int.unsigned i10 <= 65535
)(
x11 : val
)(
x12 : val
)(
H47 : isptr x11
)(
H52 : isptr (Vptr (v´44, Int.zero))
)(
(* The OS_Q record is well formed (H43) and is tied to the abstract ECB v´49
   through the DMsgQ event data (H3). *)
H43 : WellformedOSQ
(x10
:: x7
:: x
:: x0
:: x1
:: Vint32 i11
:: Vint32 i10 :: Vptr (v´44, Int.zero) :: nil)
)(
H3 : RLH_ECBData_P
(DMsgQ (Vptr (v´33, Int.zero))
(x10
:: x7
:: x
:: x0
:: x1
:: Vint32 i11
:: Vint32 i10 :: Vptr (v´44, Int.zero) :: nil)
(x11 :: x12 :: nil) v2) v´49
)(
H23 : isptr (Vptr (v´33, Int.zero))
)(
H9 : Int.unsigned ($ OS_EVENT_TYPE_Q) <= 255
)(
(* Residue of the event-type test: the negation of a comparison of
   OS_EVENT_TYPE_Q with itself, presumably the successful outcome. *)
H8 : val_inj
(notint
(val_inj
(if Int.eq ($ OS_EVENT_TYPE_Q) ($ OS_EVENT_TYPE_Q)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) = Vint32 Int.zero \/
val_inj
(notint
(val_inj
(if Int.eq ($ OS_EVENT_TYPE_Q) ($ OS_EVENT_TYPE_Q)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) = Vnull
)(
H4 : R_ECB_ETbl_P (v´53, Int.zero)
(V$OS_EVENT_TYPE_Q
:: Vint32 i0
:: Vint32 i2 :: Vptr (v´33, Int.zero) :: x3 :: v´45 :: nil,
v´43) v´38
)(
H : ECBList_P v´41 Vnull
(v´24 ++
((V$OS_EVENT_TYPE_Q
:: Vint32 i0
:: Vint32 i2 :: Vptr (v´33, Int.zero) :: x3 :: v´45 :: nil,
v´43) :: nil) ++ v´25)
(v´26 ++
(DMsgQ (Vptr (v´33, Int.zero))
(x10
:: x7
:: x
:: x0
:: x1
:: Vint32 i11
:: Vint32 i10 :: Vptr (v´44, Int.zero) :: nil)
(x11 :: x12 :: nil) v2 :: nil) ++ v´27) v´37 v´38
),
(* Proof context: spec table, GetHPrio, invariant I, the return assertion
   (the five locals released, Aie true ** Acs nil) and Afalse for fall-through. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV message @ (Void) ∗ |-> v0) **
(EX v0 : val, LV pq @ OS_Q ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (message, (Void) ∗) :: (pq, OS_Q ∗) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the pending abstract step qpend, the current TCB and the
   queue structures laid out concretely, inside the critical section. *)
{{( <|| qpend (Vptr (v´53, Int.zero) :: Vint32 i :: nil) ||> **
LV pq @ OS_Q ∗ |-> Vptr (v´33, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (message, (Void) ∗) :: (pq, OS_Q ∗) :: (legal, Int8u) :: nil) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
(* The fourth field is Vnull here whereas H29 still lists x8: presumably
   OSTCBMsg was cleared by code before this point — confirm. *)
Astruct (v´52, Int.zero) OS_TCB
(v´42
:: v´22
:: x9
:: Vnull
:: Vint32 i9
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
:: Vint32 i5 :: Vint32 i4 :: Vint32 i3 :: nil) **
Astruct (v´44, Int.zero) OS_Q_FREEBLK (x11 :: x12 :: nil) **
Aarray v´40 (Tarray (Void) ∗ ∘OS_MAX_Q_SIZE) v2 **
Astruct (v´33, Int.zero) OS_Q
(x10
:: x7
:: x
:: x0
:: x1
:: Vint32 i11
:: Vint32 i10 :: Vptr (v´44, Int.zero) :: nil) **
dllseg v´42 (Vptr (v´52, Int.zero)) v´23 Vnull v´34 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´30 **
dllseg v´30 Vnull v´22 (Vptr (v´52, Int.zero)) v´32 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
Astruct (v´53, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_Q
:: Vint32 i0
:: Vint32 i2 :: Vptr (v´33, Int.zero) :: x3 :: v´45 :: nil) **
Aarray v´51 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´43 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´41 **
evsllseg v´41 (Vptr (v´53, Int.zero)) v´24 v´26 **
evsllseg v´45 Vnull v´25 v´27 **
A_isr_is_prop **
AOSRdyTblGrp v´35 v´36 **
AOSTCBPrioTbl v´29 v´35 v´38 v´50 **
HECBList v´37 **
HTCBList v´38 **
HCurTCB (v´52, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´2 **
AOSQFreeList v´3 **
AOSQFreeBlk v´4 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´20 v´21 **
AOSTime (Vint32 v´17) **
HTime v´17 **
AGVars **
atoy_inv´ **
LV message @ (Void) ∗ |-> v´ **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´53, Int.zero)) **
(* Pure fact: the test 0 < i10 came out false (or Vnull). *)
[|val_inj
(if Int.ltu ($ 0) i10
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.ltu ($ 0) i10
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull|]}}
OSTCBCur ′ → OSTCBStat =ₑ ′OS_STAT_Q;ₛ
OSTCBCur ′ → OSTCBDly =ₑ timeout ′;ₛ
OS_EventTaskWait ( pevent ′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
(* Back from the scheduler: re-enter the critical section before reading the TCB. *)
ENTER_CRITICAL;ₛ
message ′ =ₑ OSTCBCur ′ → OSTCBMsg;ₛ
If(message ′ !=ₑ NULL)
{EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR} ;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_TIMEOUT {{Afalse}}.
(* Verification goal for the tail of OSQPost in the branch with waiting
   tasks (H13: the group field i is non-zero), after the call
   OS_EventTaskRdy(pevent, message, OS_STAT_Q).  The precondition is the
   six-way disjunction (\\//) of that function's exit assertions
   event_rdy_post1´ .. event_rdy_post6´, each framed with the same kernel
   state, so the proof has to handle all six alternatives.  The remaining
   statements are EXIT_CRITICAL, OS_Sched() and RETURN OS_NO_ERR.  Binder
   names and order are presumably relied on by the tactic proof; keep them
   as they are. *)
Definition gen_OSQPostProofPart1 := forall
( v´ : val
)(
v´0 : val
)(
v´1 : val
)(
(* x0 is the address carried by the message argument (LV message |-> Vptr x0 below). *)
x0 : addrval
)(
v´2 : list vallist
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list EventData
)(
v´6 : list EventCtr
)(
v´7 : vallist
)(
v´8 : val
)(
v´9 : val
)(
v´10 : list vallist
)(
v´11 : vallist
)(
v´12 : list vallist
)(
v´13 : vallist
)(
v´14 : val
)(
v´15 : EcbMod.map
)(
v´16 : TcbMod.map
)(
v´17 : int32
)(
v´18 : addrval
)(
v´19 : addrval
)(
v´20 : val
)(
v´21 : list vallist
)(
H : RH_TCBList_ECBList_P v´15 v´16 v´18
)(
H0 : RH_CurTCB v´18 v´16
)(
v´24 : list EventCtr
)(
v´25 : list EventCtr
)(
v´26 : list EventData
)(
v´27 : list EventData
)(
v´29 : vallist
)(
v´30 : val
)(
v´31 : val
)(
v´32 : list vallist
)(
v´33 : vallist
)(
v´34 : list vallist
)(
v´35 : vallist
)(
v´36 : val
)(
v´37 : EcbMod.map
)(
v´38 : TcbMod.map
)(
v´40 : addrval
)(
v´41 : val
)(
v´43 : vallist
)(
(* v, v0, v1, v2 are the components of the queue event data DMsgQ v v0 v1 v2. *)
v : val
)(
v0 : vallist
)(
v1 : vallist
)(
v2 : vallist
)(
v´45 : val
)(
v´46 : EcbMod.map
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : absecb.B
)(
v´50 : addrval
)(
(* Event list split around the queue ECB at (v´28, Int.zero): v´24/v´26
   (map v´46) before it, v´25/v´27 (map v´47) after it. *)
H3 : ECBList_P v´45 Vnull v´25 v´27 v´47 v´38
)(
H4 : RLH_ECBData_P (DMsgQ v v0 v1 v2) v´49
)(
H16 : EcbMod.join v´46 v´48 v´37
)(
H7 : RH_TCBList_ECBList_P v´37 v´38 v´40
)(
H8 : RH_CurTCB v´40 v´38
)(
H12 : length v´24 = length v´26
)(
H15 : isptr v´45
)(
v´22 : addrval
)(
v´28 : block
)(
(* v´43 is the event wait table: a byte array of exactly OS_EVENT_TBL_SIZE entries. *)
H10 : array_type_vallist_match Int8u v´43
)(
H18 : length v´43 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
x4 : val
)(
(* OS_EVENT field bounds: i0 (type) and i (group) fit in 8 bits, i1 in 16 bits. *)
i0 : int32
)(
H19 : Int.unsigned i0 <= 255
)(
i : int32
)(
H20 : Int.unsigned i <= 255
)(
i1 : int32
)(
H21 : Int.unsigned i1 <= 65535
)(
H22 : isptr x3
)(
H17 : RL_Tbl_Grp_P v´43 (Vint32 i)
)(
H23 : isptr v´45
)(
H1 : ECBList_P v´41 Vnull
(v´24 ++
((Vint32 i0 :: Vint32 i :: Vint32 i1 :: x3 :: x4 :: v´45 :: nil,
v´43) :: nil) ++ v´25) (v´26 ++ (DMsgQ v v0 v1 v2 :: nil) ++ v´27)
v´37 v´38
)(
H2 : ECBList_P v´41 (Vptr (v´28, Int.zero)) v´24 v´26 v´46 v´38
)(
H6 : EcbMod.joinsig (v´28, Int.zero) v´49 v´47 v´48
)(
H11 : id_addrval´ (Vptr (v´28, Int.zero)) OSEventTbl OS_EVENT = Some v´22
)(
H5 : R_ECB_ETbl_P (v´28, Int.zero)
(Vint32 i0 :: Vint32 i :: Vint32 i1 :: x3 :: x4 :: v´45 :: nil,
v´43) v´38
)(
(* The type field i0 equals OS_EVENT_TYPE_Q; presumably this is what lets
   the logic_lv lists below write V$OS_EVENT_TYPE_Q where H1/H5 carry Vint32 i0. *)
HeqX : true = Int.eq i0 ($ OS_EVENT_TYPE_Q)
)(
(* Group field i is non-zero — presumably at least one task waits on the queue. *)
H13 : Int.eq i ($ 0) = false
)(
v´23 : option val
),
(* Proof context: spec table, GetHPrio, invariant I, the return assertion
   (the five locals released, Aie true ** Acs nil) and Afalse for fall-through. *)
{|OSQ_spec , GetHPrio, I,
fun v3 : option val =>
((((EX v4 : val, LV message @ (Void) ∗ |-> v4) **
(EX v4 : val, LV pevent @ OS_EVENT ∗ |-> v4) **
(EX v4 : val, LV pq @ OS_Q ∗ |-> v4) **
(EX v4 : val, LV legal @ Int8u |-> v4) **
(EX v4 : val, LV x @ Int8u |-> v4) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((message, (Void) ∗)
:: (pevent, OS_EVENT ∗)
:: (pq, OS_Q ∗) :: (legal, Int8u) :: (x, Int8u) :: nil)) **
<|| END v3 ||> , Afalse|}|-
(* Alternative 1 of 6: exit assertion event_rdy_post1´.  All six alternatives
   share the same logical-variable list and the same framed state, still
   inside the critical section (Aie false ** Acs (true :: nil)). *)
{{event_rdy_post1´
(Vptr (v´28, Int.zero) :: Vptr x0 :: V$OS_STAT_Q :: nil) v´23
(logic_lv v´29
:: logic_lv v´33
:: logic_llv v´32
:: logic_llv v´34
:: logic_lv v´35
:: logic_val v´36
:: logic_abstcb v´38
:: logic_val v´30
:: logic_val v´31
:: logic_val (Vptr v´40)
:: logic_lv
(V$OS_EVENT_TYPE_Q
:: Vint32 i
:: Vint32 i1
:: x3 :: x4 :: v´45 :: nil)
:: logic_lv v´43
:: logic_leventd
(DMsgQ v v0 v1 v2 :: nil)
:: logic_code
(qpost
(Vptr (v´28, Int.zero)
::
Vptr x0 :: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV x @ Int8u |-> (V$OS_STAT_Q) **
GV OSEventList @ OS_EVENT ∗ |-> v´41 **
evsllseg v´41 (Vptr (v´28, Int.zero)) v´24 v´26 **
evsllseg v´45 Vnull v´25 v´27 **
HECBList v´37 **
HTCBList v´38 **
HCurTCB v´40 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´2 **
AOSQFreeList v´3 **
AOSQFreeBlk v´4 **
AOSIntNesting **
AOSTCBFreeList v´20 v´21 **
AOSTime (Vint32 v´17) **
HTime v´17 **
AGVars **
atoy_inv´ **
LV pq @ OS_Q ∗ |-> v´ **
LV message @ (Void) ∗ |-> Vptr x0 **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´28, Int.zero) **
A_dom_lenv
((message, (Void) ∗)
:: (pevent, OS_EVENT ∗)
:: (pq, OS_Q ∗) :: (legal, Int8u) :: (x, Int8u) :: nil) \\//
(* Alternative 2 of 6: event_rdy_post2´. *)
event_rdy_post2´
(Vptr (v´28, Int.zero) :: Vptr x0 :: V$OS_STAT_Q :: nil) v´23
(logic_lv v´29
:: logic_lv v´33
:: logic_llv v´32
:: logic_llv v´34
:: logic_lv v´35
:: logic_val v´36
:: logic_abstcb v´38
:: logic_val v´30
:: logic_val v´31
:: logic_val (Vptr v´40)
:: logic_lv
(V$OS_EVENT_TYPE_Q
:: Vint32 i
:: Vint32 i1
:: x3 :: x4 :: v´45 :: nil)
:: logic_lv v´43
:: logic_leventd
(DMsgQ v v0 v1 v2 :: nil)
:: logic_code
(qpost
(Vptr (v´28, Int.zero)
::
Vptr x0 :: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV x @ Int8u |-> (V$OS_STAT_Q) **
GV OSEventList @ OS_EVENT ∗ |-> v´41 **
evsllseg v´41 (Vptr (v´28, Int.zero)) v´24 v´26 **
evsllseg v´45 Vnull v´25 v´27 **
HECBList v´37 **
HTCBList v´38 **
HCurTCB v´40 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´2 **
AOSQFreeList v´3 **
AOSQFreeBlk v´4 **
AOSIntNesting **
AOSTCBFreeList v´20 v´21 **
AOSTime (Vint32 v´17) **
HTime v´17 **
AGVars **
atoy_inv´ **
LV pq @ OS_Q ∗ |-> v´ **
LV message @ (Void) ∗ |-> Vptr x0 **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´28, Int.zero) **
A_dom_lenv
((message, (Void) ∗)
:: (pevent, OS_EVENT ∗)
:: (pq, OS_Q ∗) :: (legal, Int8u) :: (x, Int8u) :: nil) \\//
(* Alternative 3 of 6: event_rdy_post3´. *)
event_rdy_post3´
(Vptr (v´28, Int.zero) :: Vptr x0 :: V$OS_STAT_Q :: nil) v´23
(logic_lv v´29
:: logic_lv v´33
:: logic_llv v´32
:: logic_llv v´34
:: logic_lv v´35
:: logic_val v´36
:: logic_abstcb v´38
:: logic_val v´30
:: logic_val v´31
:: logic_val (Vptr v´40)
:: logic_lv
(V$OS_EVENT_TYPE_Q
:: Vint32 i
:: Vint32 i1
:: x3 :: x4 :: v´45 :: nil)
:: logic_lv v´43
:: logic_leventd
(DMsgQ v v0 v1 v2 :: nil)
:: logic_code
(qpost
(Vptr (v´28, Int.zero)
::
Vptr x0 :: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV x @ Int8u |-> (V$OS_STAT_Q) **
GV OSEventList @ OS_EVENT ∗ |-> v´41 **
evsllseg v´41 (Vptr (v´28, Int.zero)) v´24 v´26 **
evsllseg v´45 Vnull v´25 v´27 **
HECBList v´37 **
HTCBList v´38 **
HCurTCB v´40 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´2 **
AOSQFreeList v´3 **
AOSQFreeBlk v´4 **
AOSIntNesting **
AOSTCBFreeList v´20 v´21 **
AOSTime (Vint32 v´17) **
HTime v´17 **
AGVars **
atoy_inv´ **
LV pq @ OS_Q ∗ |-> v´ **
LV message @ (Void) ∗ |-> Vptr x0 **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´28, Int.zero) **
A_dom_lenv
((message, (Void) ∗)
:: (pevent, OS_EVENT ∗)
:: (pq, OS_Q ∗) :: (legal, Int8u) :: (x, Int8u) :: nil) \\//
(* Alternative 4 of 6: event_rdy_post4´. *)
event_rdy_post4´
(Vptr (v´28, Int.zero) :: Vptr x0 :: V$OS_STAT_Q :: nil) v´23
(logic_lv v´29
:: logic_lv v´33
:: logic_llv v´32
:: logic_llv v´34
:: logic_lv v´35
:: logic_val v´36
:: logic_abstcb v´38
:: logic_val v´30
:: logic_val v´31
:: logic_val (Vptr v´40)
:: logic_lv
(V$OS_EVENT_TYPE_Q
:: Vint32 i
:: Vint32 i1
:: x3 :: x4 :: v´45 :: nil)
:: logic_lv v´43
:: logic_leventd
(DMsgQ v v0 v1 v2 :: nil)
:: logic_code
(qpost
(Vptr (v´28, Int.zero)
::
Vptr x0 :: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV x @ Int8u |-> (V$OS_STAT_Q) **
GV OSEventList @ OS_EVENT ∗ |-> v´41 **
evsllseg v´41 (Vptr (v´28, Int.zero)) v´24 v´26 **
evsllseg v´45 Vnull v´25 v´27 **
HECBList v´37 **
HTCBList v´38 **
HCurTCB v´40 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´2 **
AOSQFreeList v´3 **
AOSQFreeBlk v´4 **
AOSIntNesting **
AOSTCBFreeList v´20 v´21 **
AOSTime (Vint32 v´17) **
HTime v´17 **
AGVars **
atoy_inv´ **
LV pq @ OS_Q ∗ |-> v´ **
LV message @ (Void) ∗ |-> Vptr x0 **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´28, Int.zero) **
A_dom_lenv
((message, (Void) ∗)
:: (pevent, OS_EVENT ∗)
:: (pq, OS_Q ∗) :: (legal, Int8u) :: (x, Int8u) :: nil) \\//
(* Alternative 5 of 6: event_rdy_post5´. *)
event_rdy_post5´
(Vptr (v´28, Int.zero) :: Vptr x0 :: V$OS_STAT_Q :: nil) v´23
(logic_lv v´29
:: logic_lv v´33
:: logic_llv v´32
:: logic_llv v´34
:: logic_lv v´35
:: logic_val v´36
:: logic_abstcb v´38
:: logic_val v´30
:: logic_val v´31
:: logic_val (Vptr v´40)
:: logic_lv
(V$OS_EVENT_TYPE_Q
:: Vint32 i
:: Vint32 i1
:: x3 :: x4 :: v´45 :: nil)
:: logic_lv v´43
:: logic_leventd
(DMsgQ v v0 v1 v2 :: nil)
:: logic_code
(qpost
(Vptr (v´28, Int.zero)
::
Vptr x0 :: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV x @ Int8u |-> (V$OS_STAT_Q) **
GV OSEventList @ OS_EVENT ∗ |-> v´41 **
evsllseg v´41 (Vptr (v´28, Int.zero)) v´24 v´26 **
evsllseg v´45 Vnull v´25 v´27 **
HECBList v´37 **
HTCBList v´38 **
HCurTCB v´40 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´2 **
AOSQFreeList v´3 **
AOSQFreeBlk v´4 **
AOSIntNesting **
AOSTCBFreeList v´20 v´21 **
AOSTime (Vint32 v´17) **
HTime v´17 **
AGVars **
atoy_inv´ **
LV pq @ OS_Q ∗ |-> v´ **
LV message @ (Void) ∗ |-> Vptr x0 **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´28, Int.zero) **
A_dom_lenv
((message, (Void) ∗)
:: (pevent, OS_EVENT ∗)
:: (pq, OS_Q ∗) :: (legal, Int8u) :: (x, Int8u) :: nil) \\//
(* Alternative 6 of 6: event_rdy_post6´. *)
event_rdy_post6´
(Vptr (v´28, Int.zero) :: Vptr x0 :: V$OS_STAT_Q :: nil) v´23
(logic_lv v´29
:: logic_lv v´33
:: logic_llv v´32
:: logic_llv v´34
:: logic_lv v´35
:: logic_val v´36
:: logic_abstcb v´38
:: logic_val v´30
:: logic_val v´31
:: logic_val (Vptr v´40)
:: logic_lv
(V$OS_EVENT_TYPE_Q
:: Vint32 i
:: Vint32 i1
:: x3 :: x4 :: v´45 :: nil)
:: logic_lv v´43
:: logic_leventd
(DMsgQ v v0 v1 v2 :: nil)
:: logic_code
(qpost
(Vptr (v´28, Int.zero)
::
Vptr x0 :: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV x @ Int8u |-> (V$OS_STAT_Q) **
GV OSEventList @ OS_EVENT ∗ |-> v´41 **
evsllseg v´41 (Vptr (v´28, Int.zero)) v´24 v´26 **
evsllseg v´45 Vnull v´25 v´27 **
HECBList v´37 **
HTCBList v´38 **
HCurTCB v´40 **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´2 **
AOSQFreeList v´3 **
AOSQFreeBlk v´4 **
AOSIntNesting **
AOSTCBFreeList v´20 v´21 **
AOSTime (Vint32 v´17) **
HTime v´17 **
AGVars **
atoy_inv´ **
LV pq @ OS_Q ∗ |-> v´ **
LV message @ (Void) ∗ |-> Vptr x0 **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´28, Int.zero) **
A_dom_lenv
((message, (Void) ∗)
:: (pevent, OS_EVENT ∗)
:: (pq, OS_Q ∗) :: (legal, Int8u) :: (x, Int8u) :: nil)}}
(* Postcondition Afalse: presumably no fall-through; the body exits via RETURN. *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}
.
(* Verification goal for the no-waiter branch of OSQPost: the pure assertion
   at the end of the precondition records that the negated test on the group
   field i (presumably OSEventGrp != 0) came out false, and H9 is a residual
   evaluated condition (notbool 1 = 0).  The statements are the enqueue
   itself: load the OS_Q from pevent->OSEventPtr, return OS_Q_FULL when
   OSQEntries >= OSQSize, otherwise store message through OSQIn, advance
   OSQIn and OSQEntries, wrap OSQIn back to OSQStart when it reaches OSQEnd,
   then leave the critical section and return OS_NO_ERR.  Note for review:
   the store through OSQIn is guarded only by that OSQEntries >= OSQSize test
   and by the wrap-around, so the memory-safety argument for it presumably
   rests on the OS_Q well-formedness carried inside AEventData / DMsgQ —
   confirm in the proof.  Binder names and order are presumably relied on
   by the tactic proof; keep them as they are. *)
Definition gen_OSQPostProofPart2:= forall
( v´ : val
)(
v´0 : val
)(
v´1 : val
)(
(* x0 is the address carried by the message argument (LV message |-> Vptr x0 below). *)
x0 : addrval
)(
v´2 : list vallist
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list EventData
)(
v´6 : list EventCtr
)(
v´7 : vallist
)(
v´8 : val
)(
v´9 : val
)(
v´10 : list vallist
)(
v´11 : vallist
)(
v´12 : list vallist
)(
v´13 : vallist
)(
v´14 : val
)(
v´15 : EcbMod.map
)(
v´16 : TcbMod.map
)(
v´17 : int32
)(
v´18 : addrval
)(
v´19 : addrval
)(
v´20 : val
)(
v´21 : list vallist
)(
H : RH_TCBList_ECBList_P v´15 v´16 v´18
)(
H0 : RH_CurTCB v´18 v´16
)(
v´24 : list EventCtr
)(
v´25 : list EventCtr
)(
v´26 : list EventData
)(
v´27 : list EventData
)(
v´29 : vallist
)(
v´30 : val
)(
v´31 : val
)(
v´32 : list vallist
)(
v´33 : vallist
)(
v´34 : list vallist
)(
v´35 : vallist
)(
v´36 : val
)(
v´37 : EcbMod.map
)(
v´38 : TcbMod.map
)(
v´40 : addrval
)(
v´41 : val
)(
v´43 : vallist
)(
(* v, v0, v1, v2 are the components of the queue event data DMsgQ v v0 v1 v2. *)
v : val
)(
v0 : vallist
)(
v1 : vallist
)(
v2 : vallist
)(
v´45 : val
)(
v´46 : EcbMod.map
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : absecb.B
)(
v´50 : addrval
)(
(* Event list split around the queue ECB at (v´28, Int.zero): v´24/v´26
   (map v´46) before it, v´25/v´27 (map v´47) after it. *)
H3 : ECBList_P v´45 Vnull v´25 v´27 v´47 v´38
)(
H4 : RLH_ECBData_P (DMsgQ v v0 v1 v2) v´49
)(
H16 : EcbMod.join v´46 v´48 v´37
)(
H7 : RH_TCBList_ECBList_P v´37 v´38 v´40
)(
H8 : RH_CurTCB v´40 v´38
)(
H12 : length v´24 = length v´26
)(
H15 : isptr v´45
)(
v´22 : addrval
)(
v´28 : block
)(
(* v´43 is the event wait table: a byte array of exactly OS_EVENT_TBL_SIZE entries. *)
H10 : array_type_vallist_match Int8u v´43
)(
H18 : length v´43 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
x4 : val
)(
(* OS_EVENT field bounds: i0 (type) and i (group) fit in 8 bits, i1 in 16 bits. *)
i0 : int32
)(
H19 : Int.unsigned i0 <= 255
)(
i : int32
)(
H20 : Int.unsigned i <= 255
)(
i1 : int32
)(
H21 : Int.unsigned i1 <= 65535
)(
H22 : isptr x3
)(
H17 : RL_Tbl_Grp_P v´43 (Vint32 i)
)(
H23 : isptr v´45
)(
H1 : ECBList_P v´41 Vnull
(v´24 ++
((Vint32 i0 :: Vint32 i :: Vint32 i1 :: x3 :: x4 :: v´45 :: nil,
v´43) :: nil) ++ v´25) (v´26 ++ (DMsgQ v v0 v1 v2 :: nil) ++ v´27)
v´37 v´38
)(
H2 : ECBList_P v´41 (Vptr (v´28, Int.zero)) v´24 v´26 v´46 v´38
)(
H6 : EcbMod.joinsig (v´28, Int.zero) v´49 v´47 v´48
)(
H11 : id_addrval´ (Vptr (v´28, Int.zero)) OSEventTbl OS_EVENT = Some v´22
)(
H5 : R_ECB_ETbl_P (v´28, Int.zero)
(Vint32 i0 :: Vint32 i :: Vint32 i1 :: x3 :: x4 :: v´45 :: nil,
v´43) v´38
)(
(* The type field i0 equals OS_EVENT_TYPE_Q: the event-type check passed. *)
HeqX : true = Int.eq i0 ($ OS_EVENT_TYPE_Q)
)(
(* Residual evaluated condition: notbool 1 = 0. *)
H9 : Vint32 (Int.notbool Int.one) = Vint32 Int.zero
),
(* Proof context: spec table, GetHPrio, invariant I, the return assertion
   (the five locals released, Aie true ** Acs nil) and Afalse for fall-through. *)
{|OSQ_spec , GetHPrio, I,
fun v3 : option val =>
((((EX v4 : val, LV message @ (Void) ∗ |-> v4) **
(EX v4 : val, LV pevent @ OS_EVENT ∗ |-> v4) **
(EX v4 : val, LV pq @ OS_Q ∗ |-> v4) **
(EX v4 : val, LV legal @ Int8u |-> v4) **
(EX v4 : val, LV x @ Int8u |-> v4) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((message, (Void) ∗)
:: (pevent, OS_EVENT ∗)
:: (pq, OS_Q ∗) :: (legal, Int8u) :: (x, Int8u) :: nil)) **
<|| END v3 ||> , Afalse|}|-
(* Precondition: inside the critical section, with the OS_EVENT record and
   its wait table laid out concretely; the OS_Q itself is still folded inside
   AEventData (...) (DMsgQ v v0 v1 v2).  Locals x and pq hold their
   unconstrained initial values v´1 and v´; the abstract step qpost is
   still pending. *)
{{(Astruct (v´28, Int.zero) OS_EVENT
(Vint32 i0 :: Vint32 i :: Vint32 i1 :: x3 :: x4 :: v´45 :: nil) **
Aarray v´22 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´43 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´41 **
AEventData
(Vint32 i0 :: Vint32 i :: Vint32 i1 :: x3 :: x4 :: v´45 :: nil)
(DMsgQ v v0 v1 v2) **
evsllseg v´41 (Vptr (v´28, Int.zero)) v´24 v´26 **
evsllseg v´45 Vnull v´25 v´27 **
A_isr_is_prop **
AOSTCBList v´30 v´31 v´32 (v´33 :: v´34) v´35 v´40 v´38 **
AOSRdyTblGrp v´35 v´36 **
AOSTCBPrioTbl v´29 v´35 v´38 v´50 **
HECBList v´37 **
HTCBList v´38 **
HCurTCB v´40 **
<|| qpost (Vptr (v´28, Int.zero) :: Vptr x0 :: nil) ||> **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´2 **
AOSQFreeList v´3 **
AOSQFreeBlk v´4 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´20 v´21 **
AOSTime (Vint32 v´17) **
HTime v´17 **
AGVars **
atoy_inv´ **
LV x @ Int8u |-> v´1 **
LV pq @ OS_Q ∗ |-> v´ **
LV message @ (Void) ∗ |-> Vptr x0 **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´28, Int.zero) **
A_dom_lenv
((message, (Void) ∗)
:: (pevent, OS_EVENT ∗)
:: (pq, OS_Q ∗) :: (legal, Int8u) :: (x, Int8u) :: nil)) **
(* Pure fact: the negation of (i == 0) came out false (or Vnull), i.e. the
   group field is zero — presumably no task waits on this queue. *)
[|val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) = Vint32 Int.zero \/
val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) = Vnull|]}}
pq ′ =ₑ pevent ′ → OSEventPtr;ₛ
(* Capacity check: the only guard before the store through OSQIn below. *)
If(pq ′ → OSQEntries ≥ pq ′ → OSQSize)
{EXIT_CRITICAL;ₛ
RETURN ′OS_Q_FULL} ;ₛ
∗pq ′ → OSQIn =ₑ message ′;ₛ
pq ′ → OSQIn =ₑ pq ′ → OSQIn +ₑ ′1;ₛ
pq ′ → OSQEntries =ₑ pq ′ → OSQEntries +ₑ ′1;ₛ
(* Ring-buffer wrap-around of the in-pointer. *)
If(pq ′ → OSQIn ==ₑ pq ′ → OSQEnd)
{pq ′ → OSQIn =ₑ pq ′ → OSQStart} ;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Proof obligation (a Hoare-style judgement over the project's C-like
   statement language) for one path of the mutex-pend routine: the task
   ptcb recorded in the abstract mutex (Hget) is ready, it lives in the
   left part of the TCB list (H_ptcb_in_left) while the current task
   cur_addr lives in the right part (Hgetcur_subr), and ptcb's priority
   is about to be raised to pip = x>>8 (see LV pip in the precondition).
   This primed variant is the continuation after
   OSRdyTbl[ptcb->OSTCBY] &= ~ptcb->OSTCBBitX has already executed and
   the following "== 0" test came out false: the precondition carries
   the updated ready-table row (update_nth_val ... Int.not ptcb_bitx) and
   Hif_false records the failed test.  Discharging it is what forces the
   ready-table / priority-table invariants (H15, H51, H55, H57) to be
   re-established after the kernel tables are rewritten. *)
Definition gen_mutex_pend_ptcb_is_rdy_left_to_cur´:= forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(v´37 : list vallist)
(os_rdy_tbl : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(* Event-control-block list split around the mutex at pevent_addr:
   v´27/v´29 before it (H4), v´28/v´30 after it (H5), with the
   corresponding abstract maps joined by H11 and H8. *)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(* TCB list split: tcbls_l (list head v´33 ... up to cur) and tcbls_r
   (cur_addr and what follows it). *)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(st : taskstatus)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(x0 : val)
(x2 : TcbMod.map)
(Htcblist_subr : TCBList_P x0 v´37 os_rdy_tbl x2)
(* x is the raw mutex word: its high byte (x>>8) is what the code
   binds to pip, its low byte masked by OS_MUTEX_KEEP_LOWER_8 is what
   it binds to mprio (see the LV pip / LV mprio cells below).  Hcur_prio
   states that pip is numerically below cur_prio. *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(xs : taskstatus)
(H12 : isptr x0)
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
os_rdy_tbl (cur_prio, st, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, st, Vnull) x2
tcbls_r)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(* The left part is itself split around ptcb: v´34 before it,
   v´36 after it (Htcblist_subl below glues the three pieces). *)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_l)
(Htcblist_sub_left : TCBList_P v´33 v´34 os_rdy_tbl tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 os_rdy_tbl tcbls_sub_r)
(ptcb_addr : block)
(x11 : val)
(H31 : isptr x11)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(i10 : int32)
(H44 : Int.unsigned i10 <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(ptcb_tcby : int32)
(H47 : Int.unsigned ptcb_tcby <= 255)
(ptcb_bitx : int32)
(H48 : Int.unsigned ptcb_bitx <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H27 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, xs, xm))
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(H_ptcb_in_left : TcbMod.get tcbls_l (ptcb_addr, Int.zero) =
Some (ptcb_prio, xs, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, xs, xm) tcbls_sub_r v´52)
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(H17 : RL_TCBblk_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil))
(H50 : R_TCB_Status_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil)
os_rdy_tbl (ptcb_prio, xs, xm))
(Htcblist_subl : TCBList_P v´33
(v´34 ++
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
::
Vint32 i2 :: nil) :: v´36)
os_rdy_tbl tcbls_l)
(* Guard of the lifting branch, already taken: ptcb's priority differs
   from pip and Int.ltu cur_prio mprio holds. *)
(Hif_can_lift : ptcb_prio <> x>>ᵢ$ 8 /\
Int.ltu cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = true)
(v´31 : val)
(H9 : array_type_vallist_match OS_TCB ∗ v´32)
(H52 : length v´32 = 64%nat)
(H15 : RL_RTbl_PrioTbl_P os_rdy_tbl v´32 v´53)
(H51 : R_PrioTbl_P v´32 tcbls v´53)
(* The pip slot of the priority table currently holds the placeholder
   v´53 (the OSPlaceHolder cell is also owned by the precondition). *)
(H_pip_is_hold : nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´32 =
Vptr v´53)
(H53 : array_type_vallist_match Int8u os_rdy_tbl)
(H56 : length os_rdy_tbl = ∘OS_RDY_TBL_SIZE)
(H54 : rule_type_val_match Int8u v´39 = true)
(H55 : RL_Tbl_Grp_P os_rdy_tbl v´39)
(H57 : prio_in_tbl ($ OS_IDLE_PRIO) os_rdy_tbl)
(Hownernidle : ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcbstrdy : i10 = $ OS_STAT_RDY)
(Hptcbdly0 : i11 = $ 0)
(Hrange_py : 0 <= Int.unsigned ptcb_tcby <= 7)
(* v0 is the ready-table row at index ptcb_tcby before the update;
   Hif_ptcb_rdy2 says ptcb's bit is set in it (presumably the outcome
   of the earlier isrdy test -- confirm against the caller).  Hfx
   bounds the same row after the bit is cleared. *)
(v0 : int32)
(Hif_ptcb_rdy1 : nth_val´ (Z.to_nat (Int.unsigned ptcb_tcby)) os_rdy_tbl =
Vint32 v0)
(Hif_ptcb_rdy2 : v0&ptcb_bitx <> Int.zero)
(Hrangev : Int.unsigned v0 <= 255)
(Hfx : exists x1,
nth_val´ (Z.to_nat (Int.unsigned ptcb_tcby))
(update_nth_val (Z.to_nat (Int.unsigned ptcb_tcby)) os_rdy_tbl
(Vint32 (v0&Int.not ptcb_bitx))) = Vint32 x1 /\
Int.unsigned x1 <= 255)
(* The test `OSRdyTbl[ptcb->OSTCBY] == 0` on the updated row evaluated
   to zero or Vnull, so the `OSRdyGrp &= ~ptcb->OSTCBBitY` branch was
   not taken on this path. *)
(Hif_false : val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned ptcb_tcby))
(update_nth_val (Z.to_nat (Int.unsigned ptcb_tcby))
os_rdy_tbl
(val_inj
(and (Vint32 v0) (Vint32 (Int.not ptcb_bitx))))))
(V$0)) = Vint32 Int.zero \/
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned ptcb_tcby))
(update_nth_val (Z.to_nat (Int.unsigned ptcb_tcby))
os_rdy_tbl
(val_inj
(and (Vint32 v0) (Vint32 (Int.not ptcb_bitx))))))
(V$0)) = Vnull)
(* The segment v´34 starting at v´33 ends with a pointer to ptcb,
   matching the first dllseg of the precondition. *)
(Hgetlast:
get_last_tcb_ptr v´34 v´33 = Some (Vptr (ptcb_addr,Int.zero)))
,
(* Judgement context: abstract spec OSQ_spec, scheduler GetHPrio,
   invariant I, the return-point assertion (locals existentially
   released, END v as the remaining abstract step) and Afalse; the
   exact reading of each component comes from the imported
   os_mutex / OSMutex_common development. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v1 : val, LV timeout @ Int16u |-> v1) **
(EX v1 : val, LV pevent @ OS_EVENT ∗ |-> v1) **
(EX v1 : val, LV legal @ Int8u |-> v1) **
(EX v1 : val, LV pip @ Int8u |-> v1) **
(EX v1 : val, LV mprio @ Int8u |-> v1) **
(EX v1 : val, LV isrdy @ Int8u |-> v1) **
(EX v1 : val, LV ptcb @ OS_TCB ∗ |-> v1) **
(EX v1 : val, LV pevent2 @ OS_EVENT ∗ |-> v1) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the abstract mutexpend step is still pending, OSRdyTbl
   already has ptcb's bit cleared in row ptcb_tcby, and OSTCBPrioTbl has
   ptcb's old slot re-pointed to the placeholder v´53 and the pip slot
   re-pointed to ptcb.  Interrupts are off (Aie false, Acs (true::nil)). *)
{{ <|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil) **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE)
(update_nth_val (Z.to_nat (Int.unsigned ptcb_tcby)) os_rdy_tbl
(val_inj (and (Vint32 v0) (Vint32 (Int.not ptcb_bitx))))) **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64)
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val (Z.to_nat (Int.unsigned ptcb_prio)) v´32
(Vptr v´53)) (Vptr (ptcb_addr, Int.zero))) **
PV v´53 @ Int8u |-> v´31 **
Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil) **
dllseg v´33 Vnull v´43 (Vptr (ptcb_addr, Int.zero)) v´34 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
dllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´26
(Vptr (cur_addr, Int.zero)) v´36 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
dllseg x0 (Vptr (cur_addr, Int.zero)) v´42 Vnull v´37 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
GV OSRdyGrp @ Int8u |-> v´39 **
G&OSPlaceHolder @ Int8u == v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero)}}
(* Code under verification: give ptcb priority pip, recompute its
   Y/BitY/X/BitX from OSMapTbl, set its bits in OSRdyGrp/OSRdyTbl,
   then mark the current task as waiting on the mutex with the given
   timeout, enqueue it on the event, reschedule, and on resumption
   return OS_NO_ERR when OSTCBCur->OSTCBMsg is non-NULL, else
   OS_TIMEOUT.  The postcondition is Afalse: every exit goes through
   RETURN, which is handled by the return-point assertion above. *)
ptcb ′ → OSTCBPrio =ₑ pip ′;ₛ
ptcb ′ → OSTCBY =ₑ ptcb ′ → OSTCBPrio ≫ ′3;ₛ
ptcb ′ → OSTCBBitY =ₑ OSMapTbl ′ [ptcb ′ → OSTCBY];ₛ
ptcb ′ → OSTCBX =ₑ ptcb ′ → OSTCBPrio &ₑ ′7;ₛ
ptcb ′ → OSTCBBitX =ₑ OSMapTbl ′ [ptcb ′ → OSTCBX];ₛ
OSRdyGrp ′ =ₑ OSRdyGrp ′ |ₑ ptcb ′ → OSTCBBitY;ₛ
OSRdyTbl ′ [ptcb ′ → OSTCBY] =ₑ
OSRdyTbl ′ [ptcb ′ → OSTCBY] |ₑ ptcb ′ → OSTCBBitX;ₛ
OSTCBCur ′ → OSTCBStat =ₑ ′OS_STAT_MUTEX;ₛ
OSTCBCur ′ → OSTCBDly =ₑ timeout ′;ₛ
OS_EventTaskWait ( pevent ′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
ENTER_CRITICAL;ₛ
If(OSTCBCur ′ → OSTCBMsg !=ₑ NULL)
{EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR} ;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_TIMEOUT {{Afalse}}
.
(* Proof obligation for the mutex-pend path in which the task ptcb
   recorded in the abstract mutex (Hget) is ready and is found in the
   left part of the TCB list (H_ptcb_in_left) while the current task
   cur_addr is in the right part (Hgetcur_subr), and ptcb's priority is
   to be raised to pip = x>>8.  Unlike the primed variant
   gen_mutex_pend_ptcb_is_rdy_left_to_cur´, this one starts one
   statement earlier: the precondition still carries the original
   ready table os_rdy_tbl, and the code under verification begins by
   clearing ptcb's bit in OSRdyTbl (conditionally also in OSRdyGrp).
   OSTCBPrioTbl has already been rewritten (pip slot -> ptcb, ptcb's
   old slot -> placeholder v´53).  Discharging this obligation is what
   forces the ready-table / priority-table invariants (H15, H51, H55,
   H57) to hold again after the tables are mutated. *)
Definition gen_mutex_pend_ptcb_is_rdy_left_to_cur :=
forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(v´37 : list vallist)
(os_rdy_tbl : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(* Event-control-block list split around the mutex at pevent_addr:
   v´27/v´29 before it (H4), v´28/v´30 after it (H5); abstract maps
   joined by H11 and H8. *)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(* TCB list split: tcbls_l (from list head v´33 up to cur) and
   tcbls_r (cur_addr and what follows it). *)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(st : taskstatus)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(x0 : val)
(x2 : TcbMod.map)
(Htcblist_subr : TCBList_P x0 v´37 os_rdy_tbl x2)
(* x is the raw mutex word: x>>8 is what the code binds to pip and
   x & OS_MUTEX_KEEP_LOWER_8 is what it binds to mprio (see the LV pip
   / LV mprio cells below).  Hcur_prio: pip is numerically below
   cur_prio. *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(xs : taskstatus)
(H12 : isptr x0)
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
os_rdy_tbl (cur_prio, st, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, st, Vnull) x2
tcbls_r)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(* The left part is itself split around ptcb: v´34 before it,
   v´36 after it (Htcblist_subl below glues the three pieces). *)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_l)
(Htcblist_sub_left : TCBList_P v´33 v´34 os_rdy_tbl tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 os_rdy_tbl tcbls_sub_r)
(ptcb_addr : block)
(x11 : val)
(H31 : isptr x11)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(i10 : int32)
(H44 : Int.unsigned i10 <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(ptcb_tcby : int32)
(H47 : Int.unsigned ptcb_tcby <= 255)
(ptcb_bitx : int32)
(H48 : Int.unsigned ptcb_bitx <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H27 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, xs, xm))
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(H_ptcb_in_left : TcbMod.get tcbls_l (ptcb_addr, Int.zero) =
Some (ptcb_prio, xs, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, xs, xm) tcbls_sub_r v´52)
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(H17 : RL_TCBblk_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil))
(H50 : R_TCB_Status_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil)
os_rdy_tbl (ptcb_prio, xs, xm))
(Htcblist_subl : TCBList_P v´33
(v´34 ++
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
::
Vint32 i2 :: nil) :: v´36)
os_rdy_tbl tcbls_l)
(* Guard of the lifting branch, already taken: ptcb's priority differs
   from pip and Int.ltu cur_prio mprio holds. *)
(Hif_can_lift : ptcb_prio <> x>>ᵢ$ 8 /\
Int.ltu cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = true)
(v´31 : val)
(H9 : array_type_vallist_match OS_TCB ∗ v´32)
(H52 : length v´32 = 64%nat)
(H15 : RL_RTbl_PrioTbl_P os_rdy_tbl v´32 v´53)
(H51 : R_PrioTbl_P v´32 tcbls v´53)
(* The pip slot of the priority table currently holds the placeholder
   v´53 (the OSPlaceHolder cell is also owned by the precondition). *)
(H_pip_is_hold : (nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
v´32) = (Vptr v´53) )
(H53 : array_type_vallist_match Int8u os_rdy_tbl)
(H56 : length os_rdy_tbl = ∘OS_RDY_TBL_SIZE)
(H54 : rule_type_val_match Int8u v´39 = true)
(H55 : RL_Tbl_Grp_P os_rdy_tbl v´39)
(H57 : prio_in_tbl ($ OS_IDLE_PRIO) os_rdy_tbl)
(* The test `(OSRdyTbl[ptcb_tcby] & ptcb_bitx) == 0` evaluated to zero
   or Vnull, i.e. the bit-test did not read as zero: ptcb's bit is set
   in the original ready table. *)
(Hif_false : val_inj
(val_eq
(val_inj
(and
(nth_val´ (Z.to_nat (Int.unsigned ptcb_tcby))
os_rdy_tbl) (Vint32 ptcb_bitx)))
(V$0)) = Vint32 Int.zero \/
val_inj
(val_eq
(val_inj
(and
(nth_val´ (Z.to_nat (Int.unsigned ptcb_tcby))
os_rdy_tbl) (Vint32 ptcb_bitx)))
(V$0)) = Vnull)
(Hownernidle: ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcbstrdy: i10 = $ OS_STAT_RDY)
(Hptcbdly0: i11 = $ 0 )
(* The segment v´34 starting at v´33 ends with a pointer to ptcb,
   matching the first dllseg of the precondition. *)
(Hgetlast: get_last_tcb_ptr v´34 v´33 = Some (Vptr (ptcb_addr,Int.zero)))
,
(* Judgement context: abstract spec OSQ_spec, scheduler GetHPrio,
   invariant I, the return-point assertion (locals existentially
   released, END v as the remaining abstract step) and Afalse; the
   exact reading of each component comes from the imported
   os_mutex / OSMutex_common development. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the abstract mutexpend step is still pending,
   OSTCBPrioTbl already has ptcb's old slot re-pointed to the
   placeholder v´53 and the pip slot re-pointed to ptcb, while
   OSRdyTbl is still the original os_rdy_tbl.  Interrupts are off
   (Aie false, Acs (true::nil)). *)
{{ <|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil) **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64)
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val (Z.to_nat (Int.unsigned ptcb_prio)) v´32
(Vptr v´53)) (Vptr (ptcb_addr, Int.zero))) **
PV v´53 @ Int8u |-> v´31 **
Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil) **
dllseg v´33 Vnull v´43 (Vptr (ptcb_addr, Int.zero)) v´34 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
dllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´26
(Vptr (cur_addr, Int.zero)) v´36 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
dllseg x0 (Vptr (cur_addr, Int.zero)) v´42 Vnull v´37 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE) os_rdy_tbl **
GV OSRdyGrp @ Int8u |-> v´39 **
G&OSPlaceHolder @ Int8u == v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero)}}
(* Code under verification: remove ptcb's bit from its OSRdyTbl row
   (and from OSRdyGrp if the row became empty), give ptcb priority pip,
   recompute its Y/BitY/X/BitX from OSMapTbl, set its new bits in
   OSRdyGrp/OSRdyTbl, then mark the current task as waiting on the
   mutex with the given timeout, enqueue it on the event, reschedule,
   and on resumption return OS_NO_ERR when OSTCBCur->OSTCBMsg is
   non-NULL, else OS_TIMEOUT.  The postcondition is Afalse: every exit
   goes through RETURN, handled by the return-point assertion above. *)
OSRdyTbl ′ [ptcb ′ → OSTCBY] &= ∼ ptcb ′ → OSTCBBitX;ₛ
If(OSRdyTbl ′ [ptcb ′ → OSTCBY] ==ₑ ′0)
{OSRdyGrp ′ &= ∼ ptcb ′ → OSTCBBitY} ;ₛ
ptcb ′ → OSTCBPrio =ₑ pip ′;ₛ
ptcb ′ → OSTCBY =ₑ ptcb ′ → OSTCBPrio ≫ ′3;ₛ
ptcb ′ → OSTCBBitY =ₑ OSMapTbl ′ [ptcb ′ → OSTCBY];ₛ
ptcb ′ → OSTCBX =ₑ ptcb ′ → OSTCBPrio &ₑ ′7;ₛ
ptcb ′ → OSTCBBitX =ₑ OSMapTbl ′ [ptcb ′ → OSTCBX];ₛ
OSRdyGrp ′ =ₑ OSRdyGrp ′ |ₑ ptcb ′ → OSTCBBitY;ₛ
OSRdyTbl ′ [ptcb ′ → OSTCBY] =ₑ
OSRdyTbl ′ [ptcb ′ → OSTCBY] |ₑ ptcb ′ → OSTCBBitX;ₛ
OSTCBCur ′ → OSTCBStat =ₑ ′OS_STAT_MUTEX;ₛ
OSTCBCur ′ → OSTCBDly =ₑ timeout ′;ₛ
OS_EventTaskWait ( pevent ′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
ENTER_CRITICAL;ₛ
If(OSTCBCur ′ → OSTCBMsg !=ₑ NULL)
{EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR} ;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_TIMEOUT {{Afalse}}.
(* Proof obligation for the mutex-pend path in which no priority
   lifting happens: the guard
   `!(ptcb_prio == pip) && (cur_prio < mprio)` evaluated to zero or
   Vnull (LHif_false) and cur_prio differs from mprio (Hnocur).  The
   task ptcb recorded in the abstract mutex (Hget) is in the left part
   of the TCB list (H_ptcb_in_left), the current task cur_addr in the
   right part (Hgetcur_subr), and both carry the concrete abstract
   status rdy (Hgetcur, H_ptcb).  No kernel table is rewritten on this
   path: the ready table v´38 and the priority table v´32 stay folded
   inside AOSRdyTblGrp / AOSTCBPrioTbl in the precondition, and the
   code only blocks the current task on the mutex and reschedules. *)
Definition gen_mutex_pend_can_not_lift_left_to_cur:= forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(v´37 : list vallist)
(* v´38 is the ready table on this path (it is left untouched). *)
(v´38 : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(* Event-control-block list split around the mutex at pevent_addr:
   v´27/v´29 before it (H4), v´28/v´30 after it (H5); abstract maps
   joined by H11 and H8. *)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(* TCB list split: tcbls_l (from list head v´33 up to cur) and
   tcbls_r (cur_addr and what follows it). *)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(st : taskstatus)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(x0 : val)
(x2 : TcbMod.map)
(Htcblist_subr : TCBList_P x0 v´37 v´38 x2)
(* x is the raw mutex word: x>>8 is what the code binds to pip and
   x & OS_MUTEX_KEEP_LOWER_8 is what it binds to mprio (see the LV pip
   / LV mprio cells below).  Hcur_prio: pip is numerically below
   cur_prio. *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(H12 : isptr x0)
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
v´38 (cur_prio, rdy, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, rdy, Vnull) x2
tcbls_r)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(* The left part is itself split around ptcb: v´34 before it,
   v´36 after it (Htcblist_subl below glues the three pieces). *)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_l)
(Htcblist_sub_left : TCBList_P v´33 v´34 v´38 tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 v´38 tcbls_sub_r)
(ptcb_addr : block)
(x11 : val)
(H31 : isptr x11)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(i10 : int32)
(H44 : Int.unsigned i10 <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(i7 : int32)
(H47 : Int.unsigned i7 <= 255)
(i6 : int32)
(H48 : Int.unsigned i6 <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H27 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, rdy, xm))
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(H_ptcb_in_left : TcbMod.get tcbls_l (ptcb_addr, Int.zero) =
Some (ptcb_prio, rdy, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, rdy, xm) tcbls_sub_r v´52)
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(H17 : RL_TCBblk_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7 :: Vint32 i6 :: Vint32 i2 :: nil))
(H50 : R_TCB_Status_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7 :: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, rdy, xm))
(Htcblist_subl : TCBList_P v´33
(v´34 ++
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
::
Vint32 i2 :: nil) :: v´36)
v´38 tcbls_l)
(* The lifting guard, as the C-like code evaluates it
   (`!(ptcb_prio == pip) && (cur_prio < mprio)`), came out as zero or
   Vnull: the lifting branch was not taken. *)
(LHif_false : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq ptcb_prio (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(if Int.ltu cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq ptcb_prio (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(if Int.ltu cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) = Vnull)
(* The current task's priority is not the one stored in the mutex's
   low byte. *)
(Hnocur: (Int.eq cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = false))
,
(* Judgement context: abstract spec OSQ_spec, scheduler GetHPrio,
   invariant I, the return-point assertion (locals existentially
   released, END v as the remaining abstract step) and Afalse; the
   exact reading of each component comes from the imported
   os_mutex / OSMutex_common development. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the abstract mutexpend step is still pending; the
   ready table v´38 and the priority table v´32 are still packaged in
   AOSRdyTblGrp / AOSTCBPrioTbl (nothing has been rewritten).
   Interrupts are off (Aie false, Acs (true::nil)). *)
{{Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7 :: Vint32 i6 :: Vint32 i2 :: nil) **
dllseg v´33 Vnull v´43 (Vptr (ptcb_addr, Int.zero)) v´34 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
dllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´26
(Vptr (cur_addr, Int.zero)) v´36 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
<|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
dllseg x0 (Vptr (cur_addr, Int.zero)) v´42 Vnull v´37 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp v´38 v´39 **
AOSTCBPrioTbl v´32 v´38 tcbls v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
(* Code under verification: mark the current task as waiting on the
   mutex with the given timeout, enqueue it on the event, reschedule,
   and on resumption return OS_NO_ERR when OSTCBCur->OSTCBMsg is
   non-NULL, else OS_TIMEOUT.  The postcondition is Afalse: every exit
   goes through RETURN, handled by the return-point assertion above. *)
OSTCBCur ′ → OSTCBStat =ₑ ′OS_STAT_MUTEX;ₛ
OSTCBCur ′ → OSTCBDly =ₑ timeout ′;ₛ
OS_EventTaskWait ( pevent ′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
ENTER_CRITICAL;ₛ
If(OSTCBCur ′ → OSTCBMsg !=ₑ NULL)
{EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR} ;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_TIMEOUT {{Afalse}}
.
(* Generated verification goal for OSMutexPend, priority-inheritance branch:
   the mutex owner ptcb is in state rdy (H_ptcb) and sits in the TCB-list
   segment that starts at x0, the first field of the current task's TCB
   (Htcblist_subr, Hgetlast). The precondition below already has the owner's
   bit cleared from OSRdyTbl while OSRdyGrp still holds v´39, because the test
   on the updated row evaluated false (Hif_false0), and OSTCBPrioTbl already
   shows ptbl[ptcb_prio] := placeholder, ptbl[pip] := ptcb. The program
   fragment lifts the owner to pip = x>>ᵢ$ 8, re-inserts it into the ready
   table, then pends the calling task on the event. The primed name
   distinguishes this goal from gen_mutex_pend_ptcb_is_rdy_right_to_cur, whose
   fragment starts before the OSRdyTbl update. *)
Definition gen_mutex_pend_ptcb_is_rdy_right_to_cur´:=
forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(ptbl : vallist)
(v´33 : val)
(v´35 : list vallist)
(os_rdy_tbl : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(Htcblist_subl : TCBList_P v´33 v´35 os_rdy_tbl tcbls_l)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(x0 : val)
(tcbls_r´ : TcbMod.map)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(* x is the 16-bit value stored in the event: its upper byte x>>ᵢ$ 8 is the
   inheritance priority pip, its lower byte x&$ OS_MUTEX_KEEP_LOWER_8 is
   mprio, the priority paired with the owner in the abstract mutex (Hget). *)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(* pip is numerically below cur_prio (presumably a smaller number is a
   higher priority here — confirm against the scheduler definitions). *)
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(H12 : isptr x0)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_r´)
(Htcblist_sub_left : TCBList_P x0 v´34 os_rdy_tbl tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 os_rdy_tbl tcbls_sub_r)
(ptcb_addr : block)
(x10 : val)
(H31 : isptr x10)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H27 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(* The owner is not the calling task. *)
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(Hptcb_prio_not_idle : ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcb_prio_scope_obv : 0 <= Int.unsigned ptcb_prio)
(Hptcb_prio_scope : Int.unsigned ptcb_prio < 64)
(* Abstract view of the owner: state rdy with message xm, both in the whole
   TCB map and in the right-hand part tcbls_r´. *)
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, rdy, xm))
(H_ptcb_in_right : TcbMod.get tcbls_r´ (ptcb_addr, Int.zero) =
Some (ptcb_prio, rdy, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, rdy, xm) tcbls_sub_r v´52)
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
os_rdy_tbl (cur_prio, rdy, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, rdy, Vnull)
tcbls_r´ tcbls_r)
(* mprio is not the caller's own priority (both orientations of Int.eq). *)
(Hif_false : Int.eq (x&$ OS_MUTEX_KEEP_LOWER_8) cur_prio = false)
(Hnocur : Int.eq cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = false)
(H_cur_prio_scope : Int.unsigned cur_prio < 64)
(Hx_scope1 : Int.unsigned (x>>ᵢ$ 8) < 64)
(* The two conjuncts of the C lifting test (LHif_false in
   gen_mutex_pend_can_not_lift_right_to_cur is its negated form): the owner
   is not already at pip, and cur_prio is numerically below mprio. *)
(Hif_can_lift1 : ptcb_prio <> x>>ᵢ$ 8)
(Hif_can_lift2 : Int.ltu cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = true)
(v´31 : val)
(* Bounds that keep the OSTCBPrioTbl writes in range: ptcb_prio and pip are
   both < 64 (Hptcb_prio_scope, Hx_scope1) and the table has exactly 64
   entries (Hptbl_2). *)
(Hptbl_1 : array_type_vallist_match OS_TCB ∗ ptbl)
(Hptbl_2 : length ptbl = 64%nat)
(H15 : RL_RTbl_PrioTbl_P os_rdy_tbl ptbl v´53)
(H51 : R_PrioTbl_P ptbl tcbls v´53)
(* The C test !(OSTCBPrioTbl[pip] == &OSPlaceHolder) evaluated to 0 (or to
   Vnull, the undefined-evaluation case the expression semantics admits —
   presumably), i.e. the slot at index pip holds the placeholder v´53
   (G&OSPlaceHolder in the precondition). *)
(H_pip_is_hold : val_inj
(uop_eval
(val_inj
(bop_eval
(nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
ptbl) (Vptr v´53) OS_TCB ∗
OS_TCB ∗ oeq)) oppsite) =
Vint32 Int.zero \/
val_inj
(uop_eval
(val_inj
(bop_eval
(nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
ptbl) (Vptr v´53) OS_TCB ∗
OS_TCB ∗ oeq)) oppsite) = Vnull)
(H9 : array_type_vallist_match Int8u os_rdy_tbl)
(H54 : length os_rdy_tbl = ∘OS_RDY_TBL_SIZE)
(H52 : rule_type_val_match Int8u v´39 = true)
(H53 : RL_Tbl_Grp_P os_rdy_tbl v´39)
(H55 : prio_in_tbl ($ OS_IDLE_PRIO) os_rdy_tbl)
(* Row index into OSRdyTbl is ptcb_prio>>3 < 8; this bound has to agree
   with the table length ∘OS_RDY_TBL_SIZE given by H54. *)
(Hptcb_tcby_scope : Int.unsigned (ptcb_prio>>ᵢ$ 3) < 8)
(v0 : int32)
(Hrangev : Int.unsigned v0 <= 255)
(H48 : Int.unsigned ($ 1<<(ptcb_prio&$ 7)) <= 255)
(* In the original row v0 the owner's bit 1<<(ptcb_prio&7) was set, so the
   owner was ready before the update. *)
(Hif_ptcb_rdy2 : v0&($ 1<<(ptcb_prio&$ 7)) <> Int.zero)
(H47 : Int.unsigned (ptcb_prio>>ᵢ$ 3) <= 255)
(Hrange_py : 0 <= Int.unsigned (ptcb_prio>>ᵢ$ 3) <= 7)
(Hif_ptcb_rdy1 : nth_val´ (Z.to_nat (Int.unsigned (ptcb_prio>>ᵢ$ 3)))
os_rdy_tbl = Vint32 v0)
(H33 : Int.unsigned ($ 0) <= 65535)
(H44 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(Htcblist_subr : TCBList_P x0
(v´34 ++
(v´45
:: v´43
:: x10
:: xm
:: V$0
:: V$OS_STAT_RDY
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 (ptcb_prio>>ᵢ$ 3)
:: Vint32
($ 1<<(ptcb_prio&$ 7))
::
Vint32 i2 :: nil) :: v´36)
os_rdy_tbl tcbls_r´)
(H17 : RL_TCBblk_P
(v´45
:: v´43
:: x10
:: xm
:: V$0
:: V$OS_STAT_RDY
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 (ptcb_prio>>ᵢ$ 3)
:: Vint32 ($ 1<<(ptcb_prio&$ 7))
:: Vint32 i2 :: nil))
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x10
:: xm
:: V$0
:: V$OS_STAT_RDY
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 (ptcb_prio>>ᵢ$ 3)
:: Vint32 ($ 1<<(ptcb_prio&$ 7))
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(H50 : R_TCB_Status_P
(v´45
:: v´43
:: x10
:: xm
:: V$0
:: V$OS_STAT_RDY
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 (ptcb_prio>>ᵢ$ 3)
:: Vint32 ($ 1<<(ptcb_prio&$ 7))
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(* The updated row is still a byte value. *)
(Hfx : exists x1,
nth_val´ (Z.to_nat (Int.unsigned (ptcb_prio>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (ptcb_prio>>ᵢ$ 3)))
os_rdy_tbl (Vint32 (v0&Int.not ($ 1<<(ptcb_prio&$ 7))))) =
Vint32 x1 /\ Int.unsigned x1 <= 255)
(* The test OSRdyTbl[ptcb->OSTCBY] == 0 on the updated row evaluated false
   (the Vnull disjunct being the undefined-evaluation case — presumably), so
   the group-bit clearing was skipped and OSRdyGrp still holds v´39. *)
(Hif_false0 : val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (ptcb_prio>>ᵢ$ 3)))
(update_nth_val
(Z.to_nat (Int.unsigned (ptcb_prio>>ᵢ$ 3)))
os_rdy_tbl
(val_inj
(and (Vint32 v0)
(Vint32 (Int.not ($ 1<<(ptcb_prio&$ 7))))))))
(V$0)) = Vint32 Int.zero \/
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (ptcb_prio>>ᵢ$ 3)))
(update_nth_val
(Z.to_nat (Int.unsigned (ptcb_prio>>ᵢ$ 3)))
os_rdy_tbl
(val_inj
(and (Vint32 v0)
(Vint32 (Int.not ($ 1<<(ptcb_prio&$ 7))))))))
(V$0)) = Vnull)
(* The owner node is the last node of the segment v´34 that starts at x0. *)
(Hgetlast: get_last_tcb_ptr v´34 x0 = Some (Vptr (ptcb_addr,Int.zero)))
,
(* Judgement context: the return assertion (fun v : option val => ...)
   quantifies the eight locals away and demands Aie true and Acs nil at
   RETURN; the roles of OSQ_spec, GetHPrio and I are fixed by the program
   logic and not visible here. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v1 : val, LV timeout @ Int16u |-> v1) **
(EX v1 : val, LV pevent @ OS_EVENT ∗ |-> v1) **
(EX v1 : val, LV legal @ Int8u |-> v1) **
(EX v1 : val, LV pip @ Int8u |-> v1) **
(EX v1 : val, LV mprio @ Int8u |-> v1) **
(EX v1 : val, LV isrdy @ Int8u |-> v1) **
(EX v1 : val, LV ptcb @ OS_TCB ∗ |-> v1) **
(EX v1 : val, LV pevent2 @ OS_EVENT ∗ |-> v1) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the abstract mutexpend step is still pending; OSRdyTbl
   already has the owner's old bit cleared; OSTCBPrioTbl already has
   ptbl[ptcb_prio] := placeholder and ptbl[pip] := ptcb; the critical
   section is held (Aie false, Acs (true :: nil)). *)
{{ <|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil) **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE)
(update_nth_val (Z.to_nat (Int.unsigned (ptcb_prio>>ᵢ$ 3))) os_rdy_tbl
(val_inj
(and (Vint32 v0) (Vint32 (Int.not ($ 1<<(ptcb_prio&$ 7))))))) **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64)
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val (Z.to_nat (Int.unsigned ptcb_prio)) ptbl
(Vptr v´53)) (Vptr (ptcb_addr, Int.zero))) **
PV v´53 @ Int8u |-> v´31 **
Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x10
:: xm
:: V$0
:: V$OS_STAT_RDY
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 (ptcb_prio>>ᵢ$ 3)
:: Vint32 ($ 1<<(ptcb_prio&$ 7))
:: Vint32 i2 :: nil) **
tcbdllseg x0 (Vptr (cur_addr, Int.zero)) v´43
(Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´42 Vnull v´36 **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
dllseg v´33 Vnull v´26 (Vptr (cur_addr, Int.zero)) v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
GV OSRdyGrp @ Int8u |-> v´39 **
G&OSPlaceHolder @ Int8u == v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero)}}
(* Program fragment under verification. First the priority-inheritance
   step: lift the owner to pip, recompute its Y/X coordinates and bit masks
   from the new priority, and re-insert it into OSRdyGrp/OSRdyTbl. *)
ptcb ′ → OSTCBPrio =ₑ pip ′;ₛ
ptcb ′ → OSTCBY =ₑ ptcb ′ → OSTCBPrio ≫ ′3;ₛ
ptcb ′ → OSTCBBitY =ₑ OSMapTbl ′ [ptcb ′ → OSTCBY];ₛ
ptcb ′ → OSTCBX =ₑ ptcb ′ → OSTCBPrio &ₑ ′7;ₛ
ptcb ′ → OSTCBBitX =ₑ OSMapTbl ′ [ptcb ′ → OSTCBX];ₛ
OSRdyGrp ′ =ₑ OSRdyGrp ′ |ₑ ptcb ′ → OSTCBBitY;ₛ
OSRdyTbl ′ [ptcb ′ → OSTCBY] =ₑ
OSRdyTbl ′ [ptcb ′ → OSTCBY] |ₑ ptcb ′ → OSTCBBitX;ₛ
(* Then pend the caller: mark it OS_STAT_MUTEX, arm the timeout, wait on the
   event and reschedule. After resuming, a non-NULL OSTCBMsg is reported as
   OS_NO_ERR, otherwise OS_TIMEOUT. Both paths RETURN, which is why the
   fall-through postcondition is Afalse. *)
OSTCBCur ′ → OSTCBStat =ₑ ′OS_STAT_MUTEX;ₛ
OSTCBCur ′ → OSTCBDly =ₑ timeout ′;ₛ
OS_EventTaskWait ( pevent ′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
ENTER_CRITICAL;ₛ
If(OSTCBCur ′ → OSTCBMsg !=ₑ NULL)
{EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR} ;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_TIMEOUT {{Afalse}}
.
(* Generated verification goal for OSMutexPend, priority-inheritance branch,
   taken one step earlier than the primed variant
   gen_mutex_pend_ptcb_is_rdy_right_to_cur´: the owner ptcb is ready
   (Hif_ptcb_is_rdy1, Hif_ptcb_is_rdy2, and the second Hif_false, which says
   its bit is set in OSRdyTbl), OSRdyTbl still holds the untouched
   os_rdy_tbl, and the owner's OSTCBY/OSTCBBitX fields are the abstract
   ptcb_tcby/ptcb_bitx fixed by Hptcb_tcby/Hptcb_bitx. The fragment first
   removes the owner from its old ready-table slot, then lifts it to
   pip = x>>ᵢ$ 8 and re-inserts it, then pends the calling task. *)
Definition gen_mutex_pend_ptcb_is_rdy_right_to_cur:= forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(ptbl : vallist)
(v´33 : val)
(v´35 : list vallist)
(os_rdy_tbl : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(Htcblist_subl : TCBList_P v´33 v´35 os_rdy_tbl tcbls_l)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(x0 : val)
(tcbls_r´ : TcbMod.map)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(* x is the 16-bit event value: x>>ᵢ$ 8 is pip, x&$ OS_MUTEX_KEEP_LOWER_8
   is mprio, the priority paired with the owner in the abstract mutex. *)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(* pip is numerically below cur_prio (presumably smaller = higher priority;
   confirm against the scheduler definitions). *)
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(H12 : isptr x0)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_r´)
(Htcblist_sub_left : TCBList_P x0 v´34 os_rdy_tbl tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 os_rdy_tbl tcbls_sub_r)
(ptcb_addr : block)
(x10 : val)
(H31 : isptr x10)
(* Owner TCB fields that are still symbolic here: i11 and ptcb_stat occupy
   the positions that hold V$0 and V$OS_STAT_RDY in the current task's node
   (presumably OSTCBDly and OSTCBStat); ptcb_tcby and ptcb_bitx are pinned
   to ptcb_prio by Hptcb_tcby/Hptcb_bitx further down. *)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(ptcb_stat : int32)
(H44 : Int.unsigned ptcb_stat <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(ptcb_tcby : int32)
(H47 : Int.unsigned ptcb_tcby <= 255)
(ptcb_bitx : int32)
(H48 : Int.unsigned ptcb_bitx <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H27 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(* The owner is not the calling task. *)
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(Htcblist_subr : TCBList_P x0
(v´34 ++
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
::
Vint32 i2 :: nil) :: v´36)
os_rdy_tbl tcbls_r´)
(H17 : RL_TCBblk_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil))
(Hptcb_prio_not_idle : ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcb_prio_scope_obv : 0 <= Int.unsigned ptcb_prio)
(Hptcb_prio_scope : Int.unsigned ptcb_prio < 64)
(* The owner's status word is OS_STAT_RDY and its delay word is 0: the
   concrete counterpart of the abstract state rdy in H_ptcb. *)
(Hif_ptcb_is_rdy1 : ptcb_stat = $ OS_STAT_RDY)
(Hif_ptcb_is_rdy2 : i11 = $ 0)
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, rdy, xm))
(H_ptcb_in_right : TcbMod.get tcbls_r´ (ptcb_addr, Int.zero) =
Some (ptcb_prio, rdy, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, rdy, xm) tcbls_sub_r v´52)
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(H50 : R_TCB_Status_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil)
os_rdy_tbl (ptcb_prio, rdy, xm))
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
os_rdy_tbl (cur_prio, rdy, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, rdy, Vnull)
tcbls_r´ tcbls_r)
(* NOTE(review): the name Hif_false is bound twice in this goal (here and
   again at the ready-table test below); under a bare intros the second
   binding shadows this one, so proofs should refer to Hnocur for the
   mprio <> cur_prio fact. *)
(Hif_false : Int.eq (x&$ OS_MUTEX_KEEP_LOWER_8) cur_prio = false)
(Hnocur : Int.eq cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = false)
(H_cur_prio_scope : Int.unsigned cur_prio < 64)
(Hx_scope1 : Int.unsigned (x>>ᵢ$ 8) < 64)
(* Conjuncts of the C lifting test: the owner is not already at pip and
   cur_prio is numerically below mprio. *)
(Hif_can_lift1 : ptcb_prio <> x>>ᵢ$ 8)
(Hif_can_lift2 : Int.ltu cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = true)
(v´31 : val)
(* OSTCBPrioTbl has exactly 64 entries; ptcb_prio and pip are both < 64. *)
(Hptbl_1 : array_type_vallist_match OS_TCB ∗ ptbl)
(Hptbl_2 : length ptbl = 64%nat)
(H15 : RL_RTbl_PrioTbl_P os_rdy_tbl ptbl v´53)
(H51 : R_PrioTbl_P ptbl tcbls v´53)
(* The C test !(OSTCBPrioTbl[pip] == &OSPlaceHolder) evaluated to 0 (or to
   Vnull — presumably the undefined-evaluation case), i.e. the slot at index
   pip holds the placeholder v´53. *)
(H_pip_is_hold : val_inj
(uop_eval
(val_inj
(bop_eval
(nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
ptbl) (Vptr v´53) OS_TCB ∗
OS_TCB ∗ oeq)) oppsite) =
Vint32 Int.zero \/
val_inj
(uop_eval
(val_inj
(bop_eval
(nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
ptbl) (Vptr v´53) OS_TCB ∗
OS_TCB ∗ oeq)) oppsite) = Vnull)
(H9 : array_type_vallist_match Int8u os_rdy_tbl)
(H54 : length os_rdy_tbl = ∘OS_RDY_TBL_SIZE)
(H52 : rule_type_val_match Int8u v´39 = true)
(H53 : RL_Tbl_Grp_P os_rdy_tbl v´39)
(H55 : prio_in_tbl ($ OS_IDLE_PRIO) os_rdy_tbl)
(* The symbolic Y/BitX fields are the ones derived from ptcb_prio. *)
(Hptcb_tcby : ptcb_tcby = ptcb_prio>>ᵢ$ 3)
(Hptcb_bitx : ptcb_bitx = $ 1<<(ptcb_prio&$ 7))
(* Row index into OSRdyTbl is < 8; must agree with ∘OS_RDY_TBL_SIZE (H54).
   NOTE(review): Hptcb_bitx_scope restates the tcby bound rather than a
   bound on ptcb_bitx — its name is misleading. *)
(Hptcb_tcby_scope : Int.unsigned (ptcb_prio>>ᵢ$ 3) < 8)
(Hptcb_bitx_scope : Int.unsigned (ptcb_prio>>ᵢ$ 3) < 8)
(* The C test (OSRdyTbl[ptcb->OSTCBY] & ptcb->OSTCBBitX) == 0 evaluated
   false (Vnull disjunct: undefined evaluation, presumably), so the owner's
   bit is set in its row — it is in the ready table. *)
(Hif_false : val_inj
(val_eq
(val_inj
(and
(nth_val´ (Z.to_nat (Int.unsigned ptcb_tcby))
os_rdy_tbl) (Vint32 ptcb_bitx)))
(V$0)) = Vint32 Int.zero \/
val_inj
(val_eq
(val_inj
(and
(nth_val´ (Z.to_nat (Int.unsigned ptcb_tcby))
os_rdy_tbl) (Vint32 ptcb_bitx)))
(V$0)) = Vnull)
(* The owner node is the last node of the segment v´34 that starts at x0. *)
(Hgetlast:
get_last_tcb_ptr v´34 x0 = Some (Vptr (ptcb_addr,Int.zero)))
,
(* Judgement context: the return assertion quantifies the eight locals away
   and demands Aie true and Acs nil at RETURN. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: OSTCBPrioTbl already has ptbl[ptcb_prio] := placeholder
   and ptbl[pip] := ptcb, but OSRdyTbl is still the original os_rdy_tbl. *)
{{ <|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil) **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64)
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val (Z.to_nat (Int.unsigned ptcb_prio)) ptbl
(Vptr v´53)) (Vptr (ptcb_addr, Int.zero))) **
PV v´53 @ Int8u |-> v´31 **
Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil) **
tcbdllseg x0 (Vptr (cur_addr, Int.zero)) v´43
(Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´42 Vnull v´36 **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
dllseg v´33 Vnull v´26 (Vptr (cur_addr, Int.zero)) v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE) os_rdy_tbl **
GV OSRdyGrp @ Int8u |-> v´39 **
G&OSPlaceHolder @ Int8u == v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero)}}
(* Program fragment under verification. Remove the owner from its old
   ready-table slot, clearing the group bit if the row becomes empty. *)
OSRdyTbl ′ [ptcb ′ → OSTCBY] &= ∼ ptcb ′ → OSTCBBitX;ₛ
If(OSRdyTbl ′ [ptcb ′ → OSTCBY] ==ₑ ′0)
{OSRdyGrp ′ &= ∼ ptcb ′ → OSTCBBitY} ;ₛ
(* Priority-inheritance step: lift the owner to pip, recompute its
   coordinates and bit masks, and re-insert it into OSRdyGrp/OSRdyTbl. *)
ptcb ′ → OSTCBPrio =ₑ pip ′;ₛ
ptcb ′ → OSTCBY =ₑ ptcb ′ → OSTCBPrio ≫ ′3;ₛ
ptcb ′ → OSTCBBitY =ₑ OSMapTbl ′ [ptcb ′ → OSTCBY];ₛ
ptcb ′ → OSTCBX =ₑ ptcb ′ → OSTCBPrio &ₑ ′7;ₛ
ptcb ′ → OSTCBBitX =ₑ OSMapTbl ′ [ptcb ′ → OSTCBX];ₛ
OSRdyGrp ′ =ₑ OSRdyGrp ′ |ₑ ptcb ′ → OSTCBBitY;ₛ
OSRdyTbl ′ [ptcb ′ → OSTCBY] =ₑ
OSRdyTbl ′ [ptcb ′ → OSTCBY] |ₑ ptcb ′ → OSTCBBitX;ₛ
(* Pend the caller and reschedule; a non-NULL OSTCBMsg on resumption is
   reported as OS_NO_ERR, otherwise OS_TIMEOUT. Both paths RETURN, hence
   the Afalse fall-through postcondition. *)
OSTCBCur ′ → OSTCBStat =ₑ ′OS_STAT_MUTEX;ₛ
OSTCBCur ′ → OSTCBDly =ₑ timeout ′;ₛ
OS_EventTaskWait ( pevent ′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
ENTER_CRITICAL;ₛ
If(OSTCBCur ′ → OSTCBMsg !=ₑ NULL)
{EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR} ;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_TIMEOUT {{Afalse}}
.
(* Generated verification goal for OSMutexPend, no-lift branch: the owner
   ptcb is ready and in the TCB-list segment after the current task, but the
   C lifting test !(ptcb_prio == pip) && (cur_prio < mprio) evaluated false
   (LHif_false), so the owner's priority is left unchanged and the calling
   task simply pends. Because no table is written, the ready table and the
   priority table stay folded as AOSRdyTblGrp/AOSTCBPrioTbl in the
   precondition. The obligation here is presumably that pending without
   lifting still refines the abstract mutexpend step. *)
Definition gen_mutex_pend_can_not_lift_right_to_cur:= forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(* v´32 is the priority table and v´38 the ready table, both kept abstract
   in this goal (see AOSTCBPrioTbl / AOSRdyTblGrp below). *)
(v´32 : vallist)
(v´33 : val)
(v´35 : list vallist)
(v´38 : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(Htcblist_subl : TCBList_P v´33 v´35 v´38 tcbls_l)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(x0 : val)
(tcbls_r´ : TcbMod.map)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(* x is the 16-bit event value: x>>ᵢ$ 8 is pip, x&$ OS_MUTEX_KEEP_LOWER_8
   is mprio, the priority paired with the owner in the abstract mutex. *)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(* pip is numerically below cur_prio (presumably smaller = higher priority;
   confirm against the scheduler definitions). *)
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(H12 : isptr x0)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_r´)
(Htcblist_sub_left : TCBList_P x0 v´34 v´38 tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 v´38 tcbls_sub_r)
(ptcb_addr : block)
(x10 : val)
(H31 : isptr x10)
(* Owner TCB fields kept symbolic: i11 and ptcb_stat sit where the current
   task's node holds V$0 and V$OS_STAT_RDY (presumably OSTCBDly/OSTCBStat);
   i7 and i6 are its Y and BitX fields, unconstrained since no ready-table
   write happens in this branch. *)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(ptcb_stat : int32)
(H44 : Int.unsigned ptcb_stat <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(i7 : int32)
(H47 : Int.unsigned i7 <= 255)
(i6 : int32)
(H48 : Int.unsigned i6 <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H27 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(* The owner is not the calling task. *)
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(Htcblist_subr : TCBList_P x0
(v´34 ++
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
::
Vint32 i2 :: nil) :: v´36)
v´38 tcbls_r´)
(H17 : RL_TCBblk_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7 :: Vint32 i6 :: Vint32 i2 :: nil))
(Hptcb_prio_not_idle : ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcb_prio_scope_obv : 0 <= Int.unsigned ptcb_prio)
(Hptcb_prio_scope : Int.unsigned ptcb_prio < 64)
(* Concrete counterpart of the abstract state rdy in H_ptcb: status word
   OS_STAT_RDY, delay word 0. *)
(Hif_ptcb_is_rdy1 : ptcb_stat = $ OS_STAT_RDY)
(Hif_ptcb_is_rdy2 : i11 = $ 0)
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, rdy, xm))
(H_ptcb_in_right : TcbMod.get tcbls_r´ (ptcb_addr, Int.zero) =
Some (ptcb_prio, rdy, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, rdy, xm) tcbls_sub_r v´52)
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, rdy, xm))
(H50 : R_TCB_Status_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7 :: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, rdy, xm))
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
v´38 (cur_prio, rdy, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, rdy, Vnull)
tcbls_r´ tcbls_r)
(* mprio is not the caller's own priority (both orientations of Int.eq). *)
(Hif_false : Int.eq (x&$ OS_MUTEX_KEEP_LOWER_8) cur_prio = false)
(Hnocur : Int.eq cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = false)
(H_cur_prio_scope : Int.unsigned cur_prio < 64)
(Hx_scope1 : Int.unsigned (x>>ᵢ$ 8) < 64)
(* The whole C lifting test, !(ptcb_prio == pip) && (cur_prio <u mprio),
   evaluated to 0 (or Vnull — presumably the undefined-evaluation case the
   expression semantics admits). Either the owner already runs at pip or the
   caller does not rank below mprio; compare the split hypotheses
   Hif_can_lift1/Hif_can_lift2 of the lifting goals. *)
(LHif_false : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq ptcb_prio (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(if Int.ltu cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq ptcb_prio (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(if Int.ltu cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) = Vnull)
,
(* Judgement context: the return assertion quantifies the eight locals away
   and demands Aie true and Acs nil at RETURN. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the owner node is untouched, the abstract mutexpend step is
   still pending, and both tables remain folded (AOSRdyTblGrp v´38 v´39,
   AOSTCBPrioTbl v´32 v´38 tcbls v´53). *)
{{Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7 :: Vint32 i6 :: Vint32 i2 :: nil) **
tcbdllseg x0 (Vptr (cur_addr, Int.zero)) v´43
(Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´42 Vnull v´36 **
<|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
dllseg v´33 Vnull v´26 (Vptr (cur_addr, Int.zero)) v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp v´38 v´39 **
AOSTCBPrioTbl v´32 v´38 tcbls v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
(* Program fragment under verification: no priority inheritance here, the
   caller just pends on the mutex and reschedules. A non-NULL OSTCBMsg on
   resumption is reported as OS_NO_ERR, otherwise OS_TIMEOUT. Both paths
   RETURN, hence the Afalse fall-through postcondition. *)
OSTCBCur ′ → OSTCBStat =ₑ ′OS_STAT_MUTEX;ₛ
OSTCBCur ′ → OSTCBDly =ₑ timeout ′;ₛ
OS_EventTaskWait ( pevent ′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
ENTER_CRITICAL;ₛ
If(OSTCBCur ′ → OSTCBMsg !=ₑ NULL)
{EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR} ;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_TIMEOUT {{Afalse}}
.
(* Verification condition for the main body of OSMutexPend.

   Starting point: the argument checks have passed. [pevent] points to a
   mutex ECB ([LV legal |-> V$1], event type [OS_EVENT_TYPE_MUTEX]), and the
   precondition carries [Aie false] together with [Acs (true :: nil)], i.e.
   the critical section entered earlier is still open. The locals [pip],
   [mprio], [ptcb], [isrdy] and [pevent2] hold arbitrary values
   [v´0], [v´1], [v´3], [v´2], [v´4] at this point.

   The hypotheses describe the concrete and abstract kernel state:
   - [H3], [H4], [H5]: the event list is a prefix [v´27]/[v´29], then the
     mutex ECB at [v´31] with count [i2], owner pointer [x2] and wait table
     [v´46], then a suffix [v´28]/[v´30]; [v´40] is the full ECB map.
   - [Hget], [H8], [H17], [H6]: the abstract mutex is [absmutexsem x x0]
     with wait set [x1], related to the concrete count/owner by
     [MatchMutexSem] and [RLH_ECBData_P].
   - [H31], [H32], [H30]: the TCB list is split around the current task at
     [v´54]; it is ready ([OS_STAT_RDY], delay 0), has priority [i6] (not
     the idle priority, [Hneq_idle]) and an empty message slot
     ([H15] : x11 = Vnull).
   - [H9], [H10]: the high-level invariants tying the ECB map, the TCB map
     and the current-task id together.

   The conclusion is a Hoare triple for the remaining C code; every path
   ends in [RETURN], so the normal postcondition is [Afalse]. The return
   assertion releases the eight locals and requires [Aie true] / [Acs nil]
   again, i.e. the critical section must have been left before returning.
   The trailing [Afalse] component of the judgment is the framework's
   second exit assertion; its role is fixed by the definition of the
   judgment, not here. *)
Definition gen_mutex_pend_part_0:=
forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H : RH_TCBList_ECBList_P v´18 v´19 v´21)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(v´35 : list vallist)
(v´37 : list vallist)
(v´38 : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(v´41 : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(* Event list: prefix [v´27]/[v´29] ending at the mutex ECB [v´31], and
   suffix [v´28]/[v´30]; [v´49]/[v´51] are the matching halves of [v´40]. *)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 v´41)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(v´31 : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x2 : val)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(i2 : int32)
(H23 : Int.unsigned i2 <= 65535)
(H24 : isptr x2)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (v´31, Int.zero)) v´27 v´29 v´49 v´41)
(H2 : isptr (Vptr (v´31, Int.zero)))
(H16 : id_addrval´ (Vptr (v´31, Int.zero)) OSEventTbl OS_EVENT = Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(* Abstract view of the mutex: [absmutexsem x x0] with wait set [x1],
   related to the concrete count [i2] and owner pointer [x2]. *)
(x : int32)
(x0 : owner)
(x1 : waitset)
(H17 : MatchMutexSem (Vint32 i2) x2 x x0)
(H8 : EcbMod.joinsig (v´31, Int.zero) (absmutexsem x x0, x1) v´50 v´51)
(Hget : EcbMod.get v´40 (v´31, Int.zero) = Some (absmutexsem x x0, x1))
(H26 : RH_ECB_P (absmutexsem x x0, x1))
(H6 : RLH_ECBData_P (DMutex (Vint32 i2) x2) (absmutexsem x x0, x1))
(* TCB list split around the current task at [v´54]: [v´35] before it
   ([H31]) and [v´37] after it ([H32]). *)
(v´26 : val)
(v´42 : val)
(v´45 : TcbMod.map)
(v´47 : TcbMod.map)
(v´52 : val)
(v´54 : block)
(H29 : v´33 <> Vnull)
(H30 : TcbMod.join v´45 v´47 v´41)
(H31 : TCBList_P v´33 v´35 v´38 v´45)
(H28 : Vptr (v´54, Int.zero) <> Vnull)
(x11 : val)
(x12 : val)
(H35 : isptr x12)
(H36 : isptr x11)
(i6 : int32)
(H39 : Int.unsigned i6 <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H12 : isptr v´52)
(H9 : RH_TCBList_ECBList_P v´40 v´41 (v´54, Int.zero))
(H10 : RH_CurTCB (v´54, Int.zero) v´41)
(st : taskstatus)
(Hgetcur_subr : TcbMod.get v´47 (v´54, Int.zero) = Some (i6, st, x11))
(Hgetcur : TcbMod.get v´41 (v´54, Int.zero) = Some (i6, st, x11))
(Hneq_idle : i6 <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H15 : x11 = Vnull)
(H7 : R_ECB_ETbl_P (v´31, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0 :: Vint32 i2 :: x2 :: x3 :: v´48 :: nil, v´46) v´41)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0 :: Vint32 i2 :: x2 :: x3 :: v´48 :: nil, v´46)
:: nil) ++ v´28) (v´29 ++ (DMutex (Vint32 i2) x2 :: nil) ++ v´30)
v´40 v´41)
(H32 : TCBList_P (Vptr (v´54, Int.zero))
((v´52
:: v´26
:: x12
:: x11
:: V$0
:: V$OS_STAT_RDY
:: Vint32 i6
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil) :: v´37)
v´38 v´47)
(Hcurnode : TCBNode_P
(v´52
:: v´26
:: x12
:: x11
:: V$0
:: V$OS_STAT_RDY
:: Vint32 i6
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
v´38 (i6, st, x11)),
{|OSQ_spec, GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
{{Astruct (v´54, Int.zero) OS_TCB
(v´52
:: v´26
:: x12
:: x11
:: V$0
:: V$OS_STAT_RDY
:: Vint32 i6
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
dllseg v´52 (Vptr (v´54, Int.zero)) v´42 Vnull v´37 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
dllseg v´33 Vnull v´26 (Vptr (v´54, Int.zero)) v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´54, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0 :: Vint32 i2 :: x2 :: x3 :: v´48 :: nil)
(DMutex (Vint32 i2) x2) **
Astruct (v´31, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0 :: Vint32 i2 :: x2 :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (v´31, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp v´38 v´39 **
AOSTCBPrioTbl v´32 v´38 v´41 v´53 **
HECBList v´40 **
HTCBList v´41 **
HCurTCB (v´54, Int.zero) **
<|| mutexpend (Vptr (v´31, Int.zero) :: Vint32 i :: nil) ||> **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV ptcb @ OS_TCB ∗ |-> v´3 **
LV isrdy @ Int8u |-> v´2 **
LV mprio @ Int8u |-> v´1 **
LV pip @ Int8u |-> v´0 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´31, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
(* pip: the priority-inheritance priority, the upper 8 bits of
   OSEventCnt. *)
pip′ =ₑ 〈Int8u〉(pevent′→OSEventCnt ≫ ′8);ₛ
(* A caller whose priority number is less than or equal to pip may not
   pend on this mutex. The sibling obligations for the non-error paths
   carry the complementary fact [Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true]. *)
If (OSTCBCur′→OSTCBPrio <ₑ pip′ ||ₑ (OSTCBCur′→OSTCBPrio ==ₑ pip′)){
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEX_PRIO
};ₛ
(* mprio: the lower 8 bits of OSEventCnt, i.e. the priority recorded for
   the owner, or OS_MUTEX_AVAILABLE when the mutex is free. *)
mprio′ =ₑ 〈Int8u〉(pevent′→OSEventCnt &ₑ ′OS_MUTEX_KEEP_LOWER_8);ₛ
(* ptcb: the TCB pointer stored in the ECB, i.e. the current owner. *)
ptcb′ =ₑ pevent′→OSEventPtr;ₛ
(* Free mutex: record the caller's priority in the lower 8 bits, make the
   caller the owner, and return without blocking. *)
If (mprio′ ==ₑ ′OS_MUTEX_AVAILABLE) {
pevent′→OSEventCnt =ₑ pevent′→OSEventCnt &ₑ ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent′→OSEventCnt =ₑ pevent′→OSEventCnt |ₑ OSTCBCur′→OSTCBPrio;ₛ
pevent′→OSEventPtr =ₑ OSTCBCur′;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR
};ₛ
(* The mutex is held. Reject the cases in which blocking would be wrong:
   the caller already owns it, the owner is the idle task, the owner is
   not ready or is delayed, or the recorded owner priority equals the
   caller's priority. *)
If(ptcb′ ==ₑ OSTCBCur′){
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEX_DEADLOCK
};ₛ
If(ptcb′→OSTCBPrio ==ₑ ′OS_IDLE_PRIO){
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEX_IDLE
};ₛ
If ( (ptcb′→OSTCBStat !=ₑ ′OS_STAT_RDY) ||ₑ (ptcb′→OSTCBDly !=ₑ ′0)){
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_NEST
};ₛ
If(mprio′ ==ₑ (OSTCBCur′→OSTCBPrio)){
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEX_DEADLOCK
};ₛ
(* Priority inheritance: if the owner has not already been raised to pip
   and its priority number is greater than the caller's, move the owner
   to pip. The pip slot of OSTCBPrioTbl must still hold PlaceHolder,
   otherwise OS_ERR_MUTEXPR_NOT_HOLDER is returned. The owner's old slot
   becomes PlaceHolder, its ready-table bits are cleared at the old
   priority and set at pip, and the derived TCB fields
   (OSTCBY, OSTCBBitY, OSTCBX, OSTCBBitX) are recomputed from pip. *)
IF ((ptcb′→OSTCBPrio !=ₑ pip′) &&ₑ (mprio′ >ₑ (OSTCBCur′→OSTCBPrio))){
If ( OSTCBPrioTbl′[pip′] !=ₑ 〈OS_TCB ∗〉 PlaceHolder){
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEXPR_NOT_HOLDER
};ₛ
OSTCBPrioTbl′[ ptcb′→OSTCBPrio ] =ₑ 〈OS_TCB ∗〉 PlaceHolder;ₛ
OSTCBPrioTbl′[pip′] =ₑ 〈OS_TCB ∗〉 ptcb′;ₛ
OSRdyTbl′[ptcb′→OSTCBY] =ₑ OSRdyTbl′[ptcb′→OSTCBY]&ₑ(∼ptcb′→OSTCBBitX);ₛ
If (OSRdyTbl′[ptcb′→OSTCBY] ==ₑ ′0)
{
OSRdyGrp′ =ₑ OSRdyGrp′ &ₑ (∼ptcb′→OSTCBBitY)
};ₛ
ptcb′→OSTCBPrio =ₑ pip′;ₛ
ptcb′→OSTCBY =ₑ ptcb′→OSTCBPrio ≫ ′3;ₛ
ptcb′→OSTCBBitY =ₑ OSMapTbl′[ptcb′→OSTCBY];ₛ
ptcb′→OSTCBX =ₑ (ptcb′→OSTCBPrio) &ₑ ′7;ₛ
ptcb′→OSTCBBitX =ₑ OSMapTbl′[ptcb′→OSTCBX];ₛ
OSRdyGrp′ =ₑ OSRdyGrp′ |ₑ ptcb′→OSTCBBitY;ₛ
OSRdyTbl′[ptcb′→OSTCBY] =ₑ OSRdyTbl′[ptcb′→OSTCBY] |ₑ ptcb′→OSTCBBitX;ₛ
(* Block the caller on the mutex (status OS_STAT_MUTEX, delay = timeout),
   leave the critical section, reschedule, and re-enter it. After waking
   up, a non-NULL OSTCBMsg is the only evidence used for having obtained
   the mutex; otherwise the pend is reported as a timeout. *)
OSTCBCur′→OSTCBStat =ₑ ′OS_STAT_MUTEX;ₛ
OSTCBCur′→OSTCBDly =ₑ timeout′;ₛ
OS_EventTaskWait(pevent′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
ENTER_CRITICAL;ₛ
If (OSTCBCur′→OSTCBMsg !=ₑ NULL){
EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR
};ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_TIMEOUT
} ELSE {
(* No priority inheritance needed: same blocking sequence as above. *)
OSTCBCur′→OSTCBStat =ₑ ′OS_STAT_MUTEX;ₛ
OSTCBCur′→OSTCBDly =ₑ timeout′;ₛ
OS_EventTaskWait(pevent′);ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
ENTER_CRITICAL;ₛ
If (OSTCBCur′→OSTCBMsg !=ₑ NULL){
EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR
};ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_TIMEOUT
} {{Afalse}}.
(* Proof obligation for the OS_ERR_MUTEX_DEADLOCK exit of OSMutexPend that
   is taken when the mutex owner is the calling task itself.

   Relative to the entry obligation the state has been refined:
   - [Hmutex_not_avail]: the lower 8 bits of the count [x] are not
     OS_MUTEX_AVAILABLE, so the mutex is held;
   - [Hcur_prio]: [Int.ltu (x>>ᵢ$ 8) cur_prio = true], so the priority
     check against pip passed;
   - the owner pointer is [Vptr ptcb_tid] and the abstract mutex records
     the owner as [Some (ptcb_tid, x&$ OS_MUTEX_KEEP_LOWER_8)]
     ([Hget], [H8], [H6]); [H_ptcb] gives its TCB entry;
   - [LHift_true]: the C test [ptcb == OSTCBCur] evaluated to true, i.e.
     [ptcb_tid] has block [cur_addr] and offset [Int.zero].
   The TCB list is split into [tcbls_l] (nodes before the current task,
   [Htcblist_subl]) and [tcbls_r] (the current task followed by [v´37],
   [Htcbjoin_right], [Htcblist_subr]); the current task is ready with an
   empty message slot ([Hgetcur]).

   The remaining code only leaves the critical section and returns
   OS_ERR_MUTEX_DEADLOCK; those two statements must establish the return
   assertion, which releases the locals and requires [Aie true] / [Acs nil]. *)
Definition gen_mutex_pend_ptcb_is_cur_err:= forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(v´35 : list vallist)
(v´37 : list vallist)
(v´38 : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(Htcblist_subl : TCBList_P v´33 v´35 v´38 tcbls_l)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(st : taskstatus)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(x0 : val)
(x2 : TcbMod.map)
(Htcblist_subr : TCBList_P x0 v´37 v´38 x2)
(* Facts about the mutex count [x] established by the preceding checks. *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_tid : addrval)
(H24 : isptr (Vptr ptcb_tid))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0 :: Vint32 x :: Vptr ptcb_tid :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0 :: Vint32 x :: Vptr ptcb_tid :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++ (DMutex (Vint32 x) (Vptr ptcb_tid) :: nil) ++ v´30) v´40
tcbls)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (ptcb_tid, x&$ OS_MUTEX_KEEP_LOWER_8)),
wls) v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_tid, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8) (Some (ptcb_tid, x&$ OS_MUTEX_KEEP_LOWER_8)),
wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr ptcb_tid))
(absmutexsem (x>>ᵢ$ 8) (Some (ptcb_tid, x&$ OS_MUTEX_KEEP_LOWER_8)),
wls))
(ptcb_prio : priority)
(xm : msg)
(xs : taskstatus)
(H_ptcb : TcbMod.get tcbls ptcb_tid = Some (ptcb_prio, xs, xm))
(H12 : isptr x0)
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
v´38 (cur_prio, st, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, st, Vnull) x2
tcbls_r)
(* Result of evaluating the C condition [ptcb == OSTCBCur]: true, i.e.
   not 0, not NULL and defined. *)
(LHift_true : val_inj
(let (b, ofs) := ptcb_tid in
if peq b cur_addr
then
if Int.eq ofs Int.zero
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)
else Some (Vint32 Int.zero)) <> Vint32 Int.zero /\
val_inj
(let (b, ofs) := ptcb_tid in
if peq b cur_addr
then
if Int.eq ofs Int.zero
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)
else Some (Vint32 Int.zero)) <> Vnull /\
val_inj
(let (b, ofs) := ptcb_tid in
if peq b cur_addr
then
if Int.eq ofs Int.zero
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)
else Some (Vint32 Int.zero)) <> Vundef)
,
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
{{ <|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr ptcb_tid **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
dllseg x0 (Vptr (cur_addr, Int.zero)) v´42 Vnull v´37 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
dllseg v´33 Vnull v´26 (Vptr (cur_addr, Int.zero)) v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0 :: Vint32 x :: Vptr ptcb_tid :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr ptcb_tid)) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0 :: Vint32 x :: Vptr ptcb_tid :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp v´38 v´39 **
AOSTCBPrioTbl v´32 v´38 tcbls v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
(* Owner is the caller: report the self-deadlock without touching any
   kernel state. *)
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEX_DEADLOCK {{Afalse}}
.
(* Proof obligation for the OS_ERR_MUTEX_IDLE exit of OSMutexPend that is
   taken when the mutex owner is the idle task.

   Compared with [gen_mutex_pend_ptcb_is_cur_err], the owner has been
   located in the TCB list: it is the node at [ptcb_addr], distinct from
   the current task ([H_ptcb_not_cur]) and lying in the part of the list
   before the current task ([H_ptcb_in_left], [Hget_last_tcb]). The
   precondition therefore splits the list into
     - [tcbdllseg v´33 Vnull v´43 (Vptr (ptcb_addr, Int.zero)) v´34]
       for the nodes before the owner,
     - [Astruct (ptcb_addr, Int.zero) OS_TCB ...] for the owner itself,
     - [tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´26 (Vptr (cur_addr, Int.zero)) v´36]
       for the nodes between owner and current task,
     - [Astruct (cur_addr, Int.zero) OS_TCB ...] for the current task,
     - [dllseg x0 (Vptr (cur_addr, Int.zero)) v´42 Vnull v´37 ...] for the rest,
   with the matching map splits [Htcbjoin_sub_whole], [Htcbjoin_sub_right]
   and [Htcbjoin_whole].
   [LHift_true] records that the C test [ptcb->OSTCBPrio == OS_IDLE_PRIO]
   evaluated to true ([Int.eq ptcb_prio ($ OS_IDLE_PRIO) = true]).

   The remaining code only leaves the critical section and returns
   OS_ERR_MUTEX_IDLE; those two statements must establish the return
   assertion, which releases the locals and requires [Aie true] / [Acs nil]. *)
Definition gen_mutex_pend_ptcb_is_idle_err_left_to_cur:= forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(v´37 : list vallist)
(v´38 : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(st : taskstatus)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(x0 : val)
(x2 : TcbMod.map)
(Htcblist_subr : TCBList_P x0 v´37 v´38 x2)
(* Facts about the mutex count [x] established by the preceding checks. *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(xs : taskstatus)
(H12 : isptr x0)
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
v´38 (cur_prio, st, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, st, Vnull) x2
tcbls_r)
(* Split of the left part of the TCB list around the owner node:
   [v´34] before it, [v´36] after it up to the current task. *)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_l)
(Htcblist_sub_left : TCBList_P v´33 v´34 v´38 tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 v´38 tcbls_sub_r)
(ptcb_addr : block)
(x11 : val)
(H31 : isptr x11)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(i10 : int32)
(H44 : Int.unsigned i10 <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(i7 : int32)
(H47 : Int.unsigned i7 <= 255)
(i6 : int32)
(H48 : Int.unsigned i6 <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H17 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, xs, xm))
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(H_ptcb_in_left : TcbMod.get tcbls_l (ptcb_addr, Int.zero) =
Some (ptcb_prio, xs, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, xs, xm) tcbls_sub_r v´52)
(Hget_last_tcb : get_last_tcb_ptr v´34 v´33 =
Some (Vptr (ptcb_addr, Int.zero)))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, xs, xm))
(Htcblist_subl : TCBList_P v´33
(v´34 ++
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
::
Vint32 i2 :: nil) :: v´36)
v´38 tcbls_l)
(Hptcb_blk : RL_TCBblk_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil))
(Hptcb_stat : R_TCB_Status_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, xs, xm))
(* The C test [ptcb->OSTCBPrio == OS_IDLE_PRIO] evaluated to true. *)
(LHift_true : Int.eq ptcb_prio ($ OS_IDLE_PRIO) = true)
,
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
{{Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7 :: Vint32 i6 :: Vint32 i2 :: nil) **
tcbdllseg v´33 Vnull v´43 (Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´26
(Vptr (cur_addr, Int.zero)) v´36 **
<|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
dllseg x0 (Vptr (cur_addr, Int.zero)) v´42 Vnull v´37 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp v´38 v´39 **
AOSTCBPrioTbl v´32 v´38 tcbls v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
(* Owner is the idle task: report the error without touching any kernel
   state. *)
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEX_IDLE {{Afalse}}
.
Definition gen_mutex_pend_ptcb_is_not_rdy_left_to_cur:= forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(v´37 : list vallist)
(v´38 : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(st : taskstatus)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(x0 : val)
(x2 : TcbMod.map)
(Htcblist_subr : TCBList_P x0 v´37 v´38 x2)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(xs : taskstatus)
(H12 : isptr x0)
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
v´38 (cur_prio, st, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, st, Vnull) x2
tcbls_r)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_l)
(Htcblist_sub_left : TCBList_P v´33 v´34 v´38 tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 v´38 tcbls_sub_r)
(ptcb_addr : block)
(x11 : val)
(H31 : isptr x11)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(ptcb_stat : int32)
(H44 : Int.unsigned ptcb_stat <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(i7 : int32)
(H47 : Int.unsigned i7 <= 255)
(i6 : int32)
(H48 : Int.unsigned i6 <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H17 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, xs, xm))
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(H_ptcb_in_left : TcbMod.get tcbls_l (ptcb_addr, Int.zero) =
Some (ptcb_prio, xs, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, xs, xm) tcbls_sub_r v´52)
(Hget_last_tcb : get_last_tcb_ptr v´34 v´33 =
Some (Vptr (ptcb_addr, Int.zero)))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, xs, xm))
(Htcblist_subl : TCBList_P v´33
(v´34 ++
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
::
Vint32 i2 :: nil) :: v´36)
v´38 tcbls_l)
(Hptcb_blk : RL_TCBblk_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil))
(Hptcb_stat : R_TCB_Status_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, xs, xm))
(Hptcb_prio_not_idle : ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcb_prio_scope_obv : 0 <= Int.unsigned ptcb_prio)
(Hptcb_prio_scope : Int.unsigned ptcb_prio < 64)
(Hif_ptcb_is_not_rdy : ptcb_stat <> $ OS_STAT_RDY \/ i11 <> $ 0)
,
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
{{Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7 :: Vint32 i6 :: Vint32 i2 :: nil) **
tcbdllseg v´33 Vnull v´43 (Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´26
(Vptr (cur_addr, Int.zero)) v´36 **
<|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
dllseg x0 (Vptr (cur_addr, Int.zero)) v´42 Vnull v´37 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp v´38 v´39 **
AOSTCBPrioTbl v´32 v´38 tcbls v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_NEST {{Afalse}}
.
(* Goal statement for the [OS_ERR_MUTEX_DEADLOCK] error return of mutex pend.
   The hypotheses that single out this case are near the end of the binder
   list: the recorded owner TCB [ptcb] is ready ([Hif_ptcb_is_rdy1],
   [Hif_ptcb_is_rdy2]) and the owner priority kept in the low 8 bits of the
   mutex word [x] equals the current task's priority ([Hcur_prio_eql_mprio]),
   even though the owner and the current TCB are distinct addresses
   ([H_ptcb_not_cur]).  The [left_to_cur] suffix matches the precondition,
   where [ptcb_addr] sits in the TCB list segment that precedes [cur_addr]
   ([tcbdllseg v´33 Vnull v´43 (Vptr (ptcb_addr, Int.zero)) v´34] followed by
   [tcbdllseg v´45 ... (Vptr (cur_addr, Int.zero)) v´36]).  The many unused
   [v´n] binders are presumably carried over verbatim from the proof context
   in which this goal was generated -- confirm before pruning any of them. *)
Definition gen_mutex_pend_cur_prio_eql_mprio_left_to_cur:= forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(v´37 : list vallist)
(os_rdy_tbl : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(x0 : val)
(x2 : TcbMod.map)
(Htcblist_subr : TCBList_P x0 v´37 os_rdy_tbl x2)
(* [x] is the mutex value word: [x>>ᵢ$ 8] is the local [pip] and
   [x&$ OS_MUTEX_KEEP_LOWER_8] the local [mprio] (see the [LV pip] / [LV mprio]
   cells in the precondition and the owner tuple in [Hget]). *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(H12 : isptr x0)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_l)
(Htcblist_sub_left : TCBList_P v´33 v´34 os_rdy_tbl tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 os_rdy_tbl tcbls_sub_r)
(ptcb_addr : block)
(x11 : val)
(H31 : isptr x11)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(ptcb_stat : int32)
(H44 : Int.unsigned ptcb_stat <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(ptcb_tcby : int32)
(H47 : Int.unsigned ptcb_tcby <= 255)
(ptcb_bitx : int32)
(H48 : Int.unsigned ptcb_bitx <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H17 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(Hget_last_tcb : get_last_tcb_ptr v´34 v´33 =
Some (Vptr (ptcb_addr, Int.zero)))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(Htcblist_subl : TCBList_P v´33
(v´34 ++
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
::
Vint32 i2 :: nil) :: v´36)
os_rdy_tbl tcbls_l)
(Hptcb_blk : RL_TCBblk_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil))
(Hptcb_prio_not_idle : ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcb_prio_scope_obv : 0 <= Int.unsigned ptcb_prio)
(Hptcb_prio_scope : Int.unsigned ptcb_prio < 64)
(* Owner TCB is in the ready state: status field and delay field of the
   [ptcb] node are [OS_STAT_RDY] and [0]; both the low-level node and the
   abstract TCB entry below carry [rdy]. *)
(Hif_ptcb_is_rdy1 : ptcb_stat = $ OS_STAT_RDY)
(Hif_ptcb_is_rdy2 : i11 = $ 0)
(Hrtbl_type : array_type_vallist_match Int8u os_rdy_tbl)
(Hrtbl_len : length os_rdy_tbl = ∘OS_RDY_TBL_SIZE)
(Hgrp1 : RL_Tbl_Grp_P os_rdy_tbl v´39)
(Hgrp2 : prio_in_tbl ($ OS_IDLE_PRIO) os_rdy_tbl)
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, rdy, xm))
(H_ptcb_in_left : TcbMod.get tcbls_l (ptcb_addr, Int.zero) =
Some (ptcb_prio, rdy, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, rdy, xm) tcbls_sub_r v´52)
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(Hptcb_stat : R_TCB_Status_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
os_rdy_tbl (cur_prio, rdy, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, rdy, Vnull) x2
tcbls_r)
(* The branch condition that selects this goal: [mprio == OSTCBCur->OSTCBPrio]
   evaluated true. *)
(Hcur_prio_eql_mprio : Int.eq (x&$ OS_MUTEX_KEEP_LOWER_8) cur_prio = true)
,
(* Proof context: specification [OSQ_spec], scheduler relation [GetHPrio],
   invariant [I], and the assertion paired with [<|| END v ||>] -- presumably
   what the local environment must satisfy whenever the function returns. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the TCB list is split around [ptcb_addr] and [cur_addr], the
   mutex ECB at [pevent_addr] is unfolded, and interrupts are disabled
   ([Aie false], [Acs (true :: nil)]) because the code is inside a critical
   section. *)
{{Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil) **
tcbdllseg v´33 Vnull v´43 (Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´26
(Vptr (cur_addr, Int.zero)) v´36 **
<|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
dllseg x0 (Vptr (cur_addr, Int.zero)) v´42 Vnull v´37 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp os_rdy_tbl v´39 **
AOSTCBPrioTbl v´32 os_rdy_tbl tcbls v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
(* Statement under verification.  [Afalse] as the postcondition presumably
   reflects that control never falls through a RETURN -- confirm against the
   program logic's rule for RETURN. *)
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEX_DEADLOCK {{Afalse}}
.
(* Goal statement for the [OS_ERR_MUTEXPR_NOT_HOLDER] error return of mutex
   pend.  Relative to the deadlock goal, the owner priority in the low 8 bits
   of [x] differs from the current priority ([Hif_false], [Hnocur]), the
   current priority value is numerically below the owner's ([Hif_can_lift2]),
   [ptcb_prio] differs from the PIP [x>>ᵢ$ 8] ([Hif_can_lift1]), and
   [Hif_true] records that the C test on [OSTCBPrioTbl] at index [pip]
   against the placeholder [Vptr v´53] evaluated true.  Again [ptcb_addr]
   lies in the TCB list segment before [cur_addr] ([left_to_cur]).  The
   precondition exposes the priority table ([GAarray OSTCBPrioTbl ...]) and
   the placeholder cell ([PV v´53 ...]) that the deadlock goal keeps folded
   inside [AOSTCBPrioTbl].  Unused [v´n] binders are presumably carried over
   from the generating proof context -- confirm before pruning. *)
Definition gen_mutex_pend_pip_is_not_hold_left_to_cur:= forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(* [ptbl] is the contents of [OSTCBPrioTbl]; see [Hptbl_1], [Hptbl_2] and the
   [GAarray] cell in the precondition. *)
(ptbl : vallist)
(v´33 : val)
(v´37 : list vallist)
(os_rdy_tbl : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(x0 : val)
(x2 : TcbMod.map)
(Htcblist_subr : TCBList_P x0 v´37 os_rdy_tbl x2)
(* [x] is the mutex value word: [x>>ᵢ$ 8] is the local [pip] and
   [x&$ OS_MUTEX_KEEP_LOWER_8] the local [mprio] (see [LV pip] / [LV mprio]
   in the precondition and the owner tuple in [Hget]). *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(H12 : isptr x0)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_l)
(Htcblist_sub_left : TCBList_P v´33 v´34 os_rdy_tbl tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 os_rdy_tbl tcbls_sub_r)
(ptcb_addr : block)
(x11 : val)
(H31 : isptr x11)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(ptcb_stat : int32)
(H44 : Int.unsigned ptcb_stat <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(ptcb_tcby : int32)
(H47 : Int.unsigned ptcb_tcby <= 255)
(ptcb_bitx : int32)
(H48 : Int.unsigned ptcb_bitx <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H17 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(Hget_last_tcb : get_last_tcb_ptr v´34 v´33 =
Some (Vptr (ptcb_addr, Int.zero)))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(Htcblist_subl : TCBList_P v´33
(v´34 ++
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
::
Vint32 i2 :: nil) :: v´36)
os_rdy_tbl tcbls_l)
(Hptcb_blk : RL_TCBblk_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil))
(Hptcb_prio_not_idle : ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcb_prio_scope_obv : 0 <= Int.unsigned ptcb_prio)
(Hptcb_prio_scope : Int.unsigned ptcb_prio < 64)
(Hif_ptcb_is_rdy1 : ptcb_stat = $ OS_STAT_RDY)
(Hif_ptcb_is_rdy2 : i11 = $ 0)
(Hrtbl_type : array_type_vallist_match Int8u os_rdy_tbl)
(Hrtbl_len : length os_rdy_tbl = ∘OS_RDY_TBL_SIZE)
(Hgrp1 : RL_Tbl_Grp_P os_rdy_tbl v´39)
(Hgrp2 : prio_in_tbl ($ OS_IDLE_PRIO) os_rdy_tbl)
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, rdy, xm))
(H_ptcb_in_left : TcbMod.get tcbls_l (ptcb_addr, Int.zero) =
Some (ptcb_prio, rdy, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, rdy, xm) tcbls_sub_r v´52)
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(Hptcb_stat : R_TCB_Status_P
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
os_rdy_tbl (cur_prio, rdy, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, rdy, Vnull) x2
tcbls_r)
(* Branch conditions leading here: [mprio] differs from the current priority
   (both orientations of the comparison are kept), and the current priority
   value is below [mprio]. *)
(Hif_false : Int.eq (x&$ OS_MUTEX_KEEP_LOWER_8) cur_prio = false)
(Hnocur : Int.eq cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = false)
(H_cur_prio_scope : Int.unsigned cur_prio < 64)
(Hx_scope1 : Int.unsigned (x>>ᵢ$ 8) < 64)
(Hif_can_lift1 : ptcb_prio <> x>>ᵢ$ 8)
(Hif_can_lift2 : Int.ltu cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = true)
(v´31 : val)
(Hptbl_1 : array_type_vallist_match OS_TCB ∗ ptbl)
(Hptbl_2 : length ptbl = 64%nat)
(H15 : RL_RTbl_PrioTbl_P os_rdy_tbl ptbl v´53)
(H27 : R_PrioTbl_P ptbl tcbls v´53)
(* Evaluated C condition on [OSTCBPrioTbl[pip]] versus the placeholder
   [Vptr v´53]: the same expression ([oeq] under [oppsite]) is asserted to be
   neither [Vint32 Int.zero], [Vnull] nor [Vundef].  From its shape this looks
   like the negated pointer-equality test -- confirm against the definitions
   of [bop_eval] / [uop_eval] before relying on that reading. *)
(Hif_true : val_inj
(uop_eval
(val_inj
(bop_eval
(nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) ptbl)
(Vptr v´53) OS_TCB ∗ OS_TCB ∗ oeq)) oppsite) <>
Vint32 Int.zero /\
val_inj
(uop_eval
(val_inj
(bop_eval
(nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) ptbl)
(Vptr v´53) OS_TCB ∗ OS_TCB ∗ oeq)) oppsite) <> Vnull /\
val_inj
(uop_eval
(val_inj
(bop_eval
(nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) ptbl)
(Vptr v´53) OS_TCB ∗ OS_TCB ∗ oeq)) oppsite) <>
Vundef)
,
(* Proof context: specification [OSQ_spec], scheduler relation [GetHPrio],
   invariant [I], and the assertion paired with [<|| END v ||>] -- presumably
   what the local environment must satisfy whenever the function returns. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition.  Unlike the deadlock goal, the placeholder byte at [v´53]
   and the raw [OSTCBPrioTbl] array are held separately instead of inside
   [AOSTCBPrioTbl]; interrupts are disabled ([Aie false], [Acs (true :: nil)])
   because the code is inside a critical section. *)
{{PV v´53 @ Int8u |-> v´31 **
Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x11
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil) **
tcbdllseg v´33 Vnull v´43 (Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´26
(Vptr (cur_addr, Int.zero)) v´36 **
<|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
dllseg x0 (Vptr (cur_addr, Int.zero)) v´42 Vnull v´37 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp os_rdy_tbl v´39 **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64) ptbl **
G&OSPlaceHolder @ Int8u == v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
(* Statement under verification.  [Afalse] as the postcondition presumably
   reflects that control never falls through a RETURN -- confirm against the
   program logic's rule for RETURN. *)
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEXPR_NOT_HOLDER {{Afalse}}
.
(* Goal statement for the [OS_ERR_MUTEX_IDLE] error return of mutex pend: the
   recorded owner's priority is the idle priority ([LHift_true]).  The
   [right_to_cur] suffix matches the precondition, where [ptcb_addr] lies in
   the TCB list segment after [cur_addr]
   ([tcbdllseg x0 (Vptr (cur_addr, Int.zero)) v´43 (Vptr (ptcb_addr, Int.zero)) v´34]
   followed by [tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´42 Vnull v´36]),
   so the owner's abstract entry is looked up in [tcbls_r´] rather than in
   [tcbls_l] ([H_ptcb_in_right]).  Unlike the two preceding goals, the task
   statuses of the current task ([st]) and of the owner ([xs]) are left
   abstract instead of being fixed to [rdy].  Unused [v´n] binders are
   presumably carried over from the generating proof context -- confirm before
   pruning. *)
Definition gen_mutex_pend_ptcb_is_idle_err_right_to_cur:= forall
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(v´35 : list vallist)
(v´38 : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(* Here the whole left part of the TCB list (before [cur_addr]) is a single
   segment [v´35]; the split around [ptcb_addr] happens on the right side. *)
(Htcblist_subl : TCBList_P v´33 v´35 v´38 tcbls_l)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(st : taskstatus)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(x0 : val)
(tcbls_r´ : TcbMod.map)
(* [x] is the mutex value word: [x>>ᵢ$ 8] is the local [pip] and
   [x&$ OS_MUTEX_KEEP_LOWER_8] the local [mprio] (see [LV pip] / [LV mprio]
   in the precondition and the owner tuple in [Hget]). *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(xs : taskstatus)
(H12 : isptr x0)
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
v´38 (cur_prio, st, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, st, Vnull)
tcbls_r´ tcbls_r)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_r´)
(Htcblist_sub_left : TCBList_P x0 v´34 v´38 tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 v´38 tcbls_sub_r)
(ptcb_addr : block)
(x10 : val)
(H31 : isptr x10)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(i10 : int32)
(H44 : Int.unsigned i10 <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(i7 : int32)
(H47 : Int.unsigned i7 <= 255)
(i6 : int32)
(H48 : Int.unsigned i6 <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H17 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, xs, xm))
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(H_ptcb_in_right : TcbMod.get tcbls_r´ (ptcb_addr, Int.zero) =
Some (ptcb_prio, xs, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, xs, xm) tcbls_sub_r v´52)
(Hget_last_tcb : get_last_tcb_ptr v´34 x0 =
Some (Vptr (ptcb_addr, Int.zero)))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, xs, xm))
(Htcblist_subr : TCBList_P x0
(v´34 ++
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
::
Vint32 i2 :: nil) :: v´36)
v´38 tcbls_r´)
(Hptcb_blk : RL_TCBblk_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil))
(Hptcb_stat : R_TCB_Status_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, xs, xm))
(* The branch condition that selects this goal: the owner TCB's priority
   equals [OS_IDLE_PRIO]. *)
(LHift_true : Int.eq ptcb_prio ($ OS_IDLE_PRIO) = true)
,
(* Proof context: specification [OSQ_spec], scheduler relation [GetHPrio],
   invariant [I], and the assertion paired with [<|| END v ||>] -- presumably
   what the local environment must satisfy whenever the function returns. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the TCB list segment after [cur_addr] is split around
   [ptcb_addr], the mutex ECB at [pevent_addr] is unfolded, and interrupts are
   disabled ([Aie false], [Acs (true :: nil)]) because the code is inside a
   critical section. *)
{{Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 i10
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7 :: Vint32 i6 :: Vint32 i2 :: nil) **
tcbdllseg x0 (Vptr (cur_addr, Int.zero)) v´43
(Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´42 Vnull v´36 **
<|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
dllseg v´33 Vnull v´26 (Vptr (cur_addr, Int.zero)) v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp v´38 v´39 **
AOSTCBPrioTbl v´32 v´38 tcbls v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
(* Statement under verification.  [Afalse] as the postcondition presumably
   reflects that control never falls through a RETURN -- confirm against the
   program logic's rule for RETURN. *)
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEX_IDLE {{Afalse}}
.
(* Verification condition for one error path of OSMutexPend.
   Situation encoded by the hypotheses: the mutex at pevent_addr is
   held (Hmutex_not_avail) by the task at ptcb_addr (Hget), that owner
   is not ready (Hif_ptcb_is_not_rdy), and the owner's TCB sits to the
   right of the current task's TCB in OSTCBList (Hget_last_tcb,
   Htcblist_subr).  Under the precondition given after the turnstile
   the remaining statements [EXIT_CRITICAL; RETURN OS_ERR_NEST] must
   satisfy the function spec.  The trailing postcondition is Afalse
   because RETURN never falls through; the returned value is judged
   against the [END v] frame of the spec instead.  The binder names
   below are relied on by the proof scripts (intros), so do not rename
   them. *)
Definition gen_mutex_pend_ptcb_is_not_rdy_right_to_cur:= forall
(* i is the timeout argument of the call: it is both the value of the
   local [timeout] and the second argument of the mutexpend abstract
   operation in the precondition. *)
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(* H0 talks about earlier ghost variables; the live current-TCB fact is
   H10 further down. *)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(v´35 : list vallist)
(v´38 : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(* Event list split around the pended mutex: v´27/v´29 are the events
   before it (H4), v´28/v´30 those after it (H5); the abstract ECB map
   v´40 is v´49 joined with v´51 (H11), and v´51 is the pended mutex
   joined with v´50 (H8 below). *)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(* v´46 is the event's wait table: byte-typed entries, OS_EVENT_TBL_SIZE
   of them, consistent with the group byte i0 (H18). *)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(* TCB list split at the current task: tcbls_l covers the nodes before
   cur_addr (Htcblist_subl), tcbls_r the current node and everything
   after it (Htcbjoin_right, Htcblist_subr). *)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(Htcblist_subl : TCBList_P v´33 v´35 v´38 tcbls_l)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(st : taskstatus)
(* The caller is not the idle task. *)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(* H37, H38 and H36 are trivially true side facts produced by the
   symbolic execution; they carry no information. *)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(* Abstract view of the current task: priority cur_prio, status st, no
   message (Vnull). *)
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, st, Vnull))
(x0 : val)
(tcbls_r´ : TcbMod.map)
(* x is the 16-bit count word of the mutex event (third field of the
   OS_EVENT value list, presumably OSEventCnt).  Its high byte x >> 8
   is the priority-inheritance priority pip and its low byte
   x & OS_MUTEX_KEEP_LOWER_8 is the owner's recorded priority mprio,
   matching the LV pip / LV mprio cells in the precondition. *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(* The mutex is owned: its low byte is not OS_MUTEX_AVAILABLE. *)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(* pip is numerically smaller than the caller's priority (unsigned
   compare), i.e. the earlier pip check in the C code passed. *)
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(xs : taskstatus)
(H12 : isptr x0)
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
v´38 (cur_prio, st, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, st, Vnull)
tcbls_r´ tcbls_r)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(* The part of the list after the current task is itself split: v´34
   are the nodes from x0 up to (not including) the owner, the owner
   node follows, and v´36 are the nodes after the owner. *)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_r´)
(Htcblist_sub_left : TCBList_P x0 v´34 v´38 tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 v´38 tcbls_sub_r)
(ptcb_addr : block)
(x10 : val)
(H31 : isptr x10)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(ptcb_stat : int32)
(H44 : Int.unsigned ptcb_stat <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(i7 : int32)
(H47 : Int.unsigned i7 <= 255)
(i6 : int32)
(H48 : Int.unsigned i6 <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H17 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(* Abstract mutex: pip = x >> 8, owner = (ptcb_addr, base priority
   mprio), wait set wls. *)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(* The owner is a task distinct from the caller and lives in the right
   half of the list (status xs is left abstract here). *)
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, xs, xm))
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(H_ptcb_in_right : TcbMod.get tcbls_r´ (ptcb_addr, Int.zero) =
Some (ptcb_prio, xs, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, xs, xm) tcbls_sub_r v´52)
(Hget_last_tcb : get_last_tcb_ptr v´34 x0 =
Some (Vptr (ptcb_addr, Int.zero)))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, xs, xm))
(Htcblist_subr : TCBList_P x0
(v´34 ++
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6
::
Vint32 i2 :: nil) :: v´36)
v´38 tcbls_r´)
(Hptcb_blk : RL_TCBblk_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil))
(Hptcb_stat : R_TCB_Status_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7
:: Vint32 i6 :: Vint32 i2 :: nil)
v´38 (ptcb_prio, xs, xm))
(* The owner is not the idle task and its priority is a valid index
   (0 <= ptcb_prio < 64). *)
(Hptcb_prio_not_idle : ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcb_prio_scope_obv : 0 <= Int.unsigned ptcb_prio)
(Hptcb_prio_scope : Int.unsigned ptcb_prio < 64)
(* The branch condition of this path: the owner's status field
   (ptcb_stat, 6th field of its TCB) is not OS_STAT_RDY, or its 5th
   field i11 (presumably the delay counter) is nonzero -- the owner is
   not ready to run. *)
(Hif_ptcb_is_not_rdy : ptcb_stat <> $ OS_STAT_RDY \/ i11 <> $ 0)
,
(* Function spec: abstract operations OSQ_spec, scheduler GetHPrio,
   invariant I, and the return frame.  On return every local is
   existentially quantified, interrupts are enabled (Aie true) and the
   critical-section stack is empty (Acs nil), and the abstract
   operation has reached [END v]. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition at this program point.  The owner TCB has been pulled
   out of the list as a separate Astruct, with tcbdllseg segments for
   the nodes before (v´34) and after (v´36) it. *)
{{Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 i7 :: Vint32 i6 :: Vint32 i2 :: nil) **
tcbdllseg x0 (Vptr (cur_addr, Int.zero)) v´43
(Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´42 Vnull v´36 **
<|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
dllseg v´33 Vnull v´26 (Vptr (cur_addr, Int.zero)) v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
(* Interrupts are disabled and one critical section is open, which is
   why EXIT_CRITICAL must run before RETURN to reach the Aie true /
   Acs nil of the return frame. *)
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp v´38 v´39 **
AOSTCBPrioTbl v´32 v´38 tcbls v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
(* Leave the critical section, then return the error code for an
   owner that is not ready. *)
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_NEST {{Afalse}}
.
(* Verification condition for the OSMutexPend deadlock error path.
   Situation encoded by the hypotheses: the mutex at pevent_addr is
   held (Hmutex_not_avail) by a ready task at ptcb_addr (Hif_ptcb_is_rdy1,
   Hif_ptcb_is_rdy2) whose TCB sits to the right of the current task in
   OSTCBList, and the priority recorded in the mutex's low byte equals
   the calling task's priority (Hcur_prio_eql_mprio).  Under the
   precondition the remaining statements
   [EXIT_CRITICAL; RETURN OS_ERR_MUTEX_DEADLOCK] must satisfy the
   function spec; the trailing Afalse records that RETURN never falls
   through.
   NOTE(review): the deadlock test is on priority equality, while
   H_ptcb_not_cur only states that the owner TCB is a different
   address.  The two are consistent only if priorities are unique per
   task, which the priority-table invariants folded into
   AOSTCBPrioTbl presumably guarantee -- confirm.  Binder names are
   relied on by the proof scripts; do not rename them. *)
Definition gen_mutex_pend_cur_prio_eql_mprio_right_to_cur:= forall
(* i is the timeout argument (local [timeout] and second argument of the
   mutexpend abstract operation). *)
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(* Stale fact about earlier ghost variables; the live one is H10. *)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(v´32 : vallist)
(v´33 : val)
(v´35 : list vallist)
(* os_rdy_tbl is the ready table shared by every TCBList_P / TCBNode_P
   fact below and by AOSRdyTblGrp in the precondition. *)
(os_rdy_tbl : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(v´53 : addrval)
(* Event list split around the pended mutex: v´27/v´29 before it (H4),
   v´28/v´30 after it (H5); v´40 = v´49 join v´51 (H11), and v´51 is the
   mutex joined with v´50 (H8 below). *)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(* TCB list split at the current task: tcbls_l before cur_addr,
   tcbls_r from cur_addr onwards. *)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(Htcblist_subl : TCBList_P v´33 v´35 os_rdy_tbl tcbls_l)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(* The caller is not the idle task. *)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(* Trivially true side facts from symbolic execution. *)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(x0 : val)
(tcbls_r´ : TcbMod.map)
(* x is the 16-bit count word of the mutex event (presumably
   OSEventCnt): high byte x >> 8 is pip, low byte
   x & OS_MUTEX_KEEP_LOWER_8 is the owner's recorded priority mprio,
   cf. LV pip / LV mprio in the precondition. *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(* The mutex is owned. *)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(* pip is numerically below the caller's priority (unsigned compare). *)
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(H12 : isptr x0)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(* Right half of the list split again: v´34 from x0 up to the owner,
   the owner node, then v´36. *)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_r´)
(Htcblist_sub_left : TCBList_P x0 v´34 os_rdy_tbl tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 os_rdy_tbl tcbls_sub_r)
(ptcb_addr : block)
(x10 : val)
(H31 : isptr x10)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(ptcb_stat : int32)
(H44 : Int.unsigned ptcb_stat <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(* ptcb_tcby / ptcb_bitx: the owner's ready-table row and bit fields
   (9th and 10th TCB fields); only their byte range is known here. *)
(ptcb_tcby : int32)
(H47 : Int.unsigned ptcb_tcby <= 255)
(ptcb_bitx : int32)
(H48 : Int.unsigned ptcb_bitx <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H17 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(* Abstract mutex: pip = x >> 8, owner = (ptcb_addr, base priority
   mprio), wait set wls. *)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(* The owner TCB is a different address than the caller's. *)
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(Hget_last_tcb : get_last_tcb_ptr v´34 x0 =
Some (Vptr (ptcb_addr, Int.zero)))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(Htcblist_subr : TCBList_P x0
(v´34 ++
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
::
Vint32 i2 :: nil) :: v´36)
os_rdy_tbl tcbls_r´)
(Hptcb_blk : RL_TCBblk_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil))
(* The owner is not the idle task and its priority is a valid index. *)
(Hptcb_prio_not_idle : ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcb_prio_scope_obv : 0 <= Int.unsigned ptcb_prio)
(Hptcb_prio_scope : Int.unsigned ptcb_prio < 64)
(* The owner is ready: status field OS_STAT_RDY and 5th field i11 (the
   delay counter, presumably) zero.  This is the complement of
   Hif_ptcb_is_not_rdy in the sibling condition, and it is why the
   abstract status of the owner is [rdy] from here on. *)
(Hif_ptcb_is_rdy1 : ptcb_stat = $ OS_STAT_RDY)
(Hif_ptcb_is_rdy2 : i11 = $ 0)
(* Ready-table shape facts: byte entries, OS_RDY_TBL_SIZE of them,
   consistent with the group value v´39; the idle task is always in
   the ready table (Hgrp2). *)
(Hrtbl_type : array_type_vallist_match Int8u os_rdy_tbl)
(Hrtbl_len : length os_rdy_tbl = ∘OS_RDY_TBL_SIZE)
(Hgrp1 : RL_Tbl_Grp_P os_rdy_tbl v´39)
(Hgrp2 : prio_in_tbl ($ OS_IDLE_PRIO) os_rdy_tbl)
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, rdy, xm))
(H_ptcb_in_right : TcbMod.get tcbls_r´ (ptcb_addr, Int.zero) =
Some (ptcb_prio, rdy, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, rdy, xm) tcbls_sub_r v´52)
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(Hptcb_stat : R_TCB_Status_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(* Abstract view of the caller: priority cur_prio, ready, no message. *)
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
os_rdy_tbl (cur_prio, rdy, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, rdy, Vnull)
tcbls_r´ tcbls_r)
(* The branch condition of this path: the owner priority recorded in
   the mutex (mprio) equals the caller's priority. *)
(Hcur_prio_eql_mprio : Int.eq (x&$ OS_MUTEX_KEEP_LOWER_8) cur_prio = true)
,
(* Function spec and return frame: locals existentially quantified,
   interrupts enabled, critical-section stack empty, abstract
   operation at [END v]. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition at this program point: owner TCB pulled out as a
   separate Astruct between the two tcbdllseg segments. *)
{{Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil) **
tcbdllseg x0 (Vptr (cur_addr, Int.zero)) v´43
(Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´42 Vnull v´36 **
<|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
dllseg v´33 Vnull v´26 (Vptr (cur_addr, Int.zero)) v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
(* Interrupts disabled, one critical section open: EXIT_CRITICAL is
   needed before RETURN to meet the Aie true / Acs nil of the frame. *)
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp os_rdy_tbl v´39 **
AOSTCBPrioTbl v´32 os_rdy_tbl tcbls v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
(* Leave the critical section, then report the deadlock. *)
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEX_DEADLOCK {{Afalse}}
.
(* Verification condition for the OSMutexPend path that would raise the
   owner's priority to pip but finds that the pip slot of
   OSTCBPrioTbl is not reserved by OSPlaceHolder (Hif_true), so the
   code bails out with OS_ERR_MUTEXPR_NOT_HOLDER.  Situation: mutex
   held by a ready task at ptcb_addr to the right of the caller, the
   caller's priority differs from the recorded owner priority
   (Hif_false / Hnocur) and is numerically below it (Hif_can_lift2),
   and the owner is not already at pip (Hif_can_lift1).  Compared with
   the sibling conditions the precondition exposes the raw priority
   table (GAarray OSTCBPrioTbl ... ptbl), the placeholder address v´53
   and its cell (PV v´53), because the C code has just read
   OSTCBPrioTbl[pip].  The trailing Afalse records that RETURN never
   falls through.  Binder names are relied on by the proof scripts;
   do not rename them. *)
Definition gen_mutex_pend_pip_is_not_hold_right_to_cur:= forall
(* i is the timeout argument (local [timeout] and second argument of the
   mutexpend abstract operation). *)
(i : int32)
(H1 : Int.unsigned i <= 65535)
(v´ : val)
(v´0 : val)
(v´1 : val)
(v´2 : val)
(v´3 : val)
(v´4 : val)
(v´5 : list vallist)
(v´6 : list vallist)
(v´7 : list vallist)
(v´8 : list EventData)
(v´9 : list EventCtr)
(v´10 : vallist)
(v´11 : val)
(v´12 : val)
(v´13 : list vallist)
(v´14 : vallist)
(v´15 : list vallist)
(v´16 : vallist)
(v´17 : val)
(v´18 : EcbMod.map)
(v´19 : TcbMod.map)
(v´20 : int32)
(v´21 : addrval)
(v´22 : addrval)
(v´23 : val)
(v´24 : list vallist)
(* Stale fact about earlier ghost variables; the live one is H10. *)
(H0 : RH_CurTCB v´21 v´19)
(v´27 : list EventCtr)
(v´28 : list EventCtr)
(v´29 : list EventData)
(v´30 : list EventData)
(* ptbl is the contents of OSTCBPrioTbl (64 OS_TCB pointers, see
   Hptbl_1 / Hptbl_2 and the GAarray cell in the precondition). *)
(ptbl : vallist)
(v´33 : val)
(v´35 : list vallist)
(os_rdy_tbl : vallist)
(v´39 : val)
(v´40 : EcbMod.map)
(tcbls : TcbMod.map)
(v´44 : val)
(v´46 : vallist)
(v´48 : val)
(v´49 : EcbMod.map)
(v´50 : EcbMod.map)
(v´51 : EcbMod.map)
(* v´53 is the address of the global OSPlaceHolder byte; the table
   entry read in Hif_true is compared against Vptr v´53. *)
(v´53 : addrval)
(* Event list split around the pended mutex: v´27/v´29 before it (H4),
   v´28/v´30 after it (H5); v´40 = v´49 join v´51 (H11), and v´51 is the
   mutex joined with v´50 (H8 below). *)
(H5 : ECBList_P v´48 Vnull v´28 v´30 v´50 tcbls)
(H11 : EcbMod.join v´49 v´51 v´40)
(H14 : length v´27 = length v´29)
(v´25 : addrval)
(pevent_addr : block)
(H13 : array_type_vallist_match Int8u v´46)
(H19 : length v´46 = ∘OS_EVENT_TBL_SIZE)
(H20 : isptr v´48)
(x3 : val)
(i0 : int32)
(H22 : Int.unsigned i0 <= 255)
(H18 : RL_Tbl_Grp_P v´46 (Vint32 i0))
(H25 : isptr v´48)
(H4 : ECBList_P v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 v´49 tcbls)
(H2 : isptr (Vptr (pevent_addr, Int.zero)))
(H16 : id_addrval´ (Vptr (pevent_addr, Int.zero)) OSEventTbl OS_EVENT =
Some v´25)
(H21 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255)
(wls : waitset)
(v´26 : val)
(v´42 : val)
(tcbls_l : TcbMod.map)
(tcbls_r : TcbMod.map)
(cur_addr : block)
(H29 : v´33 <> Vnull)
(* TCB list split at the current task: tcbls_l before cur_addr,
   tcbls_r from cur_addr onwards. *)
(Htcbjoin_whole : TcbMod.join tcbls_l tcbls_r tcbls)
(Htcblist_subl : TCBList_P v´33 v´35 os_rdy_tbl tcbls_l)
(H28 : Vptr (cur_addr, Int.zero) <> Vnull)
(x12 : val)
(H35 : isptr x12)
(cur_prio : int32)
(H39 : Int.unsigned cur_prio <= 255)
(i5 : int32)
(H40 : Int.unsigned i5 <= 255)
(i4 : int32)
(H41 : Int.unsigned i4 <= 255)
(i3 : int32)
(H42 : Int.unsigned i3 <= 255)
(i1 : int32)
(H43 : Int.unsigned i1 <= 255)
(H34 : isptr v´26)
(H : RH_TCBList_ECBList_P v´40 tcbls (cur_addr, Int.zero))
(H10 : RH_CurTCB (cur_addr, Int.zero) tcbls)
(* The caller is not the idle task. *)
(Hneq_idle : cur_prio <> $ OS_IDLE_PRIO)
(* Trivially true side facts from symbolic execution. *)
(H37 : Int.unsigned ($ 0) <= 65535)
(H38 : Int.unsigned ($ OS_STAT_RDY) <= 255)
(H36 : isptr Vnull)
(x0 : val)
(tcbls_r´ : TcbMod.map)
(* x is the 16-bit count word of the mutex event (presumably
   OSEventCnt): high byte x >> 8 is pip, low byte
   x & OS_MUTEX_KEEP_LOWER_8 is the owner's recorded priority mprio,
   cf. LV pip / LV mprio in the precondition. *)
(x : int32)
(F2 : Int.unsigned x <= 65535)
(H23 : Int.unsigned x <= 65535)
(Fneq_i2_1 : Int.unsigned (x>>ᵢ$ 8) <= 255)
(Fneq_i2_2 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) <= 255)
(* The mutex is owned. *)
(Hmutex_not_avail : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE)
(Feq_i2_1 : x>>ᵢ$ 8 = Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
(* pip is numerically below the caller's priority (unsigned compare). *)
(Hcur_prio : Int.ltu (x>>ᵢ$ 8) cur_prio = true)
(ptcb_prio : priority)
(xm : msg)
(H12 : isptr x0)
(v´34 : list vallist)
(v´36 : list vallist)
(v´43 : val)
(v´45 : val)
(tcbls_sub_l : TcbMod.map)
(v´52 : TcbMod.map)
(tcbls_sub_r : TcbMod.map)
(* Right half of the list split again: v´34 from x0 up to the owner,
   the owner node, then v´36. *)
(Htcbjoin_sub_whole : TcbMod.join tcbls_sub_l v´52 tcbls_r´)
(Htcblist_sub_left : TCBList_P x0 v´34 os_rdy_tbl tcbls_sub_l)
(Htcblist_sub_right : TCBList_P v´45 v´36 os_rdy_tbl tcbls_sub_r)
(ptcb_addr : block)
(x10 : val)
(H31 : isptr x10)
(i11 : int32)
(H33 : Int.unsigned i11 <= 65535)
(ptcb_stat : int32)
(H44 : Int.unsigned ptcb_stat <= 255)
(i8 : int32)
(H46 : Int.unsigned i8 <= 255)
(* ptcb_tcby / ptcb_bitx: the owner's ready-table row and bit fields;
   only their byte range is known here. *)
(ptcb_tcby : int32)
(H47 : Int.unsigned ptcb_tcby <= 255)
(ptcb_bitx : int32)
(H48 : Int.unsigned ptcb_bitx <= 255)
(i2 : int32)
(H49 : Int.unsigned i2 <= 255)
(H30 : isptr v´43)
(H17 : isptr v´45)
(H24 : isptr (Vptr (ptcb_addr, Int.zero)))
(H7 : R_ECB_ETbl_P (pevent_addr, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) tcbls)
(H3 : ECBList_P v´44 Vnull
(v´27 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil,
v´46) :: nil) ++ v´28)
(v´29 ++
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)) :: nil) ++ v´30)
v´40 tcbls)
(* Abstract mutex: pip = x >> 8, owner = (ptcb_addr, base priority
   mprio), wait set wls. *)
(H8 : EcbMod.joinsig (pevent_addr, Int.zero)
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls)
v´50 v´51)
(Hget : EcbMod.get v´40 (pevent_addr, Int.zero) =
Some
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H26 : RH_ECB_P
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(H6 : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero)))
(absmutexsem (x>>ᵢ$ 8)
(Some (ptcb_addr, Int.zero, x&$ OS_MUTEX_KEEP_LOWER_8)), wls))
(* The owner TCB is a different address than the caller's. *)
(H_ptcb_not_cur : (ptcb_addr, Int.zero) <> (cur_addr, Int.zero))
(Hget_last_tcb : get_last_tcb_ptr v´34 x0 =
Some (Vptr (ptcb_addr, Int.zero)))
(H32 : isptr xm)
(H45 : Int.unsigned ptcb_prio <= 255)
(Htcblist_subr : TCBList_P x0
(v´34 ++
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
::
Vint32 i2 :: nil) :: v´36)
os_rdy_tbl tcbls_r´)
(Hptcb_blk : RL_TCBblk_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil))
(* The owner is not the idle task and its priority is a valid index. *)
(Hptcb_prio_not_idle : ptcb_prio <> $ OS_IDLE_PRIO)
(Hptcb_prio_scope_obv : 0 <= Int.unsigned ptcb_prio)
(Hptcb_prio_scope : Int.unsigned ptcb_prio < 64)
(* The owner is ready: status OS_STAT_RDY and 5th field i11 (the delay
   counter, presumably) zero; hence the abstract status [rdy] below. *)
(Hif_ptcb_is_rdy1 : ptcb_stat = $ OS_STAT_RDY)
(Hif_ptcb_is_rdy2 : i11 = $ 0)
(* Ready-table shape facts; the idle task is always in the table. *)
(Hrtbl_type : array_type_vallist_match Int8u os_rdy_tbl)
(Hrtbl_len : length os_rdy_tbl = ∘OS_RDY_TBL_SIZE)
(Hgrp1 : RL_Tbl_Grp_P os_rdy_tbl v´39)
(Hgrp2 : prio_in_tbl ($ OS_IDLE_PRIO) os_rdy_tbl)
(H_ptcb : TcbMod.get tcbls (ptcb_addr, Int.zero) = Some (ptcb_prio, rdy, xm))
(H_ptcb_in_right : TcbMod.get tcbls_r´ (ptcb_addr, Int.zero) =
Some (ptcb_prio, rdy, xm))
(Htcbjoin_sub_right : TcbMod.joinsig (ptcb_addr, Int.zero)
(ptcb_prio, rdy, xm) tcbls_sub_r v´52)
(Hptcb_node : TCBNode_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(Hptcb_stat : R_TCB_Status_P
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx
:: Vint32 i2 :: nil) os_rdy_tbl
(ptcb_prio, rdy, xm))
(* Abstract view of the caller: priority cur_prio, ready, no message. *)
(Hgetcur_subr : TcbMod.get tcbls_r (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hgetcur : TcbMod.get tcbls (cur_addr, Int.zero) =
Some (cur_prio, rdy, Vnull))
(Hcurnode : TCBNode_P
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3 :: Vint32 i1 :: nil)
os_rdy_tbl (cur_prio, rdy, Vnull))
(Htcbjoin_right : TcbJoin (cur_addr, Int.zero) (cur_prio, rdy, Vnull)
tcbls_r´ tcbls_r)
(* The deadlock case of the sibling condition is excluded: cur_prio
   differs from mprio (both orientations of the comparison). *)
(Hif_false : Int.eq (x&$ OS_MUTEX_KEEP_LOWER_8) cur_prio = false)
(Hnocur : Int.eq cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = false)
(H_cur_prio_scope : Int.unsigned cur_prio < 64)
(* Index bound for the table read in Hif_true: pip < 64 together with
   length ptbl = 64 (Hptbl_2) keeps nth_val´ in range. *)
(Hx_scope1 : Int.unsigned (x>>ᵢ$ 8) < 64)
(* Conditions under which the priority lift would be attempted: the
   owner is not already running at pip, and cur_prio is numerically
   below the owner's recorded base priority mprio, i.e. the caller
   is the higher-priority task. *)
(Hif_can_lift1 : ptcb_prio <> x>>ᵢ$ 8)
(Hif_can_lift2 : Int.ltu cur_prio (x&$ OS_MUTEX_KEEP_LOWER_8) = true)
(* v´31 is the current contents of the OSPlaceHolder byte (PV v´53). *)
(v´31 : val)
(Hptbl_1 : array_type_vallist_match OS_TCB ∗ ptbl)
(Hptbl_2 : length ptbl = 64%nat)
(H15 : RL_RTbl_PrioTbl_P os_rdy_tbl ptbl v´53)
(H27 : R_PrioTbl_P ptbl tcbls v´53)
(* The branch condition of this path: the C test
   OSTCBPrioTbl[pip] != (OS_TCB *)&OSPlaceHolder evaluated to true.
   bop_eval compares the ptbl entry at index pip with Vptr v´53 using
   oeq, uop_eval applies oppsite (presumably logical negation), and the
   three conjuncts say the result is neither zero, null nor undefined. *)
(Hif_true : val_inj
(uop_eval
(val_inj
(bop_eval
(nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) ptbl)
(Vptr v´53) OS_TCB ∗ OS_TCB ∗ oeq)) oppsite) <>
Vint32 Int.zero /\
val_inj
(uop_eval
(val_inj
(bop_eval
(nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) ptbl)
(Vptr v´53) OS_TCB ∗ OS_TCB ∗ oeq)) oppsite) <> Vnull /\
val_inj
(uop_eval
(val_inj
(bop_eval
(nth_val´ (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) ptbl)
(Vptr v´53) OS_TCB ∗ OS_TCB ∗ oeq)) oppsite) <>
Vundef)
,
(* Function spec and return frame: locals existentially quantified,
   interrupts enabled, critical-section stack empty, abstract
   operation at [END v]. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV timeout @ Int16u |-> v0) **
(EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV mprio @ Int8u |-> v0) **
(EX v0 : val, LV isrdy @ Int8u |-> v0) **
(EX v0 : val, LV ptcb @ OS_TCB ∗ |-> v0) **
(EX v0 : val, LV pevent2 @ OS_EVENT ∗ |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition at this program point.  Unlike the sibling conditions
   the priority table is not folded into AOSTCBPrioTbl: the raw array
   (GAarray OSTCBPrioTbl), the placeholder address (G&OSPlaceHolder)
   and its byte cell (PV v´53) are exposed because the table was just
   read.  The proof presumably has to refold them to re-establish the
   invariant before the return frame. *)
{{PV v´53 @ Int8u |-> v´31 **
Astruct (ptcb_addr, Int.zero) OS_TCB
(v´45
:: v´43
:: x10
:: xm
:: Vint32 i11
:: Vint32 ptcb_stat
:: Vint32 ptcb_prio
:: Vint32 i8
:: Vint32 ptcb_tcby
:: Vint32 ptcb_bitx :: Vint32 i2 :: nil) **
tcbdllseg x0 (Vptr (cur_addr, Int.zero)) v´43
(Vptr (ptcb_addr, Int.zero)) v´34 **
tcbdllseg v´45 (Vptr (ptcb_addr, Int.zero)) v´42 Vnull v´36 **
<|| mutexpend (Vptr (pevent_addr, Int.zero) :: Vint32 i :: nil) ||> **
LV ptcb @ OS_TCB ∗ |-> Vptr (ptcb_addr, Int.zero) **
LV mprio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (cur_addr, Int.zero) OS_TCB
(x0
:: v´26
:: x12
:: Vnull
:: V$0
:: V$OS_STAT_RDY
:: Vint32 cur_prio
:: Vint32 i5
:: Vint32 i4 :: Vint32 i3 :: Vint32 i1 :: nil) **
GV OSTCBList @ OS_TCB ∗ |-> v´33 **
dllseg v´33 Vnull v´26 (Vptr (cur_addr, Int.zero)) v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (cur_addr, Int.zero) **
AEventData
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil)
(DMutex (Vint32 x) (Vptr (ptcb_addr, Int.zero))) **
Astruct (pevent_addr, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i0
:: Vint32 x :: Vptr (ptcb_addr, Int.zero) :: x3 :: v´48 :: nil) **
Aarray v´25 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´46 **
(* Interrupts disabled, one critical section open: EXIT_CRITICAL is
   needed before RETURN to meet the Aie true / Acs nil of the frame. *)
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´44 **
evsllseg v´44 (Vptr (pevent_addr, Int.zero)) v´27 v´29 **
evsllseg v´48 Vnull v´28 v´30 **
A_isr_is_prop **
AOSRdyTblGrp os_rdy_tbl v´39 **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64) ptbl **
G&OSPlaceHolder @ Int8u == v´53 **
HECBList v´40 **
HTCBList tcbls **
HCurTCB (cur_addr, Int.zero) **
LV legal @ Int8u |-> (V$1) **
AOSEventFreeList v´5 **
AOSQFreeList v´6 **
AOSQFreeBlk v´7 **
AOSMapTbl **
AOSUnMapTbl **
AOSIntNesting **
AOSTCBFreeList v´23 v´24 **
AOSTime (Vint32 v´20) **
HTime v´20 **
AGVars **
atoy_inv´ **
LV pevent2 @ OS_EVENT ∗ |-> v´4 **
LV isrdy @ Int8u |-> v´2 **
LV timeout @ Int16u |-> Vint32 i **
LV pevent @ OS_EVENT ∗ |-> Vptr (pevent_addr, Int.zero) **
A_dom_lenv
((timeout, Int16u)
:: (pevent, OS_EVENT ∗)
:: (legal, Int8u)
:: (pip, Int8u)
:: (mprio, Int8u)
:: (isrdy, Int8u)
:: (ptcb, OS_TCB ∗) :: (pevent2, OS_EVENT ∗) :: nil)}}
(* Leave the critical section, then report that the pip slot is not
   held by the placeholder. *)
EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_MUTEXPR_NOT_HOLDER {{Afalse}}
.
(* Obligation for the priority hand-back segment of OSMutexPost.  The
   statements under proof are the If on OSTCBCur ′ → OSTCBPrio ==ₑ pip ′
   (set the current task's OSTCBPrio to prio ′, rebuild its OSRdyTbl /
   OSRdyGrp bits, swap the two OSTCBPrioTbl slots), then the If on
   pevent ′ → OSEventGrp !=ₑ ′0 (call OS_EventTaskRdy, refresh OSEventCnt /
   OSEventPtr) and the no-waiter path.  Both paths end in RETURN, hence the
   postcondition Afalse.
   Naming used throughout: v´29 is the block of the posted event, v´52 the
   block of the current TCB (HCurTCB (v´52, Int.zero)); x is the third cell
   of that OS_EVENT value list -- its upper 8 bits (Int.shru x ($ 8)) back
   the local pip, its lower 8 bits (x & OS_MUTEX_KEEP_LOWER_8) back the local
   prio, see the LV pip / LV prio cells of the precondition.  The not-holder
   rejection (RETURN ′OS_ERR_MUTEXPR_NOT_HOLDER in the preceding definition)
   is already behind this point: the fourth cell of the event value list
   (presumably OSEventPtr, cf. the assignment to pevent ′ → OSEventPtr below)
   is Vptr (v´52, $ 0), i.e. the current task. *)
Definition gen_MutexPostPart1:= forall (
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
(* The event list is split around the posted event: H2 is the prefix
   (v´25, v´27, abstract map v´47) ending at Vptr (v´29, Int.zero), H3 the
   suffix (v´26, v´28, map v´48) starting at v´46.  H6 below adds the event
   itself to v´48, giving v´49; H17 joins v´47 with v´49 into the full
   abstract ECB map v´38. *)
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H15 : Int.unsigned (Int.shru x ($ 8)) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´50 : val
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
x8 : val
)(
x9 : val
)(
H37 : isptr x9
)(
H38 : isptr x8
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
i5 : int32
)(
H40 : Int.unsigned i5 <= 255
)(
i4 : int32
)(
H41 : Int.unsigned i4 <= 255
)(
i3 : int32
)(
H42 : Int.unsigned i3 <= 255
)(
i2 : int32
)(
H43 : Int.unsigned i2 <= 255
)(
i1 : int32
)(
H44 : Int.unsigned i1 <= 255
)(
i0 : int32
)(
H45 : Int.unsigned i0 <= 255
)(
H36 : isptr v´24
)(
H27 : isptr v´50
)(
(* The current TCB heads the second half of the TCB list (v´35, map v´45);
   its value list is the one materialised by Astruct (v´52, Int.zero) in
   the precondition. *)
H34 : TCBList_P (Vptr (v´52, Int.zero))
((v´50
:: v´24
:: x9
:: x8
:: Vint32 i6
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3
:: Vint32 i2
:: Vint32 i1 :: Vint32 i0 :: nil) :: v´35)
v´36 v´45
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H28 : Int.ltu i4 (Int.shru x ($ 8)) = false
)(
(* Case split on the low byte of x against OS_MUTEX_AVAILABLE; H35 selects
   the not-available case, and H26 then turns it into an owner pair whose
   tid is (v´52, $ 0).  H47: the pip (upper 8 bits) is unsigned-less-than
   the lower 8 bits that are paired with that tid; H15/H48 bound both by 64. *)
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H47 : Int.ltu (Int.shru x ($ 8)) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
(* Abstract view of the posted event: absmutexsem with pip Int.shru x ($ 8),
   owner (v´52, $ 0) at priority x & OS_MUTEX_KEEP_LOWER_8, wait set w.
   H4/H13/H25/H26 and backup restate the owner/wait-set relation in the
   pieces the surrounding proof uses. *)
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (Int.shru x ($ 8)) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (Int.shru x ($ 8)) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (Int.shru x ($ 8))
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
(* OSTCBPrioTbl is v´30: element type OS_TCB ∗, length 64, related to the
   ready table v´36 and the placeholder address v´51 by H49/H50.  H52/H53
   are its slots at the lower-8-bit priority (x1) and at the pip (x0). *)
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (Int.shru x ($ 8)))) v´30 = Some x0
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
(* Unmap chain over the event's group byte i and its table v´44:
   x2 = OSUnMapVallist[i] (H61), x4 = v´44[x2] (H63),
   x5 = OSUnMapVallist[x4] (H66), each below 8 (fffbb, ttfasd).  The
   precondition keeps (x2<<$ 3)+ᵢx5 in local os_code_defs.x and x2 in
   local legal; presumably this is the highest-priority waiter. *)
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
(* Denotation of the C test  i != 0 && ((x2<<3)+x5 <= (x>>8) mod 256):
   it came out as Vint32 Int.zero or Vnull, so the branch it guards is
   presumably the one not taken in this part. *)
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)
(* Carried in from the caller: the Vint32 i5 and Vint32 i6 cells of the
   current TCB's value list are OS_STAT_RDY and 0. *)
(last_condition : i5 = $ OS_STAT_RDY /\ i6 = $ 0 )
,
(* Judgement under OSQ_spec / GetHPrio / invariant I; the fun v clause is
   presumably the return assertion: the five locals framed existentially,
   interrupts back on, and <|| END v ||>. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: abstract code mutexpost on the event; locals pip and prio
   hold the upper / lower 8 bits of x (reduced mod Byte.modulus); the
   current TCB struct, both dllseg halves of the TCB list, the event struct
   with its table, OSRdyTbl / OSRdyGrp and OSTCBPrioTbl are explicit; Aie
   false and Acs (true :: nil), i.e. still inside the critical section that
   EXIT_CRITICAL below leaves. *)
{{ <|| mutexpost (Vptr (v´29, Int.zero) :: nil) ||> **
LV os_code_defs.x @ Int8u |-> Vint32 ((x2<<$ 3)+ᵢx5) **
LV legal @ Int8u |-> Vint32 x2 **
PV v´51 @ Int8u |-> v´32 **
Astruct (v´52, Int.zero) OS_TCB
(v´50
:: v´24
:: x9
:: x8
:: Vint32 i6
:: Vint32 i5
:: Vint32 i4
:: Vint32 i3
:: Vint32 i2 :: Vint32 i1 :: Vint32 i0 :: nil) **
dllseg v´50 (Vptr (v´52, Int.zero)) v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´31 **
dllseg v´31 Vnull v´24 (Vptr (v´52, Int.zero)) v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
LV prio @ Int8u
|-> Vint32 (Int.modu (x&$ OS_MUTEX_KEEP_LOWER_8) ($ Byte.modulus)) **
LV pip @ Int8u |-> Vint32 (Int.modu (Int.shru x ($ 8)) ($ Byte.modulus)) **
Astruct (v´29, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil) **
Aarray v´23 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´44 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
A_isr_is_prop **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE) v´36 **
GV OSRdyGrp @ Int8u |-> Vint32 i7 **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64) v´30 **
G&OSPlaceHolder @ Int8u == v´51 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSMapTbl **
GAarray OSUnMapTbl (Tarray Int8u 256) OSUnMapVallist **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
(* Statements under proof.  Note the guard inside the first If: if the
   OSTCBPrioTbl slot of prio ′ is not the PlaceHolder, the code leaves the
   critical section and returns OS_ERR_ORIGINAL_NOT_HOLDER without touching
   any task state; only past that check are the priority, ready-table bits
   and both OSTCBPrioTbl slots rewritten. *)
If(OSTCBCur ′ → OSTCBPrio ==ₑ pip ′)
{If(OSTCBPrioTbl ′ [prio ′] !=ₑ 〈OS_TCB ∗ 〉 os_mutex.PlaceHolder)
{EXIT_CRITICAL;ₛ
RETURN ′OS_ERR_ORIGINAL_NOT_HOLDER} ;ₛ
OSRdyTbl ′ [OSTCBCur ′ → OSTCBY] &= ∼ OSTCBCur ′ → OSTCBBitX;ₛ
If(OSRdyTbl ′ [OSTCBCur ′ → OSTCBY] ==ₑ ′0)
{OSRdyGrp ′ &= ∼ OSTCBCur ′ → OSTCBBitY} ;ₛ
OSTCBCur ′ → OSTCBPrio =ₑ prio ′;ₛ
OSTCBCur ′ → OSTCBY =ₑ prio ′ ≫ ′3;ₛ
OSTCBCur ′ → OSTCBBitY =ₑ OSMapTbl ′ [OSTCBCur ′ → OSTCBY];ₛ
OSTCBCur ′ → OSTCBX =ₑ prio ′ &ₑ ′7;ₛ
OSTCBCur ′ → OSTCBBitX =ₑ OSMapTbl ′ [OSTCBCur ′ → OSTCBX];ₛ
OSRdyGrp ′ =ₑ OSRdyGrp ′ |ₑ OSTCBCur ′ → OSTCBBitY;ₛ
OSRdyTbl ′ [OSTCBCur ′ → OSTCBY] =ₑ
OSRdyTbl ′ [OSTCBCur ′ → OSTCBY] |ₑ OSTCBCur ′ → OSTCBBitX;ₛ
OSTCBPrioTbl ′ [prio ′] =ₑ 〈OS_TCB ∗ 〉 OSTCBCur ′;ₛ
OSTCBPrioTbl ′ [pip ′] =ₑ 〈OS_TCB ∗ 〉 os_mutex.PlaceHolder} ;ₛ
If(pevent ′ → OSEventGrp !=ₑ ′0)
{os_code_defs.x ′ =ₑ ′OS_STAT_MUTEX;ₛ
prio ′ =ᶠ OS_EventTaskRdy (·pevent ′, 〈(Void) ∗ 〉 pevent ′,
os_code_defs.x ′·);ₛ
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR} ;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ ′OS_MUTEX_AVAILABLE;ₛ
pevent ′ → OSEventPtr =ₑ NULL;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR {{Afalse}}
.
(* Obligation for the tail of the OSEventGrp != 0 branch of OSMutexPost,
   right after prio ′ =ᶠ OS_EventTaskRdy (...) has returned.  The
   precondition is that call's postcondition, event_rdy_post1 applied to
   the call's arguments, its result Some v´37 and the logic_... list that
   fixes the caller's state; v´37 sits in local prio.  What remains is to
   fold prio ′ into OSEventCnt, point OSEventPtr at OSTCBPrioTbl ′ [prio ′],
   leave the critical section, call OS_Sched and RETURN ′OS_NO_ERR.
   The logic_... list is presumably the state left by the hand-back block
   of gen_MutexPostPart1: OSTCBPrioTbl (v´30) with the slot of
   x & OS_MUTEX_KEEP_LOWER_8 set to the current TCB and the slot of x>>ᵢ$ 8
   set to Vptr v´51 (the placeholder address in gen_MutexPostPart1), the
   current TCB's value list re-keyed to that lower 8-bit priority with bits
   x11 / x8 taken from OSMapVallist (H81, H74), the ready table v´36 with
   the (x>>ᵢ$ 8) bit cleared and x11 or-ed into the new row, and the
   abstract TCB map TcbMod.set v´39 (v´52, Int.zero) (x & ..., t, m).
   Naming as in gen_MutexPostPart1: v´29 is the posted event's block, v´52
   the current TCB's block, x the third cell of the OS_EVENT value list. *)
Definition gen_MutexPostPart3133:= forall
(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
(* Event list split around the posted event: H2 is the prefix (v´25, v´27,
   map v´47), H3 the suffix (v´26, v´28, map v´48); H6 below adds the event
   itself to v´48 giving v´49, and H17 joins v´47 with v´49 into v´38. *)
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
(* x7 / x10: the rest of the TCB list after the current TCB and its abstract
   map; (t, m) is the status / message part of the current task's abstract
   entry (see H70 below). *)
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
(* Not-available case of the mutex (H35); H26 gives the owner pair with
   tid (v´52, $ 0), i.e. the current task, at priority
   x & OS_MUTEX_KEEP_LOWER_8 (below 64 by H48). *)
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
v´32 : val
)(
(* OSTCBPrioTbl v´30: element type OS_TCB ∗, length 64, tied to the ready
   table v´36 and to v´51 by H49/H50. *)
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x0 : val
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
(* Unmap chain over the event's group byte i and its table v´44:
   x2 = OSUnMapVallist[i] (H61), x4 = v´44[x2] (H63),
   x5 = OSUnMapVallist[x4] (H66), each below 8 (fffbb, ttfasd); x2 is the
   value of local legal in the precondition and (x2<<$ 3)+ᵢx5 is compared
   with the pip in H68 below. *)
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
H27 : isptr x7
)(
H38 : isptr m
)(
(* x14 is the Vint32 cell that follows Vint32 i6 in the current TCB's value
   list (H73 / backup2); it is one of the OS_STAT_ constants, and when it is
   OS_STAT_RDY the cell x15 is Vnull (H84).  last_condition at the end pins
   x14 to OS_STAT_RDY and i6 to 0. *)
x14 : int32
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
(* Row (>>ᵢ$ 3) and column (&$ 7) of the lower-8-bit priority, both below 8
   and within the length-8 ready table (rr2/rr3, HH58).  x8 / x9 / x11 are
   the OSMapVallist entries at that row and column (H74, H78, H81; x9 and x11
   are read at the same index). *)
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
x16 : int32
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H89 : Int.unsigned x12 <= 255
)(
t1 : int32
)(
t3 : Int.unsigned t1 <= 255
)(
t11 : int32
)(
t13 : Int.unsigned t11 <= 255
)(
v´34 : val
)(
(* The OSTCBPrioTbl slot of the lower 8-bit priority holds Vptr v´51. *)
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some (Vptr v´51)
)(
(* The group byte i of the event is non-zero (the OSEventGrp != 0 test of
   gen_MutexPostPart1 succeeded); H100/H101 are the same fact in the
   val_inj form produced by that test. *)
H99 : i <> Int.zero
)(
H100 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H101 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
(* Abstract view of the posted event (H6, backup): absmutexsem with pip
   x>>ᵢ$ 8, owner (v´52, $ 0) at priority x & OS_MUTEX_KEEP_LOWER_8, wait
   set w; H47 orders the pip strictly below that priority. *)
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
(* The pip is strictly below (x2<<$ 3)+ᵢx5, the value the unmap chain
   produced from the event's wait table. *)
H68 : Int.ltu (x>>ᵢ$ 8) ((x2<<$ 3)+ᵢx5) = true
)(
H77 : 0 <= Int.unsigned (x>>ᵢ$ 8)
)(
H85 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H43 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)&$ 7)) <= 255
)(
H42 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) <= 255
)(
(* Current TCB as it was at the pip: abstract entry (x>>ᵢ$ 8, t, m) joined
   with x10 into v´45 (H70), concrete value list keyed to x>>ᵢ$ 8 with its
   x/y/bit cells computed from it (H73, backup2).  The precondition below
   replaces this by the lower-8-bit priority via TcbMod.set. *)
H70 : TcbJoin (v´52, Int.zero) (x>>ᵢ$ 8, t, m) x10 v´45
)(
H41 : Int.unsigned (x>>ᵢ$ 8) <= 255
)(
H28 : Int.ltu (x>>ᵢ$ 8) (x>>ᵢ$ 8) = false
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) v´36
(x>>ᵢ$ 8, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) :: v´35) v´36 v´45
)(
(* Row / column of the pip, in range for the length-8 ready table; x16 and
   x12 both name the ready-table row of the pip (H88, H86). *)
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
r5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x12
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
H94 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vnull
)(
H95 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vundef
)(
(* Ready table after clearing the pip bit: row (x>>ᵢ$ 8)>>ᵢ$ 3 of v´36
   and-ed with not (1 << ((x>>ᵢ$ 8)&$ 7)), cf.
   OSRdyTbl ′ [OSTCBCur ′ → OSTCBY] &= ∼ OSTCBCur ′ → OSTCBBitX in
   gen_MutexPostPart1.  In that table, t1 is the row of the lower-8-bit
   priority (t2) and t11 the just-cleared pip row (t12); the precondition
   or-s x11 into t1. *)
H96 : array_type_vallist_match Int8u
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
)(
H97 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t2 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t1
)(
H98 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t12 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t11
)(
(* v´37: the value returned by OS_EventTaskRdy, held in local prio. *)
v´37 : val
)
(* Carried in from the caller, wrapped so the surrounding automation leaves
   it alone: x14 is OS_STAT_RDY and i6 is 0. *)
( last_condition : ProtectWrapper (x14 = $ OS_STAT_RDY /\ i6 = $ 0))
,
(* Judgement under OSQ_spec / GetHPrio / invariant I; the fun v clause is
   presumably the return assertion: the five locals framed existentially,
   interrupts back on, and <|| END v ||>. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the OS_EventTaskRdy postcondition over the caller state
   listed in the header comment, with local os_code_defs.x at
   OS_STAT_MUTEX, prio at v´37 and pip at x>>ᵢ$ 8; Aie false and
   Acs (true :: nil), i.e. still inside the critical section that
   EXIT_CRITICAL below leaves. *)
{{event_rdy_post1
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´37)
(logic_lv
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val
(Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30
(Vptr (v´52, Int.zero))) (Vptr v´51))
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32
((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)
:: Vint32 x11 :: Vint32 x8 :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv
(update_nth_val
(Z.to_nat
(Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val
(Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12)
(Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
(val_inj (or (Vint32 t1) (Vint32 x11))))
:: logic_val v´34
:: logic_abstcb
(TcbMod.set v´39 (v´52, Int.zero)
(x&$ OS_MUTEX_KEEP_LOWER_8, t, m))
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´37 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
(* Statements under proof: keep only the upper byte of OSEventCnt, or the
   new holder's prio into it, hand OSEventPtr to OSTCBPrioTbl ′ [prio ′],
   leave the critical section, reschedule, return OS_NO_ERR. *)
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
Definition gen_MutexPostPart10 :=forall (
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : Int.int
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : @eq nat (@length EventCtr v´25) (@length EventData v´27)
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Tint8 v´44
)(
H19 : @eq nat (@length val v´44) (nat_of_Z OS_EVENT_TBL_SIZE)
)(
x3 : val
)(
i : Int.int
)(
H21 : Z.le (Int.unsigned i) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (@pair block Int.int v´29 Int.zero)) v´25 v´27
v´47 v´39
)(
H14 : @eq (option (prod block Int.int))
(id_addrval´ (Vptr (@pair block Int.int v´29 Int.zero)) OSEventTbl
OS_EVENT) (@Some addrval v´23)
)(
H20 : Z.le (Int.unsigned (Int.repr OS_EVENT_TYPE_MUTEX))
(Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
x : Int.int
)(
H10 : Z.le (Int.unsigned x)
(Zpos
(xI
(xI
(xI
(xI
(xI
(xI
(xI (xI (xI (xI (xI (xI (xI (xI (xI xH))))))))))))))))
)(
H15 : Z.lt (Int.unsigned (Int.shru x (Int.repr (Zpos (xO (xO (xO xH)))))))
(Zpos (xO (xO (xO (xO (xO (xO xH)))))))
)(
H22 : Z.le (Int.unsigned x)
(Zpos
(xI
(xI
(xI
(xI
(xI
(xI
(xI (xI (xI (xI (xI (xI (xI (xI (xI xH))))))))))))))))
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : not (@eq val v´31 Vnull)
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : not (@eq val (Vptr (@pair block Int.int v´52 Int.zero)) Vnull)
)(
i6 : Int.int
)(
H39 : Z.le (Int.unsigned i6)
(Zpos
(xI
(xI
(xI
(xI
(xI
(xI
(xI (xI (xI (xI (xI (xI (xI (xI (xI xH))))))))))))))))
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (@pair block Int.int v´52 Int.zero)
)(
H8 : RH_CurTCB (@pair block Int.int v´52 Int.zero) v´39
)(
H23 : isptr (Vptr (@pair block Int.int v´52 (Int.repr Z0)))
)(
H5 : R_ECB_ETbl_P (@pair block Int.int v´29 Int.zero)
(@pair (list val) vallist
(@cons val (Vint32 (Int.repr OS_EVENT_TYPE_MUTEX))
(@cons val (Vint32 i)
(@cons val (Vint32 x)
(@cons val
(Vptr (@pair block Int.int v´52 (Int.repr Z0)))
(@cons val x3 (@cons val v´46 (@nil val))))))) v´44)
v´39
)(
H1 : ECBList_P v´42 Vnull
(@app EventCtr v´25
(@app (prod (list val) vallist)
(@cons (prod (list val) vallist)
(@pair (list val) vallist
(@cons val (Vint32 (Int.repr OS_EVENT_TYPE_MUTEX))
(@cons val (Vint32 i)
(@cons val (Vint32 x)
(@cons val
(Vptr
(@pair block Int.int v´52 (Int.repr Z0)))
(@cons val x3 (@cons val v´46 (@nil val)))))))
v´44) (@nil (prod (list val) vallist))) v´26))
(@app EventData v´27
(@app EventData
(@cons EventData
(DMutex (Vint32 x)
(Vptr (@pair block Int.int v´52 (Int.repr Z0))))
(@nil EventData)) v´28)) v´38 v´39
)(
H29 : Logic.or
(@eq Int.int (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr OS_MUTEX_AVAILABLE))
(not
(@eq Int.int (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr OS_MUTEX_AVAILABLE)))
)(
H35 : not
(@eq Int.int (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr OS_MUTEX_AVAILABLE))
)(
H47 : @eq bool
(Int.ltu (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))) true
)(
H48 : Z.lt (Int.unsigned (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8)))
(Zpos (xO (xO (xO (xO (xO (xO xH)))))))
)(
H6 : EcbMod.joinsig (@pair block Int.int v´29 Int.zero)
(@pair edata waitset
(absmutexsem (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))) w) v´48
v´49
)(
H4 : @eq (option (prod (prod block Int.int) Int.int))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
(@None (prod (prod block Int.int) Int.int)) ->
@eq waitset w (@nil tid)
)(
H9 : forall (tid : tid) (opr : Int.int),
@eq (option (prod (prod block Int.int) Int.int))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
(@Some (prod language.tid Int.int)
(@pair language.tid Int.int tid opr)) ->
Logic.and
(@eq bool
(Int.ltu (Int.shru x (Int.repr (Zpos (xO (xO (xO xH)))))) opr)
true)
(Z.lt (Int.unsigned opr) (Zpos (xO (xO (xO (xO (xO (xO xH))))))))
)(
H13 : not (@eq waitset w (@nil tid)) ->
not
(@eq (option (prod (prod block Int.int) Int.int))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
(@None (prod (prod block Int.int) Int.int)))
)(
H25 : @eq Int.int (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr OS_MUTEX_AVAILABLE) ->
Logic.and
(@eq (option (prod (prod block Int.int) Int.int))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
(@None (prod (prod block Int.int) Int.int)))
(@eq val (Vptr (@pair block Int.int v´52 (Int.repr Z0))) Vnull)
)(
H26 : not
(@eq Int.int (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr OS_MUTEX_AVAILABLE)) ->
@ex addrval
(fun tid : addrval =>
Logic.and
(@eq val (Vptr (@pair block Int.int v´52 (Int.repr Z0)))
(Vptr tid))
(@eq (option (prod (prod block Int.int) Int.int))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
(@Some (prod addrval Int.int)
(@pair addrval Int.int tid
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))))
)(
backup : RLH_ECBData_P
(DMutex (Vint32 x)
(Vptr (@pair block Int.int v´52 (Int.repr Z0))))
(@pair edata waitset
(absmutexsem (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))) w)
)(
v´32 : val
)(
H46 : array_type_vallist_match (Tptr OS_TCB) v´30
)(
H51 : @eq nat (@length val v´30)
64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : @eq (option val)
(nth_val
(Z.to_nat
(Int.unsigned (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
v´30) (@Some val x1)
)(
x0 : val
)(
H53 : @eq (option val)
(nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x (Int.repr (Zpos (xO (xO (xO xH)))))))) v´30)
(@Some val x0)
)(
H54 : array_type_vallist_match Tint8 v´36
)(
H58 : @eq nat (@length val v´36) (nat_of_Z OS_RDY_TBL_SIZE)
)(
i7 : Int.int
)(
H55 : Z.le (Int.unsigned i7) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H57 : prio_in_tbl (Int.repr OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : Int.int
)(
fffa : @eq nat (@length val OSUnMapVallist)
256%nat ->
lt (Z.to_nat (Int.unsigned i))
256%nat ->
@ex Int.int
(fun x4 : Int.int =>
Logic.and (@eq val (Vint32 x2) (Vint32 x4))
(@eq bool true (rule_type_val_match Tint8 (Vint32 x4))))
)(
H59 : @eq nat (@length val OSUnMapVallist)
256%nat
)(
H60 : lt (Z.to_nat (Int.unsigned i))
256%nat
)(
H61 : @eq val (nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist)
(Vint32 x2)
)(
H62 : @eq bool true (rule_type_val_match Tint8 (Vint32 x2))
)(
fffbb : Z.lt (Int.unsigned x2) (Zpos (xO (xO (xO xH))))
)(
fffbb2 : lt (Z.to_nat (Int.unsigned x2)) (@length val v´44)
)(
H19´´ : @eq nat (@length val v´44) (Z.to_nat (Zpos (xO (xO (xO xH)))))
)(
x4 : Int.int
)(
H63 : @eq val (nth_val´ (Z.to_nat (Int.unsigned x2)) v´44) (Vint32 x4)
)(
H64 : Z.le (Int.unsigned x4) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H65 : lt (Z.to_nat (Int.unsigned x4)) (@length val OSUnMapVallist)
)(
x5 : Int.int
)(
H66 : @eq val (nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist)
(Vint32 x5)
)(
H67 : Z.le (Int.unsigned x5) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
ttfasd : Z.lt (Int.unsigned x5) (Zpos (xO (xO (xO xH))))
)(
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x6 : Int.int
)(
x14 : Int.int
)(
H77 : Z.le Z0 (Int.unsigned x6)
)(
H85 : Z.lt (Int.unsigned x6) (Zpos (xO (xO (xO (xO (xO (xO xH)))))))
)(
H82 : Logic.or (@eq Int.int x14 (Int.repr OS_STAT_RDY))
(Logic.or (@eq Int.int x14 (Int.repr OS_STAT_SEM))
(Logic.or (@eq Int.int x14 (Int.repr OS_STAT_Q))
(Logic.or (@eq Int.int x14 (Int.repr OS_STAT_MBOX))
(@eq Int.int x14 (Int.repr OS_STAT_MUTEX)))))
)(
x15 : val
)(
H84 : @eq Int.int x14 (Int.repr OS_STAT_RDY) -> @eq val x15 Vnull
)(
H43 : Z.le (Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH)))))
(Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H45 : Z.le
(Int.unsigned
(Int.shl (Int.repr (Zpos xH))
(Int.shru x6 (Int.repr (Zpos (xI xH))))))
(Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H44 : Z.le
(Int.unsigned
(Int.shl (Int.repr (Zpos xH))
(Int.and x6 (Int.repr (Zpos (xI (xI xH)))))))
(Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H42 : Z.le (Int.unsigned (Int.and x6 (Int.repr (Zpos (xI (xI xH))))))
(Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H70 : TcbJoin (@pair block Int.int v´52 Int.zero)
(@pair (prod priority taskstatus) msg
(@pair priority taskstatus x6 t) m) x10 v´45
)(
H41 : Z.le (Int.unsigned x6) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H28 : @eq bool
(Int.ltu x6 (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))) false
)(
H37 : isptr x15
)(
H40 : Z.le (Int.unsigned x14) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H73 : R_TCB_Status_P
(@cons val x7
(@cons val v´24
(@cons val x15
(@cons val m
(@cons val (Vint32 i6)
(@cons val (Vint32 x14)
(@cons val (Vint32 x6)
(@cons val
(Vint32
(Int.and x6
(Int.repr (Zpos (xI (xI xH))))))
(@cons val
(Vint32
(Int.shru x6
(Int.repr (Zpos (xI xH)))))
(@cons val
(Vint32
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH)))))))
(@cons val
(Vint32
(Int.shl
(Int.repr (Zpos xH))
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(@nil val)))))))))))) v´36
(@pair (prod priority taskstatus) msg
(@pair priority taskstatus x6 t) m)
)(
backup2 : TCBList_P (Vptr (@pair block Int.int v´52 Int.zero))
(@cons (list val)
(@cons val x7
(@cons val v´24
(@cons val x15
(@cons val m
(@cons val (Vint32 i6)
(@cons val (Vint32 x14)
(@cons val (Vint32 x6)
(@cons val
(Vint32
(Int.and x6
(Int.repr (Zpos (xI (xI xH))))))
(@cons val
(Vint32
(Int.shru x6
(Int.repr (Zpos (xI xH)))))
(@cons val
(Vint32
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH)))))))
(@cons val
(Vint32
(Int.shl
(Int.repr (Zpos xH))
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(@nil val)))))))))))) v´35)
v´36 v´45
)(
r1 : Z.lt
(Int.unsigned
(Int.shru (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI xH))))) (Zpos (xO (xO (xO xH))))
)(
r2 : Z.lt
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH)))))) (Zpos (xO (xO (xO xH))))
)(
r3 : Z.lt
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))) (Zpos (xO (xO (xO xH))))
)(
r4 : Z.lt
(Int.unsigned
(Int.and (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI (xI xH)))))) (Zpos (xO (xO (xO xH))))
)(
H34 : array_type_vallist_match Tint8 OSMapVallist
)(
H69 : @eq nat (@length val OSMapVallist) (S (S (S (S (S (S (S (S O))))))))
)(
H71 : lt
(Z.to_nat
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))))
(S (S (S (S (S (S (S (S O))))))))
)(
x8 : Int.int
)(
H74 : @eq val
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))) OSMapVallist)
(Vint32 x8)
)(
H75 : @eq bool true (rule_type_val_match Tint8 (Vint32 x8))
)(
H76 : lt
(Z.to_nat
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH)))))))
(S (S (S (S (S (S (S (S O))))))))
)(
x9 : Int.int
)(
H78 : @eq val
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH))))))) OSMapVallist)
(Vint32 x9)
)(
H79 : @eq bool true (rule_type_val_match Tint8 (Vint32 x9))
)(
H80 : lt
(Z.to_nat
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH)))))))
(S (S (S (S (S (S (S (S O))))))))
)(
x11 : Int.int
)(
H81 : @eq val
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH))))))) OSMapVallist)
(Vint32 x11)
)(
H83 : @eq bool true (rule_type_val_match Tint8 (Vint32 x11))
)(
r5 : Z.lt (Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH)))))
(Zpos (xO (xO (xO xH))))
)(
r6 : Z.lt (Int.unsigned (Int.and x6 (Int.repr (Zpos (xI (xI xH))))))
(Zpos (xO (xO (xO xH))))
)(
rr1 : lt
(Z.to_nat
(Int.unsigned
(Int.shru (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI xH)))))) (@length val v´36)
)(
rr2 : lt
(Z.to_nat
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH)))))))
(@length val v´36)
)(
rr3 : lt
(Z.to_nat
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))) (@length val v´36)
)(
rr4 : lt
(Z.to_nat
(Int.unsigned
(Int.and (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI (xI xH)))))))
(@length val v´36)
)(
rr5 : lt (Z.to_nat (Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH))))))
(@length val v´36)
)(
rr6 : lt
(Z.to_nat
(Int.unsigned (Int.and x6 (Int.repr (Zpos (xI (xI xH)))))))
(@length val v´36)
)(
rrr1 : Z.lt
(Int.unsigned
(Int.shru (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI xH))))) (Z.of_nat (@length val v´36))
)(
rrr2 : Z.lt
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH))))))
(Z.of_nat (@length val v´36))
)(
rrr3 : Z.lt
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))) (Z.of_nat (@length val v´36))
)(
rrr4 : Z.lt
(Int.unsigned
(Int.and (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI (xI xH))))))
(Z.of_nat (@length val v´36))
)(
rrr5 : Z.lt (Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH)))))
(Z.of_nat (@length val v´36))
)(
rrr6 : Z.lt (Int.unsigned (Int.and x6 (Int.repr (Zpos (xI (xI xH))))))
(Z.of_nat (@length val v´36))
)(
HH58 : @eq nat (@length val v´36) (Z.to_nat (Zpos (xO (xO (xO xH)))))
)(
aa : @eq bool
(rule_type_val_match Tint8
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru
(Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI xH)))))) v´36)) true
)(
aa2 : @eq bool
(rule_type_val_match Tint8
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))) v´36)) true
)(
aa3 : @eq bool
(rule_type_val_match Tint8
(nth_val´
(Z.to_nat
(Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH))))))
v´36)) true
)(
x16 : Int.int
)(
H88 : @eq val
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI xH)))))) v´36)
(Vint32 x16)
)(
H91 : Z.le (Int.unsigned x16) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
x13 : Int.int
)(
H87 : @eq val
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))) v´36)
(Vint32 x13)
)(
H90 : Z.le (Int.unsigned x13) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
x12 : Int.int
)(
H86 : @eq val
(nth_val´
(Z.to_nat (Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH))))))
v´36) (Vint32 x12)
)(
H89 : Z.le (Int.unsigned x12) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H92 : @eq val x1 (Vptr v´51)
),
InfRules OSQ_spec GetHPrio I
(fun v : option val =>
Astar
(Astar
(Astar
(Astar
(@Aexists val
(fun v0 : val => Alvarmapsto pevent (Tptr OS_EVENT) v0))
(Astar
(@Aexists val
(fun v0 : val => Alvarmapsto os_code_defs.x Tint8 v0))
(Astar
(@Aexists val
(fun v0 : val => Alvarmapsto pip Tint8 v0))
(Astar
(@Aexists val
(fun v0 : val => Alvarmapsto prio Tint8 v0))
(Astar
(@Aexists val
(fun v0 : val => Alvarmapsto legal Tint8 v0))
Aemp)))))
(Astar (Aie true)
(Astar (Ais (@nil hid))
(Astar (Acs (@nil ie)) (Aisr empisr)))))
(A_dom_lenv
(@cons (prod ident type)
(@pair ident type pevent (Tptr OS_EVENT))
(@cons (prod ident type)
(@pair ident type os_code_defs.x Tint8)
(@cons (prod ident type) (@pair ident type pip Tint8)
(@cons (prod ident type) (@pair ident type prio Tint8)
(@cons (prod ident type)
(@pair ident type legal Tint8)
(@nil (prod ident type)))))))))
(Aop´ (spec_done v))) Afalse
(Astar
(Aop´
(mutexpost
(@cons val (Vptr (@pair block Int.int v´29 Int.zero))
(@nil val))))
(Astar
(A_dom_lenv
(@cons (prod ident type)
(@pair ident type pevent (Tptr OS_EVENT))
(@cons (prod ident type)
(@pair ident type os_code_defs.x Tint8)
(@cons (prod ident type) (@pair ident type pip Tint8)
(@cons (prod ident type) (@pair ident type prio Tint8)
(@cons (prod ident type)
(@pair ident type legal Tint8)
(@nil (prod ident type))))))))
(Astar
(GAarray OSRdyTbl (Tarray Tint8 (nat_of_Z OS_RDY_TBL_SIZE))
(update_nth_val
(Z.to_nat
(Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH))))))
v´36
(val_inj
(and
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru x6 (Int.repr (Zpos (xI xH))))))
v´36)
(Vint32
(Int.not
(Int.shl (Int.repr (Zpos xH))
(Int.and x6 (Int.repr (Zpos (xI (xI xH))))))))))))
(Astar
(Alvarmapsto os_code_defs.x Tint8
(Vint32
(Int.add (Int.shl x2 (Int.repr (Zpos (xI xH)))) x5)))
(Astar (Alvarmapsto legal Tint8 (Vint32 x2))
(Astar (Aptrmapsto v´51 Tint8 v´32)
(Astar
(Astruct (@pair block Int.int v´52 Int.zero) OS_TCB
(@cons val x7
(@cons val v´24
(@cons val x15
(@cons val m
(@cons val
(Vint32 i6)
(@cons val
(Vint32 x14)
(@cons val
(Vint32 x6)
(@cons val
(Vint32
(Int.and x6
(Int.repr
(Zpos (xI (xI xH))))))
(@cons val
(Vint32
(Int.shru x6
(Int.repr (Zpos (xI xH)))))
(@cons val
(Vint32
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH)))))))
(@cons val
(Vint32
(Int.shl
(Int.repr (Zpos xH))
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(@nil val)))))))))))))
(Astar
(dllseg x7
(Vptr (@pair block Int.int v´52 Int.zero))
v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val (S O) vl)
(fun vl : vallist => nth_val O vl))
(Astar
(Agvarmapsto OSTCBList (Tptr OS_TCB) v´31)
(Astar
(dllseg v´31 Vnull v´24
(Vptr
(@pair block Int.int v´52 Int.zero))
v´33 OS_TCB
(fun vl : vallist => nth_val (S O) vl)
(fun vl : vallist => nth_val O vl))
(Astar
(Agvarmapsto OSTCBCur
(Tptr OS_TCB)
(Vptr
(@pair block Int.int v´52
Int.zero)))
(Astar
(Alvarmapsto prio Tint8
(Vint32
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8))))
(Astar
(Alvarmapsto pip Tint8
(Vint32
(Int.shru x
(Int.repr
(Zpos (xO (xO (xO xH))))))))
(Astar
(Astruct
(@pair block Int.int v´29
Int.zero) OS_EVENT
(@cons val
(Vint32
(Int.repr
OS_EVENT_TYPE_MUTEX))
(@cons val
(Vint32 i)
(@cons val
(Vint32 x)
(@cons val
(Vptr
(@pair block Int.int v´52
(Int.repr Z0)))
(@cons val x3
(@cons val v´46 (@nil val))))))))
(Astar
(Aarray v´23
(Tarray Tint8
(nat_of_Z OS_EVENT_TBL_SIZE))
v´44)
(Astar
(Aie false)
(Astar
(Ais (@nil hid))
(Astar
(Acs
(@cons bool true
(@nil bool)))
(Astar
(Aisr empisr)
(Astar
(Agvarmapsto OSEventList
(Tptr OS_EVENT) v´42)
(Astar
(evsllseg v´42
(Vptr
(@pair block Int.int v´29
Int.zero)) v´25 v´27)
(Astar
(evsllseg v´46 Vnull v´26
v´28)
(Astar A_isr_is_prop
(Astar
(Agvarmapsto OSRdyGrp Tint8
(Vint32 i7))
(Astar
(GAarray OSTCBPrioTbl
(Tarray
(Tptr OS_TCB)
64)
v´30)
(Astar
(Agvarenv´ OSPlaceHolder
Tint8 v´51)
(Astar
(Aabsdata absecblsid
(absecblist v´38))
(Astar
(Aabsdata abstcblsid
(abstcblist v´39))
(Astar
(Aabsdata curtid
(oscurt
(@pair block Int.int v´52
Int.zero)))
(Astar
(AOSEventFreeList v´3)
(Astar
(AOSQFreeList v´4)
(Astar
(AOSQFreeBlk v´5)
(Astar
(GAarray OSMapTbl
(Tarray Tint8
(S
(S
(S (S (S (S (S (S O)))))))))
OSMapVallist)
(Astar
(GAarray OSUnMapTbl
(Tarray Tint8
256)
OSUnMapVallist)
(Astar AOSIntNesting
(Astar
(AOSTCBFreeList v´21 v´22)
(Astar
(AOSTime (Vint32 v´18))
(Astar
(Aabsdata ostmid
(ostm v´18))
(Astar AGVars
(Astar atoy_inv´
(Alvarmapsto pevent
(Tptr OS_EVENT)
(Vptr
(@pair block Int.int v´29
Int.zero)))))))))))))))))))))))))))))))))))))))))))
(sseq
(sifthen
(ebinop oeq
(earrayelem (evar OSRdyTbl)
(efield (ederef (evar OSTCBCur)) OSTCBY))
(econst32 (Int.repr Z0)))
(sassign (evar OSRdyGrp)
(ebinop obitand (evar OSRdyGrp)
(eunop negation (efield (ederef (evar OSTCBCur)) OSTCBBitY)))))
(sseq
(sassign (efield (ederef (evar OSTCBCur)) OSTCBPrio) (evar prio))
(sseq
(sassign (efield (ederef (evar OSTCBCur)) OSTCBY)
(ebinop orshift (evar prio)
(econst32 (Int.repr (Zpos (xI xH))))))
(sseq
(sassign (efield (ederef (evar OSTCBCur)) OSTCBBitY)
(earrayelem (evar OSMapTbl)
(efield (ederef (evar OSTCBCur)) OSTCBY)))
(sseq
(sassign (efield (ederef (evar OSTCBCur)) OSTCBX)
(ebinop obitand (evar prio)
(econst32 (Int.repr (Zpos (xI (xI xH)))))))
(sseq
(sassign (efield (ederef (evar OSTCBCur)) OSTCBBitX)
(earrayelem (evar OSMapTbl)
(efield (ederef (evar OSTCBCur)) OSTCBX)))
(sseq
(sassign (evar OSRdyGrp)
(ebinop obitor (evar OSRdyGrp)
(efield (ederef (evar OSTCBCur)) OSTCBBitY)))
(sseq
(sassign
(earrayelem (evar OSRdyTbl)
(efield (ederef (evar OSTCBCur)) OSTCBY))
(ebinop obitor
(earrayelem (evar OSRdyTbl)
(efield (ederef (evar OSTCBCur)) OSTCBY))
(efield (ederef (evar OSTCBCur)) OSTCBBitX)))
(sseq
(sassign
(earrayelem (evar OSTCBPrioTbl)
(evar prio))
(ecast (evar OSTCBCur) (Tptr OS_TCB)))
(sassign
(earrayelem (evar OSTCBPrioTbl) (evar pip))
(ecast os_mutex.PlaceHolder (Tptr OS_TCB))))))))))))
( (
<|| mutexpost (Vptr (v´29, Int.zero) :: nil) ||> **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil) **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64)
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x ($ 8))))
(update_nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8)))
v´30 (Vptr (v´52, Int.zero))) (Vptr v´51)) **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE)
(update_nth_val
(Z.to_nat (Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj (and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7)))))))
(val_inj
(or
(nth_val´
(Z.to_nat (Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(Vint32 x11)))) **
GV OSRdyGrp @ Int8u |-> Vint32 (Int.or (i7&Int.not ($ 1<<(Int.shru x6 ($ 3)))) x8) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
Astruct (v´52, Int.zero) OS_TCB
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32 (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))
:: Vint32 x11 :: Vint32 x8 :: nil) **
LV os_code_defs.x @ Int8u |-> Vint32 ((x2<<$ 3)+ᵢx5) **
LV legal @ Int8u |-> Vint32 x2 **
PV v´51 @ Int8u |-> v´32 **
dllseg x7 (Vptr (v´52, Int.zero)) v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´31 **
dllseg v´31 Vnull v´24 (Vptr (v´52, Int.zero)) v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
LV prio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (Int.shru x ($ 8)) **
Astruct (v´29, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil) **
Aarray v´23 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´44 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
A_isr_is_prop **
G&OSPlaceHolder @ Int8u == v´51 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
GAarray OSMapTbl (Tarray Int8u 8) OSMapVallist **
GAarray OSUnMapTbl (Tarray Int8u 256) OSUnMapVallist **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
[|val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vint32 Int.zero /\
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vnull /\
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vundef|] **
[|val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vint32 Int.zero /\
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vnull /\
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vundef|]
) **
[| x1 = Vptr v´51 |]
\\// (
<|| mutexpost (Vptr (v´29, Int.zero) :: nil) ||> **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil) **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64)
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x ($ 8))))
(update_nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8)))
v´30 (Vptr (v´52, Int.zero))) (Vptr v´51)) **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE)
(update_nth_val
(Z.to_nat (Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj (and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7)))))))
(val_inj
(or
(nth_val´
(Z.to_nat (Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(Vint32 x11)))) **
GV OSRdyGrp @ Int8u |-> Vint32 (Int.or i7 x8) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
Astruct (v´52, Int.zero) OS_TCB
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32 (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))
:: Vint32 x11 :: Vint32 x8 :: nil) **
LV os_code_defs.x @ Int8u |-> Vint32 ((x2<<$ 3)+ᵢx5) **
LV legal @ Int8u |-> Vint32 x2 **
PV v´51 @ Int8u |-> v´32 **
dllseg x7 (Vptr (v´52, Int.zero)) v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´31 **
dllseg v´31 Vnull v´24 (Vptr (v´52, Int.zero)) v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
LV prio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (Int.shru x ($ 8)) **
Astruct (v´29, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil) **
Aarray v´23 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´44 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
A_isr_is_prop **
G&OSPlaceHolder @ Int8u == v´51 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
GAarray OSMapTbl (Tarray Int8u 8) OSMapVallist **
GAarray OSUnMapTbl (Tarray Int8u 256) OSUnMapVallist **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
[|val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) = Vint32 Int.zero \/
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) = Vnull|] **
[| x1 = Vptr v´51 |]
)
).
Definition gen_MutexPostPIRdyTable2:= forall(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H15 : Int.unsigned (Int.shru x ($ 8)) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H47 : Int.ltu (Int.shru x ($ 8)) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (Int.shru x ($ 8)) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (Int.shru x ($ 8)) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (Int.shru x ($ 8))
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (Int.shru x ($ 8)))) v´30 = Some x0
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x6 : int32
)(
x14 : int32
)(
H77 : 0 <= Int.unsigned x6
)(
H85 : Int.unsigned x6 < 64
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H43 : Int.unsigned (Int.shru x6 ($ 3)) <= 255
)(
H45 : Int.unsigned ($ 1<<(Int.shru x6 ($ 3))) <= 255
)(
H44 : Int.unsigned ($ 1<<(x6&$ 7)) <= 255
)(
H42 : Int.unsigned (x6&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x6, t, m) x10 v´45
)(
H41 : Int.unsigned x6 <= 255
)(
H28 : Int.ltu x6 (Int.shru x ($ 8)) = false
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (Int.shru x6 ($ 3))
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(Int.shru x6 ($ 3))) :: nil) v´36
(x6, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (Int.shru x6 ($ 3))
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(Int.shru x6 ($ 3))) :: nil)
:: v´35) v´36 v´45
)(
r1 : Int.unsigned (Int.shru (Int.shru x ($ 8)) ($ 3)) < 8
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3)) < 8
)(
r4 : Int.unsigned ((Int.shru x ($ 8))&$ 7) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´ (Z.to_nat (Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
r5 : Int.unsigned (Int.shru x6 ($ 3)) < 8
)(
r6 : Int.unsigned (x6&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned (Int.shru (Int.shru x ($ 8)) ($ 3))) < length v´36)%nat
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))) <
length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((Int.shru x ($ 8))&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned (x6&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned (Int.shru (Int.shru x ($ 8)) ($ 3)) < Z.of_nat (length v´36)
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3)) <
Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((Int.shru x ($ 8))&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned (Int.shru x6 ($ 3)) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned (x6&$ 7) < Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru (Int.shru x ($ 8)) ($ 3)))) v´36) = true
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))))
v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36) = true
)(
x16 : int32
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned (Int.shru (Int.shru x ($ 8)) ($ 3)))) v´36 = Vint32 x16
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´ (Z.to_nat (Int.unsigned (Int.shru (x&$ OS_MUTEX_KEEP_LOWER_8) ($ 3))))
v´36 = Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36 = Vint32 x12
)(
H89 : Int.unsigned x12 <= 255
)(
H92 : x1 = Vptr v´51
),
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{( <|| mutexpost (Vptr (v´29, Int.zero) :: nil) ||> **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil) **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE)
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36)
(Vint32 (Int.not ($ 1<<(x6&$ 7))))))) **
LV os_code_defs.x @ Int8u |-> Vint32 ((x2<<$ 3)+ᵢx5) **
LV legal @ Int8u |-> Vint32 x2 **
PV v´51 @ Int8u |-> v´32 **
Astruct (v´52, Int.zero) OS_TCB
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (Int.shru x6 ($ 3))
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(Int.shru x6 ($ 3))) :: nil) **
dllseg x7 (Vptr (v´52, Int.zero)) v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´31 **
dllseg v´31 Vnull v´24 (Vptr (v´52, Int.zero)) v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
LV prio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (Int.shru x ($ 8)) **
Astruct (v´29, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil) **
Aarray v´23 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´44 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
A_isr_is_prop **
GV OSRdyGrp @ Int8u |-> Vint32 i7 **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64) v´30 **
G&OSPlaceHolder @ Int8u == v´51 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
GAarray OSMapTbl (Tarray Int8u 8) OSMapVallist **
GAarray OSUnMapTbl (Tarray Int8u 256) OSUnMapVallist **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars ** atoy_inv´ ** LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero)) **
[|val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36)
(Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) = Vint32 Int.zero \/
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3))))
(update_nth_val (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36
(val_inj
(and (nth_val´ (Z.to_nat (Int.unsigned (Int.shru x6 ($ 3)))) v´36)
(Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) = Vnull|]}}
OSTCBCur ′ → OSTCBPrio =ₑ prio ′;ₛ
OSTCBCur ′ → OSTCBY =ₑ prio ′ ≫ ′3;ₛ
OSTCBCur ′ → OSTCBBitY =ₑ OSMapTbl ′ [OSTCBCur ′ → OSTCBY];ₛ
OSTCBCur ′ → OSTCBX =ₑ prio ′ &ₑ ′7;ₛ
OSTCBCur ′ → OSTCBBitX =ₑ OSMapTbl ′ [OSTCBCur ′ → OSTCBX];ₛ
OSRdyGrp ′ =ₑ OSRdyGrp ′ |ₑ OSTCBCur ′ → OSTCBBitY;ₛ
OSRdyTbl ′ [OSTCBCur ′ → OSTCBY] =ₑ
OSRdyTbl ′ [OSTCBCur ′ → OSTCBY] |ₑ OSTCBCur ′ → OSTCBBitX;ₛ
OSTCBPrioTbl ′ [prio ′] =ₑ 〈OS_TCB ∗ 〉 OSTCBCur ′;ₛ
OSTCBPrioTbl ′ [pip ′] =ₑ 〈OS_TCB ∗ 〉 os_mutex.PlaceHolder {{(
(Astar
(Aop´
(mutexpost
(@cons val (Vptr (@pair block Int.int v´29 Int.zero))
(@nil val))))
(Astar
(A_dom_lenv
(@cons (prod ident type)
(@pair ident type pevent (Tptr OS_EVENT))
(@cons (prod ident type)
(@pair ident type os_code_defs.x Tint8)
(@cons (prod ident type) (@pair ident type pip Tint8)
(@cons (prod ident type) (@pair ident type prio Tint8)
(@cons (prod ident type)
(@pair ident type legal Tint8)
(@nil (prod ident type))))))))
(Astar
(GAarray OSTCBPrioTbl
(Tarray (Tptr OS_TCB)
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
v´30 (Vptr (@pair block Int.int v´52 Int.zero)))
(Vptr v´51)))
(Astar
(GAarray OSRdyTbl (Tarray Tint8 (nat_of_Z OS_RDY_TBL_SIZE))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6 (Int.repr (Zpos (xI xH))))))
v´36
(val_inj
(and (Vint32 x12)
(Vint32
(Int.not
(Int.shl (Int.repr (Zpos xH))
(Int.and x6
(Int.repr (Zpos (xI (xI xH)))))))))))
(val_inj
(or
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru
(Int.and x
(Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH)))))) v´36
(val_inj
(and (Vint32 x12)
(Vint32
(Int.not
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH))))))))))))
(Vint32 x11)))))
(Astar (Agvarmapsto OSRdyGrp Tint8 (Vint32 (Int.or i7 x8)))
(Astar
(Agvarmapsto OSTCBCur (Tptr OS_TCB)
(Vptr (@pair block Int.int v´52 Int.zero)))
(Astar
(Astruct (@pair block Int.int v´52 Int.zero) OS_TCB
(@cons val x7
(@cons val v´24
(@cons val x15
(@cons val m
(@cons val
(Vint32 i6)
(@cons val
(Vint32 x14)
(@cons val
(Vint32
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8)))
(@cons val
(Vint32
(Int.and
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8))
(Int.repr
(Zpos (xI (xI xH))))))
(@cons val
(Vint32
(Int.shru
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))
(@cons val
(Vint32 x11)
(@cons val
(Vint32 x8)
(@nil val)))))))))))))
(Astar
(Alvarmapsto os_code_defs.x Tint8
(Vint32
(Int.add
(Int.shl x2 (Int.repr (Zpos (xI xH))))
x5)))
(Astar (Alvarmapsto legal Tint8 (Vint32 x2))
(Astar (Aptrmapsto v´51 Tint8 v´32)
(Astar
(dllseg x7
(Vptr
(@pair block Int.int v´52
Int.zero)) v´40 Vnull v´35
OS_TCB
(fun vl : vallist =>
nth_val (S O) vl)
(fun vl : vallist => nth_val O vl))
(Astar
(Agvarmapsto OSTCBList
(Tptr OS_TCB) v´31)
(Astar
(dllseg v´31 Vnull v´24
(Vptr
(@pair block Int.int v´52
Int.zero)) v´33 OS_TCB
(fun vl : vallist =>
nth_val (S O) vl)
(fun vl : vallist =>
nth_val O vl))
(Astar
(Alvarmapsto prio Tint8
(Vint32
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8))))
(Astar
(Alvarmapsto pip Tint8
(Vint32
(Int.shru x
(Int.repr
(Zpos (xO (xO (xO xH))))))))
(Astar
(Astruct
(@pair block Int.int v´29
Int.zero) OS_EVENT
(@cons val
(Vint32
(Int.repr
OS_EVENT_TYPE_MUTEX))
(@cons val
(Vint32 i)
(@cons val
(Vint32 x)
(@cons val
(Vptr
(@pair block Int.int v´52
(Int.repr Z0)))
(@cons val x3
(@cons val v´46 (@nil val))))))))
(Astar
(Aarray v´23
(Tarray Tint8
(nat_of_Z OS_EVENT_TBL_SIZE))
v´44)
(Astar
(Aie false)
(Astar
(Ais (@nil hid))
(Astar
(Acs
(@cons bool true
(@nil bool)))
(Astar
(Aisr empisr)
(Astar
(Agvarmapsto OSEventList
(Tptr OS_EVENT) v´42)
(Astar
(evsllseg v´42
(Vptr
(@pair block Int.int v´29
Int.zero)) v´25 v´27)
(Astar
(evsllseg v´46 Vnull v´26
v´28)
(Astar A_isr_is_prop
(Astar
(Agvarenv´ OSPlaceHolder
Tint8 v´51)
(Astar
(Aabsdata absecblsid
(absecblist v´38))
(Astar
(Aabsdata abstcblsid
(abstcblist v´39))
(Astar
(Aabsdata curtid
(oscurt
(@pair block Int.int v´52
Int.zero)))
(Astar
(AOSEventFreeList v´3)
(Astar
(AOSQFreeList v´4)
(Astar
(AOSQFreeBlk v´5)
(Astar
(GAarray OSMapTbl
(Tarray Tint8
(S
(S
(S (S (S (S (S (S O)))))))))
OSMapVallist)
(Astar
(GAarray OSUnMapTbl
(Tarray Tint8
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
OSUnMapVallist)
(Astar AOSIntNesting
(Astar
(AOSTCBFreeList v´21 v´22)
(Astar
(AOSTime (Vint32 v´18))
(Astar
(Aabsdata ostmid
(ostm v´18))
(Astar AGVars
(Astar atoy_inv´
(Astar
(Alvarmapsto pevent
(Tptr OS_EVENT)
(Vptr
(@pair block Int.int v´29
Int.zero)))
(Apure
(Logic.or
(@eq val
(val_inj
(val_eq
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
v´36
(val_inj
(and
(Vint32 x12)
(Vint32
(Int.not
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH))))))))))))
(Vint32 (Int.repr Z0))))
(Vint32 Int.zero))
(@eq val
(val_inj
(val_eq
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
v´36
(val_inj
(and
(Vint32 x12)
(Vint32
(Int.not
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH))))))))))))
(Vint32 (Int.repr Z0))))
Vnull)))))))))))))))))))))))))))))))))))))))))))))}}
.
Definition gen_tmp:= forall
(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : Int.int
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : @eq nat (@length EventCtr v´25) (@length EventData v´27)
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Tint8 v´44
)(
H19 : @eq nat (@length val v´44) (nat_of_Z OS_EVENT_TBL_SIZE)
)(
x3 : val
)(
i : Int.int
)(
H21 : Z.le (Int.unsigned i) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (@pair block Int.int v´29 Int.zero)) v´25 v´27
v´47 v´39
)(
H14 : @eq (option (prod block Int.int))
(id_addrval´ (Vptr (@pair block Int.int v´29 Int.zero)) OSEventTbl
OS_EVENT) (@Some addrval v´23)
)(
H20 : Z.le (Int.unsigned (Int.repr OS_EVENT_TYPE_MUTEX))
(Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
x : Int.int
)(
H10 : Z.le (Int.unsigned x)
(Zpos
(xI
(xI
(xI
(xI
(xI
(xI
(xI (xI (xI (xI (xI (xI (xI (xI (xI xH))))))))))))))))
)(
H15 : Z.lt (Int.unsigned (Int.shru x (Int.repr (Zpos (xO (xO (xO xH)))))))
(Zpos (xO (xO (xO (xO (xO (xO xH)))))))
)(
H22 : Z.le (Int.unsigned x)
(Zpos
(xI
(xI
(xI
(xI
(xI
(xI
(xI (xI (xI (xI (xI (xI (xI (xI (xI xH))))))))))))))))
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : not (@eq val v´31 Vnull)
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : not (@eq val (Vptr (@pair block Int.int v´52 Int.zero)) Vnull)
)(
i6 : Int.int
)(
H39 : Z.le (Int.unsigned i6)
(Zpos
(xI
(xI
(xI
(xI
(xI
(xI
(xI (xI (xI (xI (xI (xI (xI (xI (xI xH))))))))))))))))
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (@pair block Int.int v´52 Int.zero)
)(
H8 : RH_CurTCB (@pair block Int.int v´52 Int.zero) v´39
)(
H23 : isptr (Vptr (@pair block Int.int v´52 (Int.repr Z0)))
)(
H5 : R_ECB_ETbl_P (@pair block Int.int v´29 Int.zero)
(@pair (list val) vallist
(@cons val (Vint32 (Int.repr OS_EVENT_TYPE_MUTEX))
(@cons val (Vint32 i)
(@cons val (Vint32 x)
(@cons val
(Vptr (@pair block Int.int v´52 (Int.repr Z0)))
(@cons val x3 (@cons val v´46 (@nil val))))))) v´44)
v´39
)(
H1 : ECBList_P v´42 Vnull
(@app EventCtr v´25
(@app (prod (list val) vallist)
(@cons (prod (list val) vallist)
(@pair (list val) vallist
(@cons val (Vint32 (Int.repr OS_EVENT_TYPE_MUTEX))
(@cons val (Vint32 i)
(@cons val (Vint32 x)
(@cons val
(Vptr
(@pair block Int.int v´52 (Int.repr Z0)))
(@cons val x3 (@cons val v´46 (@nil val)))))))
v´44) (@nil (prod (list val) vallist))) v´26))
(@app EventData v´27
(@app EventData
(@cons EventData
(DMutex (Vint32 x)
(Vptr (@pair block Int.int v´52 (Int.repr Z0))))
(@nil EventData)) v´28)) v´38 v´39
)(
H29 : Logic.or
(@eq Int.int (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr OS_MUTEX_AVAILABLE))
(not
(@eq Int.int (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr OS_MUTEX_AVAILABLE)))
)(
H35 : not
(@eq Int.int (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr OS_MUTEX_AVAILABLE))
)(
H47 : @eq bool
(Int.ltu (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))) true
)(
H48 : Z.lt (Int.unsigned (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8)))
(Zpos (xO (xO (xO (xO (xO (xO xH)))))))
)(
H6 : EcbMod.joinsig (@pair block Int.int v´29 Int.zero)
(@pair edata waitset
(absmutexsem (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))) w) v´48
v´49
)(
H4 : @eq (option (prod (prod block Int.int) Int.int))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
(@None (prod (prod block Int.int) Int.int)) ->
@eq waitset w (@nil tid)
)(
H9 : forall (tid : tid) (opr : Int.int),
@eq (option (prod (prod block Int.int) Int.int))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
(@Some (prod language.tid Int.int)
(@pair language.tid Int.int tid opr)) ->
Logic.and
(@eq bool
(Int.ltu (Int.shru x (Int.repr (Zpos (xO (xO (xO xH)))))) opr)
true)
(Z.lt (Int.unsigned opr) (Zpos (xO (xO (xO (xO (xO (xO xH))))))))
)(
H13 : not (@eq waitset w (@nil tid)) ->
not
(@eq (option (prod (prod block Int.int) Int.int))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
(@None (prod (prod block Int.int) Int.int)))
)(
H25 : @eq Int.int (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr OS_MUTEX_AVAILABLE) ->
Logic.and
(@eq (option (prod (prod block Int.int) Int.int))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
(@None (prod (prod block Int.int) Int.int)))
(@eq val (Vptr (@pair block Int.int v´52 (Int.repr Z0))) Vnull)
)(
H26 : not
(@eq Int.int (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr OS_MUTEX_AVAILABLE)) ->
@ex addrval
(fun tid : addrval =>
Logic.and
(@eq val (Vptr (@pair block Int.int v´52 (Int.repr Z0)))
(Vptr tid))
(@eq (option (prod (prod block Int.int) Int.int))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
(@Some (prod addrval Int.int)
(@pair addrval Int.int tid
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))))
)(
backup : RLH_ECBData_P
(DMutex (Vint32 x)
(Vptr (@pair block Int.int v´52 (Int.repr Z0))))
(@pair edata waitset
(absmutexsem (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(@Some (prod (prod block Int.int) Int.int)
(@pair (prod block Int.int) Int.int
(@pair block Int.int v´52 (Int.repr Z0))
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))) w)
)(
v´32 : val
)(
H46 : array_type_vallist_match (Tptr OS_TCB) v´30
)(
H51 : @eq nat (@length val v´30)
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : @eq (option val)
(nth_val
(Z.to_nat
(Int.unsigned (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
v´30) (@Some val x1)
)(
x0 : val
)(
H53 : @eq (option val)
(nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x (Int.repr (Zpos (xO (xO (xO xH)))))))) v´30)
(@Some val x0)
)(
H54 : array_type_vallist_match Tint8 v´36
)(
H58 : @eq nat (@length val v´36) (nat_of_Z OS_RDY_TBL_SIZE)
)(
i7 : Int.int
)(
H55 : Z.le (Int.unsigned i7) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H57 : prio_in_tbl (Int.repr OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : Int.int
)(
fffa : @eq nat (@length val OSUnMapVallist)
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) ->
lt (Z.to_nat (Int.unsigned i))
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) ->
@ex Int.int
(fun x4 : Int.int =>
Logic.and (@eq val (Vint32 x2) (Vint32 x4))
(@eq bool true (rule_type_val_match Tint8 (Vint32 x4))))
)(
H59 : @eq nat (@length val OSUnMapVallist)
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
)(
H60 : lt (Z.to_nat (Int.unsigned i))
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
)(
H61 : @eq val (nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist)
(Vint32 x2)
)(
H62 : @eq bool true (rule_type_val_match Tint8 (Vint32 x2))
)(
fffbb : Z.lt (Int.unsigned x2) (Zpos (xO (xO (xO xH))))
)(
fffbb2 : lt (Z.to_nat (Int.unsigned x2)) (@length val v´44)
)(
H19´´ : @eq nat (@length val v´44) (Z.to_nat (Zpos (xO (xO (xO xH)))))
)(
x4 : Int.int
)(
H63 : @eq val (nth_val´ (Z.to_nat (Int.unsigned x2)) v´44) (Vint32 x4)
)(
H64 : Z.le (Int.unsigned x4) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H65 : lt (Z.to_nat (Int.unsigned x4)) (@length val OSUnMapVallist)
)(
x5 : Int.int
)(
H66 : @eq val (nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist)
(Vint32 x5)
)(
H67 : Z.le (Int.unsigned x5) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
ttfasd : Z.lt (Int.unsigned x5) (Zpos (xO (xO (xO xH))))
)(
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (Int.shru x ($ 8)) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x6 : Int.int
)(
x14 : Int.int
)(
H77 : Z.le Z0 (Int.unsigned x6)
)(
H85 : Z.lt (Int.unsigned x6) (Zpos (xO (xO (xO (xO (xO (xO xH)))))))
)(
H82 : Logic.or (@eq Int.int x14 (Int.repr OS_STAT_RDY))
(Logic.or (@eq Int.int x14 (Int.repr OS_STAT_SEM))
(Logic.or (@eq Int.int x14 (Int.repr OS_STAT_Q))
(Logic.or (@eq Int.int x14 (Int.repr OS_STAT_MBOX))
(@eq Int.int x14 (Int.repr OS_STAT_MUTEX)))))
)(
x15 : val
)(
H84 : @eq Int.int x14 (Int.repr OS_STAT_RDY) -> @eq val x15 Vnull
)(
H43 : Z.le (Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH)))))
(Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H45 : Z.le
(Int.unsigned
(Int.shl (Int.repr (Zpos xH))
(Int.shru x6 (Int.repr (Zpos (xI xH))))))
(Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H44 : Z.le
(Int.unsigned
(Int.shl (Int.repr (Zpos xH))
(Int.and x6 (Int.repr (Zpos (xI (xI xH)))))))
(Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H42 : Z.le (Int.unsigned (Int.and x6 (Int.repr (Zpos (xI (xI xH))))))
(Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H70 : TcbJoin (@pair block Int.int v´52 Int.zero)
(@pair (prod Int.int taskstatus) msg
(@pair Int.int taskstatus x6 t) m) x10 v´45
)(
H41 : Z.le (Int.unsigned x6) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H28 : @eq bool
(Int.ltu x6 (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))) false
)(
H37 : isptr x15
)(
H40 : Z.le (Int.unsigned x14) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H73 : R_TCB_Status_P
(@cons val x7
(@cons val v´24
(@cons val x15
(@cons msg m
(@cons val (Vint32 i6)
(@cons val (Vint32 x14)
(@cons val (Vint32 x6)
(@cons val
(Vint32
(Int.and x6
(Int.repr (Zpos (xI (xI xH))))))
(@cons val
(Vint32
(Int.shru x6
(Int.repr (Zpos (xI xH)))))
(@cons val
(Vint32
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH)))))))
(@cons val
(Vint32
(Int.shl
(Int.repr (Zpos xH))
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(@nil val)))))))))))) v´36
(@pair (prod Int.int taskstatus) msg
(@pair Int.int taskstatus x6 t) m)
)(
backup2 : TCBList_P (Vptr (@pair block Int.int v´52 Int.zero))
(@cons (list val)
(@cons val x7
(@cons val v´24
(@cons val x15
(@cons msg m
(@cons val (Vint32 i6)
(@cons val (Vint32 x14)
(@cons val (Vint32 x6)
(@cons val
(Vint32
(Int.and x6
(Int.repr (Zpos (xI (xI xH))))))
(@cons val
(Vint32
(Int.shru x6
(Int.repr (Zpos (xI xH)))))
(@cons val
(Vint32
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH)))))))
(@cons val
(Vint32
(Int.shl
(Int.repr (Zpos xH))
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(@nil val)))))))))))) v´35)
v´36 v´45
)(
r1 : Z.lt
(Int.unsigned
(Int.shru (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI xH))))) (Zpos (xO (xO (xO xH))))
)(
r2 : Z.lt
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH)))))) (Zpos (xO (xO (xO xH))))
)(
r3 : Z.lt
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))) (Zpos (xO (xO (xO xH))))
)(
r4 : Z.lt
(Int.unsigned
(Int.and (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI (xI xH)))))) (Zpos (xO (xO (xO xH))))
)(
H34 : array_type_vallist_match Tint8 OSMapVallist
)(
H69 : @eq nat (@length val OSMapVallist) (S (S (S (S (S (S (S (S O))))))))
)(
H71 : lt
(Z.to_nat
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))))
(S (S (S (S (S (S (S (S O))))))))
)(
x8 : Int.int
)(
H74 : @eq val
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))) OSMapVallist)
(Vint32 x8)
)(
H75 : @eq bool true (rule_type_val_match Tint8 (Vint32 x8))
)(
H76 : lt
(Z.to_nat
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH)))))))
(S (S (S (S (S (S (S (S O))))))))
)(
x9 : Int.int
)(
H78 : @eq val
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH))))))) OSMapVallist)
(Vint32 x9)
)(
H79 : @eq bool true (rule_type_val_match Tint8 (Vint32 x9))
)(
H80 : lt
(Z.to_nat
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH)))))))
(S (S (S (S (S (S (S (S O))))))))
)(
x11 : Int.int
)(
H81 : @eq val
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH))))))) OSMapVallist)
(Vint32 x11)
)(
H83 : @eq bool true (rule_type_val_match Tint8 (Vint32 x11))
)(
r5 : Z.lt (Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH)))))
(Zpos (xO (xO (xO xH))))
)(
r6 : Z.lt (Int.unsigned (Int.and x6 (Int.repr (Zpos (xI (xI xH))))))
(Zpos (xO (xO (xO xH))))
)(
rr1 : lt
(Z.to_nat
(Int.unsigned
(Int.shru (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI xH)))))) (@length val v´36)
)(
rr2 : lt
(Z.to_nat
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH)))))))
(@length val v´36)
)(
rr3 : lt
(Z.to_nat
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))) (@length val v´36)
)(
rr4 : lt
(Z.to_nat
(Int.unsigned
(Int.and (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI (xI xH)))))))
(@length val v´36)
)(
rr5 : lt (Z.to_nat (Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH))))))
(@length val v´36)
)(
rr6 : lt
(Z.to_nat
(Int.unsigned (Int.and x6 (Int.repr (Zpos (xI (xI xH)))))))
(@length val v´36)
)(
rrr1 : Z.lt
(Int.unsigned
(Int.shru (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI xH))))) (Z.of_nat (@length val v´36))
)(
rrr2 : Z.lt
(Int.unsigned
(Int.and (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI (xI xH))))))
(Z.of_nat (@length val v´36))
)(
rrr3 : Z.lt
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))) (Z.of_nat (@length val v´36))
)(
rrr4 : Z.lt
(Int.unsigned
(Int.and (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI (xI xH))))))
(Z.of_nat (@length val v´36))
)(
rrr5 : Z.lt (Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH)))))
(Z.of_nat (@length val v´36))
)(
rrr6 : Z.lt (Int.unsigned (Int.and x6 (Int.repr (Zpos (xI (xI xH))))))
(Z.of_nat (@length val v´36))
)(
HH58 : @eq nat (@length val v´36) (Z.to_nat (Zpos (xO (xO (xO xH)))))
)(
aa : @eq bool
(rule_type_val_match Tint8
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru
(Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI xH)))))) v´36)) true
)(
aa2 : @eq bool
(rule_type_val_match Tint8
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))) v´36)) true
)(
aa3 : @eq bool
(rule_type_val_match Tint8
(nth_val´
(Z.to_nat
(Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH))))))
v´36)) true
)(
x16 : Int.int
)(
H88 : @eq val
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru (Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))
(Int.repr (Zpos (xI xH)))))) v´36)
(Vint32 x16)
)(
H91 : Z.le (Int.unsigned x16) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
x13 : Int.int
)(
H87 : @eq val
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru (Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))) v´36)
(Vint32 x13)
)(
H90 : Z.le (Int.unsigned x13) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
x12 : Int.int
)(
H86 : @eq val
(nth_val´
(Z.to_nat (Int.unsigned (Int.shru x6 (Int.repr (Zpos (xI xH))))))
v´36) (Vint32 x12)
)(
H89 : Z.le (Int.unsigned x12) (Zpos (xI (xI (xI (xI (xI (xI (xI xH))))))))
)(
H92 : @eq val x1 (Vptr v´51)
),
InfRules OSQ_spec GetHPrio I
(fun v : option val =>
Astar
(Astar
(Astar
(Astar
(@Aexists val
(fun v0 : val => Alvarmapsto pevent (Tptr OS_EVENT) v0))
(Astar
(@Aexists val
(fun v0 : val => Alvarmapsto os_code_defs.x Tint8 v0))
(Astar
(@Aexists val
(fun v0 : val => Alvarmapsto pip Tint8 v0))
(Astar
(@Aexists val
(fun v0 : val => Alvarmapsto prio Tint8 v0))
(Astar
(@Aexists val
(fun v0 : val => Alvarmapsto legal Tint8 v0))
Aemp)))))
(Astar (Aie true)
(Astar (Ais (@nil hid))
(Astar (Acs (@nil ie)) (Aisr empisr)))))
(A_dom_lenv
(@cons (prod ident type)
(@pair ident type pevent (Tptr OS_EVENT))
(@cons (prod ident type)
(@pair ident type os_code_defs.x Tint8)
(@cons (prod ident type) (@pair ident type pip Tint8)
(@cons (prod ident type) (@pair ident type prio Tint8)
(@cons (prod ident type)
(@pair ident type legal Tint8)
(@nil (prod ident type)))))))))
(Aop´ (spec_done v))) Afalse
(Astar
(Aop´
(mutexpost
(@cons val (Vptr (@pair block Int.int v´29 Int.zero))
(@nil val))))
(Astar
(A_dom_lenv
(@cons (prod ident type)
(@pair ident type pevent (Tptr OS_EVENT))
(@cons (prod ident type)
(@pair ident type os_code_defs.x Tint8)
(@cons (prod ident type) (@pair ident type pip Tint8)
(@cons (prod ident type) (@pair ident type prio Tint8)
(@cons (prod ident type)
(@pair ident type legal Tint8)
(@nil (prod ident type))))))))
(Astar
(GAarray OSRdyTbl (Tarray Tint8 (nat_of_Z OS_RDY_TBL_SIZE))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6 (Int.repr (Zpos (xI xH)))))) v´36
(val_inj
(and (Vint32 x12)
(Vint32
(Int.not
(Int.shl (Int.repr (Zpos xH))
(Int.and x6
(Int.repr (Zpos (xI (xI xH)))))))))))
(val_inj
(or
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru
(Int.and x
(Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6 (Int.repr (Zpos (xI xH))))))
v´36
(val_inj
(and (Vint32 x12)
(Vint32
(Int.not
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH))))))))))))
(Vint32 x11)))))
(Astar (Agvarmapsto OSRdyGrp Tint8 (Vint32 (Int.or i7 x8)))
(Astar
(Agvarmapsto OSTCBCur (Tptr OS_TCB)
(Vptr (@pair block Int.int v´52 Int.zero)))
(Astar
(Astruct (@pair block Int.int v´52 Int.zero) OS_TCB
(@cons val x7
(@cons val v´24
(@cons val x15
(@cons val m
(@cons val (Vint32 i6)
(@cons val
(Vint32 x14)
(@cons val
(Vint32
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8)))
(@cons val
(Vint32
(Int.and
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8))
(Int.repr
(Zpos (xI (xI xH))))))
(@cons val
(Vint32
(Int.shru
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))
(@cons val
(Vint32 x11)
(@cons val
(Vint32 x8)
(@nil val)))))))))))))
(Astar
(Alvarmapsto os_code_defs.x Tint8
(Vint32
(Int.add
(Int.shl x2 (Int.repr (Zpos (xI xH)))) x5)))
(Astar (Alvarmapsto legal Tint8 (Vint32 x2))
(Astar (Aptrmapsto v´51 Tint8 v´32)
(Astar
(dllseg x7
(Vptr
(@pair block Int.int v´52 Int.zero))
v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val (S O) vl)
(fun vl : vallist => nth_val O vl))
(Astar
(Agvarmapsto OSTCBList
(Tptr OS_TCB) v´31)
(Astar
(dllseg v´31 Vnull v´24
(Vptr
(@pair block Int.int v´52
Int.zero)) v´33 OS_TCB
(fun vl : vallist =>
nth_val (S O) vl)
(fun vl : vallist => nth_val O vl))
(Astar
(Alvarmapsto prio Tint8
(Vint32
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8))))
(Astar
(Alvarmapsto pip Tint8
(Vint32
(Int.shru x
(Int.repr
(Zpos (xO (xO (xO xH))))))))
(Astar
(Astruct
(@pair block Int.int v´29
Int.zero) OS_EVENT
(@cons val
(Vint32
(Int.repr
OS_EVENT_TYPE_MUTEX))
(@cons val
(Vint32 i)
(@cons val
(Vint32 x)
(@cons val
(Vptr
(@pair block Int.int v´52
(Int.repr Z0)))
(@cons val x3
(@cons val v´46 (@nil val))))))))
(Astar
(Aarray v´23
(Tarray Tint8
(nat_of_Z OS_EVENT_TBL_SIZE))
v´44)
(Astar
(Aie false)
(Astar
(Ais (@nil hid))
(Astar
(Acs
(@cons bool true
(@nil bool)))
(Astar
(Aisr empisr)
(Astar
(Agvarmapsto OSEventList
(Tptr OS_EVENT) v´42)
(Astar
(evsllseg v´42
(Vptr
(@pair block Int.int v´29
Int.zero)) v´25 v´27)
(Astar
(evsllseg v´46 Vnull v´26
v´28)
(Astar A_isr_is_prop
(Astar
(GAarray OSTCBPrioTbl
(Tarray
(Tptr OS_TCB)
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
v´30)
(Astar
(Agvarenv´ OSPlaceHolder
Tint8 v´51)
(Astar
(Aabsdata absecblsid
(absecblist v´38))
(Astar
(Aabsdata abstcblsid
(abstcblist v´39))
(Astar
(Aabsdata curtid
(oscurt
(@pair block Int.int v´52
Int.zero)))
(Astar
(AOSEventFreeList v´3)
(Astar
(AOSQFreeList v´4)
(Astar
(AOSQFreeBlk v´5)
(Astar
(GAarray OSMapTbl
(Tarray Tint8
(S
(S
(S (S (S (S (S (S O)))))))))
OSMapVallist)
(Astar
(GAarray OSUnMapTbl
(Tarray Tint8
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
OSUnMapVallist)
(Astar AOSIntNesting
(Astar
(AOSTCBFreeList v´21 v´22)
(Astar
(AOSTime (Vint32 v´18))
(Astar
(Aabsdata ostmid
(ostm v´18))
(Astar AGVars
(Astar atoy_inv´
(Astar
(Alvarmapsto pevent
(Tptr OS_EVENT)
(Vptr
(@pair block Int.int v´29
Int.zero)))
(Apure
(Logic.or
(@eq val
(val_inj
(val_eq
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
v´36
(val_inj
(and
(Vint32 x12)
(Vint32
(Int.not
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH))))))))))))
(Vint32 (Int.repr Z0))))
(Vint32 Int.zero))
(@eq val
(val_inj
(val_eq
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
v´36
(val_inj
(and
(Vint32 x12)
(Vint32
(Int.not
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH))))))))))))
(Vint32 (Int.repr Z0))))
Vnull))))))))))))))))))))))))))))))))))))))))))))
(sseq
(sassign (earrayelem (evar OSTCBPrioTbl) (evar prio))
(ecast (evar OSTCBCur) (Tptr OS_TCB)))
(sassign (earrayelem (evar OSTCBPrioTbl) (evar pip))
(ecast os_mutex.PlaceHolder (Tptr OS_TCB)))) (
(Astar
(Aop´
(mutexpost
(@cons val (Vptr (@pair block Int.int v´29 Int.zero))
(@nil val))))
(Astar
(A_dom_lenv
(@cons (prod ident type)
(@pair ident type pevent (Tptr OS_EVENT))
(@cons (prod ident type)
(@pair ident type os_code_defs.x Tint8)
(@cons (prod ident type) (@pair ident type pip Tint8)
(@cons (prod ident type) (@pair ident type prio Tint8)
(@cons (prod ident type)
(@pair ident type legal Tint8)
(@nil (prod ident type))))))))
(Astar
(GAarray OSTCBPrioTbl
(Tarray (Tptr OS_TCB)
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x (Int.repr (Zpos (xO (xO (xO xH))))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))))
v´30 (Vptr (@pair block Int.int v´52 Int.zero)))
(Vptr v´51)))
(Astar
(GAarray OSRdyTbl (Tarray Tint8 (nat_of_Z OS_RDY_TBL_SIZE))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru
(Int.and x (Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6 (Int.repr (Zpos (xI xH))))))
v´36
(val_inj
(and (Vint32 x12)
(Vint32
(Int.not
(Int.shl (Int.repr (Zpos xH))
(Int.and x6
(Int.repr (Zpos (xI (xI xH)))))))))))
(val_inj
(or
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru
(Int.and x
(Int.repr OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH)))))) v´36
(val_inj
(and (Vint32 x12)
(Vint32
(Int.not
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH))))))))))))
(Vint32 x11)))))
(Astar (Agvarmapsto OSRdyGrp Tint8 (Vint32 (Int.or i7 x8)))
(Astar
(Agvarmapsto OSTCBCur (Tptr OS_TCB)
(Vptr (@pair block Int.int v´52 Int.zero)))
(Astar
(Astruct (@pair block Int.int v´52 Int.zero) OS_TCB
(@cons val x7
(@cons val v´24
(@cons val x15
(@cons val m
(@cons val
(Vint32 i6)
(@cons val
(Vint32 x14)
(@cons val
(Vint32
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8)))
(@cons val
(Vint32
(Int.and
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8))
(Int.repr
(Zpos (xI (xI xH))))))
(@cons val
(Vint32
(Int.shru
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8))
(Int.repr (Zpos (xI xH)))))
(@cons val
(Vint32 x11)
(@cons val
(Vint32 x8)
(@nil val)))))))))))))
(Astar
(Alvarmapsto os_code_defs.x Tint8
(Vint32
(Int.add
(Int.shl x2 (Int.repr (Zpos (xI xH))))
x5)))
(Astar (Alvarmapsto legal Tint8 (Vint32 x2))
(Astar (Aptrmapsto v´51 Tint8 v´32)
(Astar
(dllseg x7
(Vptr
(@pair block Int.int v´52
Int.zero)) v´40 Vnull v´35
OS_TCB
(fun vl : vallist =>
nth_val (S O) vl)
(fun vl : vallist => nth_val O vl))
(Astar
(Agvarmapsto OSTCBList
(Tptr OS_TCB) v´31)
(Astar
(dllseg v´31 Vnull v´24
(Vptr
(@pair block Int.int v´52
Int.zero)) v´33 OS_TCB
(fun vl : vallist =>
nth_val (S O) vl)
(fun vl : vallist =>
nth_val O vl))
(Astar
(Alvarmapsto prio Tint8
(Vint32
(Int.and x
(Int.repr
OS_MUTEX_KEEP_LOWER_8))))
(Astar
(Alvarmapsto pip Tint8
(Vint32
(Int.shru x
(Int.repr
(Zpos (xO (xO (xO xH))))))))
(Astar
(Astruct
(@pair block Int.int v´29
Int.zero) OS_EVENT
(@cons val
(Vint32
(Int.repr
OS_EVENT_TYPE_MUTEX))
(@cons val
(Vint32 i)
(@cons val
(Vint32 x)
(@cons val
(Vptr
(@pair block Int.int v´52
(Int.repr Z0)))
(@cons val x3
(@cons val v´46 (@nil val))))))))
(Astar
(Aarray v´23
(Tarray Tint8
(nat_of_Z OS_EVENT_TBL_SIZE))
v´44)
(Astar
(Aie false)
(Astar
(Ais (@nil hid))
(Astar
(Acs
(@cons bool true
(@nil bool)))
(Astar
(Aisr empisr)
(Astar
(Agvarmapsto OSEventList
(Tptr OS_EVENT) v´42)
(Astar
(evsllseg v´42
(Vptr
(@pair block Int.int v´29
Int.zero)) v´25 v´27)
(Astar
(evsllseg v´46 Vnull v´26
v´28)
(Astar A_isr_is_prop
(Astar
(Agvarenv´ OSPlaceHolder
Tint8 v´51)
(Astar
(Aabsdata absecblsid
(absecblist v´38))
(Astar
(Aabsdata abstcblsid
(abstcblist v´39))
(Astar
(Aabsdata curtid
(oscurt
(@pair block Int.int v´52
Int.zero)))
(Astar
(AOSEventFreeList v´3)
(Astar
(AOSQFreeList v´4)
(Astar
(AOSQFreeBlk v´5)
(Astar
(GAarray OSMapTbl
(Tarray Tint8
(S
(S
(S (S (S (S (S (S O)))))))))
OSMapVallist)
(Astar
(GAarray OSUnMapTbl
(Tarray Tint8
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S
(S (S (S (S (S (S O)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
OSUnMapVallist)
(Astar AOSIntNesting
(Astar
(AOSTCBFreeList v´21 v´22)
(Astar
(AOSTime (Vint32 v´18))
(Astar
(Aabsdata ostmid
(ostm v´18))
(Astar AGVars
(Astar atoy_inv´
(Astar
(Alvarmapsto pevent
(Tptr OS_EVENT)
(Vptr
(@pair block Int.int v´29
Int.zero)))
(Apure
(Logic.or
(@eq val
(val_inj
(val_eq
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
v´36
(val_inj
(and
(Vint32 x12)
(Vint32
(Int.not
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH))))))))))))
(Vint32 (Int.repr Z0))))
(Vint32 Int.zero))
(@eq val
(val_inj
(val_eq
(nth_val´
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
(update_nth_val
(Z.to_nat
(Int.unsigned
(Int.shru x6
(Int.repr (Zpos (xI xH))))))
v´36
(val_inj
(and
(Vint32 x12)
(Vint32
(Int.not
(Int.shl
(Int.repr (Zpos xH))
(Int.and x6
(Int.repr
(Zpos (xI (xI xH))))))))))))
(Vint32 (Int.repr Z0))))
Vnull)))))))))))))))))))))))))))))))))))))))))))))
.
(* gen_tmp2: a generated verification goal (proof context printed by Coq) for
   one fragment of the mutex-post routine.  Every binder up to the final ')' is
   a hypothesis of the proof context; the conclusion is a Hoare triple
   {| spec |} |- {{ pre }} stmts {{ post }} over five C statements that make the
   current task ready again under priority `prio` and rewrite two entries of
   OSTCBPrioTbl.  Variable names are the machine-generated ones (v´N, xN, HN);
   the comments below only record what the hypotheses themselves state. *)
Definition gen_tmp2:= forall
(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
(* v´30 : the OSTCBPrioTbl contents (H46/H51: 64 pointer slots); v´36 : the
   OSRdyTbl contents (H54/H58/HH58: 8 byte rows). *)
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
(* v´51 : address of the placeholder TCB (G&OSPlaceHolder == v´51 in the
   triple); H92 below says OSTCBPrioTbl[prio] currently holds Vptr v´51. *)
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
(* v´29 : block of the mutex ECB being posted (the argument of mutexpost). *)
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
(* x : the mutex's 16-bit count word.  Throughout this goal its upper byte
   (x>>ᵢ$ 8) is used as `pip` and its lower byte (x&$ OS_MUTEX_KEEP_LOWER_8)
   as `prio`, the owner's original priority (see H6 and the LV pip / LV prio
   conjuncts of the triple). *)
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
(* v´52 : block of the current TCB (OSTCBCur |-> Vptr (v´52, Int.zero)). *)
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
(* H29/H35: this is the branch where the mutex is NOT available, i.e. it has
   an owner; H47/H48: pip is numerically below the owner priority and the
   owner priority is < 64. *)
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
(* H6: abstract mutex state — pip, owner (v´52, $ 0) at priority prio, wait
   set w. *)
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
(* x1 / x0: current OSTCBPrioTbl entries at prio and at pip (H52, H53). *)
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
(* i7 : the current OSRdyGrp byte (GV OSRdyGrp |-> Vint32 i7 in the pre). *)
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
(* x2, x4, x5: the two-level OSUnMapTbl lookup over the event table —
   x2 = OSUnMapTbl[i], x4 = v´44[x2], x5 = OSUnMapTbl[x4] (H61, H63, H66);
   the local `x` holds (x2<<$ 3)+ᵢx5. *)
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
(* H68: the value of the C guard `i != 0 && ((x2<<3)+x5 <= pip mod 256)` is
   zero or Vnull here, i.e. this is the path on which that guard did not
   hold (the branch structure itself is outside this goal). *)
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
(* x6 : the current task's priority before this fragment (OSTCBPrio field
   in H73/backup2); x14 : its OSTCBStat; H28: x6 is not below pip. *)
x6 : int32
)(
x14 : int32
)(
H77 : 0 <= Int.unsigned x6
)(
H85 : Int.unsigned x6 < 64
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H43 : Int.unsigned (x6>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<(x6>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<(x6&$ 7)) <= 255
)(
H42 : Int.unsigned (x6&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x6, t, m) x10 v´45
)(
H41 : Int.unsigned x6 <= 255
)(
H28 : Int.ltu x6 (x>>ᵢ$ 8) = false
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
v´36 (x6, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: v´35) v´36 v´45
)(
(* r1–r4 and H71/H76/H80: the row (>>ᵢ$ 3) and column (&$ 7) indices derived
   from pip and prio are < 8, so the OSMapTbl / OSRdyTbl accesses below are
   in bounds. *)
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
(* x8 = OSMapTbl[prio>>3] (the new OSTCBBitY, H74); x9 and x11 are both
   OSMapTbl[prio&7] (H78, H81 bind the same lookup twice) — x11 is the value
   the post-condition uses as the new OSTCBBitX. *)
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
r5 : Int.unsigned (x6>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned (x6&$ 7) < 8
)(
(* rr1–rr6 / rrr1–rrr6: the same in-bounds facts restated against
   length v´36 (nat and Z forms), as needed by the update_nth_val lemmas. *)
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned (x6&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned (x6>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned (x6&$ 7) < Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36) = true
)(
(* x16, x13, x12: the OSRdyTbl rows for pip, prio and the current priority
   x6 (H88, H87, H86), each a byte (H91, H90, H89). *)
x16 : int32
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36 = Vint32 x12
)(
H89 : Int.unsigned x12 <= 255
)(
(* H92: OSTCBPrioTbl[prio] is the placeholder entry before the assignments. *)
H92 : x1 = Vptr v´51
),
(* Spec/frame part of the triple: the function's local-variable layout and
   the "END v" abstract step, with Afalse as the (unreachable) return frame. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition.  Note the state already reached by earlier fragments: the
   current TCB's OSTCBPrio/OSTCBX/OSTCBY fields hold prio and its split, the
   x6 row of OSRdyTbl has the bit (1 << (x6&7)) cleared, OSRdyGrp is still
   i7 and OSTCBPrioTbl is still v´30.  The trailing pure fact records the
   result of the "row became zero?" test on that cleared row. *)
{{ <|| mutexpost (Vptr (v´29, Int.zero) :: nil) ||> **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
Astruct (v´52, Int.zero) OS_TCB
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7)) :: Vint32 x8 :: nil) **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE)
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj (and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))) **
LV os_code_defs.x @ Int8u |-> Vint32 ((x2<<$ 3)+ᵢx5) **
LV legal @ Int8u |-> Vint32 x2 **
PV v´51 @ Int8u |-> v´32 **
dllseg x7 (Vptr (v´52, Int.zero)) v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´31 **
dllseg v´31 Vnull v´24 (Vptr (v´52, Int.zero)) v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
LV prio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (v´29, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil) **
Aarray v´23 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´44 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
A_isr_is_prop **
GV OSRdyGrp @ Int8u |-> Vint32 i7 **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64) v´30 **
G&OSPlaceHolder @ Int8u == v´51 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
GAarray OSMapTbl (Tarray Int8u 8) OSMapVallist **
GAarray OSUnMapTbl (Tarray Int8u 256) OSUnMapVallist **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
[|val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) = Vint32 Int.zero \/
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) = Vnull|]}}
(* The five statements under verification: load OSTCBBitX from OSMapTbl,
   OR OSTCBBitY into OSRdyGrp, OR OSTCBBitX into the OSRdyTbl row OSTCBY,
   then point OSTCBPrioTbl[prio] at the current TCB and OSTCBPrioTbl[pip]
   at the placeholder. *)
OSTCBCur ′ → OSTCBBitX =ₑ OSMapTbl ′ [OSTCBCur ′ → OSTCBX];ₛ
OSRdyGrp ′ =ₑ OSRdyGrp ′ |ₑ OSTCBCur ′ → OSTCBBitY;ₛ
OSRdyTbl ′ [OSTCBCur ′ → OSTCBY] =ₑ
OSRdyTbl ′ [OSTCBCur ′ → OSTCBY] |ₑ OSTCBCur ′ → OSTCBBitX;ₛ
OSTCBPrioTbl ′ [prio ′] =ₑ 〈OS_TCB ∗ 〉 OSTCBCur ′;ₛ
OSTCBPrioTbl ′ [pip ′] =ₑ 〈OS_TCB ∗ 〉 os_mutex.PlaceHolder
(* Postcondition: OSTCBPrioTbl[prio] := Vptr (v´52, Int.zero) and then
   OSTCBPrioTbl[pip] := Vptr v´51 (outer update); the OSRdyTbl row prio>>3
   is OR-ed with x11 on top of the already-cleared x6 row; OSRdyGrp becomes
   Int.or i7 x8; the TCB's OSTCBBitX field becomes x11.  Everything else is
   carried over unchanged from the precondition. *)
{{ <|| mutexpost (Vptr (v´29, Int.zero) :: nil) ||> **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil) **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64)
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val
(Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30
(Vptr (v´52, Int.zero))) (Vptr v´51)) **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE)
(update_nth_val
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj (and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7)))))))
(val_inj
(or
(nth_val´
(Z.to_nat
(Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(Vint32 x11)))) **
GV OSRdyGrp @ Int8u |-> Vint32 (Int.or i7 x8) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
Astruct (v´52, Int.zero) OS_TCB
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)
:: Vint32 x11 :: Vint32 x8 :: nil) **
LV os_code_defs.x @ Int8u |-> Vint32 ((x2<<$ 3)+ᵢx5) **
LV legal @ Int8u |-> Vint32 x2 **
PV v´51 @ Int8u |-> v´32 **
dllseg x7 (Vptr (v´52, Int.zero)) v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´31 **
dllseg v´31 Vnull v´24 (Vptr (v´52, Int.zero)) v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
LV prio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (v´29, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil) **
Aarray v´23 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´44 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
A_isr_is_prop **
G&OSPlaceHolder @ Int8u == v´51 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
GAarray OSMapTbl (Tarray Int8u 8) OSMapVallist **
GAarray OSUnMapTbl (Tarray Int8u 256) OSUnMapVallist **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
[|val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) = Vint32 Int.zero \/
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) = Vnull|]}}.
Definition gen_post3:= forall
(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x0 : val
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x14 : int32
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
x16 : int32
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H89 : Int.unsigned x12 <= 255
)(
last_condition : ProtectWrapper (x14 = $ OS_STAT_RDY /\ i6 = $ 0)
)(
t1 : int32
)(
t3 : Int.unsigned t1 <= 255
)(
t11 : int32
)(
t13 : Int.unsigned t11 <= 255
)(
v´34 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some (Vptr v´51)
)(
H99 : i <> Int.zero
)(
H100 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H101 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H68 : Int.ltu (x>>ᵢ$ 8) ((x2<<$ 3)+ᵢx5) = true
)(
H77 : 0 <= Int.unsigned (x>>ᵢ$ 8)
)(
H85 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H43 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)&$ 7)) <= 255
)(
H42 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x>>ᵢ$ 8, t, m) x10 v´45
)(
H41 : Int.unsigned (x>>ᵢ$ 8) <= 255
)(
H28 : Int.ltu (x>>ᵢ$ 8) (x>>ᵢ$ 8) = false
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) v´36
(x>>ᵢ$ 8, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) :: v´35) v´36 v´45
)(
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
r5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x12
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
H94 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vnull
)(
H95 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vundef
)(
H96 : array_type_vallist_match Int8u
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
)(
H97 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t2 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t1
)(
H98 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t12 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t11
)(
v´37 : val
),
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{event_rdy_post3
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´37)
(logic_lv
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val
(Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30
(Vptr (v´52, Int.zero))) (Vptr v´51))
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32
((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)
:: Vint32 x11 :: Vint32 x8 :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv
(update_nth_val
(Z.to_nat
(Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val
(Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12)
(Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
(val_inj (or (Vint32 t1) (Vint32 x11))))
:: logic_val v´34
:: logic_abstcb
(TcbMod.set v´39 (v´52, Int.zero)
(x&$ OS_MUTEX_KEEP_LOWER_8, t, m))
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´37 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* gen_post5: proof obligation for the final statements of the mutex post
   operation in the case where the mutex is held (H35) and the event's
   pointer field is the current task (H5, H8, H26).  The OSEventCnt word x
   packs pip in its upper byte (x>>8, bound to the local pip below) and the
   owner priority in its lower byte (x & OS_MUTEX_KEEP_LOWER_8).  The
   precondition is event_rdy_post5 applied to the already-updated priority
   table, TCB node and ready table; the visible part of the preceding
   obligation is identical except that it uses event_rdy_post3.
   The spec context fixes the return postcondition (all locals exist again,
   Aie true / Acs nil, abstract code at END v), while the normal-exit
   postcondition is Afalse, so the statement list is only expected to leave
   through its RETURN.
   NOTE(review): this reads like an exported Coq goal - several hypotheses
   are duplicated (H10/H22, H16/H24, rr1/rr5, aa/aa3, ...) and the binder
   names are presumably referenced by name in the proof, so do not rename
   or drop them. *)
Definition gen_post5:= forall
(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
(* the lower byte of x is not OS_MUTEX_AVAILABLE: the mutex is owned, so
   H26 applies and H25 is vacuous *)
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
(* owner priority (and pip, H15 below) index the 64-entry priority table
   v´30 (H51, H52, H53) *)
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x0 : val
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x14 : int32
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
(* x11 is the OSMapVallist bit mask for the owner priority; it is or-ed into
   the ready table in the precondition below *)
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
x16 : int32
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H89 : Int.unsigned x12 <= 255
)(
(* the current task's status field x14 is RDY and i6 is 0 (i6 is the TCB
   field right after m; presumably the delay counter - confirm against the
   TCB layout) *)
last_condition : ProtectWrapper (x14 = $ OS_STAT_RDY /\ i6 = $ 0)
)(
t1 : int32
)(
t3 : Int.unsigned t1 <= 255
)(
t11 : int32
)(
t13 : Int.unsigned t11 <= 255
)(
v´34 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some (Vptr v´51)
)(
H99 : i <> Int.zero
)(
H100 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H101 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
(* priority-inheritance invariant: pip (x>>8) is numerically below the
   owner priority (lower byte of x) *)
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H68 : Int.ltu (x>>ᵢ$ 8) ((x2<<$ 3)+ᵢx5) = true
)(
H77 : 0 <= Int.unsigned (x>>ᵢ$ 8)
)(
H85 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H43 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)&$ 7)) <= 255
)(
H42 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) <= 255
)(
(* the current TCB is presently recorded at priority pip in the abstract
   TCB map; the precondition below moves it back to the lower byte of x
   via TcbMod.set *)
H70 : TcbJoin (v´52, Int.zero) (x>>ᵢ$ 8, t, m) x10 v´45
)(
H41 : Int.unsigned (x>>ᵢ$ 8) <= 255
)(
H28 : Int.ltu (x>>ᵢ$ 8) (x>>ᵢ$ 8) = false
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) v´36
(x>>ᵢ$ 8, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) :: v´35) v´36 v´45
)(
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
r5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x12
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
H94 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vnull
)(
H95 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vundef
)(
(* H96..t12 describe v´36 with the pip bit cleared: row pip>>3 is x12 masked
   with not (1<<(pip&7)).  t1 is row prio>>3 of that table (t2) and t11 its
   row pip>>3 (t12). *)
H96 : array_type_vallist_match Int8u
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
)(
H97 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t2 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t1
)(
H98 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t12 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t11
)(
(* value held by the local prio (LV prio below).  No constraint on it is
   visible in this obligation: NOTE(review) - whatever bound the or-ing into
   OSEventCnt and the OSTCBPrioTbl index need must come from
   event_rdy_post5, confirm against its definition *)
v´37 : val
),
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{event_rdy_post5
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´37)
(* priority table: the owner-priority slot now holds the current TCB and the
   pip slot holds the value that H52 found in the owner-priority slot *)
(logic_lv
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val
(Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30
(Vptr (v´52, Int.zero))) (Vptr v´51))
(* current TCB node with priority / bit fields rewritten for the restored
   (owner) priority instead of pip; compare with H73 *)
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32
((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)
:: Vint32 x11 :: Vint32 x8 :: nil)
:: logic_llv v´33
:: logic_llv v´35
(* ready table: pip bit cleared (see H96), then row prio>>3 or-ed with the
   owner-priority mask x11 (H81) *)
:: logic_lv
(update_nth_val
(Z.to_nat
(Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val
(Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12)
(Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
(val_inj (or (Vint32 t1) (Vint32 x11))))
:: logic_val v´34
:: logic_abstcb
(TcbMod.set v´39 (v´52, Int.zero)
(x&$ OS_MUTEX_KEEP_LOWER_8, t, m))
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´37 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
(* the code under verification: clear the owner-priority byte of OSEventCnt,
   or the local prio back into it, point OSEventPtr at the priority-table
   slot for prio, leave the critical section (the precondition has
   Aie false / Acs (true :: nil), the return post Aie true / Acs nil),
   reschedule and return OS_NO_ERR *)
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
Definition gen_post1´:= forall
(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x0 : val
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x14 : int32
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
x16 : int32
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H89 : Int.unsigned x12 <= 255
)(
last_condition : ProtectWrapper (x14 = $ OS_STAT_RDY /\ i6 = $ 0)
)(
t1 : int32
)(
t3 : Int.unsigned t1 <= 255
)(
t11 : int32
)(
t13 : Int.unsigned t11 <= 255
)(
v´34 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some (Vptr v´51)
)(
H99 : i <> Int.zero
)(
H100 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H101 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H68 : Int.ltu (x>>ᵢ$ 8) ((x2<<$ 3)+ᵢx5) = true
)(
H77 : 0 <= Int.unsigned (x>>ᵢ$ 8)
)(
H85 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H43 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)&$ 7)) <= 255
)(
H42 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x>>ᵢ$ 8, t, m) x10 v´45
)(
H41 : Int.unsigned (x>>ᵢ$ 8) <= 255
)(
H28 : Int.ltu (x>>ᵢ$ 8) (x>>ᵢ$ 8) = false
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) v´36
(x>>ᵢ$ 8, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) :: v´35) v´36 v´45
)(
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
r5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x12
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
H94 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vnull
)(
H95 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vundef
)(
H96 : array_type_vallist_match Int8u
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
)(
H97 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t2 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t1
)(
H98 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t12 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t11
)(
v´37 : val
),
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{event_rdy_post1´
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´37)
(logic_lv
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val
(Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30
(Vptr (v´52, Int.zero))) (Vptr v´51))
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32
((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)
:: Vint32 x11 :: Vint32 x8 :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv
(update_nth_val
(Z.to_nat
(Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val
(Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12)
(Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
(val_inj (or (Vint32 t1) (Vint32 x11))))
:: logic_val v´34
:: logic_abstcb
(TcbMod.set v´39 (v´52, Int.zero)
(x&$ OS_MUTEX_KEEP_LOWER_8, t, m))
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´37 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Verification condition for the last statements of OSMutexPost, taken
   under the precondition event_rdy_post3´ (defined elsewhere; its name
   suggests the state reached after the event-ready step of the post,
   confirm against its definition). Every binder below is a hypothesis
   carried over from the earlier part of the proof; the judgment at the
   end is what has to be proved. Points worth knowing when discharging it:
   - v´30 appears to model OSTCBPrioTbl (H46/H49/H50): H51 fixes it at
     64 entries and H48/H15/H85 bound both the owner priority
     (x&$ OS_MUTEX_KEEP_LOWER_8) and the inherited priority (x>>ᵢ$ 8)
     below 64.
   - The program reads OSTCBPrioTbl ′ [prio ′], but prio holds v´37,
     which has no bound among these hypotheses; the in-bounds argument
     for that index has to come from event_rdy_post3´ ... (Some v´37).
   - H47 orders the two priorities (inherited priority unsigned-below
     the owner priority); H28/H94/H95 compare the inherited priority
     with itself and carry no information.
   - gen_post5´ below appears to differ from this definition only in
     the name of the precondition. *)
Definition gen_post3´:= forall
(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat (* the table indexed by prio below has 64 slots *)
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x0 : val
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x14 : int32
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
x16 : int32
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H89 : Int.unsigned x12 <= 255
)(
last_condition : ProtectWrapper (x14 = $ OS_STAT_RDY /\ i6 = $ 0)
)(
t1 : int32
)(
t3 : Int.unsigned t1 <= 255
)(
t11 : int32
)(
t13 : Int.unsigned t11 <= 255
)(
v´34 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some (Vptr v´51)
)(
H99 : i <> Int.zero
)(
H100 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H101 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true (* inherited priority (pip) unsigned-below owner priority *)
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H68 : Int.ltu (x>>ᵢ$ 8) ((x2<<$ 3)+ᵢx5) = true
)(
H77 : 0 <= Int.unsigned (x>>ᵢ$ 8)
)(
H85 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H43 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)&$ 7)) <= 255
)(
H42 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x>>ᵢ$ 8, t, m) x10 v´45
)(
H41 : Int.unsigned (x>>ᵢ$ 8) <= 255
)(
H28 : Int.ltu (x>>ᵢ$ 8) (x>>ᵢ$ 8) = false
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) v´36
(x>>ᵢ$ 8, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) :: v´35) v´36 v´45
)(
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
r5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x12
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
H94 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vnull
)(
H95 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vundef
)(
H96 : array_type_vallist_match Int8u
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
)(
H97 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t2 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t1
)(
H98 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t12 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t11
)(
v´37 : val
),
(* Judgment: under the spec tuple (OSQ_spec, GetHPrio, I, a return
   assertion over v : option val, Afalse) the statements below run from
   event_rdy_post3´ ... to Afalse. The return assertion only asks that
   the five locals exist and that the interrupt/critical-section state
   be (Aie true, Ais nil, Acs nil, Aisr empisr); the precondition has
   Aie false and Acs (true :: nil) instead, presumably encoding that
   the block starts inside the critical section EXIT_CRITICAL leaves.
   Note prio holds v´37 and pip holds Vint32 (x>>ᵢ$ 8). *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{event_rdy_post3´
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´37)
(logic_lv
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val
(Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30
(Vptr (v´52, Int.zero))) (Vptr v´51))
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32
((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)
:: Vint32 x11 :: Vint32 x8 :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv
(update_nth_val
(Z.to_nat
(Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val
(Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12)
(Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
(val_inj (or (Vint32 t1) (Vint32 x11))))
:: logic_val v´34
:: logic_abstcb
(TcbMod.set v´39 (v´52, Int.zero)
(x&$ OS_MUTEX_KEEP_LOWER_8, t, m))
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´37 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
(* Remaining C statements of OSMutexPost: mask OSEventCnt with
   OS_MUTEX_KEEP_UPPER_8, or prio into its low byte, reload OSEventPtr
   from OSTCBPrioTbl[prio], leave the critical section, reschedule and
   return OS_NO_ERR. The postcondition Afalse excludes normal
   fall-through; the RETURN is governed by the return assertion in the
   spec tuple (presumably via the framework's rule for RETURN). *)
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Verification condition for the last statements of OSMutexPost, taken
   under the precondition event_rdy_post5´ (defined elsewhere; confirm
   its meaning against its definition). It appears to differ from
   gen_post3´ above only in the name of that precondition: the same
   hypotheses are carried over and the same judgment is to be proved.
   As there, v´30 appears to model OSTCBPrioTbl (H46/H49/H50) with 64
   entries (H51), H48/H15/H85 bound the owner priority
   (x&$ OS_MUTEX_KEEP_LOWER_8) and the inherited priority (x>>ᵢ$ 8)
   below 64, and H47 orders the two. The index used by the program,
   prio, holds v´37, which is unconstrained by these hypotheses; its
   bound has to come from event_rdy_post5´ ... (Some v´37). *)
Definition gen_post5´:= forall
(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat (* the table indexed by prio below has 64 slots *)
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x0 : val
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x14 : int32
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
x16 : int32
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H89 : Int.unsigned x12 <= 255
)(
last_condition : ProtectWrapper (x14 = $ OS_STAT_RDY /\ i6 = $ 0)
)(
t1 : int32
)(
t3 : Int.unsigned t1 <= 255
)(
t11 : int32
)(
t13 : Int.unsigned t11 <= 255
)(
v´34 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some (Vptr v´51)
)(
H99 : i <> Int.zero
)(
H100 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H101 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true (* inherited priority (pip) unsigned-below owner priority *)
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H68 : Int.ltu (x>>ᵢ$ 8) ((x2<<$ 3)+ᵢx5) = true
)(
H77 : 0 <= Int.unsigned (x>>ᵢ$ 8)
)(
H85 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H43 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<((x>>ᵢ$ 8)&$ 7)) <= 255
)(
H42 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x>>ᵢ$ 8, t, m) x10 v´45
)(
H41 : Int.unsigned (x>>ᵢ$ 8) <= 255
)(
H28 : Int.ltu (x>>ᵢ$ 8) (x>>ᵢ$ 8) = false
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) v´36
(x>>ᵢ$ 8, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x>>ᵢ$ 8)
:: Vint32 ((x>>ᵢ$ 8)&$ 7)
:: Vint32 ((x>>ᵢ$ 8)>>ᵢ$ 3)
:: Vint32 ($ 1<<((x>>ᵢ$ 8)&$ 7))
:: Vint32 ($ 1<<((x>>ᵢ$ 8)>>ᵢ$ 3))
:: nil) :: v´35) v´36 v´45
)(
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
r5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x12
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
H94 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vnull
)(
H95 : val_inj
(if Int.eq (x>>ᵢ$ 8) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vundef
)(
H96 : array_type_vallist_match Int8u
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
)(
H97 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t2 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t1
)(
H98 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) <
length
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))))%nat
)(
t12 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7))))))) =
Vint32 t11
)(
v´37 : val
),
(* Judgment: under the spec tuple (OSQ_spec, GetHPrio, I, a return
   assertion over v : option val, Afalse) the statements below run from
   event_rdy_post5´ ... to Afalse. The return assertion only asks that
   the five locals exist and that the interrupt/critical-section state
   be (Aie true, Ais nil, Acs nil, Aisr empisr); the precondition has
   Aie false and Acs (true :: nil) instead, presumably encoding that
   the block starts inside the critical section EXIT_CRITICAL leaves.
   Note prio holds v´37 and pip holds Vint32 (x>>ᵢ$ 8). *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{event_rdy_post5´
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´37)
(logic_lv
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val
(Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30
(Vptr (v´52, Int.zero))) (Vptr v´51))
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32
((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)
:: Vint32 x11 :: Vint32 x8 :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv
(update_nth_val
(Z.to_nat
(Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val
(Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12)
(Vint32 (Int.not ($ 1<<((x>>ᵢ$ 8)&$ 7)))))))
(val_inj (or (Vint32 t1) (Vint32 x11))))
:: logic_val v´34
:: logic_abstcb
(TcbMod.set v´39 (v´52, Int.zero)
(x&$ OS_MUTEX_KEEP_LOWER_8, t, m))
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´37 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
(* Remaining C statements of OSMutexPost: mask OSEventCnt with
   OS_MUTEX_KEEP_UPPER_8, or prio into its low byte, reload OSEventPtr
   from OSTCBPrioTbl[prio], leave the critical section, reschedule and
   return OS_NO_ERR. The postcondition Afalse excludes normal
   fall-through; the RETURN is governed by the return assertion in the
   spec tuple (presumably via the framework's rule for RETURN). *)
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Generated proof obligation for the tail of OSMutexPost in the owned-mutex
   case (presumably a waiting task has just been made ready by the preceding
   step, whose result is the assertion event_rdy_post1´ in the precondition).
   The judgement has the shape
     {| OSQ_spec, GetHPrio, I, return-post, Afalse |} |- {{ pre }} stmts {{ Afalse }}
   over the last five C statements of OSMutexPost: keep only the upper byte
   of OSEventCnt, OR in the new owner priority from the local prio, set
   OSEventPtr from OSTCBPrioTbl[prio], leave the critical section, call
   OS_Sched and return OS_NO_ERR.  The binders are the proof context at that
   point; the names v´N / xN / HN are goal-generated and carry no meaning of
   their own.  Points worth checking against this context before the goal is
   discharged:
   - x is the 16-bit OSEventCnt of the mutex (third field of the event vallist
     in H5 and H1, H10).  x>>8 is the priority-inheritance priority and is what
     the local pip holds; x & OS_MUTEX_KEEP_LOWER_8 is the owner priority.
     Both bytes are below 64 (H15, H48) and the PIP is numerically below the
     owner priority (H47, H9), which is what keeps the derived table indices
     below in range.
   - the ready table v´36 has length 8 (HH58) and every index formed from x
     and x6 is bounded by rr1-rr6 / rrr1-rrr6; the 64-entry priority table
     v´30 (H46, H51) is defined at both bytes of x (H52, H53).
   - the local prio holds v´34 : val, about which this context states
     nothing; the range needed for OSTCBPrioTbl ′ [prio ′] has to come from
     event_rdy_post1´ itself - confirm when the obligation is proved.
   This definition appears to differ from gen_OSMutexPost3_3_event_rdy_post1
   only in using the primed assertion event_rdy_post1´ in the precondition. *)
Definition gen_OSMutexPost3_3_event_rdy_post1´ := forall (
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
(* Abstract-level invariants of an outer state (maps v´16 / v´17); the maps in
   force here are v´38 (ECB) and v´39 (TCB), see H7 and HECBList / HTCBList
   below. *)
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
(* The event list is cut at the mutex node (v´29, Int.zero): the prefix
   v´25 / v´27 runs from v´42 to it (H2), the suffix v´26 / v´28 from v´46 to
   Vnull (H3).  H1 below re-states the whole list with the mutex node in the
   middle; H17 joins the prefix map v´47 with v´49, which by H6 is the node
   plus the suffix map v´48. *)
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
(* x is the OSEventCnt value of this mutex (third field of the event vallist
   in H5 / H1; a 16-bit value by H10).  The upper byte x>>8 is the
   priority-inheritance priority and is what the local pip holds in the
   precondition; the lower byte x & OS_MUTEX_KEEP_LOWER_8 is the owner
   priority (H6). *)
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
(* Owned-mutex branch: the owner byte is not OS_MUTEX_AVAILABLE (H35), the
   PIP is numerically below the owner priority (H47), and both are valid
   priority-table indices, below 64 (H15, H48). *)
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
(* Abstract view of the mutex node: absmutexsem with PIP x>>8, owner
   (v´52, $ 0) at the lower-byte priority, wait set w.  H4 / H9 / H13 / H25 /
   H26 are apparently the unfolding of the RLH_ECBData_P fact kept as backup. *)
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
(* v´30 is the 64-entry table of TCB pointers (H46, H51), presumably
   OSTCBPrioTbl; it is defined at both the owner byte and the PIP byte of x
   (H52, H53). *)
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
(* v´36 is the 8-byte ready table (H58, HH58) with group byte i7 (H56); the
   idle priority is always set in it (H57). *)
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
(* Lookup chain over the event wait table v´44: x2 = OSUnMapVallist[i],
   x4 = v´44[x2], x5 = OSUnMapVallist[x4], every index shown in range (H60,
   fffbb2, H65) and x2, x5 < 8 (fffbb, ttfasd).  (x2<<3)+x5 is presumably the
   highest priority waiting on the event. *)
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
(* H68 states that the C condition
     i != 0 && ((x2<<3)+x5 < pip || (x2<<3)+x5 == pip)
   evaluated to false (the Vnull alternative is presumably vacuous), while
   H94-H96 state that its first conjunct i != 0 is true and well-defined.
   Read together, the candidate priority (x2<<3)+x5 is strictly above the
   PIP - confirm against the C source of OSMutexPost. *)
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
(* Current task (v´52, Int.zero), also HCurTCB below: priority x6 (< 64,
   H85), status word x14 (one of the OS_STAT_ values, H82), apparently the
   event pointer x15 (Vnull when ready, H84) and message m.  H70 places
   (x6, t, m) in the TCB map; H73 / backup2 tie the TCB vallist to the ready
   table.  H28 / H93: x6 is neither below nor equal to the PIP. *)
x6 : int32
)(
x14 : int32
)(
H77 : 0 <= Int.unsigned x6
)(
H85 : Int.unsigned x6 < 64
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H43 : Int.unsigned (x6>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<(x6>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<(x6&$ 7)) <= 255
)(
H42 : Int.unsigned (x6&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x6, t, m) x10 v´45
)(
H41 : Int.unsigned x6 <= 255
)(
H28 : Int.ltu x6 (x>>ᵢ$ 8) = false
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
v´36 (x6, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: v´35) v´36 v´45
)(
(* Bit / byte decompositions of the PIP and owner priority (r1-r4) and of x6
   (r5, r6), their OSMapVallist images (x8, x9, x11), and bounds for every
   ready-table index they produce (rr1-rr6, rrr1-rrr6); x16, x13, x12 are the
   ready-table bytes read at those indices. *)
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
r5 : Int.unsigned (x6>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned (x6&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned (x6&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned (x6>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned (x6&$ 7) < Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36) = true
)(
x16 : int32
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36 = Vint32 x12
)(
H89 : Int.unsigned x12 <= 255
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
H93 : val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull
)(
H94 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <>
Vint32 Int.zero
)(
H95 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H96 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
(* Value held by the local prio.  Nothing in this context bounds it, so the
   range needed for OSTCBPrioTbl ′ [prio ′] below must come from the
   event_rdy_post1´ assertion. *)
v´34 : val
),
(* Judgement context: OSQ_spec, GetHPrio, invariant I, the return
   post-assertion, and Afalse.  In the return post the five locals are
   existentially quantified, Aie is true and Acs is nil, whereas the
   precondition below has Aie false and Acs (true :: nil): the critical
   section entered earlier is still open and is closed by EXIT_CRITICAL. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the event_rdy_post1´ assertion instantiated with the logic
   variables above, the open critical section, the locals (prio = v´34,
   os_code_defs.x = OS_STAT_MUTEX, legal = x2, pip = x>>8, pevent = the mutex
   node), the two event-list segments around the node, and the global kernel
   state. *)
{{event_rdy_post1´
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´34)
(logic_lv v´30
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv v´36
:: logic_val (Vint32 i7)
:: logic_abstcb v´39
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´34 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
(* Program tail: keep the PIP byte of OSEventCnt, OR in prio as the new owner
   byte, set OSEventPtr from OSTCBPrioTbl[prio], leave the critical section,
   reschedule and return OS_NO_ERR.  The {{Afalse}} post presumably reflects
   that control never falls through the RETURN. *)
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Generated proof obligation for the tail of OSMutexPost in the owned-mutex
   case (presumably a waiting task has just been made ready by the preceding
   step, whose result is the assertion event_rdy_post1 in the precondition).
   The judgement has the shape
     {| OSQ_spec, GetHPrio, I, return-post, Afalse |} |- {{ pre }} stmts {{ Afalse }}
   over the last five C statements of OSMutexPost: keep only the upper byte
   of OSEventCnt, OR in the new owner priority from the local prio, set
   OSEventPtr from OSTCBPrioTbl[prio], leave the critical section, call
   OS_Sched and return OS_NO_ERR.  The binders are the proof context at that
   point; the names v´N / xN / HN are goal-generated and carry no meaning of
   their own.  Points worth checking against this context before the goal is
   discharged:
   - x is the 16-bit OSEventCnt of the mutex (third field of the event vallist
     in H5 and H1, H10).  x>>8 is the priority-inheritance priority and is what
     the local pip holds; x & OS_MUTEX_KEEP_LOWER_8 is the owner priority.
     Both bytes are below 64 (H15, H48) and the PIP is numerically below the
     owner priority (H47, H9), which is what keeps the derived table indices
     below in range.
   - the ready table v´36 has length 8 (HH58) and every index formed from x
     and x6 is bounded by rr1-rr6 / rrr1-rrr6; the 64-entry priority table
     v´30 (H46, H51) is defined at both bytes of x (H52, H53).
   - the local prio holds v´34 : val, about which this context states
     nothing; the range needed for OSTCBPrioTbl ′ [prio ′] has to come from
     event_rdy_post1 itself - confirm when the obligation is proved.
   This definition appears to differ from gen_OSMutexPost3_3_event_rdy_post1´
   only in using the unprimed assertion event_rdy_post1 in the precondition. *)
Definition gen_OSMutexPost3_3_event_rdy_post1:= forall
(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
(* Abstract-level invariants of an outer state (maps v´16 / v´17); the maps in
   force here are v´38 (ECB) and v´39 (TCB), see H7 and HECBList / HTCBList
   below. *)
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
(* The event list is cut at the mutex node (v´29, Int.zero): the prefix
   v´25 / v´27 runs from v´42 to it (H2), the suffix v´26 / v´28 from v´46 to
   Vnull (H3).  H1 below re-states the whole list with the mutex node in the
   middle; H17 joins the prefix map v´47 with v´49, which by H6 is the node
   plus the suffix map v´48. *)
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
(* x is the OSEventCnt value of this mutex (third field of the event vallist
   in H5 / H1; a 16-bit value by H10).  The upper byte x>>8 is the
   priority-inheritance priority and is what the local pip holds in the
   precondition; the lower byte x & OS_MUTEX_KEEP_LOWER_8 is the owner
   priority (H6). *)
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
(* Owned-mutex branch: the owner byte is not OS_MUTEX_AVAILABLE (H35), the
   PIP is numerically below the owner priority (H47), and both are valid
   priority-table indices, below 64 (H15, H48). *)
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
(* Abstract view of the mutex node: absmutexsem with PIP x>>8, owner
   (v´52, $ 0) at the lower-byte priority, wait set w.  H4 / H9 / H13 / H25 /
   H26 are apparently the unfolding of the RLH_ECBData_P fact kept as backup. *)
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
(* v´30 is the 64-entry table of TCB pointers (H46, H51), presumably
   OSTCBPrioTbl; it is defined at both the owner byte and the PIP byte of x
   (H52, H53). *)
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
(* v´36 is the 8-byte ready table (H58, HH58) with group byte i7 (H56); the
   idle priority is always set in it (H57). *)
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
(* Lookup chain over the event wait table v´44: x2 = OSUnMapVallist[i],
   x4 = v´44[x2], x5 = OSUnMapVallist[x4], every index shown in range (H60,
   fffbb2, H65) and x2, x5 < 8 (fffbb, ttfasd).  (x2<<3)+x5 is presumably the
   highest priority waiting on the event. *)
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
(* H68 states that the C condition
     i != 0 && ((x2<<3)+x5 < pip || (x2<<3)+x5 == pip)
   evaluated to false (the Vnull alternative is presumably vacuous), while
   H94-H96 state that its first conjunct i != 0 is true and well-defined.
   Read together, the candidate priority (x2<<3)+x5 is strictly above the
   PIP - confirm against the C source of OSMutexPost. *)
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
(* Current task (v´52, Int.zero), also HCurTCB below: priority x6 (< 64,
   H85), status word x14 (one of the OS_STAT_ values, H82), apparently the
   event pointer x15 (Vnull when ready, H84) and message m.  H70 places
   (x6, t, m) in the TCB map; H73 / backup2 tie the TCB vallist to the ready
   table.  H28 / H93: x6 is neither below nor equal to the PIP. *)
x6 : int32
)(
x14 : int32
)(
H77 : 0 <= Int.unsigned x6
)(
H85 : Int.unsigned x6 < 64
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H43 : Int.unsigned (x6>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<(x6>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<(x6&$ 7)) <= 255
)(
H42 : Int.unsigned (x6&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x6, t, m) x10 v´45
)(
H41 : Int.unsigned x6 <= 255
)(
H28 : Int.ltu x6 (x>>ᵢ$ 8) = false
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
v´36 (x6, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: v´35) v´36 v´45
)(
(* Bit / byte decompositions of the PIP and owner priority (r1-r4) and of x6
   (r5, r6), their OSMapVallist images (x8, x9, x11), and bounds for every
   ready-table index they produce (rr1-rr6, rrr1-rrr6); x16, x13, x12 are the
   ready-table bytes read at those indices. *)
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
r5 : Int.unsigned (x6>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned (x6&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned (x6&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned (x6>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned (x6&$ 7) < Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36) = true
)(
x16 : int32
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36 = Vint32 x12
)(
H89 : Int.unsigned x12 <= 255
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
H93 : val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull
)(
H94 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <>
Vint32 Int.zero
)(
H95 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H96 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
(* Value held by the local prio.  Nothing in this context bounds it, so the
   range needed for OSTCBPrioTbl ′ [prio ′] below must come from the
   event_rdy_post1 assertion. *)
v´34 : val
),
(* Judgement context: OSQ_spec, GetHPrio, invariant I, the return
   post-assertion, and Afalse.  In the return post the five locals are
   existentially quantified, Aie is true and Acs is nil, whereas the
   precondition below has Aie false and Acs (true :: nil): the critical
   section entered earlier is still open and is closed by EXIT_CRITICAL. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the event_rdy_post1 assertion instantiated with the logic
   variables above, the open critical section, the locals (prio = v´34,
   os_code_defs.x = OS_STAT_MUTEX, legal = x2, pip = x>>8, pevent = the mutex
   node), the two event-list segments around the node, and the global kernel
   state. *)
{{event_rdy_post1
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´34)
(logic_lv v´30
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv v´36
:: logic_val (Vint32 i7)
:: logic_abstcb v´39
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´34 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
(* Program tail: keep the PIP byte of OSEventCnt, OR in prio as the new owner
   byte, set OSEventPtr from OSTCBPrioTbl[prio], leave the critical section,
   reschedule and return OS_NO_ERR.  The {{Afalse}} post presumably reflects
   that control never falls through the RETURN. *)
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
Definition gen_OSMutexPost3_3_event_rdy_post3´:= forall (
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x6 : int32
)(
x14 : int32
)(
H77 : 0 <= Int.unsigned x6
)(
H85 : Int.unsigned x6 < 64
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H43 : Int.unsigned (x6>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<(x6>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<(x6&$ 7)) <= 255
)(
H42 : Int.unsigned (x6&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x6, t, m) x10 v´45
)(
H41 : Int.unsigned x6 <= 255
)(
H28 : Int.ltu x6 (x>>ᵢ$ 8) = false
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
v´36 (x6, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: v´35) v´36 v´45
)(
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
r5 : Int.unsigned (x6>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned (x6&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned (x6&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned (x6>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned (x6&$ 7) < Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36) = true
)(
x16 : int32
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36 = Vint32 x12
)(
H89 : Int.unsigned x12 <= 255
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
H93 : val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull
)(
H94 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <>
Vint32 Int.zero
)(
H95 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H96 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
v´34 : val
),
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{event_rdy_post3´
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´34)
(logic_lv v´30
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv v´36
:: logic_val (Vint32 i7)
:: logic_abstcb v´39
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´34 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Generated proof obligation for the straight-line tail of OSMutexPost:
   a Hoare triple, under the spec tuple [{|OSQ_spec , GetHPrio, I, <ret>, Afalse|}],
   for the six statements that hand the mutex to priority [prio], leave the
   critical section, reschedule and return [OS_NO_ERR].
   What the binders record about the state at this point:
   - [x] is the OSEventCnt word of mutex [(v´29, Int.zero)]: its upper byte
     [x>>ᵢ$ 8] is the priority-inheritance priority (local [pip]) and its
     lower byte [x&$ OS_MUTEX_KEEP_LOWER_8] the owner priority; [H6] pairs
     them in [absmutexsem].  The mutex is currently owned ([H35]).
   - The current task is [(v´52, Int.zero)] ([HCurTCB], [H70]) with
     priority [x6]; the event's owner field is [Vptr (v´52, $ 0)].
   - The precondition starts from the [event_rdy_post3] logical state; the
     sibling definitions in this file differ only in that predicate.
   The postcondition is [Afalse]: the code ends in RETURN and does not fall
   through, so (presumably) only the tuple's return assertion is checked. *)
Definition gen_OSMutexPost3_3_event_rdy_post3 := forall (
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
(* [x]: the 16-bit OSEventCnt word; [H15]/[H48] keep both of its priority
   bytes below 64, the length of OSTCBPrioTbl ([H51]). *)
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
(* [H35]: the mutex is held (owner byte is not OS_MUTEX_AVAILABLE), so the
   [H26] branch of the owner case split applies, not [H25]. *)
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
(* [v´30] is the concrete OSTCBPrioTbl (64 entries of OS_TCB pointers);
   the third statement below indexes it with [prio]. *)
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
(* [H68]: the C-level test on [i] (event group) and on the unmapped
   priority [(x2<<$ 3)+ᵢx5] versus [pip] evaluated to false/null here. *)
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x6 : int32
)(
x14 : int32
)(
H77 : 0 <= Int.unsigned x6
)(
H85 : Int.unsigned x6 < 64
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H43 : Int.unsigned (x6>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<(x6>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<(x6&$ 7)) <= 255
)(
H42 : Int.unsigned (x6&$ 7) <= 255
)(
(* [H70]: the current task's abstract TCB is [(x6, t, m)]; [x6] is its
   priority, and by [H28]/[H93] it is neither below nor equal to [pip]. *)
H70 : TcbJoin (v´52, Int.zero) (x6, t, m) x10 v´45
)(
H41 : Int.unsigned x6 <= 255
)(
H28 : Int.ltu x6 (x>>ᵢ$ 8) = false
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
v´36 (x6, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: v´35) v´36 v´45
)(
(* [r*]/[rr*]/[rrr*]: bit-group and bit-index bounds (< 8) for the pip,
   owner and current priorities, restated against [length v´36] (the ready
   table, 8 bytes by [HH58]) in nat and in Z. *)
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
r5 : Int.unsigned (x6>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned (x6&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned (x6&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned (x6>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned (x6&$ 7) < Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36) = true
)(
x16 : int32
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36 = Vint32 x12
)(
H89 : Int.unsigned x12 <= 255
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
H93 : val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull
)(
(* [H94]-[H96]: the C test [!(i == 0)] was taken as true, i.e. the event
   wait group [i] is non-zero (some task was waiting on the mutex). *)
H94 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <>
Vint32 Int.zero
)(
H95 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H96 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
(* NOTE(review): [v´34] is the value held in local [prio] and is used as
   the index into OSTCBPrioTbl (64 entries, [H51]) by the third statement,
   yet no binder bounds it.  The in-range fact has to come out of
   [event_rdy_post3 ... (Some v´34)] in the precondition -- confirm. *)
v´34 : val
),
(* Spec tuple: abstract spec, scheduling-choice predicate, invariant, the
   return assertion (all five locals existentially quantified, interrupts
   enabled [Aie true], no critical section [Acs nil], abstract code at
   [END v]) and [Afalse] as the remaining assertion -- presumably the
   exit/abort case; confirm against the triple's definition. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the [event_rdy_post3] logical state for this event and
   [prio = v´34], then the concrete heap: the event list split around
   [pevent] (two [evsllseg] segments), the abstract ECB/TCB maps, the
   current TCB, free lists, time, and the five locals. *)
{{event_rdy_post3
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´34)
(logic_lv v´30
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv v´36
:: logic_val (Vint32 i7)
:: logic_abstcb v´39
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(* Inside a critical section: interrupts disabled, one critical-section
   frame pushed.  EXIT_CRITICAL below is what brings the state to the
   [Aie true]/[Acs nil] shape demanded by the return assertion. *)
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´34 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
(* Clear the low (owner) byte of OSEventCnt, keeping the upper (pip) byte
   -- going by the mask's name. *)
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
(* Record the new owner's priority in the low byte. *)
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
(* Point the event at the new owner's TCB through the priority table. *)
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
(* Leave the critical section, let the scheduler pick the new owner if it
   is now the highest-priority ready task, and report success. *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* Generated proof obligation for the straight-line tail of OSMutexPost:
   a Hoare triple, under the spec tuple [{|OSQ_spec , GetHPrio, I, <ret>, Afalse|}],
   for the six statements that hand the mutex to priority [prio], leave the
   critical section, reschedule and return [OS_NO_ERR].
   This is the same obligation as [gen_OSMutexPost3_3_event_rdy_post3]
   except that the precondition starts from the [event_rdy_post5´] logical
   state instead of [event_rdy_post3]; the binders are identical.
   What the binders record about the state at this point:
   - [x] is the OSEventCnt word of mutex [(v´29, Int.zero)]: its upper byte
     [x>>ᵢ$ 8] is the priority-inheritance priority (local [pip]) and its
     lower byte [x&$ OS_MUTEX_KEEP_LOWER_8] the owner priority; [H6] pairs
     them in [absmutexsem].  The mutex is currently owned ([H35]).
   - The current task is [(v´52, Int.zero)] ([HCurTCB], [H70]) with
     priority [x6]; the event's owner field is [Vptr (v´52, $ 0)].
   The postcondition is [Afalse]: the code ends in RETURN and does not fall
   through, so (presumably) only the tuple's return assertion is checked. *)
Definition gen_OSMutexPost3_3_event_rdy_post5´:= forall (
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
(* [x]: the 16-bit OSEventCnt word; [H15]/[H48] keep both of its priority
   bytes below 64, the length of OSTCBPrioTbl ([H51]). *)
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
(* [H35]: the mutex is held (owner byte is not OS_MUTEX_AVAILABLE), so the
   [H26] branch of the owner case split applies, not [H25]. *)
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
(* [v´30] is the concrete OSTCBPrioTbl (64 entries of OS_TCB pointers);
   the third statement below indexes it with [prio]. *)
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
(* [H68]: the C-level test on [i] (event group) and on the unmapped
   priority [(x2<<$ 3)+ᵢx5] versus [pip] evaluated to false/null here. *)
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x6 : int32
)(
x14 : int32
)(
H77 : 0 <= Int.unsigned x6
)(
H85 : Int.unsigned x6 < 64
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H43 : Int.unsigned (x6>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<(x6>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<(x6&$ 7)) <= 255
)(
H42 : Int.unsigned (x6&$ 7) <= 255
)(
(* [H70]: the current task's abstract TCB is [(x6, t, m)]; [x6] is its
   priority, and by [H28]/[H93] it is neither below nor equal to [pip]. *)
H70 : TcbJoin (v´52, Int.zero) (x6, t, m) x10 v´45
)(
H41 : Int.unsigned x6 <= 255
)(
H28 : Int.ltu x6 (x>>ᵢ$ 8) = false
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
v´36 (x6, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: v´35) v´36 v´45
)(
(* [r*]/[rr*]/[rrr*]: bit-group and bit-index bounds (< 8) for the pip,
   owner and current priorities, restated against [length v´36] (the ready
   table, 8 bytes by [HH58]) in nat and in Z. *)
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
r5 : Int.unsigned (x6>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned (x6&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned (x6&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned (x6>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned (x6&$ 7) < Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36) = true
)(
x16 : int32
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36 = Vint32 x12
)(
H89 : Int.unsigned x12 <= 255
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
H93 : val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull
)(
(* [H94]-[H96]: the C test [!(i == 0)] was taken as true, i.e. the event
   wait group [i] is non-zero (some task was waiting on the mutex). *)
H94 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <>
Vint32 Int.zero
)(
H95 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H96 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
(* NOTE(review): [v´34] is the value held in local [prio] and is used as
   the index into OSTCBPrioTbl (64 entries, [H51]) by the third statement,
   yet no binder bounds it.  The in-range fact has to come out of
   [event_rdy_post5´ ... (Some v´34)] in the precondition -- confirm. *)
v´34 : val
),
(* Spec tuple: abstract spec, scheduling-choice predicate, invariant, the
   return assertion (all five locals existentially quantified, interrupts
   enabled [Aie true], no critical section [Acs nil], abstract code at
   [END v]) and [Afalse] as the remaining assertion -- presumably the
   exit/abort case; confirm against the triple's definition. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the [event_rdy_post5´] logical state for this event and
   [prio = v´34], then the concrete heap: the event list split around
   [pevent] (two [evsllseg] segments), the abstract ECB/TCB maps, the
   current TCB, free lists, time, and the five locals. *)
{{event_rdy_post5´
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´34)
(logic_lv v´30
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv v´36
:: logic_val (Vint32 i7)
:: logic_abstcb v´39
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(* Inside a critical section: interrupts disabled, one critical-section
   frame pushed.  EXIT_CRITICAL below is what brings the state to the
   [Aie true]/[Acs nil] shape demanded by the return assertion. *)
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´34 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
(* Clear the low (owner) byte of OSEventCnt, keeping the upper (pip) byte
   -- going by the mask's name. *)
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
(* Record the new owner's priority in the low byte. *)
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
(* Point the event at the new owner's TCB through the priority table. *)
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
(* Leave the critical section, let the scheduler pick the new owner if it
   is now the highest-priority ready task, and report success. *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* gen_OSMutexPost3_3_event_rdy_post5
   Proof obligation for the tail of OSMutexPost after OS_EventTaskRdy has
   returned (its result lives in the local prio, logical value v´34).
   The definition universally quantifies the complete proof context
   (logical variables v´.., hypotheses H.., and the bookkeeping facts
   r*, rr*, rrr*, aa*) and then states one judgment of the program logic:

     {|OSQ_spec, GetHPrio, I, retframe, Afalse|} |- {{ pre }} stmts {{ Afalse }}

   - pre is event_rdy_post5 applied to the call arguments and the logical
     environment, starred with the current interrupt/critical-section state
     (Aie false, Acs (true :: nil)) and the remaining resources.
   - stmts are the last five statements of the function: mask OSEventCnt
     with OS_MUTEX_KEEP_UPPER_8, OR prio into it, point OSEventPtr at
     OSTCBPrioTbl[prio], EXIT_CRITICAL, OS_Sched, RETURN OS_NO_ERR.
   - The postcondition is Afalse: the statement list ends in RETURN, so a
     normal fall-through exit is unreachable; the fourth frame component
     (fun v : option val => ... <|| END v ||>) looks like the assertion the
     returned value is judged against - confirm against the definition of
     the judgment.
   NOTE(review): v´34, the prio used to index OSTCBPrioTbl, carries no range
   hypothesis in this context; the in-bounds guarantee for that array read
   must come from event_rdy_post5 itself - confirm when unfolding it. *)
Definition gen_OSMutexPost3_3_event_rdy_post5:= forall (
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
(* The event list is split around the mutex ECB at (v´29, Int.zero):
   H2 covers the prefix v´25 starting at v´42, H3 the suffix v´26 from v´46
   to Vnull, and H1 their concatenation with the mutex in the middle. *)
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
(* i is the second slot of the OS_EVENT vallist (presumably OSEventGrp);
   it is a byte (H21) and indexes the 256-entry OSUnMapVallist (H59/H60). *)
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
(* x is the 16-bit OSEventCnt of the mutex (third slot of the OS_EVENT
   vallist; H10/H22 bound it by 65535).  Its upper byte x>>8 is the pip
   (the local pip holds exactly that value in the precondition), its lower
   byte x&OS_MUTEX_KEEP_LOWER_8 is the owner priority recorded in the
   abstract mutex (H6). *)
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
(* Mutex state: it is held (H35), the owner slot is (v´52, $ 0) - the same
   block as the current task HCurTCB (v´52, Int.zero) - pip is strictly
   below the owner priority (H47), and both bytes are valid priorities
   (< 64: H15, H48), i.e. in-range indices of the 64-entry OSTCBPrioTbl
   (H51, H52, H53). *)
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
(* Highest waiting priority, computed through the unmap table:
   x2 = OSUnMapVallist[i] (H61, < 8 by fffbb), x4 = v´44[x2] (H63),
   x5 = OSUnMapVallist[x4] (H66, < 8 by ttfasd).  Hence (x2<<3)+x5 <= 63,
   a valid priority / table index. *)
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
(* The C-level test  !(i == 0) && ((x2<<3)+x5 < pip || (x2<<3)+x5 == pip)
   has already been evaluated and found false (value zero or null).
   Since H94-H96 below make the !(i == 0) operand true, this informally
   says the highest waiting priority lies strictly above pip (assuming the
   operands are well-typed ints, as H21/fffbb/ttfasd suggest). *)
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
(* (x6, t, m) is the abstract TCB of the current task (H70 joins it at
   (v´52, Int.zero)); x6 is its priority (< 64 by H85) and the seventh slot
   of its concrete TCB vallist (H73, backup2).  By H28 it is not below pip,
   by H93 below it is not equal to pip either. *)
x6 : int32
)(
x14 : int32
)(
H77 : 0 <= Int.unsigned x6
)(
H85 : Int.unsigned x6 < 64
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H43 : Int.unsigned (x6>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<(x6>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<(x6&$ 7)) <= 255
)(
H42 : Int.unsigned (x6&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x6, t, m) x10 v´45
)(
H41 : Int.unsigned x6 <= 255
)(
H28 : Int.ltu x6 (x>>ᵢ$ 8) = false
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
v´36 (x6, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: v´35) v´36 v´45
)(
(* r*, rr*, rrr*: the bit-group (>>3) and bit-index (&7) components of pip,
   of the owner priority and of x6 are all < 8 and therefore in range of the
   8-byte ready table v´36 (HH58) and of OSMapVallist (H69). *)
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
r5 : Int.unsigned (x6>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned (x6&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned (x6&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned (x6>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned (x6&$ 7) < Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36) = true
)(
x16 : int32
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36 = Vint32 x12
)(
H89 : Int.unsigned x12 <= 255
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
)(
(* The x6 == pip test evaluated false (presumably the
   OSTCBCur->OSTCBPrio == pip guard of OSMutexPost, which is not part of
   this obligation): the current task is not running at the pip. *)
H93 : val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull
)(
(* H94-H96: the !(i == 0) test is true-valued (neither zero, null nor
   undefined), i.e. the OSEventGrp != 0 branch that calls OS_EventTaskRdy
   was taken - presumably, the branch itself is not in this obligation. *)
H94 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <>
Vint32 Int.zero
)(
H95 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vnull
)(
H96 : val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))) <> Vundef
)(
(* Value of the local prio after OS_EventTaskRdy; no range fact about it is
   available in this context (see the NOTE in the header comment). *)
v´34 : val
),
(* Frame.  The return assertion (fun v => ...) only requires the five locals
   to exist and demands Aie true / Acs nil, while the precondition below has
   Aie false / Acs (true :: nil); the EXIT_CRITICAL statement is presumably
   what bridges the two. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: event_rdy_post5 applied to the call arguments
   (pevent, (void *) pevent, OS_STAT_MUTEX), the result v´34 and the
   logical environment, starred with the interrupt state (Aie false,
   Acs (true :: nil)), the two event-list segments around the mutex, the
   abstract OS state and the local variables.  The locals show prio = v´34,
   x = OS_STAT_MUTEX, legal = x2 and pip = x>>8. *)
{{event_rdy_post5
(Vptr (v´29, Int.zero)
:: Vptr (v´29, Int.zero) :: V$OS_STAT_MUTEX :: nil)
(Some v´34)
(logic_lv v´30
:: logic_lv
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: logic_llv v´33
:: logic_llv v´35
:: logic_lv v´36
:: logic_val (Vint32 i7)
:: logic_abstcb v´39
:: logic_val v´31
:: logic_val (Vptr (v´52, Int.zero))
:: logic_val (Vptr (v´52, Int.zero))
:: logic_lv
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i
:: Vint32 x
:: Vptr (v´52, $ 0)
::
x3 :: v´46 :: nil)
:: logic_lv v´44
:: logic_leventd
(DMutex
(Vint32 x)
(Vptr (v´52, $ 0)) :: nil)
:: logic_code
(mutexpost
(Vptr (v´29, Int.zero)
:: nil)) :: nil) **
(Aie false **
Ais nil ** Acs (true :: nil) ** Aisr empisr ** A_isr_is_prop) **
LV prio @ Int8u |-> v´34 **
LV os_code_defs.x @ Int8u |-> (V$OS_STAT_MUTEX) **
LV legal @ Int8u |-> Vint32 x2 **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)}}
(* Statements under verification: hand the mutex to the woken task. *)
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ (* clear the owner byte, keep pip *)
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ (* record the new owner priority *)
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ (* new owner TCB; index bound comes from event_rdy_post5 *)
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
(* gen_MutexPostNoUnliftSuccReturn
   Proof obligation for the second half of OSMutexPost in the case where the
   current task is not running at the pip (the precondition carries the pure
   fact that the x6 == pip test is false, and H28 says x6 is not below pip
   either; hence the NoUnlift in the name, presumably).  As in the
   neighbouring obligations the whole proof context is quantified first,
   then one judgment is stated:

     {|OSQ_spec, GetHPrio, I, retframe, Afalse|} |- {{ pre }} stmts {{ Afalse }}

   Unlike gen_OSMutexPost3_3_event_rdy_post5, the precondition here is an
   explicit separating conjunction of resources (abstract code mutexpost,
   the current TCB struct, both halves of the TCB list, the OS_EVENT struct
   and its wait table, the ready table, the 64-entry priority table, ...)
   rather than a wrapper predicate, and the statements cover the complete
   If(OSEventGrp != 0) with both branches:
   - waiters present: x := OS_STAT_MUTEX, prio := OS_EventTaskRdy(...),
     then the same five statements as gen_OSMutexPost3_3_event_rdy_post5
     (mask OSEventCnt, OR prio in, OSEventPtr := OSTCBPrioTbl[prio],
     EXIT_CRITICAL, OS_Sched, RETURN OS_NO_ERR);
   - no waiters: OSEventCnt |= OS_MUTEX_AVAILABLE, OSEventPtr := NULL,
     EXIT_CRITICAL, RETURN OS_NO_ERR (no reschedule).
   Both paths end in RETURN, hence the Afalse postcondition. *)
Definition gen_MutexPostNoUnliftSuccReturn:= forall(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
(* Event list split around the mutex ECB at (v´29, Int.zero): H2 is the
   prefix v´25 from v´42, H3 the suffix v´26 from v´46 to Vnull, H1 the
   concatenation with the mutex entry in the middle. *)
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
(* v´44 is the 8-byte wait table of the event (H19, H19´´), located at v´23
   inside the OS_EVENT struct (H14). *)
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
(* i is the second slot of the OS_EVENT vallist, the value the C code tests
   as pevent->OSEventGrp below; a byte (H21) indexing OSUnMapVallist. *)
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
(* x is the 16-bit OSEventCnt (H10/H22): upper byte = pip (held by the
   local pip), lower byte = owner priority (held by the local prio and
   recorded in the abstract mutex, H6). *)
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
(* Mutex state: held (H35) by (v´52, $ 0), the same block as the current
   task HCurTCB (v´52, Int.zero); pip strictly below the owner priority
   (H47); both bytes < 64 (H15, H48), so both are in-range indices of the
   64-entry OSTCBPrioTbl (H51, H52, H53). *)
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
(* Highest waiting priority via the unmap table: x2 = OSUnMapVallist[i]
   (H61, < 8 by fffbb), x4 = v´44[x2] (H63), x5 = OSUnMapVallist[x4]
   (H66, < 8 by ttfasd); so (x2<<3)+x5 <= 63.  The local x holds that value
   in the precondition. *)
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
(* The test  !(i == 0) && ((x2<<3)+x5 < pip || (x2<<3)+x5 == pip)  has
   already been evaluated and found false (zero or null).  Note that, unlike
   gen_OSMutexPost3_3_event_rdy_post5, this context has no separate fact
   about !(i == 0) alone: the If below branches on it. *)
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5) (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
(* (x6, t, m) is the abstract TCB of the current task (H70 joins it at
   (v´52, Int.zero)); x6 is its priority (< 64 by H85) and the seventh slot
   of its concrete TCB vallist (H73, backup2).  H28: x6 is not below pip;
   the pure fact in the precondition adds that it is not equal to pip. *)
x6 : int32
)(
x14 : int32
)(
H77 : 0 <= Int.unsigned x6
)(
H85 : Int.unsigned x6 < 64
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H43 : Int.unsigned (x6>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<(x6>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<(x6&$ 7)) <= 255
)(
H42 : Int.unsigned (x6&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x6, t, m) x10 v´45
)(
H41 : Int.unsigned x6 <= 255
)(
H28 : Int.ltu x6 (x>>ᵢ$ 8) = false
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
v´36 (x6, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: v´35) v´36 v´45
)(
(* r*, rr*, rrr*: bit-group (>>3) and bit-index (&7) of pip, of the owner
   priority and of x6 are all < 8, hence in range of the 8-byte ready table
   v´36 (HH58) and of OSMapVallist (H69). *)
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
r5 : Int.unsigned (x6>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned (x6&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned (x6&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned (x6>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned (x6&$ 7) < Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36) = true
)(
x16 : int32
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36 = Vint32 x12
)(
H89 : Int.unsigned x12 <= 255
)(
H92 : Int.unsigned (x>>ᵢ$ 8) < Int.unsigned ($ Byte.modulus)
),
(* Frame: the return assertion only requires the five locals to exist and
   demands Aie true / Acs nil, whereas the precondition has Aie false /
   Acs (true :: nil); both RETURN paths below pass EXIT_CRITICAL first. *)
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
(* Precondition: the abstract operation still to be performed is
   mutexpost pevent; the locals hold x = (x2<<3)+x5 (highest waiting
   priority, <= 63 by fffbb/ttfasd), legal = x2, prio = owner priority
   (lower byte of x), pip = upper byte of x. *)
{{( <|| mutexpost (Vptr (v´29, Int.zero) :: nil) ||> **
LV os_code_defs.x @ Int8u |-> Vint32 ((x2<<$ 3)+ᵢx5) **
LV legal @ Int8u |-> Vint32 x2 **
PV v´51 @ Int8u |-> v´32 **
(* Current TCB at (v´52, Int.zero), then the rest of the TCB list after it
   (v´35, from x7) and the part before it (v´33, from the list head v´31). *)
Astruct (v´52, Int.zero) OS_TCB
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil) **
dllseg x7 (Vptr (v´52, Int.zero)) v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´31 **
dllseg v´31 Vnull v´24 (Vptr (v´52, Int.zero)) v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
LV prio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
(* The mutex OS_EVENT struct (type, group byte i, OSEventCnt x, owner
   pointer, x3, next = v´46) and its wait table v´44 at v´23. *)
Astruct (v´29, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil) **
Aarray v´23 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´44 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
A_isr_is_prop **
(* Ready table / group byte and the 64-entry priority table that the
   If-branch indexes with prio (H51 fixes its length). *)
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE) v´36 **
GV OSRdyGrp @ Int8u |-> Vint32 i7 **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64) v´30 **
G&OSPlaceHolder @ Int8u == v´51 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
GAarray OSMapTbl (Tarray Int8u 8) OSMapVallist **
GAarray OSUnMapTbl (Tarray Int8u 256) OSUnMapVallist **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
(* Pure fact: the x6 == pip test was false, i.e. the current task is not
   running at the pip (the no-unlift case). *)
[|val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq x6 (x>>ᵢ$ 8)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull|]}}
(* Statements under verification. *)
If(pevent ′ → OSEventGrp !=ₑ ′0)
(* Waiters present: wake one through OS_EventTaskRdy, then hand the mutex
   over exactly as in gen_OSMutexPost3_3_event_rdy_post5 (the tail after
   the call is that obligation's statement list).  No range fact about the
   returned prio is visible here; the OSTCBPrioTbl[prio] read relies on the
   callee's postcondition - confirm. *)
{os_code_defs.x ′ =ₑ ′OS_STAT_MUTEX;ₛ
prio ′ =ᶠ OS_EventTaskRdy (·pevent ′, 〈(Void) ∗ 〉 pevent ′,
os_code_defs.x ′·);ₛ
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR} ;ₛ
(* No waiters: release the mutex.  NOTE(review): there is no prior
   &= OS_MUTEX_KEEP_UPPER_8 on this path, so the OR only overwrites the
   owner byte completely if OS_MUTEX_AVAILABLE has all eight low bits set;
   the constant's value is not visible here - confirm. *)
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ ′OS_MUTEX_AVAILABLE;ₛ
pevent ′ → OSEventPtr =ₑ NULL;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
Definition gen_MutexPostPart3 := forall
(
v´ : val
)(
v´0 : val
)(
v´1 : val
)(
v´2 : val
)(
v´3 : list vallist
)(
v´4 : list vallist
)(
v´5 : list vallist
)(
v´6 : list EventData
)(
v´7 : list EventCtr
)(
v´8 : vallist
)(
v´9 : val
)(
v´10 : val
)(
v´11 : list vallist
)(
v´12 : vallist
)(
v´13 : list vallist
)(
v´14 : vallist
)(
v´15 : val
)(
v´16 : EcbMod.map
)(
v´17 : TcbMod.map
)(
v´18 : int32
)(
v´19 : addrval
)(
v´20 : addrval
)(
v´21 : val
)(
v´22 : list vallist
)(
H : RH_TCBList_ECBList_P v´16 v´17 v´19
)(
H0 : RH_CurTCB v´19 v´17
)(
v´25 : list EventCtr
)(
v´26 : list EventCtr
)(
v´27 : list EventData
)(
v´28 : list EventData
)(
v´30 : vallist
)(
v´31 : val
)(
v´33 : list vallist
)(
v´35 : list vallist
)(
v´36 : vallist
)(
v´38 : EcbMod.map
)(
v´39 : TcbMod.map
)(
v´42 : val
)(
v´44 : vallist
)(
v´46 : val
)(
v´47 : EcbMod.map
)(
v´48 : EcbMod.map
)(
v´49 : EcbMod.map
)(
w : waitset
)(
v´51 : addrval
)(
H3 : ECBList_P v´46 Vnull v´26 v´28 v´48 v´39
)(
H17 : EcbMod.join v´47 v´49 v´38
)(
H12 : length v´25 = length v´27
)(
H16 : isptr v´46
)(
v´23 : addrval
)(
v´29 : block
)(
H11 : array_type_vallist_match Int8u v´44
)(
H19 : length v´44 = ∘OS_EVENT_TBL_SIZE
)(
x3 : val
)(
i : int32
)(
H21 : Int.unsigned i <= 255
)(
H18 : RL_Tbl_Grp_P v´44 (Vint32 i)
)(
H24 : isptr v´46
)(
H2 : ECBList_P v´42 (Vptr (v´29, Int.zero)) v´25 v´27 v´47 v´39
)(
H14 : id_addrval´ (Vptr (v´29, Int.zero)) OSEventTbl OS_EVENT = Some v´23
)(
H20 : Int.unsigned ($ OS_EVENT_TYPE_MUTEX) <= 255
)(
x : int32
)(
H10 : Int.unsigned x <= 65535
)(
H15 : Int.unsigned (x>>ᵢ$ 8) < 64
)(
H22 : Int.unsigned x <= 65535
)(
v´24 : val
)(
v´40 : val
)(
v´43 : TcbMod.map
)(
v´45 : TcbMod.map
)(
v´52 : block
)(
H31 : v´31 <> Vnull
)(
H32 : TcbMod.join v´43 v´45 v´39
)(
H33 : TCBList_P v´31 v´33 v´36 v´43
)(
H30 : Vptr (v´52, Int.zero) <> Vnull
)(
i6 : int32
)(
H39 : Int.unsigned i6 <= 65535
)(
H36 : isptr v´24
)(
x7 : val
)(
x10 : TcbMod.map
)(
t : taskstatus
)(
m : msg
)(
H72 : TCBList_P x7 v´35 v´36 x10
)(
H7 : RH_TCBList_ECBList_P v´38 v´39 (v´52, Int.zero)
)(
H8 : RH_CurTCB (v´52, Int.zero) v´39
)(
H23 : isptr (Vptr (v´52, $ 0))
)(
H5 : R_ECB_ETbl_P (v´29, Int.zero)
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) v´39
)(
H1 : ECBList_P v´42 Vnull
(v´25 ++
((V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil,
v´44) :: nil) ++ v´26)
(v´27 ++ (DMutex (Vint32 x) (Vptr (v´52, $ 0)) :: nil) ++ v´28) v´38
v´39
)(
H29 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE \/
x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H35 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE
)(
H47 : Int.ltu (x>>ᵢ$ 8) (x&$ OS_MUTEX_KEEP_LOWER_8) = true
)(
H48 : Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8) < 64
)(
H6 : EcbMod.joinsig (v´29, Int.zero)
(absmutexsem (x>>ᵢ$ 8) (Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)),
w) v´48 v´49
)(
H4 : Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None -> w = nil
)(
H9 : forall (tid : tid) (opr : int32),
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = Some (tid, opr) ->
Int.ltu (x>>ᵢ$ 8) opr = true /\ Int.unsigned opr < 64
)(
H13 : w <> nil -> Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) <> None
)(
H25 : x&$ OS_MUTEX_KEEP_LOWER_8 = $ OS_MUTEX_AVAILABLE ->
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) = None /\
Vptr (v´52, $ 0) = Vnull
)(
H26 : x&$ OS_MUTEX_KEEP_LOWER_8 <> $ OS_MUTEX_AVAILABLE ->
exists tid,
Vptr (v´52, $ 0) = Vptr tid /\
Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8) =
Some (tid, x&$ OS_MUTEX_KEEP_LOWER_8)
)(
backup : RLH_ECBData_P (DMutex (Vint32 x) (Vptr (v´52, $ 0)))
(absmutexsem (x>>ᵢ$ 8)
(Some (v´52, $ 0, x&$ OS_MUTEX_KEEP_LOWER_8)), w)
)(
v´32 : val
)(
H46 : array_type_vallist_match OS_TCB ∗ v´30
)(
H51 : length v´30 = 64%nat
)(
H49 : RL_RTbl_PrioTbl_P v´36 v´30 v´51
)(
H50 : R_PrioTbl_P v´30 v´39 v´51
)(
x1 : val
)(
H52 : nth_val (Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30 =
Some x1
)(
x0 : val
)(
H53 : nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8))) v´30 = Some x0
)(
H54 : array_type_vallist_match Int8u v´36
)(
H58 : length v´36 = ∘OS_RDY_TBL_SIZE
)(
i7 : int32
)(
H55 : Int.unsigned i7 <= 255
)(
H57 : prio_in_tbl ($ OS_IDLE_PRIO) v´36
)(
H56 : RL_Tbl_Grp_P v´36 (Vint32 i7)
)(
x2 : int32
)(
fffa : length OSUnMapVallist = 256%nat ->
(Z.to_nat (Int.unsigned i) < 256)%nat ->
exists x4,
Vint32 x2 = Vint32 x4 /\
true = rule_type_val_match Int8u (Vint32 x4)
)(
H59 : length OSUnMapVallist = 256%nat
)(
H60 : (Z.to_nat (Int.unsigned i) < 256)%nat
)(
H61 : nth_val´ (Z.to_nat (Int.unsigned i)) OSUnMapVallist = Vint32 x2
)(
H62 : true = rule_type_val_match Int8u (Vint32 x2)
)(
fffbb : Int.unsigned x2 < 8
)(
fffbb2 : (Z.to_nat (Int.unsigned x2) < length v´44)%nat
)(
H19´´ : length v´44 = Z.to_nat 8
)(
x4 : int32
)(
H63 : nth_val´ (Z.to_nat (Int.unsigned x2)) v´44 = Vint32 x4
)(
H64 : Int.unsigned x4 <= 255
)(
H65 : (Z.to_nat (Int.unsigned x4) < length OSUnMapVallist)%nat
)(
x5 : int32
)(
H66 : nth_val´ (Z.to_nat (Int.unsigned x4)) OSUnMapVallist = Vint32 x5
)(
H67 : Int.unsigned x5 <= 255
)(
ttfasd : Int.unsigned x5 < 8
)(
H68 : val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) =
Vint32 Int.zero \/
val_inj
(bool_and
(val_inj
(notint
(val_inj
(if Int.eq i ($ 0)
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))
(val_inj
(bool_or
(val_inj
(if Int.ltu ((x2<<$ 3)+ᵢx5)
(Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))
(val_inj
(if Int.eq ((x2<<$ 3)+ᵢx5)
(Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)))))) = Vnull
)(
H27 : isptr x7
)(
H38 : isptr m
)(
x6 : int32
)(
x14 : int32
)(
H77 : 0 <= Int.unsigned x6
)(
H85 : Int.unsigned x6 < 64
)(
H82 : x14 = $ OS_STAT_RDY \/
x14 = $ OS_STAT_SEM \/
x14 = $ OS_STAT_Q \/ x14 = $ OS_STAT_MBOX \/ x14 = $ OS_STAT_MUTEX
)(
x15 : val
)(
H84 : x14 = $ OS_STAT_RDY -> x15 = Vnull
)(
H43 : Int.unsigned (x6>>ᵢ$ 3) <= 255
)(
H45 : Int.unsigned ($ 1<<(x6>>ᵢ$ 3)) <= 255
)(
H44 : Int.unsigned ($ 1<<(x6&$ 7)) <= 255
)(
H42 : Int.unsigned (x6&$ 7) <= 255
)(
H70 : TcbJoin (v´52, Int.zero) (x6, t, m) x10 v´45
)(
H41 : Int.unsigned x6 <= 255
)(
H28 : Int.ltu x6 (x>>ᵢ$ 8) = false
)(
H37 : isptr x15
)(
H40 : Int.unsigned x14 <= 255
)(
H73 : R_TCB_Status_P
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
v´36 (x6, t, m)
)(
backup2 : TCBList_P (Vptr (v´52, Int.zero))
((x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil)
:: v´35) v´36 v´45
)(
r1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < 8
)(
r2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) < 8
)(
r3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) < 8
)(
r4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < 8
)(
H34 : array_type_vallist_match Int8u OSMapVallist
)(
H69 : length OSMapVallist = 8%nat
)(
H71 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) < 8)%nat
)(
x8 : int32
)(
H74 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
OSMapVallist = Vint32 x8
)(
H75 : true = rule_type_val_match Int8u (Vint32 x8)
)(
H76 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x9 : int32
)(
H78 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x9
)(
H79 : true = rule_type_val_match Int8u (Vint32 x9)
)(
H80 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) < 8)%nat
)(
x11 : int32
)(
H81 : nth_val´ (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)))
OSMapVallist = Vint32 x11
)(
H83 : true = rule_type_val_match Int8u (Vint32 x11)
)(
r5 : Int.unsigned (x6>>ᵢ$ 3) < 8
)(
r6 : Int.unsigned (x6&$ 7) < 8
)(
rr1 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3)) < length v´36)%nat
)(
rr2 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)) <
length v´36)%nat
)(
rr3 : (Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)) <
length v´36)%nat
)(
rr4 : (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)&$ 7)) < length v´36)%nat
)(
rr5 : (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)) < length v´36)%nat
)(
rr6 : (Z.to_nat (Int.unsigned (x6&$ 7)) < length v´36)%nat
)(
rrr1 : Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr2 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7) <
Z.of_nat (length v´36)
)(
rrr3 : Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3) <
Z.of_nat (length v´36)
)(
rrr4 : Int.unsigned ((x>>ᵢ$ 8)&$ 7) < Z.of_nat (length v´36)
)(
rrr5 : Int.unsigned (x6>>ᵢ$ 3) < Z.of_nat (length v´36)
)(
rrr6 : Int.unsigned (x6&$ 7) < Z.of_nat (length v´36)
)(
HH58 : length v´36 = Z.to_nat 8
)(
aa : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36) = true
)(
aa2 : rule_type_val_match Int8u
(nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
v´36) = true
)(
aa3 : rule_type_val_match Int8u
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36) = true
)(
x16 : int32
)(
H88 : nth_val´ (Z.to_nat (Int.unsigned ((x>>ᵢ$ 8)>>ᵢ$ 3))) v´36 =
Vint32 x16
)(
H91 : Int.unsigned x16 <= 255
)(
x13 : int32
)(
H87 : nth_val´
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3))) v´36 =
Vint32 x13
)(
H90 : Int.unsigned x13 <= 255
)(
x12 : int32
)(
H86 : nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36 = Vint32 x12
)(
H89 : Int.unsigned x12 <= 255
)
( last_condition : ProtectWrapper (x14 = $ OS_STAT_RDY /\ i6 = $ 0))
,
{|OSQ_spec , GetHPrio, I,
fun v : option val =>
((((EX v0 : val, LV pevent @ OS_EVENT ∗ |-> v0) **
(EX v0 : val, LV os_code_defs.x @ Int8u |-> v0) **
(EX v0 : val, LV pip @ Int8u |-> v0) **
(EX v0 : val, LV prio @ Int8u |-> v0) **
(EX v0 : val, LV legal @ Int8u |-> v0) ** Aemp) **
Aie true ** Ais nil ** Acs nil ** Aisr empisr) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
<|| END v ||> , Afalse|}|-
{{(( <|| mutexpost (Vptr (v´29, Int.zero) :: nil) ||> **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil) **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64)
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val
(Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30
(Vptr (v´52, Int.zero))) (Vptr v´51)) **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE)
(update_nth_val
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj (and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7)))))))
(val_inj
(or
(nth_val´
(Z.to_nat
(Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
v´36
(val_inj
(and (Vint32 x12)
(Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(Vint32 x11)))) **
GV OSRdyGrp @ Int8u
|-> Vint32 (Int.or (i7&Int.not ($ 1<<(x6>>ᵢ$ 3))) x8) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
Astruct (v´52, Int.zero) OS_TCB
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)
:: Vint32 x11 :: Vint32 x8 :: nil) **
LV os_code_defs.x @ Int8u |-> Vint32 ((x2<<$ 3)+ᵢx5) **
LV legal @ Int8u |-> Vint32 x2 **
PV v´51 @ Int8u |-> v´32 **
dllseg x7 (Vptr (v´52, Int.zero)) v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl)
(fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´31 **
dllseg v´31 Vnull v´24 (Vptr (v´52, Int.zero)) v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl)
(fun vl : vallist => nth_val 0 vl) **
LV prio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (v´29, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil) **
Aarray v´23 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´44 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
A_isr_is_prop **
G&OSPlaceHolder @ Int8u == v´51 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
GAarray OSMapTbl (Tarray Int8u 8) OSMapVallist **
GAarray OSUnMapTbl (Tarray Int8u 256) OSUnMapVallist **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
[|val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vint32 Int.zero /\
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vnull /\
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vundef|] **
[|val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vint32 Int.zero /\
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vnull /\
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) <> Vundef|]) ** [|x1 = Vptr v´51|] \\//
<|| mutexpost (Vptr (v´29, Int.zero) :: nil) ||> **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil) **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64)
(update_nth_val (Z.to_nat (Int.unsigned (x>>ᵢ$ 8)))
(update_nth_val
(Z.to_nat (Int.unsigned (x&$ OS_MUTEX_KEEP_LOWER_8))) v´30
(Vptr (v´52, Int.zero))) (Vptr v´51)) **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE)
(update_nth_val
(Z.to_nat (Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj (and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7)))))))
(val_inj
(or
(nth_val´
(Z.to_nat
(Int.unsigned ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12)
(Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(Vint32 x11)))) **
GV OSRdyGrp @ Int8u |-> Vint32 (Int.or i7 x8) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
Astruct (v´52, Int.zero) OS_TCB
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)&$ 7)
:: Vint32 ((x&$ OS_MUTEX_KEEP_LOWER_8)>>ᵢ$ 3)
:: Vint32 x11 :: Vint32 x8 :: nil) **
LV os_code_defs.x @ Int8u |-> Vint32 ((x2<<$ 3)+ᵢx5) **
LV legal @ Int8u |-> Vint32 x2 **
PV v´51 @ Int8u |-> v´32 **
dllseg x7 (Vptr (v´52, Int.zero)) v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´31 **
dllseg v´31 Vnull v´24 (Vptr (v´52, Int.zero)) v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
LV prio @ Int8u |-> Vint32 (x&$ OS_MUTEX_KEEP_LOWER_8) **
LV pip @ Int8u |-> Vint32 (x>>ᵢ$ 8) **
Astruct (v´29, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil) **
Aarray v´23 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´44 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
A_isr_is_prop **
G&OSPlaceHolder @ Int8u == v´51 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
GAarray OSMapTbl (Tarray Int8u 8) OSMapVallist **
GAarray OSUnMapTbl (Tarray Int8u 256) OSUnMapVallist **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
[|val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) = Vint32 Int.zero \/
val_inj
(val_eq
(nth_val´ (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3)))
(update_nth_val (Z.to_nat (Int.unsigned (x6>>ᵢ$ 3))) v´36
(val_inj
(and (Vint32 x12) (Vint32 (Int.not ($ 1<<(x6&$ 7))))))))
(V$0)) = Vnull|] ** [|x1 = Vptr v´51|]) **
[|val_inj
(if Int.eq x6 (Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vint32 Int.zero /\
val_inj
(if Int.eq x6 (Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vnull /\
val_inj
(if Int.eq x6 (Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) <> Vundef|] \\//
( <|| mutexpost (Vptr (v´29, Int.zero) :: nil) ||> **
LV os_code_defs.x @ Int8u |-> Vint32 ((x2<<$ 3)+ᵢx5) **
LV legal @ Int8u |-> Vint32 x2 **
PV v´51 @ Int8u |-> v´32 **
Astruct (v´52, Int.zero) OS_TCB
(x7
:: v´24
:: x15
:: m
:: Vint32 i6
:: Vint32 x14
:: Vint32 x6
:: Vint32 (x6&$ 7)
:: Vint32 (x6>>ᵢ$ 3)
:: Vint32 ($ 1<<(x6&$ 7))
:: Vint32 ($ 1<<(x6>>ᵢ$ 3)) :: nil) **
dllseg x7 (Vptr (v´52, Int.zero)) v´40 Vnull v´35 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBList @ OS_TCB ∗ |-> v´31 **
dllseg v´31 Vnull v´24 (Vptr (v´52, Int.zero)) v´33 OS_TCB
(fun vl : vallist => nth_val 1 vl) (fun vl : vallist => nth_val 0 vl) **
GV OSTCBCur @ OS_TCB ∗ |-> Vptr (v´52, Int.zero) **
LV prio @ Int8u
|-> Vint32 (Int.modu (x&$ OS_MUTEX_KEEP_LOWER_8) ($ Byte.modulus)) **
LV pip @ Int8u |-> Vint32 (Int.modu (x>>ᵢ$ 8) ($ Byte.modulus)) **
Astruct (v´29, Int.zero) OS_EVENT
(V$OS_EVENT_TYPE_MUTEX
:: Vint32 i :: Vint32 x :: Vptr (v´52, $ 0) :: x3 :: v´46 :: nil) **
Aarray v´23 (Tarray Int8u ∘OS_EVENT_TBL_SIZE) v´44 **
Aie false **
Ais nil **
Acs (true :: nil) **
Aisr empisr **
GV OSEventList @ OS_EVENT ∗ |-> v´42 **
evsllseg v´42 (Vptr (v´29, Int.zero)) v´25 v´27 **
evsllseg v´46 Vnull v´26 v´28 **
A_isr_is_prop **
GAarray OSRdyTbl (Tarray Int8u ∘OS_RDY_TBL_SIZE) v´36 **
GV OSRdyGrp @ Int8u |-> Vint32 i7 **
GAarray OSTCBPrioTbl (Tarray OS_TCB ∗ 64) v´30 **
G&OSPlaceHolder @ Int8u == v´51 **
HECBList v´38 **
HTCBList v´39 **
HCurTCB (v´52, Int.zero) **
AOSEventFreeList v´3 **
AOSQFreeList v´4 **
AOSQFreeBlk v´5 **
GAarray OSMapTbl (Tarray Int8u 8) OSMapVallist **
GAarray OSUnMapTbl (Tarray Int8u 256) OSUnMapVallist **
AOSIntNesting **
AOSTCBFreeList v´21 v´22 **
AOSTime (Vint32 v´18) **
HTime v´18 **
AGVars **
atoy_inv´ **
LV pevent @ OS_EVENT ∗ |-> Vptr (v´29, Int.zero) **
A_dom_lenv
((pevent, OS_EVENT ∗)
:: (os_code_defs.x, Int8u)
:: (pip, Int8u) :: (prio, Int8u) :: (legal, Int8u) :: nil)) **
[|val_inj
(if Int.eq x6 (Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vint32 Int.zero \/
val_inj
(if Int.eq x6 (Int.modu (x>>ᵢ$ 8) ($ Byte.modulus))
then Some (Vint32 Int.one)
else Some (Vint32 Int.zero)) = Vnull|]}}
If(pevent ′ → OSEventGrp !=ₑ ′0)
{os_code_defs.x ′ =ₑ ′OS_STAT_MUTEX;ₛ
prio ′ =ᶠ OS_EventTaskRdy (·pevent ′, 〈(Void) ∗ 〉 pevent ′,
os_code_defs.x ′·);ₛ
pevent ′ → OSEventCnt &= ′OS_MUTEX_KEEP_UPPER_8;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ prio ′;ₛ
pevent ′ → OSEventPtr =ₑ OSTCBPrioTbl ′ [prio ′];ₛ
EXIT_CRITICAL;ₛ
OS_Sched();ₛ
RETURN ′OS_NO_ERR} ;ₛ
pevent ′ → OSEventCnt =ₑ pevent ′ → OSEventCnt |ₑ ′OS_MUTEX_AVAILABLE;ₛ
pevent ′ → OSEventPtr =ₑ NULL;ₛ
EXIT_CRITICAL;ₛ
RETURN ′OS_NO_ERR {{Afalse}}.
Close Scope code_scope.